Change Auditor Built-In Reports

ChangeAuditor 5.
Built-in Reports Reference Guide

© 2011 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under
a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of
the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel
or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.
EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR
THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO
EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT,
EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or
warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make
changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to
update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters

LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com
Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, ChangeAuditor, Defender, InTrust, and Quest Authentication Services are
trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a
complete list of Quest Software’s trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other
trademarks and registered trademarks are property of their respective owners.
Third Party Contributions

ChangeAuditor contains some third party components. For a complete list, see the Third Party Components page in the
ChangeAuditor online help.
Quest ChangeAuditor Built-in Reports Reference Guide

March 2011
Version 5.5
Table of Contents
CHAPTER 1
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
CHAPTER 2
BUILT-IN REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
ALL EVENTS REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
LDAP QUERY REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
QUEST AUTHENTICATION SERVICES (QAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
QUEST DEFENDER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
RECOMMENDED BEST PRACTICE REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
AUDITING SERVICE ADMINISTRATOR ACTIVITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
DOMAIN CONTROLLER CHANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
DOMAIN-LEVEL CHANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
EXCHANGE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
FOREST-LEVEL CHANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
SEVERITY BASED CHANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
REGULATORY COMPLIANCE REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
FISMA (FEDERAL INFORMATION SECURITY MANAGEMENT ACT) . . . . . . . . . . . . . . . . . . . 28
GLBA (GRAMM-LEACH-BLILEY ACT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT) . . . . . . . . . . . . . . . 39
PCI (PAYMENT CARD INDUSTRY) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
SAS 70 (STATEMENT ON AUDITING STANDARDS, SERVICE ORGANIZATIONS) . . . . . . . . . . . 52
SOX (SARBANES-OXLEY GENERAL IT CONTROLS EVIDENCE BASED ON THE COBIT
FRAMEWORK). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
SECURITY REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
1
Introduction
ChangeAuditor provides predefined reports which allow you to quickly retrieve valuable configuration change
information from a variety of perspectives.
The terms ‘searches’ and ‘reports’ are used in conjunction to acquire the desired output. You run a
‘search’ and the results returned are referred to as a ‘report’.
To execute a built-in search:
1. Click on the Searches tab or select the View | Searches menu command or Ctrl+F10 to open
the Searches page.
2. Expand and select the appropriate folder in the explorer view (left-hand pane) to display the list of
search definitions stored in the selected folder.
3. In the right-hand pane, locate the search to be run and use one of the following methods to run
the selected search:
• Double-click a search definition
• Right-click a search definition and select the Run menu command
• Select the search definition and select the Run tool bar button at the top of the Searches
page
4. A new Search Results Page will be displayed populated with the audited events that met the
search criteria defined in the selected search definition.
This document contains a list of the all the built-in reports provided with ChangeAuditor. They are listed here
according to the folder structure under the Shared folder as they are displayed in the explorer view (left-hand
pane) of the Searches page.
2
Built-In Reports
CHANGEAUDITOR REAL-TIME
Who = All Users What = All Event Classes Where = All When = Last 20
sources minutes
All Events Reports

ALL ACCOUNT LOCKOUT EVENTS
Who = All Users What = Local User Account Locked; Local user Where = All When = Last 7 days
Account Unlocked; User Account Locked; User sources
Account Unlocked
ALL ACTIVE DIRECTORY EVENTS
Who = All Users What = Active Directory subsytem Where = All When = Last 7 days
sources
ALL CHANGEAUDITOR INTERNAL AUDITING EVENTS
Who = All Users What = ChangeAuditor Internal Auditing facility Where = All When = Last 7 days
sources
ALL COMPUTER EVENTS
Who = All Users What = Custom Computer Monitoring facility Where = All When = Last 7 days
sources
ALL CONNECTION OBJECT EVENTS
Who = All Users What = Connection Object facility Where = All When = Last 7 days
sources
ALL DNS EVENTS
Who = All Users What = DNS Service facility; DNS Zone facility Where = All When = Last 7 days
sources
ALL DOMAIN CONTROLLER EVENTS
Who = All Users What = Domain Controller Configuration facility Where = All When = Last 7 days
sources
ALL DOMAIN EVENTS
Who = All Users What = Domain Configuration facility Where = All When = Last 7 days
sources
ALL EMC EVENTS
Who = All Users What = EMC facility Where = All When = Last 7 days
sources
ALL EVENTS
Who = All Users What = All Event Classes Where = All When = Last 7 days
sources
ALL EVENTS IN THE PAST 24 HOURS
Who = All Users What = All Event Classes Where = All When = Last 24 hours
sources
ALL EXCHANGE EVENTS
Who = All Users What = Exchange subsystem Where = All When = Last 7 days
sources
ALL FAULT TOLERANCE EVENTS
Who = All Users What = Fault Tolerance facility Where = All When = Last 7 days
sources
ALL FILE SYSTEM/MISC. EVENTS
Who = All Users What = ChangeAuditor Internal Auditing facility; Where = All When = Last 7 days
Computer Account Disabled; Computer Account sources
Enabled; Computer Added; Computer Moved;
Computer Removed; Computer Renamed;
Computer Service Pack Applied; Computer
Service Pack Rolled Back; Disk Size Changed;
Memory Amount Changed; Quest Compliance
Agent Connected; Quest Compliance Agent
Disconnected; Quest Compliance Agent
Uninstalled
File System subsystem; ChangeAuditor Event
subsytem; Computer Event subsystem
ALL FILE SYSTEM EVENTS
Who = All Users What = Custom File System Monitoring facility Where = All When = Last 7 days
sources
ALL FOREST CONFIGURATION EVENTS
Who = All Users What = Forest Configuration facility Where = All When = Last 7 days
sources
6
Quest ChangeAuditor
ALL FRS EVENTS
Who = All Users What = FRS Service facility Where = All When = Last 7 days
sources
ALL GROUP EVENTS
Who = All Users What = Member Added to Critical Enterprise Where = All When = Last 7 days
Group; Member Removed from Critical Enterprise sources
Group; Nested Member Added to Critical
Enterprise Group; Nested Member Removed from
Critical Enterprise Group
Custom Group Monitoring facility
ALL GROUP POLICY EVENTS
Who = All Users What = Group Policy Link Added to OU; Group Where = All When = Last 7 days
Policy Link Removed from OU; Group Policy Link sources
Setting Modified; Group Policy Link Added to Site;
Group Policy Link Removed from Site
Group Policy Item facility; Group Policy Object
facility
ALL IP SECURITY EVENTS
Who = All Users What = IP Security facility Where = All When = Last 7 days
sources
ALL LDAP EVENTS
Who = All Users What = LDAP Query facility Where = All When = Last 7 days
sources
ALL NETAPP EVENTS
Who = All Users What = NetApp facility Where = All When = Last 7 days
sources
ALL NETLOGON EVENTS
Who = All Users What = NETLOGON Service facility Where = All When = Last 7 days
sources
ALL NTDS EVENTS
Who = All Users What = NTDS Service facility Where = All When = Last 7 days
sources
ALL OBJECT RESTORE EVENTS
Who = All Users What = Computer Added; Domain Added; Where = All When = Last 7 days
Exchange Group Added; Group Object Added; sources
Group Policy Object Added; Subordinate OU
Added; User Object Added
ALL OU EVENTS
Who = All Users What = OU facility Where = All When = Last 7 days
sources
7
ALL REGISTRY EVENTS
Who = All Users What = Registry subsystem Where = All When = Last 7 days
sources
ALL REPLICATION EVENTS
Who = All Users What = Replication Transport facility Where = All When = Last 7 days
sources
ALL SCHEMA CONFIGURATION EVENTS
Who = All Users What = Schema Configuration facility Where = All When = Last 7 days
Schema FSMO Role Owner Moved; Schema sources
Modifications Allowed Flag Changed
ALL SERVICES EVENTS
Who = All Users What = Service Monitoring facility Where = All When = Last 7 days
sources
ALL SITE EVENTS
Who = All Users What = Site Added; Site Removed; Site Where = All When = Last 7 days
Renamed; Site Link Added; Site Link Removed; sources
Site Link Bridge Added; Site Link Bridge Removed
Site Configuration facility; Site Link Bridge
Configuration facility; Site Link Configuration
facility; Subnets facility; Connection Object
facility
ALL SYSTEM EVENTS
Who = All Users What = System Events facility Where = All When = Last 7 days
sources
ALL SYSVOL EVENTS
Who = All Users What = SYSVOL facility Where = All When = Last 7 days
SYSVOL Location Changed sources
ALL USER EVENTS
Who = All Users What = Custom User Monitoring facility Where = All When = Last 7 days
sources
8
Quest ChangeAuditor
LDAP Query Reports

By default, the LDAP Query reports contain the following additional information when displayed on a
Search Results page: Origin, LDAP Attributes, LDAP Scope, LDAP Filter, LDAP Type, LDAP Occurrences,
LDAP Elapsed, LDAP Since, and LDAP Results.
ALL LDAP QUERIES GROUPED BY AD STARTING POINT
Who = All Users What = LDAP Query Performed Where = All When = N/A
sources
Advanced Tab - Order By: Time Detected (Not Grouped); LDAP Object Canonical (Grouped)
ALL LDAP QUERIES GROUPED BY LDAP SEARCH FILTER
sources
Advanced Tab - Order By: Time Detected (Not Grouped); LDAP Filter (Grouped)
ALL LDAP QUERIES GROUPED BY NUMBER OF RESULTS
Who = All Users What = UNIX-Enabled Changed for Group Where = All When = Last 7 days
Restriction = To: Enabled sources
Advanced Tab - Order By: Time Detected (Not Grouped); LDAP Results (Grouped)
ALL LDAP QUERIES GROUPED BY ORIGINATING HOSTNAME\IP ADDRESS
sources
Advanced Tab - Order By: Time Detected (Not Grouped); Origin (Grouped)
ALL LDAP QUERIES GROUPED BY TIME ELAPSED (QUERY RUN TIME)
Who = All Users What = LDAP Query Performed Where = All When = Last 7 days
sources
Advanced Tab - Order By: Time Detected (Not Grouped); LDAP Elapsed (Grouped)
ALL LDAP QUERIES IN THE LAST 1 WEEK
sources
ALL LDAP QUERIES IN LAST 30 DAYS
sources
9
Quest Authentication Services (QAS)

