Change Auditor 7.4 - Web Client User Guide

Office 365 and Azure Active Directory auditing

Change Auditor provides extensive, customizable auditing of critical activities and provides detail alerts about vital changes taking place in Microsoft Office 365 Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory. Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions.

To ensure Office 365 and Azure Active Directory compliance, you can generate intelligent, in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications. By correlating activity across the on-premises and cloud environment, you can easily search all events regardless of where they occurred

To audit Office 365 Exchange Online, SharePoint Online, OneDrive for Business and Azure Active Directory you must first create an auditing template that defines the service and for Exchange Online the type of events (mailbox and administration cmdlet) to audit and the Change Auditor agent to assign. This can only be configured through the Windows client. For more information, see the Office 365 and Azure Active Directory Auditing User Guide.

SQL auditing

To enable SQL Server auditing, you must add a SQL Auditing template to an agent configuration, which can then be assigned to the appropriate agents. Change Auditor ships with a pre-defined SQL Auditing template that can be used to audit key events on the default SQL server instance or you can create a new SQL auditing template to specify the SQL instances and SQL Server operations to be audited.


	IMPORTANT: When multiple SQL Auditing templates are assigned to an agent configuration, the criteria specified in the last template assigned to the agent takes precedence.

SQL Auditing page

The SQL Auditing page is displayed when SQL is selected from the Auditing task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the SQL Auditing templates that have been defined. From this page you can launch the SQL Auditing wizard to specify the SQL instances and the operations to be audited. You can also edit existing templates, copy templates, disable/enable templates, or remove templates that are no longer being used.


	NOTE: For more information, including important tips and a full description of the following page, refer to the Quest Change Auditor for SQL Server User Guide.

To create a new SQL auditing template:

Open the Administration Tasks page.

Click Auditing.

Select SQL (under the Applications heading in the Auditing task list) to open the SQL Auditing page.

Click Add to open the SQL Auditing wizard which steps you through the process of creating a SQL Auditing template.

Table 35. SQL Auditing Wizard

Enter a name for the template.

Click Next.

SQL Instances

Select the SQL instance(s) to be audited.

Click Add to open a drop-down list and select the SQL instance to add:

•

Default

•

Named (enter the name of the SQL instance)

•

All Instances

Click Next.

SQL Events

Select the operations (facilities or event classes) that are to be audited.

NOTE: At least one event must be selected.

Select an operation to be audited

Select one of the following options to add it to the selection list:

•

Add | Add This Event to add individual events.

•

Add | Add All Events in Facility to add all events in the selected facility.

Click Next.

NOTE: Clicking Finish saves the template and closes the wizard.

SQL Column Filters

(Optional) Define column filters to capture only a subset of transactions.

Select a filter.

Click Add to add it to the selection list.

From the selection list, click in the Operator cell to change the operator.

Click in the Value cell to enter the value or string to be used in the filtering.

NOTE: When multiple filters are specified these filters are ‘ANDed’ together and all filters must be met in order to be considered a match. To use the ‘OR’ operator instead, click in the left-most column of a column filter row and select OR from the drop-down. When filters are ‘ORed’ together, then only one of the filters must be met in order to be considered a match.

NOTE: When both ‘AND’ and ‘OR’ operators are present in the filter list, ‘ORed’ filters are evaluated first and their results are used by the ‘AND’ filter.

Click Finish to save the template and close the wizard.

SharePoint auditing

To enable SharePoint auditing, you must deploy the Change Auditor SharePoint component to the SharePoint farms to be audited by Change Auditor, then create a SharePoint Auditing template for each SharePoint farm to be audited. The SharePoint Auditing template also defines the paths within the farm that are to be audited and specifies the agent to be used to capture the SharePoint events for the selected SharePoint farm.

SharePoint Auditing page

The SharePoint Auditing page is displayed when SharePoint is selected from the Auditing task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the SharePoint Auditing templates that have been defined. From this page you can launch the SharePoint Auditing wizard to specify the SharePoint farm and paths to be audited. You can also edit existing templates and remove templates that are no longer being used.


	NOTE: For more information, including a full description of the page, refer to the Quest Change Auditor for SharePoint User Guide.

To create a new SharePoint Auditing template:

Open the Administration Tasks page.

Click Auditing.

Select SharePoint (under the Applications heading in the Auditing task list) to open the SharePoint Auditing page.

Use Add to launch the SharePoint Auditing wizard which steps you through the process of creating a SharePoint Auditing template.

Table 36. SharePoint Auditing Wizard

Select the SharePoint farm to audit.

Click Find a SharePoint farm to select a SharePoint farm for auditing.

Select from a list of agents that host a SharePoint farm and enter credentials to access the farm. Click OK to close the dialog.

Click Next.

SharePoint Paths

Select the SharePoint paths to be audited and excluded from auditing.

Click Add at the top of the page to open the Browse SharePoint dialog.

On this dialog, locate and select the paths to be audited. Click OK to close the dialog and add the path(s) to the SharePoint paths to audit list (top pane).

(Optional) On the Add optional SharePoint paths to exclude from auditing under pane, select a path that has been added to the SharePoint paths to audit list (top pane) and then click the Add button to locate and add any subsequent paths within the selected path that are to be excluded from auditing. Click OK.

Click Next.

SharePoint Events

Select the operations (facilities or event classes) to be audited.

NOTE: At least one event must be selected.

Select the event classes and/or facilities to exclude.

Select one of the following to add it to the selection list:

•

Add | Add This Event to add an individual event.

•

Add | Add All Events In Facility to add all events in the selected facility.

Click Next.

Agent Selection