立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Custom searches

Previous Next

Custom searches

You can create custom searches to meet your specific needs by using the following search properties tabs to define the criteria:
What - allows you to search for events generated in a specific subsystem
Who - allows you to search for events generated by a specific user
Where - allows you to search for events captured by a specific agent
When - allows you to search for events that occurred within a specific date and time range

 

* 
NOTE: Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search that all users can view and run.

The following examples show how to use searches to find the information you need.
Creating custom Exchange Online searches
Creating a custom SharePoint Online and OneDrive for Business search
Creating custom Microsoft Entra searches

Creating custom Exchange Online searches

Previous Next

Creating custom Exchange Online searches

To create a custom Exchange Online search:
1
Open the Searches page.
2
In the Explorer View, expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and click Subsystem | Microsoft 365.
* 
NOTE: You can use Add with Events | Subsystem | Microsoft 365 (instead of Add | Subsystem | Microsoft 365) to search for events associated with an online mailbox or administrative action that already has an event associated with it.
6
Choose the Selected Events option to configure the search.
* 
NOTE: When multiple entries are added to the selection list at the bottom of the page, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed.
7
Select the Mailbox Event option.

Search

Procedure

To search for activities performed on a specific mailbox
1
Select Mailbox Name to specify the mailbox to include.
2
Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains admin finds all events for mailboxes that contain ‘admin’ anywhere in their name.
3
Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional mailboxes to the search query.

To search for all activities performed on a specific folder and its contents across all monitored mailboxes
1
Select Folder Name to specify the folder to include.
2
Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains Inbox finds all events in ‘Inbox’ folder across all audited mailboxes.
3
Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional folders to the search query.

To search for all activities by specific synchronized accounts based on their on-premises account name
1
Select On-Premises User Name to specify the user to include.
2
Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed by accounts that were synchronized from on-premises Active Directory that contain ‘admin’ anywhere in their sAMAccountName attribute.
3
Click Add to add the expression to the selection list.

Repeat this process to add any additional users to the search query.

NOTE: For this search to function, the Microsoft Entra ID must have been synchronized with the on-premises environment using Microsoft Entra Connect. For details, see Auditing in synchronized environments.

To search for all activities performed on synchronized mailboxes based on their on-premises account name

 
1
Select On-Premises Target Name to specify the user to include. Use this format domain\username.
2
Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed on synchronized mailboxes that have ‘admin’ anywhere in their on-premises sAMAccountName attribute.
3
Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

NOTE: For this search to function, the Microsoft Entra ID must have been synchronized with the on-premises environment using Microsoft Entra Connect. For details, see Auditing in synchronized environments.

To search for activities performed on specific mailboxes based on their mailbox display name

 

 
1
Select Target Display Name to specify the mailbox to include.
2
Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events for mailboxes that contain ‘admin’ anywhere in their mailbox display name.
3
Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

To search for activities performed on specific mailboxes based on their synchronization status

1
Select Target Sync Type to specify the type of mailbox accounts to include based on how they are synchronized.
2
Select In cloud to include mailboxes existing only in the cloud.
3
Select Synced from AD to include mailboxes that have been synchronized from on-premises Active Directory.
4
Click Add to add the expression to the selection list.
To search for Administration cmdlets that were run:
1
On the What tab, expand Add and click Subsystem | Microsoft 365.
2
On the Microsoft 365 Exchange Online dialog, choose the Selected Events option to configure the search.
a
Select the Administration Cmdlet Event option.
Click Cmdlet Name and select the comparison operator to use: Contains or Does not contain. Enter the ‘command’ to use to search for a match. For example, to search for any ‘add’ users, enter add.
Click Cmdlet Parameters select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a parameter to use to search for a match.
Click Parameter Values select the comparison operator to use (Contains or Does not contain), and enter the value to use to search for a match.
Click Cmdlet Object, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a mailbox to use to search for a match.
* 
NOTE:  
If the Cmdlet Name, Cmdlet Parameters, Parameter Values and Cmdlet Object are specified, all expressions must be met before an event is returned
Cmdlet Parameters and Parameter Values can be searched separately; however, when both are selected the query is limited to the parameter that contains the selected value.
b
To add the expression to the selection list, click Add.
c
Repeat this process to add any additional search query requirements.
* 
NOTE: When multiple entries are added to the selection list at the bottom of the page, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed.

Creating a custom SharePoint Online and OneDrive for Business search

Previous Next

Creating a custom SharePoint Online and OneDrive for Business search

To create a custom SharePoint Online and OneDrive for Business search:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and click Subsystem | Microsoft 365.
6
Choose the Selected Events option to configure the search.
7
Select SharePoint/OneDrive Events.
8
Select a service from the Microsoft 365 services filter to include in the search. You can choose SharePoint Online, OneDrive for Business, or both. If no additional filters are set, all events for the selected services are returned. You can specify additional filters as follows:
Select the Operation filter to specify the operation to include in the search. Select a comparison operator (Like or Not like) and enter an operation name (character string and the * wildcard character). For example: Like *delete* will search for events where Operation contains ‘delete’. For a list of all available operations, see the Microsoft support article “Search the audit log in the Microsoft 365 Security & Compliance Center”.
Select Site URL filter to specify the full or partial URL to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character).
Select the Target filter to specify the full or partial name of the operation target (for example, the folder, file, user, or group) to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character). This search field corresponds to the contents of the Object Name column in the results grid.
9
Click Add to add the expression to the selection list.
10
Repeat this process to add any additional conditions to the search query.
* 
NOTE: When multiple entries are added to the selection list at the bottom of the page, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed.

Displaying additional SharePoint Online and OneDrive for Business information

Previous Next

Displaying additional SharePoint Online and OneDrive for Business information

When auditing Microsoft 365, you can add columns to display extra SharePoint Online and OneDrive for Business information through the search Layout tab:

Table 5. Available columns

Layout Tab

Search Column Name

Description

Microsoft Entra - Microsoft 365 Site URL

Site Url

The SharePoint Online or OneDrive for Business website URL.

Microsoft Entra- Activity Name/Operation

Activity Name/Operation

This field matches Operation property in the Microsoft 365 Audit log.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级