ALL QAS EVENTS IN LAST 30 DAYS
Who = All Users What = QAS Monitoring facility Where = All When = Last 30 days
sources
GROUPS SET TO UNIX-DISABLED IN LAST 30 DAYS
Restriction = To: Disabled sources
GROUPS SET TO UNIX-ENABLED IN LAST 30 DAYS
NIS OBJECT AUDITING IN LAST 30 DAYS
Who = All Users What = NIS Object Added; NIS Object Attribute Where = All When = Last 30 days
Changed; NIS Object Deleted; NIS Object Moved; sources
NIS Object Renamed
PERSONALITY OBJECT AUDITING IN LAST 30 DAYS
Who = All Users What = Personality Object Added; Personality Where = All When = Last 30 days
Object Attribute Changed; Personality Object sources
Deleted; Personality Object Moved; Personality
Object Renamed
QAS COMPUTER OBJECT AUDITING IN LAST 30 DAYS
Who = All Users What = QAS Computer Object Added; QAS Where = All When = Last 30 days
Computer Object Attribute Changed; QAS sources
Computer Object Deleted; QAS Computer Object
Moved; QAS Computer Object Renamed
QAS COMPUTERS ADDED IN LAST 30 DAYS
Who = All Users What = QAS Computer Object Added Where = All When = Last 30 days
sources
QAS COMPUTERS DELETED IN LAST 30 DAYS
Who = All Users What = QAS Computer Object Deleted Where = All When = Last 30 days
sources
QAS GPO SETTINGS CHANGES IN LAST 30 DAYS
Who = All Users What = QAS GPO Setting Changed Where = All When = Last 30 days
sources
UNIX HOME DIRECTORY CHANGED IN LAST 30 DAYS
Who = All Users What = UNIX Home Directory Changed Where = All When = Last 30 days
sources
UNIX LOGIN SHELL CHANGED IN LAST 30 DAYS
Who = All Users What = UNIX Login Shell Changed Where = All When = Last 30 days
sources
10
Quest ChangeAuditor
UNIX-ENABLED GROUPS DELETED IN LAST 30 DAYS
Who = All Users What = UNIX-Enabled Group Deleted Where = All When = Last 30 days
sources
UNIX-ENABLED USERS DELETED IN LAST 30 DAYS
Who = All Users What = UNIX-Enabled User Deleted Where = All When = Last 30 days
sources
USERS SET TO UNIX-DISABLED IN LAST 30 DAYS
Who = All Users What = UNIX-Enabled Changed for User Where = All When = Last 30 days
Restriction = To: Disabled sources
USERS SET TO UNIX-ENABLED IN LAST 30 DAYS
Who = All Users What = UNIX-Enabled Changed for User Where = All When = Last 30 days
Quest Defender
ALL DEFENDER EVENTS IN LAST 30 DAYS
Who = All Users What = Defender facility Where = All When = Last 30 days
sources
DEFENDER – MEMBER ADDED TO ACCESS NODE IN LAST 30 DAYS
Who = All Users What = Member Added to Access Node Where = All When = Last 30 days
sources
DEFENDER – MEMBER REMOVED FROM ACCESS NODE IN LAST 30 DAYS
Who = All Users What = Member Removed from Access Node Where = All When = Last 30 days
sources
DEFENDER ACCESS NODE ADDED IN LAST 30 DAYS
Who = All Users What = Defender Access Node Added Where = All When = Last 30 days
sources
DEFENDER ACCESS NODE REMOVED IN LAST 30 DAYS
Who = All Users What = Defender Access Node Removed Where = All When = Last 30 days
sources
DEFENDER PASSWORD EVENTS IN LAST 30 DAYS
Who = All Users What = Defender Password Changed; Defender Where = All When = Last 30 days
Password Cleared; Defender Password Expiry sources
Cleared; Defender Password Expiry Set;
Defender Password Set
DEFENDER POLICY ADDED IN LAST 30 DAYS
Who = All Users What = Defender Policy Added Where = All When = Last 30 days
sources
11
DEFENDER POLICY CHANGE EVENTS IN LAST 30 DAYS
Who = All Users What = Defender Policy Changed for Access Where = All When = Last 30 days
Node; Defender Policy Changed for Group; sources
Defender Policy Changed for Security Server;
Defender Policy Changed for User
DEFENDER POLICY REMOVED IN LAST 30 DAYS
Who = All Users What = Defender Policy Removed Where = All When = Last 30 days
sources
DEFENDER RADIUS PAYLOAD ADDED IN LAST 30 DAYS
Who = All Users What = Defender RADIUS Payload Added Where = All When = Last 30 days
sources
DEFENDER RADIUS PAYLOAD CHANGE EVENTS IN LAST 30 DAYS
Who = All Users What = Defender RADIUS Payload Changed for Where = All When = Last 30 days
Access Node; Defender RADIUS Payload sources
Changed for Group; Defender RADIUS Payload
Changed for Security Server; Defender RADIUS
Payload Changed for User
DEFENDER RADIUS PAYLOAD REMOVED IN LAST 30 DAYS
Who = All Users What = Defender RADIUS Payload Removed Where = All When = Last 30 days
sources
DEFENDER SECURITY SERVER ADDED IN LAST 30 DAYS
Who = All Users What = Defender Security Server Added Where = All When = Last 30 days
sources
DEFENDER SECURITY SERVER ASSIGNED TO ACCESS NODE IN LAST 30 DAYS
Who = All Users What = Defender Security Server Assigned to Where = All When = Last 30 days
Access Node sources
DEFENDER SECURITY SERVER REMOVED IN LAST 30 DAYS
Who = All Users What = Defender Security Server Removed Where = All When = Last 30 days
sources
DEFENDER SECURITY SERVER UNASSIGNED FROM ACCESS NODE IN LAST 30 DAYS
Who = All Users What = Defender Security Server Unassigned Where = All When = Last 30 days
from Access Node sources
DEFENDER TEMPORARY RESPONSE EVENTS IN LAST 30 DAYS
Who = All Users What = Defender Token Temporary Response Where = All When = Last 30 days
Cleared; Defender Token Temporary Response sources
Set; Defender Token Temporary Response
Usage Changed
DEFENDER TOKEN ADDED IN LAST 30 DAYS
Who = All Users What = Defender Token Added Where = All When = Last 30 days
sources
12
Quest ChangeAuditor
DEFENDER TOKEN ASSIGNED IN LAST 30 DAYS
Who = All Users What = Defender Token Assigned Where = All When = Last 30 days
sources
DEFENDER TOKEN PIN EVENTS IN LAST 30 DAYS
Who = All Users What = Defender Token PIN Changed; Defender Where = All When = Last 30 days
Token PIN Cleared; Defender Token PIN Expiry sources
Cleared; Defender Token PIN Expiry Set;
Defender Token PIN Set
DEFENDER TOKEN REMOVED IN LAST 30 DAYS
Who = All Users What = Defender Token Removed Where = All When = Last 30 days
sources
DEFENDER TOKEN UNASSIGNED IN LAST 30 DAYS
Who = All Users What = Defender Token Unassigned Where = All When = Last 30 days
sources
Recommended Best Practice Reports

Auditing Service Administrator Activity
Domain Wide Configuration Activity | Domain Admins
ALL DOMAIN CHANGES PERFORMED IN LAST 14 DAYS
Search generated for each domain in forest:
Who = All Users What = Domain Configuration facility; Where = All When = Last 14 days
Domain Controller Configuration facility sources
Forest Changes by Activity
ALL REPLICATION CHANGES PERFORMED IN LAST 30 DAYS
sources
ALL SCHEMA CHANGES PERFORMED IN LAST 30 DAYS
Schema FSMO Role Owner Moved; Schema sources
13
ALL SITE CHANGES PERFORMED IN LAST 30 DAYS
Site Link Bridge Added; Site Link Bridge
Removed
Configuration facility; Connection Object
facility; Site Link Configuration facility; Subnets
facility
Forest Wide Configuration Activity | Enterprise Admins
ALL DOMAIN CHANGES PERFORMED IN LAST 14 DAYS
Who = All Users What = Domain Configuration facility; Where = All When = Last 14 days
Domain Controller Configuration facility sources
ALL FOREST CHANGES PERFORMED IN LAST 14 DAYS
sources
ALL REPLICATION CHANGES PERFORMED IN LAST 14 DAYS
sources
ALL SITE CHANGES PERFORMED IN LAST 14 DAYS
Site Link Bridge Added; Site Link Bridge
Removed
facility; Connection Object facility; Subnets
facility
Forest Wide Configuration Activity | Schema Admins
ALL SCHEMA CHANGES PERFORMED IN LAST 14 DAYS
Schema FMSO Role Owner Moved; Schema sources
Service Admins Group Membership
MEMBERSHIP CHANGED IN CRITICAL GROUPS IN LAST 7 DAYS
Group; Member Removed from Critical sources
Enterprise Group
14
Quest ChangeAuditor
Domain Controller Changes
CHANGES IN DOMAIN CONTROLLER SERVICES
sources
CHANGES IN DOMAIN CONTROLLER SYSTEM STATE, REGISTRY AND CONFIGURATION FILES
Who = All Users What = Custom File System Monitoring facility; Where = All When = Last 7 days
Custom Registry Monitoring facility; System sources
Events facility; Service Monitoring facility
Domain-Level Changes
CHANGES IN DOMAIN-WIDE OPERATIONS MASTER ROLES
Who = All Users What = RID FSMO Role Owner Moved; PDC Where = All When = Last 7 days
FSMO Role Owner Moved; Infrastructure FSMO sources
Role Owner Moved
CHANGES IN THE GPO ASSIGNMENTS
Who = All Users What = Group Policy Block Inheritance Setting Where = All When = Last 7 days
Changed on OU; Group Policy Disabled Setting sources
on Domain Changed; Group Policy Disabled
Setting on OU Changed; Group Policy
Inheritance Blocked Setting Changed; on
Domain; Group Policy Link Added to OU; Group
Policy Link Removed from OU; Group Policy Link
Settings Modified; Group Policy Linked; Group
Policy No Override Setting Changed on Domain;
Group Policy Unlinked; Group Policy No Override
Setting Changed on OU
CHANGES IN THE LINKED GPOS
Who = All Users What = Linked Group Policy on Domain Where = All When = Last 7 days
Changed; Linked Group Policy on OU Changed sources
CHANGES IN THE MEMBERSHIP OF BUILT-IN GROUPS
Enterprise Group
CHANGES IN TRUST
Who = All Users What = Cross-forest Trust Added; Cross-forest Where = All When = Last 7 days
Trust Removed; Trust Added; Trust Removed sources
15
CHANGES TO THE AUDIT POLICY SETTINGS
Who = All Users What = Audit Account Logon Events Policy Where = All When = Last 7 days
Changed; Audit Account Management Policy sources
Changed; Audit Directory Service Access Policy
Changed; Audit Logon Events Policy Changed;
Audit Object Access Policy Changed; Audit
Policy Change Policy Changed; Audit Privilege
Use Policy Changed; Audit Process Tracking
Policy Changed; Audit System Events Policy
Changed
Exchange
ADDRESS LIST ADDED TO THE ORGANIZATION CONFIGURATION
Who = All Users What = Address List Added to Organization Where = All When = Last 7 days
Configuration sources
ALL ACTIVESYNC MAILBOX POLICY EVENTS
Who = All Users What = ActiveSync Mailbox Policy Added to Where = All When = Last 7 days
Organization Client Access Configuration; sources
ActiveSync Mailbox Policy Allow Attachments to
be Downloaded Option Changed; ActiveSync
Mailbox Policy Allow Non-Provisionable Devices
Options Changed; ActiveSync Mailbox Policy
Allow Simple Password Option Changed;
ActiveSync Mailbox Policy Enable Password
Recovery Option Changed; ActiveSync Mailbox
Policy Maximum Attachment Size Changed;
ActiveSync Mailbox Policy Minimum Password
Length Changed; ActiveSync Mailbox Policy
Password Expiration Changed; ActiveSync
Mailbox Policy Password History Changed;
ActiveSync Mailbox Policy Password Required
Option Changed; ActiveSync Mailbox Policy
Removed from Organization Client Access
Configuration; ActiveSync Mailbox Policy
Renamed; ActiveSync Mailbox Policy Require
Alphanumeric Password Option Changed;
ActiveSync Mailbox Policy Require Encryption On
Device Option Changed; ActiveSync Mailbox
Policy User Idle Timeout Changed; ActiveSync
Mailbox Policy Windows File Shares Access
Option Changed; ActiveSync Mailbox Policy
Windows SharePoint Services Access Option
Changed
ALL EMAIL ADDRESS POLICY EVENTS
Who = All Users What = Email Address Policy Added to Where = All When = Last 7 days
Organization Configuration; Email Address Policy sources
Email Address Filter List Changed; Email Address
Policy Priority Changed; Email Address Policy
Query Filter Changed; Email Address Policy
Removed from Organization Configuration;
Email Address Policy Renamed; Email Address
Policy Storage Filter Changed
16
Quest ChangeAuditor
ALL EXCHANGE ADMINISTRATIVE GROUP EVENTS
Who = All Users What = Exchange Administrative Group facility Where = All When = Last 7 days
sources
ALL EXCHANGE DISTRIBUTION LIST (GROUP) EVENTS
Who = All Users What = Exchange Distribution List facility Where = All When = Last 7 days
sources
ALL EXCHANGE EVENTS IN THE LAST 24 HOURS
Who = All Users What = Exchange subsystem Where = All When = Last 24 hours
sources
ALL EXCHANGE ORGANIZATION EVENTS
Who = All Users What = Exchange Organization facility Where = All When = Last 7 days
sources
ALL EXCHANGE PERMISSION TRACKING CHANGES
Who = All Users What = Exchange Permission Tracking facility Where = All When = Last 7 days
sources
ALL EXCHANGE SECURITY GROUP EVENTS
Who = All Users What = Exchange Security Group facility Where = All When = Last 7 days
sources
ALL JOURNALING RULE CHANGE EVENTS
Who = All Users What = Journaling Rule Added to Organization Where = All When = Last 7 days
Configuration; Journaling Rule Changed; sources
Journaling Rule Removed from Organization
Configuration; Journaling Rule Renamed
ALL SEND CONNECTOR CHANGE EVENTS
Who = All Users What = Mutual Auth TLS Option Changed on Where = All When = Last 7 days
Send Connector; Send Connector Added to sources
Organization Configuration; Send Connector
Protocol Logging Changed; Send Connector
Removed from Organization Configuration; Send
Connector Renamed; Send Connector Response
FQDN Changed; Send Connector Status
Changed
ALL TRANSPORT RULE CHANGE EVENTS
Who = All Users What = Transport Rule Added to Organization Where = All When = Last 7 days
Configuration; Transport Rule Changed; sources
Transport Rule Priority Changed; Transport Rule
Removed from Organization Configuration;
Transport Rule Renamed
17
ALL UNIFIED MESSAGING (UM) DIAL PLAN CHANGE EVENTS
Who = All Users What = Allow Announcement Interruption Where = All When = Last 7 days
Option Changed in UM Dial Plan; Allow Callers To sources
Send Voice Message Option Changed in UM Dial
Plan; Allow Callers to Transfer Option Changed in
UM Dial Plan; Allow Faxes Option Changed in UM
Dial Plan; Announcement Changed in UM Dial
Plan; Audio Codec Changed in UM Dial Plan;
Callers Can Contact Address List Changed in UM
Dial Plan; Callers Can Contact Auto Attendant
Changed in UM Dial Plan; Callers Can Contact
Extension Changed in UM Dial Plan; Callers Can
Contact Option Changed in UM Dial Plan;
Country Code Changed in UM Dial Plan; Default
Language Changed in UM Dial Plan; Greeting
Changed in UM Dial Plan; In-Country Number
Format Changed in UM Dial Plan; In-Country
Rule Group Added to UM Dial Plan; In-Country
Rule Group Removed From UM Dial Plan; Input
Failures Before Disconnect Changed in UM Dial
Plan; Input Idle Timeout Changed in UM Dial
Plan; Input Retries Changed in UM Dial Plan;
International Access Code Changed in UM Dial
Plan; International Number Format Changed in
UM Dial Plan; International Rule Group Added to
UM Dial Plan; International Rule Group Removed
from UM Dial Plan; Logon Failure Count Changed
in UM Dial Plan; Maximum Call Duration
Changed in UM Dial Plan; Maximum Recording
Duration Changed in UM Dial Plan; Name Match
Option Changed in UM Dial Plan; National
Number Prefix Changed in UM Dial Plan;
Non-Delivery Report Option Changed in UM Dial
Plan; Operator Extension Changed in UM Dial
Plan; Outside Line Access Code Changed in UM
Dial Plan; Primary Dialing Methods Changed in
UM Dial Plan; Prompt Publishing Point Changed
for UM Dial Plan; Recording Idle Timeout
Changed in UM Dial Plan; Secondary Dialing
Method Changed in UM Dial Plan; Subscriber
Access Number Added to UM Dial Plan;
Subscriber Access Number Removed from UM
Dial Plan; UM Dial Plan Added to Organization
Configuration; UM Dial Plan Removed from
Organization Configuration; UM Dial Plan
Renamed
18
Quest ChangeAuditor
ALL UNIFIED MESSAGING (UM) POLICY CHANGE EVENTS
Who = All Users What = Allow Calls to Extensions Option Where = All When = Last 7 days
Changed in UM Mailbox Policy; Allow Calls to sources
Same-Plan Users Option Changed in UM Mailbox
Policy; Allow Common PIN Pattern Option
Changed in UM Mailbox Policy; Fax Identity
Changed in UM Mailbox Policy; Fax Message Text
Changed in UM Mailbox Policy; Incorrect PIN
Mailbox Lockout Setting Changed in UM Mailbox
Policy; Incorrect PIN Reset Setting Changed in
UM Mailbox Policy; In-Country Rule Group Added
to UM Mailbox Policy; In-Country Rule Group
Removed From UM Mailbox Policy; International
Rule Group Added to UM Mailbox Policy;
International Rule Group Removed from UM
Mailbox Policy; Mailbox Enabled Text Changed in
UM Mailbox Policy; Maximum Greeting Duration
Changed in UM Mailbox Policy; Maximum
Greeting Duration Enabled Option Changed in
UM Mailbox Policy; Minimum PIN Length
Changed in UM Mailbox Policy; PIN History
Length Changed in UM Mailbox Policy; PIN
Lifetime Changed in UM Mailbox Policy; PIN
Reset Text Changed in UM Mailbox Policy; UM
Mailbox Policy Added to Organization
Configuration; UM Mailbox Policy Removed from
Organization Configuration; UM Mailbox Policy
Renamed; Voice Message Text Changed in UM
Mailbox Policy
DELETED ITEMS RETENTION PERIOD CHANGED FOR A USER
Who = All Users What = Deleted Item Retention Period Changed Where = All When = Last 7 days
sources
EXCHANGE DATABASE LOCATION CHANGED FOR MAILBOX STORE
Who = All Users What = Exchange Database Location Changed Where = All When = Last 7 days
for Mailbox Store sources
EXCHANGE DATABASE LOCATION CHANGED FOR PUBLIC STORE
Who = All Users What = Exchange Database Location Changed Where = All When = Last 7 days
for Public Store sources
EXCHANGE DATABASE STREAMING LOCATION CHANGED FOR MAILBOX STORE
Who = All Users What = Exchange Database Streaming Location Where = All When = Last 7 days
Changed for Mailbox Store sources
EXCHANGE ORGANIZATION OPERATING MODE CHANGED
Who = All Users What = Organization Operating Mode Changed Where = All When = Last 7 days
sources
EXCHANGE SERVER ADDED TO AN ADMINISTRATIVE GROUP
Who = All Users What = Exchange Server Added to Where = All When = Last 7 days
Administrative Group sources
19
EXCHANGE SERVER REMOVED FROM ADMINISTRATIVE GROUP
Who = All Users What = Exchange Server Removed from Where = All When = Last 7 days
EXCHANGE SERVER RENAMED IN ADMINISTRATIVE GROUP
Who = All Users What = Exchange Server Renamed in Where = All When = Last 7 days
GLOBAL ADDRESS LIST ADDED TO THE ORGANIZATION CONFIGURATION
Who = All Users What = Global Address List Added to Where = All When = Last 7 days
Organization Configuration sources
GLOBAL ADDRESS LIST REMOVED FROM THE ORGANIZATION CONFIGURATION
Who = All Users What = Global Address List Removed from Where = All When = Last 7 days
Organization sources
MAIL ENABLED FOR GROUP
Who = All Users What = Mail Enabled for Group Where = All When = Last 7 days
sources
MAILBOX STORE DISMOUNTED
Who = All Users What = Mailbox Store Dismounted Where = All When = Last 7 days
sources
MAILBOX STORE MOUNTED
Who = All Users What = Mailbox Store Mounted Where = All When = Last 7 days
sources
MESSAGE TRACKING OPTIONS CHANGED ON AN EXCHANGE 2003 SERVER
Who = All Users What = Message Tracking Option Changed on Where = All When = Last 7 days
Server (Exchange 2003) sources
MESSAGE TRACKING OPTIONS CHANGED ON AN EXCHANGE 2007 SERVER
Who = All Users What = Message Tracking Option Changed on Where = All When = Last 7 days
Server sources
OUTLOOK ANYWHERE ENABLED OR DISABLED FOR A SERVER
Who = All Users What = Outlook Anywhere Disabled for Server; Where = All When = Last 7 days
Outlook Anywhere Enabled for Server sources
OWA WEBSITE ADDED TO SERVER
Who = All Users What = OWA Web Site Added to Server Where = All When = Last 7 days
sources
OWA WEBSITE REMOVED FROM THE SERVER
Who = All Users What = OWA Web Site Removed from Server Where = All When = Last 7 days
sources
20
Quest ChangeAuditor
OWA WEBSITE RENAMED
Who = All Users What = OWA Web Site Renamed on Server Where = All When = Last 7 days
sources
PERMISSION CHANGE IN EXCHANGE SERVER OBJECT
Who = All Users What = Permission Change in Exchange Service Where = All When = Last 7 days
Object sources
PUBLIC FOLDER CREATED
Who = All Users What = Public Folder Store Created in Server Where = All When = Last 7 days
Storage Group sources
PUBLIC FOLDER REMOVED
Who = All Users What = Public Folder Store Removed from Where = All When = Last 7 days
Server Storage Group sources
PUBLIC FOLDER RENAMED
Who = All Users What = Public Folder Store Renamed in Server Where = All When = Last 7 days
Storage Group sources
PUBLIC STORE DISMOUNTED
Who = All Users What = Public Store Dismounted Where = All When = Last 7 days
sources
PUBLIC STORE MOUNTED
Who = All Users What = Public Store Mounted Where = All When = Last 7 days
sources
STORAGE GROUP ADDED TO EXCHANGE SERVER
Who = All Users What = Storage Group Added to Exchange Where = All When = Last 7 days
Server sources
STORAGE GROUP REMOVED FROM EXCHANGE SERVER
Who = All Users What = Storage Group Removed from Exchange Where = All When = Last 7 days
Server sources
STORAGE GROUP RENAMED IN EXCHANGE SERVER
Who = All Users What = Storage Group Renamed in Exchange Where = All When = Last 7 days
Server sources
Forest-Level Changes
CHANGES IN FOREST-WIDE OPERATIONS MASTER ROLES
Who = All Users What = Domain FSMO Role Owner Moved; Where = All When = Last 7 days
Schema FSMO Role Owner Moved sources
21
CHANGES IN LDAP POLICIES
Who = All Users What = Default Site Query Policy Object Where = All When = Last 7 days
Changed; Linked Query Policy Object for sources
Domain Controller Changed; Linked Query
Policy for Site Changed; Query Policy Added;
Query Policy Link for Domain Controller
Changed; Query Policy Removed; Query Policy
Setting Changed
CHANGES IN REPLICATION TOPOLOGY
Who = All Users What = Replication Transport facility; Site Where = All When = Last 7 days
Configuration facility; Site Link Bridge sources
facility; Subnets facility
CHANGES IN THE GPO ASSIGNMENTS FOR ALL SITES
Who = All Users What = Group Policy Link Added to Site; Group Where = All When = Last 7 days
Policy Link Removed from Site; Group Policy sources
Block Inheritance Setting Changed on Site;
Group Policy No Override Setting Changed on
Site; Group Policy Disabled Setting on Site
Changed
CHANGES IN THE GPOS LINKED TO ALL SITES
Who = All Users What = Linked Group Policy on Site Changed Where = All When = Last 7 days
sources
PROMOTION OR DEMOTION OF DOMAIN CONTROLLERS
Who = All Users What = Domain Controller Added to Domain; Where = All When = Last 7 days
Domain Controller Removed from Domain; sources
Domain Controller Renamed; GC Added; GC
Removed
SCHEMA CHANGES
sources
Severity Based Changes
HIGH SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = High severity Where = All When = Last 30 days
sources
LOW SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = Low severity Where = All When = Last 30 days
sources
MEDIUM SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = Medium severity Where = All When = Last 30 days
sources
22
Quest ChangeAuditor
SQL
ALL SQL ADD ROLES, USER, AND LOGIN EVENTS IN THE LAST 24 HOURS
Who = All Users What = Audit Add DB User; Audit Add Login; Where = All When = Last 24 Hours
Audit Add Login to Server Role; Audit Add sources
Member to DB Role; Audit Add Role
ALL SQL BROKER EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Broker Event facility Where = All When = Last 24 Hours
sources
ALL SQL SLR EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL CLR Event facility Where = All When = Last 24 Hours
sources
ALL SQL CURSORS EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Cursors Event facility Where = All When = Last 24 Hours
sources
ALL SQL DATABASE EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Database Event facility Where = All When = Last 24 Hours
sources
ALL SQL DEPRECATION EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Deprecation Event facility Where = All When = Last 24 Hours
sources
ALL SQL ERRORS AND WARNING EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Errors and Warnings Event facility Where = All When = Last 24 Hours
sources
ALL SQL EVENTS
Who = All Users What = SQL subsystem Where = All When = Last 7 Days
sources
ALL SQL EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL subsystem Where = All When = Last 24 Hours
sources
ALL SQL FULL TEXT EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Full Text Event facility Where = All When = Last 24 Hours
sources
23
ALL SQL INTERNAL AUDITING EVENTS IN THE LAST 24 HOURS
Who = All Users What = Auditing Disabled for SQL Instance; Where = All When = Last 24 Hours
Auditing Enabled for SQL Instance; SQL sources
Auditing Template Added; SQL Auditing
Template Added to Agent Configuration; SQL
Auditing Template Changed; SQL Auditing
Template Disabled; SQL Auditing Template
Enabled; SQL Auditing Template Removed; SQL
Auditing Template Removed from Agent
Configuration; SQL Instance Added; SQL
Instance Changed; SQL Instance Removed; SQL
Reporting Services Template Added; SQL
Reporting Services Template Changed; SQL
Reporting Services Template Disabled; SQL
Reporting Services Template Enabled; SQL
Reporting Services Template Removed
ALL SQL LOCK EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Locks Event facility Where = All When = Last 24 Hours
sources
ALL SQL OBJECTS EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Objects Event facility Where = All When = Last 24 Hours
sources
ALL SQL OLEDB EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL OLEDB Event facility Where = All When = Last 24 Hours
sources
ALL SQL PERFORMANCE EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Performance Event facility Where = All When = Last 24 Hours
sources
ALL SQL PROGRESS REPORT EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Progress Report Event facility Where = All When = Last 24 Hours
sources
ALL SQL QUERY NOTIFICATION EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Query Notifications Event facility Where = All When = Last 24 Hours
sources
ALL SQL SCAN EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Scans Event facility Where = All When = Last 24 Hours
sources
ALL SQL SECURITY AUDIT EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Security Audit Event facility Where = All When = Last 24 Hours
sources
ALL SQL SERVER EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Server Event facility Where = All When = Last 24 Hours
sources
24
Quest ChangeAuditor
ALL SQL SESSION EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Session Event facility Where = All When = Last 24 Hours
sources
ALL SQL STORED PROCEDURES EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Stored Procedures Event facility Where = All When = Last 24 Hours
sources
ALL SQL TRANSACTION EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL Transactions Event facility Where = All When = Last 24 Hours
sources
ALL SQL TSQL EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL TSQL Event facility Where = All When = Last 24 Hours
sources
ALL SQL USER-CONFIGURATION EVENTS IN THE LAST 24 HOURS
Who = All Users What = SQL User-Configurable Event facility Where = All When = Last 24 Hours
sources
AUDIT ACCESS DB OBJECT CHANGED
Who = All Users What = Audit Access Database Object Where = All When = Last 7 Days
sources
AUDIT ADD DB USER
Who = All Users What = Audit Add DB User Where = All When = Last 7 Days
sources
AUDIT ADD LOGIN
Who = All Users What = Audit Add Login Where = All When = Last 7 Days
sources
AUDIT ADD LOGIN TO SERVER ROLE
Who = All Users What = Audit Add Login to Server Role Where = All When = Last 7 Days
sources
AUDIT ADD MEMBER TO DB ROLE
Who = All Users What = Audit Add Member to DB Role Where = All When = Last 7 Days
sources
AUDIT ADD ROLE
Who = All Users What = Audit Add Role Where = All When = Last 7 Days
sources
AUDIT ALTER DATABASE
Who = All Users What = Audit Alter Database Where = All When = Last 7 Days
sources
25
AUDIT ALTER DATABASE OBJECT
Who = All Users What = Audit Alter Database Object Where = All When = Last 7 Days
sources
AUDIT ALTER DATABASE PRINCIPAL
Who = All Users What = Audit Alter Database Principal Where = All When = Last 7 Days
sources
AUDIT ALTER OBJECT DERIVED PERMISSION
Who = All Users What = Audit Alter Object Derived Permission Where = All When = Last 7 Days
sources
AUDIT ALTER SCHEMA OBJECT
Who = All Users What = Audit Alter Schema Object Where = All When = Last 7 Days
sources
AUDIT ALTER SERVER OBJECT
Who = All Users What = Audit Alter Server Object Where = All When = Last 7 Days
sources
AUDIT ALTER SERVER PRINCIPAL
Who = All Users What = Audit Alter Server Principal Where = All When = Last 7 Days
sources
AUDIT DROP DATABASE
Who = All Users What = Audit Drop Database Where = All When = Last 7 Days
sources
AUDIT DROP DB USER
Who = All Users What = Audit Drop DB User Where = All When = Last 7 Days
sources
DATA FILE AUTO GROW CHANGED
Who = All Users What = Data File Auto Grow Where = All When = Last 7 Days
sources
DATABASE MIRRORING STATE CHANGED
Who = All Users What = Database Mirroring State Changed Where = All When = Last 7 Days
sources
FULL TEXT CRAWL ABORTED
Who = All Users What = FT: Crawl Aborted Where = All When = Last 7 Days
sources
FULL TEXT CRAWL STARTED
Who = All Users What = FT: Crawl Started Where = All When = Last 7 Days
sources
26
Quest ChangeAuditor
FULL TEXT CRAWL STOPPED
Who = All Users What = FT: Crawl Stopped Where = All When = Last 7 Days
sources
SQL DATA FILE AUTO SHRINK CHANGED
Who = All Users What = Data File Auto Shrink Where = All When = Last 7 Days
sources
SQL ERROR LOGGED
Who = All Users What = Error Logged Where = All When = Last 7 Days
sources
SQL EVENT LOGGED
Who = All Users What = Event Logged Where = All When = Last 7 Days
sources
SQL LOCK CANCELLED
Who = All Users What = Lock: Cancel Where = All When = Last 7 Days
sources
SQL LOCK RELEASED
Who = All Users What = Lock: Released Where = All When = Last 7 Days
sources
SQL LOCKED ACQUIRE
Who = All Users What = Lock: Acquired Where = All When = Last 7 Days
sources
SQL TRANSACTION BEGIN
Who = All Users What = SQL Transaction Begin Where = All When = Last 7 Days
sources
SQL TRANSACTION COMMIT
Who = All Users What = SQL Transaction Commit Where = All When = Last 7 Days
sources
SQL TRANSACTION ROLLBACK
Who = All Users What = SQL Transaction Rollback Where = All When = Last 7 Days
sources
27
Regulatory Compliance Reports

FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01
– User Association
(EXECUTIVE SUMMARY) A01-USER ASSOCIATIONS
A summary report containing events from all of the following reports.
A01- DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed; Audit The Access of Global System
Objects Policy Changed; Audit: Audit the Use of
Backup and Restore Privilege Policy Changed;
Audit: Shut Down System Immediately if
Unable to Log Security Audits Policy Changed;
Shut Down the Computer when the Security
Audit Log is Full Policy Changed
A01- DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Who = All Users What = Agent Service Has More Than 100 Where = All When = Last 7 days
Events Waiting; Agent Service Has Reached a sources
Critical Load; Agent Service Has Returned to
Normal Operations; Quest ChangeAuditor Agent
Connected; Quest ChangeAuditor Agent
Disconnected; Quest ChangeAuditor Agent
Uninstalled
A01- DETAILED LIST OF SECURITY LOG MODIFICATIONS
Privilege Use Policy Changed; Audit Process
Tracking Policy Changed; Audit System Events
Policy Changed; Audit: Audit The Access of
Global System Objects Policy Changed; Audit:
Audit The Use of Backup and Restore Privilege
Policy Changed; Audit: Shut Down System
Immediately if Unable to Log Security Audits
Policy Changed; Security Audit Log Rolled Over;
Crash on Audit Fail Policy Changed; Shut Down
the Computer When the Security Audit Log is
Full Policy Changed
28
Quest ChangeAuditor

– Content of Audit Records
(EXECUTIVE SUMMARY) A02-CONTENT OF AUDIT RECORDS
A02 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed; Audit Object Access Policy Changed;
Audit Policy Change Policy Changed; Audit
Privilege Use Policy Changed; Audit Process
Tracking Policy Changed; Audit System Events
Policy Changed; Audit: Audit the Access of
Global System Objects Policy Changed; Audit:
Audit the Use of Backup and Restore Privilege
Policy Changed; Audit: Shut Down System
Policy Changed
A02 – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Changed; Audit: Audit The Access of Global
System Objects Policy Changed; Audit: Audit
The Use of Backup and Restore Privilege Policy
Changed; Audit: Shut Down System
Policy Changed; Security Audit Log Rolled Over;
the Computer When the Security Audit Log is
Full Policy Changed

– Auditable Events
(EXECUTIVE SUMMARY) A03-AUDITABLE EVENTS
29
A03 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed; Audit: Audit the Access of Global
System Objects Policy Changed; Audit: Audit
the Use of Backup and Restore Privilege Policy
Changed; Audit: Shut Down System
Policy Changed
A03 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Uninstalled; Quest ChangeAuditor Agent
Connected

– Audit Processing
(EXECUTIVE SUMMARY) A04-AUDIT PROCESSING
A04 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 –

Remote, Privileged Access Authentication
IA02 – DETAILED LIST OF DIAL-IN MODIFICATIONS
Who = All Users What = User Dial-in Static Route Added; User Where = All When = Last 7 days
Dial-in Static Route Removed; User Dial-in sources
Callback Options Changed; User Dial-in Static IP
Address Changed; User Dial-in Remote Access
Permission Changed; User Dial-in Verify Caller
ID Changed
30
Quest ChangeAuditor

Password Protection Mechanisms
(EXECUTIVE SUMMARY) IA03-PASSWORD PROTECTION MECHANISMS
IA03 – DETAILED LIST OF ACCOUNT LOCKOUT POLICY MODIFICATIONS
Who = All Users What = Account Lockout Threshold Policy Where = All When = Last 7 days
Changed sources
IA03 – DETAILED LIST OF LOCKOUT DURATION POLICY MODIFICATIONS
Who = All Users What = Account Lockout Duration Policy Where = All When = Last 7 days
Changed sources
IA03 – DETAILED LIST OF PASSWORD AGE POLICY MODIFICATIONS
Who = All Users What = Maximum Password Age Policy Changed Where = All When = Last 7 days
sources
IA03 – DETAILED LIST OF PASSWORD COMPLEXITY POLICY MODIFICATIONS
Who = All Users What = Password Must Meet Complexity Where = All When = Last 7 days
Requirements Policy Changed sources
IA03 – DETAILED LIST OF PASSWORD HISTORY POLICY MODIFICATIONS
Who = All Users What = Enforce Password History Policy Where = All When = Last 7 days
Changed sources
IA03 – DETAILED LIST OF STORING PASSWORD POLICY MODIFICATIONS
Who = All Users What = Store Passwords Using Reversible Where = All When = Last 7 days
Encryption Policy Changed sources

Password Life
Who = All Users What = Minimum Password Age Policy Changed; Where = All When = Last 7 days
Maximum Password Age Policy Changed sources

Password Content
(EXECUTIVE SUMMARY) IA05-PASSWORD CONTENT
31
Changed sources

Remote Access Identification Authentication
IA12 – DETAILED LIST OF DIAL-IN MODIFICATIONS
Callback Options Changed; User Dial-in Static
IP Address Changed; User Dial-in Remote
Access Permission Changed; User Dial-in Verify
Caller ID Changed

Password Management
(EXECUTIVE SUMMARY) IA016-PASSWORD MANAGEMENT
IA16 – DETAILED LIST OF ACCOUNT LOCKOUT POLICY MODIFICATIONS
Who = All Users What = Account Lockout Threshold Policy Where = All When = Last 7 days
Changed sources
IA16 – DETAILED LIST OF LOCKOUT DURATION POLICY MODIFICATIONS
Changed sources
Who = All Users What = Minimum Password Age Policy Changed; Where = All When = Last 7 days
Maximum Password Age Policy Changed sources
Changed sources
IA16 – DETAILED LIST OF STORING PASSWORDS POLICY MODIFICATIONS
Who = All Users What = Store Passwords Using Reversible Where = All When = Last 7 days
Encryption Policy Changed sources
32
Quest ChangeAuditor
NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access
Restrictions
AC01 – DETAILED LIST OF DIAL-IN MODIFICATIONS
ID Changed
NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon

Notification Message
AC02 – DETAILED LIST OF INTERACTIVE LOGIN POLICY MODIFICATIONS
Who = All Users What = Interactive Logon: Message Title for Where = All When = Last 7 days
Users Attempting to Log On Changed; sources
Interactive Logon: Do Not Require
CTRL+ALT+DEL Policy Changed; Interactive
Logon: Message Text for Users Attempting to
Log On Policy Changed; Interactive Logon: Do
Not Display Last User Name Policy Changed
NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session

Inactivity
(EXECUTIVE SUMMARY) AC05-SESSION INACTIVITY
AC05 – DETAILED LIST OF IDLE TIME POLICY MODIFICATIONS
Who = All Users What = Microsoft Network Server: Amount of Where = All When = Last 7 days
Idle Time Required Before Suspending Session sources
Policy Changed
AC05 – DETAILED LIST OF TIME EXPIRES POLICY MODIFICATIONS
Who = All Users What = Network Security: Force Logoff When Where = All When = Last 7 days
Logon Hours Expire Policy Changed sources
NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited

Connection Time
AC06 – DETAILED LIST OF LOGON TIME POLICY MODIFICATIONS
Who = All Users What = User logonHours Changed Where = All When = Last 7 days
sources
33
NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement

Mechanisms
AC09 – DETAILED LIST OF USER LOGON RESTRICTIONS POLICY MODIFICATIONS
Who = All Users What = Enforce User Logon Restrictions Policy Where = All When = Last 7 days
Changed sources
NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated

Account Controls
(EXECUTIVE SUMMARY) AC10-AUTOMATED ACCOUNT CONTROLS
AC10 – DETAILED LIST OF ACCOUNT EXPIRES MODIFICATIONS
Who = All Users What = User accountExpires Changed Where = All When = Last 7 days
sources
AC10 – DETAILED LIST OF WORKSTATION RESTRICTIONS
Who = All Users What = User userWorkstations Added; Where = All When = Last 7 days
User userWorkstations Removed sources
NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision

and Review
AC12 – DETAILED LIST OF RENAME ADMINISTRATOR AND GUEST POLICY MODIFICATIONS
Who = All Users What = Accounts: Rename Guest Account Policy Where = All When = Last 7 days
Changed; Accounts: Rename Administrator sources
Account Policy Changed
NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization

Procedures
AC14 – DETAILED LIST OF ENFORCE LOGON POLICY MODIFICATIONS
Changed sources
NIST SP 800-53 | Technical Controls | System and Communications Protection |

SP02 - Information System Partitioning
SP02 – DETAILED LIST OF TRUST POLICY MODIFICATIONS
Who = All Users What = Cross-forest Trust Removed; Where = All When = Last 7 days
Cross-forest Trust Added; Trust Removed; Trust sources
Added
34
Quest ChangeAuditor

SP04 - Denial of Service Protection
(EXECUTIVE SUMMARY) SP04-DENIAL OF SERVICE PROTECTION
SP04 – DETAILED LIST OF GLOBAL CATALOG MODIFICATIONS
Who = All Users What = GC Removed; GC Added Where = All When = Last 7 days
sources
SP04 – DETAILED LIST OF NETLOGON SERVICE MODIFICATIONS
sources

SP05 - Resource Priority
SP05 – DETAILED LIST OF HIGH SEVERITY CHANGES
sources

SP06 - Boundary Protection
SP06 – DETAILED LIST OF TRUST MODIFICATIONS
Added

SP07 - Network Segregation
SP07 – DETAILED LIST OF IP SECURITY AND CONFIGURATION MODIFICATIONS
sources

SP09 - Network Disconnect
SP09 – DETAILED LIST OF FORCED LOGOUT POLICY MODIFICATIONS
Who = All Users What = Microsoft Network Server: Amount of Where = All When = Last 7 days
Idle Time Required Before Suspending Sessions sources
Policy Changed; Network Security: Force Logoff
When Logon Hours Expire Policy Changed
35

SP11 - Trust Path
SP11 – DETAILED LIST OF TRUST MODIFICATIONS
Added

SP16 - Use of Encryption
SP16 – DETAILED LIST OF PUBLIC KEY MODIFICATIONS
Who = All Users What = Computer Public Key Policies Where = All When = Last 7 days
Autoenrollment Settings Changed; Computer sources
Public Key Policies Automatic Certificate Request
Added; Computer Public Key Policies Automatic
Certificate Request Removed; Computer Public
Key Policies Encrypting File System DRA Added;
Computer Public Key Policies Encrypting File
System DRA Changed; Computer Public Key
Policies Encrypting File System DRA Removed;
Computer Public Key Policies Enterprise Trust List
Added; Computer Public Key Policies Enterprise
Trust List Changed; Computer Public Key Policies
Enterprise Trust List Removed; Computer Public
Key Policies Trusted Root Certification Authority
Added; Computer Public Key Policies Trusted
Root Certification Authority Changed; Computer
Public Key Policies Trusted Root Certification
Authority Removed
GLBA (Gramm-Leach-Bliley Act)

6801 – Protection of Non Public Personal Information | 6801(a) – Privacy Obligation
Policy
(EXECUTIVE SUMMARY) - 6801(A) PRIVACY OBLIGATION POLICY
6801(A) – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
36
Quest ChangeAuditor
6801(A) – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
Who = All Users What = Nested Member Added to Critical Where = All When = Last 7 days
Enterprise Group; Nested Member Removed sources
from Critical Enterprise Group; Member Added to
Critical Enterprise Group; Member Removed
from Critical Enterprise Group
6801(A) – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
Who = All Users What = File Access Rights Changed; Folder Where = All When = Last 7 days
Access Rights Changed; Local Share Permissions sources
Changed; SYSVOL Folder Access Rights Changed
6801(A) – DETAILED LIST OF GPO MODIFICATIONS
Who = All Users What = Group Policy Item facility; Where = All When = Last 7 days
Group Policy Object facility sources
6801(A) – DETAILED LIST OF INTERACTIVE LOGIN POLICY MODIFICATIONS
6801(A) – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Audit Object Access Policy Changed; Audit Policy
Change Policy Changed; Audit Privilege Use
Policy Changed; Audit Process Tracking Policy
Changed; Audit System Events Policy Changed;
Audit: Audit the Access of Global System Objects
Policy Changed; Audit: Audit the Use of Backup
and Restore Privilege Policy Changed; Audit:
Shut Down System Immediately if Unable to Log
Security Audit Policy Changed; Security Audit
Log Rolled Over; Security Audit Log Rolled Over;
The Computer When The Security Log is Full
Policy Changed
6801(A) – DETAILED LIST OF SHARE MODIFICATIONS
Who = All Users What = Active Directory Shared Added; Active Where = All When = Last 7 days
Directory Shared Removed; Local Share Added; sources
Local Share Folder Path Changed; Local Share
Permissions Changed; Local Share Removed;
SYSVOL Folder Access Rights Changed; SYSVOL
Folder Auditing Changed; SYSVOL Folder
Ownership Changed
37
6805 – Enforcement | 6805(b) – Enforcement of Section 6801
(EXECUTIVE SUMMARY) - 6805(B) ENFORCEMENT OF SECTION 6801
6805(B) – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
6805(B) – DETAILED LIST OF CHANGEAUDITOR INTERNAL CONTROLS MODIFICATIONS
sources
6805(B) – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
6805(B) – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
6805(B) – DETAILED LIST OF GPO MODIFICATIONS
Who = All Users What = Group Policy Item facility; Group Policy Where = All When = Last 7 days
Object facility sources
6805(B) – DETAILED LIST OF INTERACTIVE LOGIN POLICY MODIFICATIONS
38
Quest ChangeAuditor
6805(B) – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Policy Changed; Audit: Audit Use of Backup and
Restore Privilege Policy Changed; Audit: Shut
Down System Immediately if Unable to Log
Log Rolled Over; Crash on Audit Fail Policy
Changed; Shut Down The Computer When The
Security Audit Log is Full Policy Changed
HIPAA (Health Insurance Portability and Accountability

Act)
164.308 – Administrative Procedures | 164.308(d) – Formal Mechanism for
Processing Records
(EXECUTIVE SUMMARY) - 164.308(D) FORMAL MECHANISM FOR PROCESSING RECORDS
164.308(D) – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Who = All Users What = Agent Service Has More Than 100 Events Where = All When = Last 7 days
Waiting; Agent Service Has Reached a Critical sources
Load; Agent Service Has Returned to Normal
Operations; Quest ChangeAuditor Agent
Connected
164.308(D) – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Audit: Audit the Access of Global System Object
Policy Changed; Audit: Audit the use of Backup
Changed; Shut Down the Computer When the
39
164.308 – Administrative Procedures | 164.308(e) – Information Access Control
164.308(E) – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
Enterprise Group; Nested Member Removed from sources
Critical Enterprise Group; Member Added to
Critical Enterprise Group; Member Removed from
164.308 – Administrative Procedures | 164.308(f) – Internal Audit
(EXECUTIVE SUMMARY) - 164.308(F) INTERNAL AUDIT
164.308(F) – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Who = All Users What = Agent Service Has More Than 100 Events Where = All When = Last 7 days
Waiting; Agent Service Has Reached a Critical sources
Load; Agent Service Has Returned to Normal
Operations; Quest ChangeAuditor Agent
Connected
164.308(F) – DETAILED LIST OF SECURITY EVENT LOG MODIFICATIONS
Changed
164.308 – Administrative Procedures | 164.308(g) – Security Configuration

Management
(EXECUTIVE SUMMARY) - 164.308(G) – SECURITY CONFIGURATION MANAGEMENT
40
Quest ChangeAuditor
164.308(G) – DETAILED LIST OF DACL MODIFICATIONS
Who = All Users What = DACL Changed on OU Object; DACL Where = All When = Last 7 days
Changed on User Object; DACL Changed on sources
AdminSDHolder Object; DACL Changed on
Exchange Group Object; DACL Changed on
Domain Object; DACL Changed on Group Object;
DACL Changed on Group Policy Object
164.308(G) – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
164.308(G) – DETAILED LIST OF SHARE MODIFICATIONS
Who = All Users What = Active Directory Share Added; Active Where = All When = Last 7 days
Directory Share Removed; Local Share Added; sources
Removed; Local Share Permissions Changed;
Ownership Changed
164.308 – Administrative Procedures | 164.308(h) – Security Incident Procedures
(EXECUTIVE SUMMARY) - 164.308(H) – SECURITY INCIDENT PROCEDURES
164.308(H) – DETAILED LIST OF DACL MODIFICATIONS
Who = All Users What = DACL Changed on Group Object; DACL Where = All When = Last 7 days
Changed on OU Object; DACL Changed on User sources
Object; DACL Changed on AdminSDHolder
Object; DACL Changed on Exchange Group
Object; DACL Changed on Domain Object; DACL
Changed on Group Policy Object
164.308(H) – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
164.308(H) – DETAILED LIST OF SHARE PERMISSION MODIFICATIONS
Who = All Users What = Local Share Added; Local Share Folder Where = All When = Last 7 days
Path Changed; Local Share Removed; SYSVOL sources
Folder Access Rights Changed; SYSVOL Folder
Auditing Changed; SYSVOL Folder Ownership
Changed
41
164.308 – Administrative Procedures | 164.308(j) – Termination Procedures
(EXECUTIVE SUMMARY) – 164.308(J) – TERMINATION PROCEDURES
164.308(J) – DETAILED LIST OF DELETED USER MODIFICATIONS
Who = All Users What = User Object Removed Where = All When = Last 7 days
sources
164.308(J) – DETAILED LIST OF DISABLED USER MODIFICATIONS
Who = All Users What = User Account Disabled Where = All When = Last 7 days
sources
164.310 – Physical Safeguards | 164.310(b) – Media Controls
(EXECUTIVE SUMMARY) – 164.310(B) – MEDIA CONTROLS
164.310(B) – DETAILED LIST OF GPO DISK ACCESS MODIFICATIONS
Who = All Users What = Devices: Restrict CD-ROM Access to Where = All When = Last 7 days
Locally Logged-on User Only Policy Changed; sources
Devices: Allowed to Format and Eject
Removable Media Policy Changed; Devices:
Restrict Floppy Access to Locally Logged-Out
User Only Policy Changed
164.310(B) – DETAILED LIST OF HARD DISK MODIFICATIONS
Who = All Users What = Disk Size Changed Where = All When = Last 7 days
sources
164.310 – Physical Safeguards | 164.310(d) – Policy on Workstation Use
164.310(D) – DETAILED LIST OF GPO WORKSTATION ACCESS MODIFICATIONS
Who = All Users What = Deny Access to this Computer from the Where = All When = Last 7 days
Network Policy Changed; Access this Computer sources
from the Network Policy Changed
164.310 – Physical Safeguards | 164.310(e) – Secure Workstation Location
(EXECUTIVE SUMMARY) – 164.310(E) – SECURE WORKSTATION LOCATION
164.310(E) – DETAILED LIST OF GPO WORKSTATION ACCESS MODIFICATIONS
42
Quest ChangeAuditor
164.310(E) – DETAILED LIST OF USER WORKSTATION ACCESS MODIFICATIONS
164.312 – Technical Security Services | 164.312(a) – Access Control
(EXECUTIVE SUMMARY) – 164.312(A) – ACCESS CONTROL
164.312(A) – DETAILED LIST OF GPO WORKSTATION ACCESS MODIFICATIONS
164.312(A) – DETAILED LIST OF LOGON HOURS MODIFICATIONS
sources
164.312(A) – DETAILED LIST OF USER ACCOUNT POLICY MODIFICATIONS
Who = All Users What = Maximum Password Age Policy Changed; Where = All When = Last 7 days
Enforce Password History Policy Changed; sources
Account Lockout Threshold Policy Changed;
Account Lockout Duration Policy Changed;
Enforce User Logon Restrictions Policy Changed
164.312(A) – DETAILED LIST OF USER WORKSTATION ACCESS MODIFICATIONS
164.312 – Technical Security Services | 164.312(b) – Audit Controls
(EXECUTIVE SUMMARY) – 164.312(B) – AUDIT CONTROLS
164.312(B) – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
164.312(B) – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
43
164.312(B) – DETAILED LIST OF SECURITY LOG MODIFICATIONS
164.312 – Technical Security Services | 164.312(c) – Authorization Control
(EXECUTIVE SUMMARY) – 164.312(C) – AUTHORIZATION CONTROL
164.312(C) – DETAILED LIST OF ACCOUNT EXPIRATION MODIFICATIONS
sources
164.312(C) – DETAILED LIST OF DIAL-IN MODIFICATIONS
ID Changed
164.312(C) – DETAILED LIST OF ENABLE USER MODIFICATIONS
Who = All Users What = User Account Enabled Where = All When = Last 7 days
sources
164.312(C) – DETAILED LIST OF NEW USER CREATED MODIFICATIONS
Who = All Users What = User Object Added Where = All When = Last 7 days
sources
164.312(C) – DETAILED LIST OF USER WORKSTATION RESTRICTION MODIFICATIONS
164.312 – Technical Security Services | 164.312(f) – Entity Authentication
(EXECUTIVE SUMMARY) 164.312(F) – ENTITY AUTHENTICATION
44
Quest ChangeAuditor
164.312(F) – DETAILED LIST OF AUTHENTICATION MODIFICATIONS
Who = All Users What = Deny Log On Locally Policy Changed; Where = All When = Last 7 days
Deny Log On As a Service Policy Changed; Deny sources
Access to this Computer from the Network Policy
Changed; Allow Log On Through Terminal
Services Policy Changed; Allow Log On Locally
Policy Changed; Deny Log On as a Batch Job
Policy Changed; Deny Log On Through Terminal
Services/Remote Desktop Services Policy
Changed
164.312(F) – DETAILED LIST OF DIAL-IN MODIFICATIONS
Permission Changed; User Dial-in Verify Caller ID
Changed
164.312(F) – DETAILED LIST OF FORCED LOGOFF MODIFICATIONS
Who = All Users What = Network Security: Force Logoff When Where = All When = Last 7 days
Logon Hours Expire Policy Changed sources
PCI (Payment Card Industry)

Build and Maintain a Secure Network
R1 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Security Audit Policy Changed
R1 – DETAILED LIST OF COMPUTER MODIFICATIONS
Who = All Users What = Computer Account Disabled; Computer Where = All When = Last 7 days
Account Enabled; Computer Added; Computer sources
Moved; Computer Removed; Computer
Renamed; Computer Service Pack Applied;
Computer Service Pack Rolled Back
R1 – DETAILED LIST OF COMPUTERS ADDED
Who = All Users What = Computer Added Where = All When = Last 7 days
sources
45
R1 – DETAILED LIST OF DNS MODIFICATIONS
sources
R1 – DETAILED LIST OF DOMAIN CONTROLLER MODIFICATIONS
sources
R1 – DETAILED LIST OF DOMAIN CONTROLLERS REMOVED
Who = All Users What = Domain Controller Removed from OU Where = All When = Last 7 days
sources
R1 – DETAILED LIST OF FILE SYSTEM MODIFICATIONS
sources
R1 – DETAILED LIST OF INTERACTIVE LOGIN POLICY MODIFICATIONS
Who = All Users What = Interactive Logon: Do Not Display Last Where = All When = Last 7 days
Name Policy Changed; Interactive Logon: Do Not sources
Require CTRL+ALT+DEL Policy Changed;
Interactive Logon: Message Text for Users
Attempting to Log on Policy Changed;
Interactive Logon: Message Title for Users
Attempting to Log On Changed
R1 – DETAILED LIST OF NETLOGON MODIFICATIONS
Who = All Users What = NETLOGON Services facility Where = All When = Last 7 days
sources
R1 – DETAILED LIST OF SERVICE CHANGES
sources
R1 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO ADDED
Who = All Users What = Computer Software Installation Policy Where = All When = Last 7 days
Added sources
R1 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO MODIFIED
Changed sources
R1 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO REMOVED
Removed sources
46
Quest ChangeAuditor
R2 – DETAILED LIST OF DACL MODIFICATIONS
Who = All Users What = DACL Changed on AdminSDHolder Where = All When = Last 7 days
Object; DACL Changed on Domain Object; DACL sources
Changed on Exchange Group Object; DACL
Changed on Group Object; DACL Changed on
Group Policy Object; DACL Changed on OU
Object; DACL Changed on User Object
R2 – DETAILED LIST OF GPO MODIFICATIONS
Who = All Users What = Accounts: Administrator Account Status Where = All When = Last 7 days
Policy Changed; Accounts: Guest Account Status sources
Policy Changed; Accounts: Limit Local Account
Use of Blank Passwords to Console Only Policy
Changed; Accounts: Rename Administrator
Account Policy Changed; Accounts: Rename
Guest Account Policy Changed; Audit: Audit the
Access of Global System Objects Policy Changed;
Audit: Audit the user of Backup and Restore
Privilege Policy Changed; Audit: Shut Down
System Immediately if Unable to Log Security
Audits Policy Changed; Devices: Allow Undock
Without Having to Logon Policy Changed;
Devices: Allowed to Format and Eject Removable
Media Policy Changed; Devices: Prevent Users
from Installing Printer Drivers Policy Changed;
Devices: Restrict CD-ROM Access to Locally
Logged-on User Only Policy Changed; Devices:
Restrict Floppy Access to Locally Logged-on User
Only Policy Changed; Devices: Unsigned Driver
Installation Behavior Policy Changed; Domain
Controller: Allow Server Operators to Schedule
Tasks Policy Changed; Domain Controller: LDAP
Server Signing Requirements Policy Changed;
Domain Controller: Refuse Machine Account
Password Changes Policy Changed; Domain
Member: Digitally Encrypt or Sign Secure
Channel Data (Always) Policy Changed; Enforce
Password History Policy Changed; Enforce User
Logon Restrictions Policy Changed; Maximum
Lifetime for Service Ticket Policy Changed;
Maximum Lifetime for User Ticket Policy
Changed; System Objects: Strengthen Default
Permissions of Global System Objects Policy
Changed
47
Implement Strong Access Control Measures
R7 – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
Enterprise Group; Nested Member Added to
Critical Enterprise Group; Nested Member
Removed from Critical Enterprise Group
R7 – DETAILED LIST OF DACL (PERMISSION) MODIFICATIONS
Changed on Group Object; DACL Changed on OU
R7 – DETAILED LIST OF DISABLED USER ACCOUNTS
sources
R7 – DETAILED LIST OF ENABLED USER ACCOUNTS
sources
R7 – DETAILED LIST OF EXCHANGE PERMISSION MODIFICATIONS
Who = All Users What = Permission Change in Exchange Service Where = All When = Last 7 days
Object; Permission Change in Exchange System sources
Object; Permission Change Inherited into
Exchange Service; Permission Change Inherited
into Exchange System Object
R7 – DETAILED LIST OF EXPIRED USER ACCOUNTS
sources
R7 – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
48
Quest ChangeAuditor
R7 – DETAILED LIST OF GROUP MODIFICATIONS
Who = All Users What = Custom Group Monitoring facility Where = All When = Last 7 days
sources
R7 – DETAILED LIST OF NESTED GROUP MEMBERSHIP MODIFICATIONS
Who = All Users What = Nested Member Added to Group; Nested Where = All When = Last 7 days
Member Removed from Group; Nested Member sources
Added to Critical Enterprise Group; Nested
Member Removed from Critical Enterprise Group
R7 – DETAILED LIST OF SHARE MODIFICATIONS
Ownership Changed
R7 – DETAILED LIST OF TRUST MODIFICATIONS
R7 – DETAILED LIST OF USER PERMITTED LOGON HOUR MODIFICATIONS
sources
R7 – DETAILED LIST OF USER WORKSTATION RESTRICTION MODIFICATIONS
Maintain a Vulnerability Management Program
R5 – DETAILED LIST OF SERVICE CHANGES
sources
R6 – DETAILED LIST OF ALL HOT FIXES APPLIED
Who = All Users What = Hotfix Applied Where = All When = Last 7 days
sources
R6 – DETAILED LIST OF DISABLED ACCOUNTS
sources
R6 – DETAILED LIST OF HOT FIXES ROLLED BACK
Who = All Users What = Hotfix Rolled Back Where = All When = Last 7 days
sources
49
R6 – DETAILED LIST OF SERVICE PACKS APPLIED
Who = All Users What = Computer Service Pack Applied; Where = All When = Last 7 days
Domain Controller Service Pack Applied sources
R6 – DETAILED LIST OF SERVICE PACKS ROLLED BACK
Who = All Users What = Domain Controller Service Pack Rolled Where = All When = Last 7 days
Back sources
Protect Card Holder Data
Group Policy Object; DACL Changed on OU
R4 – DETAILED LIST OF COMPUTER MODIFICATIONS
Who = All Users What = Computer Account Disabled; Computer Where = All When = Last 7 days
Account Enabled; Computer Added; Computer sources
Moved; Computer Removed; Computer
Renamed; Computer Service Pack Applied;
Computer Service Pack Rolled Back
Regularly Monitor and Test Networks
50
Quest ChangeAuditor
R10 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Uninstalled
R10 – DETAILED LIST OF CHANGEAUDITOR SECURITY GROUP MODIFICATIONS
R10 – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
Group Policy Object;DACL Changed on OU
R10 – DETAILED LIST OF NESTED GROUP MEMBERSHIP MODIFICATIONS
from Critical Enterprise Group; Nested Member
Added to Group; Nested Member Removed from
Group
51
R10 – DETAILED LIST OF SECURITY LOG MODIFICATIONS
and Restore Privilege Policy Changed; Crash on
Audit Fail Policy Changed; Security Audit Log
Rolled Over; Shut Down the Computer When the
R11 – DETAILED LIST OF ACCOUNT LOCKOUTS
Who = All Users What = User Account Locked Where = All When = Last 7 days
sources
R11 – DETAILED LIST OF DISABLED ACCOUNTS
sources
R11 – DETAILED LIST OF SERVICE MODIFICATIONS
Who = All Users What = Service Account Changed; Service Where = All When = Last 7 days
Dependencies Changed; Service Paused; Service sources
Recovery Actions Changed; Service Resumed;
Service Start Type Changed; Service Started;
Service Stopped
R11 – DETAILED LIST OF TRUST MODIFICATIONS
SAS 70 (Statement on Auditing Standards, Service

Organizations)
Service Auditor’s Reports: Type I
(EXECUTIVE SUMMARY) – SERVICE AUDITOR’S REPORT TYPE I
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Uninstalled
52
Quest ChangeAuditor
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF CHANGEAUDITOR INTERNAL CONTROLS

MODIFICATIONS
sources
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP

MODIFICATIONS
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF GPO MODIFICATIONS
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF INTERACTIVE LOGIN POLICY

MODIFICATIONS
SERVICE AUDITOR’S REPORT TYPE I – DETAILED LIST OF SECURITY LOG MODIFICATIONS
53
SOX (Sarbanes-Oxley General IT Controls Evidence

based on the COBIT Framework)
Section 404 | Acquisition and Implementation | AI01 – Identify automated solutions
(EXECUTIVE SUMMARY) AI01-IDENTITY AUTOMATED SOLUTIONS
AI01 – DETAILED LIST OF ALL REGISTRY CHANGES
sources
AI01 – DETAILED LIST OF SCHEMA CHANGES
sources
AI01 – DETAILED LIST OF SERVICE CHANGES
sources
Section 404 | Acquisition and Implementation | AI02 – Acquire and maintain

application software
(EXECUTIVE SUMMARY) AI02-ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
AI02 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO ADDED
Added sources
AI02 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO MODIFIED
Changed sources
AI02 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO REMOVED
Removed sources
Section 404 | Acquisition and Implementation | AI03 – Acquire and maintain

technology infrastructure
(EXECUTIVE SUMMARY) AI03-ACQUIRE AND MAINTAIN TECHNOLOGY INFRASTRUCTURE
54
Quest ChangeAuditor
AI03 – DETAILED LIST OF ALL HOT FIXES APPLIED
sources
AI03 – DETAILED LIST OF ALL REGISTRY CHANGES
sources
AI03 – DETAILED LIST OF HOT FIXES ROLLED BACK
sources
AI03 – DETAILED LIST OF SCHEMA MODIFICATIONS
sources
AI03 – DETAILED LIST OF SERVICE PACKS APPLIED
Who = All Users What = Computer Service Pack Applied Where = All When = Last 7 days
sources
AI03 – DETAILED LIST OF SERVICE PACKS ROLLED BACK
Who = All Users What = Computer Service Pack Rolled Back Where = All When = Last 7 days
sources
Section 404 | Acquisition and Implementation | AI04 – Develop and maintain

procedures
(EXECUTIVE SUMMARY) AI04 – DEVELOP AND MAINTAIN PROCEDURES
AI04 – DETAILED LIST OF AUTHORIZED CHANGES MADE DURING BUSINESS HOURS
Who = All Users What = All categories Where = All When = From 8:00
sources am
to 5:00 pm
AI04 – DETAILED LIST OF UNAUTHORIZED CHANGES MADE DURING BUSINESS AFTER HOURS
Who = All Users What = All categories Where = All When = From 5:00
sources pm
to 8:00 am
Section 404 | Acquisition and Implementation | AI05 – Install and accredit systems
(EXECUTIVE SUMMARY) AI05 – INSTALL AND ACCREDIT SYSTEMS
55
AI05 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO ADDED
Added sources
AI05 – DETAILED LIST OF SOFTWARE INSTALLATIONS VIA GPO MODIFIED
Changed sources
Section 404 | Acquisition and Implementation | AI06 – Manage Changes
(EXECUTIVE SUMMARY) AI06 – MANAGE CHANGES
AI06 – DETAILED LIST OF GPO MODIFICATIONS
AI06 – DETAILED LIST OF COMPUTER MODIFICATIONS
sources
AI06 – DETAILED LIST OF DNS MODIFICATIONS
sources
AI06 – DETAILED LIST OF DOMAIN MODIFICATIONS
sources
AI06 – DETAILED LIST OF EXCHANGE MODIFICATIONS
Who = All Users What = Exchange Administrative Group facility; Where = All When = Last 7 days
Exchange Distribution List facility; Exchange sources
Organization facility; Exchange Permission
Tracking facility; Exchange Security Group
facility; Exchange User facility
AI06 – DETAILED LIST OF FILE SYSTEM MODIFICATIONS
sources
AI06 – DETAILED LIST OF GROUP MODIFICATIONS
sources
AI06 – DETAILED LIST OF REGISTRY MODIFICATIONS
sources
56
Quest ChangeAuditor
AI06 – DETAILED LIST OF SCHEMA MODIFICATIONS
sources
AI06 – DETAILED LIST OF SITE MODIFICATIONS
Who = All Users What = Site Configuration facility; Site Link Where = All When = Last 7 days
Configuration facility
AI06 – DETAILED LIST OF USER MODIFICATIONS
sources
Section 404 | Delivery and Support | DS01 – Define and manage service levels
(EXECUTIVE SUMMARY) DS01 – DEFINE AND MANAGE SERVICE LEVELS
DS01 – DETAILED LIST OF DNS MODIFICATIONS
sources
DS01 – DETAILED LIST OF DOMAIN CONTROLLER MODIFICATIONS
sources
DS01 – DETAILED LIST OF DOMAIN CONTROLLER REMOVED
Who = All Users What = Domain Controller Removed from Where = All When = Last 7 days
Domain sources
DS01 – DETAILED LIST OF NETLOGON MODIFICATIONS
sources
DS01 – DETAILED LIST OF NTDS MODIFICATIONS
Who = All Users What = NTDS Service facility Where = All When = Last 7 days
sources
DS01 – DETAILED LIST OF REPLICATION MODIFICATIONS
sources
Section 404 | Delivery and Support | DS02 – Manage Third Party Services
(EXECUTIVE SUMMARY) DS02 – MANAGE THIRD PARTY SERVICES
57
DS02 – DETAILED LIST OF SERVICE MODIFICATIONS
sources
Section 404 | Delivery and Support | DS03 – Manage performance and capacity
(EXECUTIVE SUMMARY) DS03 – MANAGE PERFORMANCE AND CAPACITY
DS03 – DETAILED LIST OF DISK SIZE MODIFICATIONS
sources
DS03 – DETAILED LIST OF MEMORY MODIFICATIONS
Who = All Users What = Memory Amount Changed Where = All When = Last 7 days
sources
sources
Section 404 | Delivery and Support | DS04 – Ensure Continuous Service
(EXECUTIVE SUMMARY) DS04 – ENSURE CONTINUOUS SERVICE
DS04 – DETAILED LIST OF FAULT TOLERANCE MODIFICATIONS
Who = All Users What = Fault Tolerance facility Where = All When = Last 7 days
sources
sources
DS04 – DETAILED LIST OF REPLICATION MODIFICATIONS
sources
DS04 – DETAILED LIST OF SERVICE MODIFICATIONS
sources
58
Quest ChangeAuditor
Section 404 | Delivery and Support | DS05 – Ensure Systems Security
(EXECUTIVE SUMMARY) DS05 – ENSURE SYSTEMS SECURITY
DS05 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed; Audit: Shut Down System sources
Audit the Access of Global System Objects Policy
Changed; Audit Privilege Use Policy Changed;
Audit System Events Policy Changed; Audit
Process Tracking Policy Changed; Audit Directory
Service Access Policy Changed; Audit Logon
Events Policy Changed; Audit Object Access
Policy Changed; Audit Account Management
Policy Changed; Audit Policy Change Policy
Changed
DS05 – DETAILED LIST OF DACL (PERMISSIONS) MODIFICATIONS
Object; DACL Changed on Domain Object
DS05 – DETAILED LIST OF FILE SYSTEM PERMISSION MODIFICATIONS
DS05 – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Security Audits Policy Changed; Security Audit
59
DS05 – DETAILED LIST OF SHARE MODIFICATIONS
Ownership Changed
DS05 – DETAILED LIST OF EXCHANGE PERMISSION MODIFICATIONS
Who = All Users What = Exchange Permission Tracking facility; Where = All When = Last 7 days
Mailbox Rights Changed for User sources
Section 404 | Delivery and Support | DS06 – Identify and allocate costs
(EXECUTIVE SUMMARY) DS06 – IDENTIFY AND ALLOCATE COSTS
DS06 – DETAILED LIST OF COMPUTERS ADDED
sources
DS06 – DETAILED LIST OF DOMAIN CONTROLLERS ADDED
Who = All Users What = Domain Controller Added to Domain Where = All When = Last 7 days
sources
Section 404 | Delivery and Support | DS09 – Manage the Configuration
(EXECUTIVE SUMMARY) DS09 – MANAGE THE CONFIGURATION
DS09 – DETAILED LIST OF ALL ACTIVE DIRECTORY MODIFICATIONS
Who = All Users What = Active Directory subsystem Where = All When = Last 7 days
sources
DS09 – DETAILED LIST OF ALL EXCHANGE MODIFICATIONS
Who = All Users What = Exchange Administrative Group facility; Where = All When = Last 7 days
Exchange Distribution List facility; Exchange sources
Organization facility; Exchange Permission
Tracking facility; Exchange Security Group
facility; Exchange User facility
DS09 – DETAILED LIST OF ALL FILE SYSTEM MODIFICATIONS
Who = All Users What = File System subsystem Where = All When = Last 7 days
sources
DS09 – DETAILED LIST OF ALL REGISTRY MODIFICATIONS
sources
60
Quest ChangeAuditor
Section 404 | Delivery and Support | DS10 – Manage Problems and Incidents
(EXECUTIVE SUMMARY) DS10 – MANAGE PROBLEMS AND INCIDENTS
DS10 – DETAILED LIST OF ALL HIGH SEVERITY MODIFICATIONS
sources
DS10 – DETAILED LIST OF ALL LOW SEVERITY MODIFICATIONS
Who = All Users What = Low severity Where = All When = Last 7 days
sources
DS10 – DETAILED LIST OF ALL MEDIUM SEVERITY MODIFICATIONS
Who = All Users What = Medium severity Where = All When = Last 7 days
sources
Section 404 | Delivery and Support | DS11 – Manage Data
(EXECUTIVE SUMMARY) DS11 – MANAGE DATA
DS11 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed
DS11 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Events Waiting; Agent Service has Reached a sources
Connected
61
DS11 – DETAILED LIST OF SECURITY LOG MODIFICATIONS
Section 404 | Delivery and Support | DS12 – Manage Facilities
(EXECUTIVE SUMMARY) DS12 – MANAGE FACILITIES
DS12 – DETAILED LIST OF CONNECTION OBJECT MODIFICATIONS
Who = All Users What = Connection Object facility Where = All When = Last 7 days
sources
DS12 – DETAILED LIST OF DNS MODIFICATIONS
sources
DS12 – DETAILED LIST OF DOMAIN CONTROLLER MODIFICATIONS
sources
DS12 – DETAILED LIST OF EXCHANGE INFRASTRUCTURE MODIFICATIONS
sources
DS12 – DETAILED LIST OF FOREST MODIFICATIONS
sources
DS12 – DETAILED LIST OF IP MODIFICATIONS
sources
DS12 – DETAILED LIST OF SITE MODIFICATIONS
Who = All Users What = Site Configuration facility; Site Link Where = All When = Last 7 days
Configuration facility
62
Quest ChangeAuditor
DS12 – DETAILED LIST OF SUBNET MODIFICATIONS
Who = All Users What = Subnets facility Where = All When = Last 7 days
sources
Section 404 | Delivery and Support | DS13 – Manage Operations
(EXECUTIVE SUMMARY) DS13 – MANAGE OPERATIONS
DS13 – DETAILED LIST OF COMPUTER MODIFICATIONS
sources
DS13 – DETAILED LIST OF DOMAIN MODIFICATIONS
sources
DS13 – DETAILED LIST OF EXCHANGE MODIFICATIONS
Who = All Users What = Exchange Distribution List facility; Where = All When = Last 7 days
Exchange Permission Tracking facility; Exchange sources
Security Group facility; Exchange Administrative
Group facility; Exchange User facility
DS13 – DETAILED LIST OF FILE SYSTEM MODIFICATIONS
sources
DS13 – DETAILED LIST OF GPO MODIFICATIONS
Who = All Users What = Group Policy Item facility; Group Policy Where = All When = Last 7 days
Object facility sources
DS13 – DETAILED LIST OF GROUP MODIFICATIONS
sources
DS13 – DETAILED LIST OF OU MODIFICATIONS
Who = All Users What = OU facility Where = All When = Last 7 days
sources
DS13 – DETAILED LIST OF USER MODIFICATIONS
sources
Section 404 | Monitoring | M01 – Monitor the Processes
(EXECUTIVE SUMMARY) M01 – MONITOR THE PROCESSES
63
M01 – DETAILED LIST OF AUDIT POLICY MODIFICATIONS
Changed
M01 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
M01 – DETAILED LIST OF DACL MODIFICATIONS
M01 – DETAILED LIST OF SECURITY LOG MODIFICATIONS
M01 – DETAILED LIST OF SERVICE MODIFICATIONS
sources
64
Quest ChangeAuditor
Section 404 | Monitoring | M02 – Assess Internal Control and Adequacy
(EXECUTIVE SUMMARY) M02 – ASSESS INTERNAL CONTROL AND ADEQUACY
M02 – DETAILED LIST OF ACCOUNT LOCKOUTS
Who = All Users What = User Account Locked; User Account Where = All When = Last 7 days
Unlocked sources
M02 – DETAILED LIST OF CRITICAL GROUP MEMBERSHIP MODIFICATIONS
M02 – DETAILED LIST OF DACL MODIFICATIONS
M02 – DETAILED LIST OF DISABLED ACCOUNTS
sources
M02 – DETAILED LIST OF NESTED GROUP MEMBERSHIP MODIFICATIONS
Enterprise Group; Nested Member Added to sources
Group; Nested Member Removed from Group;
Nested Member Removed from Critical
Enterprise Group
M02 – DETAILED LIST OF TRUST MODIFICATIONS
Added
Section 404 | Monitoring | M04 – Provide for Independent Audit
(EXECUTIVE SUMMARY) M04 – PROVIDE FOR INDEPENDENT AUDIT
M04 – DETAILED LIST OF CHANGEAUDITOR SECURITY GROUP MODIFICATIONS
65
Section 404 | Planning and Organization | PO02 – Define the Information

Architecture
(EXECUTIVE SUMMARY) PO02 – DEFINE THE INFORMATION ARCHITECTURE
PO02 – DETAILED LIST OF EXCHANGE CONFIGURATION MODIFICATIONS
sources
PO02 – DETAILED LIST OF FOREST MODIFICATIONS
sources
PO02 – DETAILED LIST OF SCHEMA MODIFICATIONS
sources
Section 404 | Planning and Organization | PO07 – Manage Human Resources
(EXECUTIVE SUMMARY) PO07 – MANAGE HUMAN RESOURCES
PO07 – DETAILED LIST OF DISABLED USER ACCOUNTS
sources
PO07 – DETAILED LIST OF ENABLED USER ACCOUNTS
sources
PO07 – DETAILED LIST OF EXPIRED USER ACCOUNTS
sources
PO07 – DETAILED LIST OF USER DIAL-IN MODIFICATIONS
ID Changed
PO07 – DETAILED LIST OF USER EXCHANGE MAILBOX MODIFICATIONS
Who = All Users What = Mailbox Enabled for User; Mail Disabled Where = All When = Last 7 days
for User; Mailbox Rights Changed for User; sources
Mailbox Disabled for User; Mail Enabled for User;
Email Addresses Changed for User
66
Quest ChangeAuditor
PO07 – DETAILED LIST OF USER NAME MODIFICATIONS
Who = All Users What = User userPrincipalName Changed; Where = All When = Last 7 days
Display Name Changed on User Object; First sources
Name Changed on User Object; User
samAccountName Changed; Last Name Changed
on User Object; Domain User Renamed
PO07 – DETAILED LIST OF USER PERMITTED LOGON HOUR MODIFICATIONS
sources
PO07 – DETAILED LIST OF USER WORKSTATION RESTRICTION MODIFICATIONS
Who = All Users What = User userWorkstations Added; User Where = All When = Last 7 days
userWorkstations Removed sources
Section 404 | Planning and Organization | PO08 – Ensure compliance with external
requirements
(EXECUTIVE SUMMARY) PO08 – ENSURE COMPLIANCE WITH EXTERNAL REQUIREMENTS
PO08 – DETAILED LIST OF CHANGEAUDITOR AGENT MODIFICATIONS
Connected
PO08 – DETAILED LIST OF SECURITY AUDIT LOG MODIFICATIONS
Who = All Users What = Security Audit Log Rolled Over; Crash on Where = All When = Last 7 days
Audit Fail Policy Changed sources
Section 404 | Planning and Organization | PO09 – Assess Risks
(EXECUTIVE SUMMARY) PO09 – ASSESS RISKS
PO09 – DETAILED LIST OF DNS ZONE MODIFICATIONS
Who = All Users What = DNS Zone facility; Zone Added; Zone Where = All When = Last 7 days
Deleted; Zone Load Mode Changed sources
PO09 – DETAILED LIST OF HIGH SEVERITY MODIFICATIONS
sources
67
PO09 – DETAILED LIST OF IP SECURITY MODIFICATIONS
sources
PO09 – DETAILED LIST OF NETLOGON MODIFICATIONS
sources
PO09 – DETAILED LIST OF SCHEMA MODIFICATIONS
sources
PO09 – DETAILED LIST OF TRUST MODIFICATIONS
Added
Security Reports
Access Control - Administrator Account Activity
CRITICAL GROUP MEMBERSHIP CHANGES IN LAST 30 DAYS

Report generated for each domain
GROUP MEMBERSHIP CHANGES IN LAST 30 DAYS
Who = All Users What = Member Added to Group, Member Where = All When = Last 30 days
Removed from Group; Nested Member Added to sources
Group; Nested Member Removed from Group
PERMISSIONS TO ADMINSDHOLDER CHANGED IN LAST 30 DAYS
Object sources
Access Control - Administrator Group Activity
NESTED GROUP CHANGES IN LAST 30 DAYS
from Critical Enterprise Group; Nested Member
Added to Group; Nested Member Removed from
Group
68
Quest ChangeAuditor
PERMISSIONS ON GROUP CHANGES IN LAST 30 DAYS
Who = All Users What = DACL Changed on Group Object; Where = All When = Last 30 days
Active Directory subsystem sources
PERMISSIONS TO ADMINSDHOLDER IN LAST 30 DAYS
Object sources
Access Control – File System
CHANGES TO SYSVOL ON ALL DOMAIN CONTROLLERS IN LAST 30 DAYS
Who = All Users What = SYSVOL facility; SYSVOL Location Where = All When = Last 30 days
Changed sources
DIRECTORY SHARES ADDED IN LAST 30 DAYS
Who = All Users What = Active Directory Share Added Where = All When = Last 30 days
sources
DIRECTORY SHARES REMOVED IN LAST 30 DAYS
Who = All Users What = Active Directory Share Removed Where = All When = Last 30 days
sources
FILE/DIRECTORY ADDED IN LAST 30 DAYS
Who = All Users What = File Created; Folder Created Where = All When = Last 30 days
sources
FILE/DIRECTORY ATTRIBUTE CHANGED IN LAST 30 DAYS
Who = All Users What = File Attribute Changed; Folder Attribute Where = All When = Last 30 days
Changed sources
FILE/DIRECTORY AUDITING CHANGED IN LAST 30 DAYS
Who = All Users What = File Auditing Changed; Folder Auditing Where = All When = Last 30 days
Changed sources
FILE/DIRECTORY MODIFIED DATE CHANGED IN LAST 30 DAYS
Who = All Users What = File Last Write Changed Where = All When = Last 30 days
sources
FILE/DIRECTORY MOVED IN LAST 30 DAYS
Who = All Users What = File Moved; Folder Moved Where = All When = Last 30 days
sources
FILE/DIRECTORY OWNERSHIP CHANGED IN LAST 30 DAYS
Who = All Users What = File Ownership Changed; Folder Where = All When = Last 30 days
Ownership Changed sources
69
FILE/DIRECTORY PERMISSION CHANGED IN LAST 30 DAYS
Who = All Users What = File Access Rights Changed; Where = All When = Last 30 days
Folder Access Rights Changed sources
FILE/DIRECTORY REMOVED IN LAST 30 DAYS
Who = All Users What = File Deleted; Folder Deleted Where = All When = Last 30 days
sources
FILE/DIRECTORY RENAMED IN LAST 30 DAYS
Who = All Users What = File Renamed; Folder Renamed Where = All When = Last 30 days
sources
LOCAL SHARE ADDED IN LAST 30 DAYS
Who = All Users What = Local Share Added Where = All When = Last 30 days
sources
LOCAL SHARE AUDITING CHANGED IN LAST 30 DAYS
Who = All Users What = Local Share Auditing Changed Where = All When = Last 30 days
sources
LOCAL SHARE PERMISSION CHANGED IN LAST 30 DAYS
Who = All Users What = Local Share Permissions Changed Where = All When = Last 30 days
sources
LOCAL SHARE REMOVED IN LAST 30 DAYS
Who = All Users What = Local Share Removed Where = All When = Last 30 days
sources
SHARES ADDED IN LAST 30 DAYS
sources
SHARES REMOVED IN LAST 30 DAYS
Who = All Users What = Active Directory Share Removed Where = All When = Last 30 days
sources
Access Management
USERS ACCOUNT RESTRICTIONS CHANGED IN LAST 30 DAYS
Who = All Users What = User Account Enabled; User Account Where = All When = Last 30 days
Disabled; DACL Change on User Object; User sources
Member-of Added; User Member-of Removed;
User accountExpires Changed; User Password
Changed; User logonHours Changed; User
Account Locked; User Account Unlocked
USER LOGON HOURS CHANGED IN LAST 30 DAYS
sources
70
Quest ChangeAuditor
USERS WORKSTATION ACCESS RESTRICTIONS CHANGED IN LAST 30 DAYS
Computer Activity
COMPUTERS ADDED IN LAST 30 DAYS
sources
COMPUTERS DISABLED IN LAST 30 DAYS
Who = All Users What = Computer Account Disabled Where = All When = Last 30 days
sources
COMPUTERS ENABLED IN LAST 30 DAYS
Who = All Users What = Computer Account Enabled Where = All When = Last 30 days
sources
COMPUTERS MOVED IN LAST 30 DAYS
Who = All Users What = Computer Moved Where = All When = Last 30 days
sources
COMPUTERS REMOVED IN LAST 30 DAYS
Who = All Users What = Computer Removed Where = All When = Last 30 days
sources
COMPUTERS RENAMED IN LAST 30 DAYS
Who = All Users What = Computer Renamed Where = All When = Last 30 days
sources
COMPUTERS WITH A SERVICE PACK APPLIED IN LAST 30 DAYS
Who = All Users What = Computer Service Pack Applied Where = All When = Last 30 days
sources
COMPUTERS WITH A SERVICE PACK ROLLED BACK IN LAST 30 DAYS
Who = All Users What = Computer Service Pack Rolled Back Where = All When = Last 30 days
sources
71
Critical GPO Changes
DEFAULT DOMAIN AUDIT POLICY CHANGES IN LAST 30 DAYS

Changed; Audit System Event Policy Changed
Group Policy subsystem – Default Domain Policy
container
DEFAULT DOMAIN KERBEROS POLICY CHANGES IN LAST 30 DAYS

Changed; Maximum Lifetime for Service Ticket sources
Policy Changed; Maximum Lifetime for User
Ticket Policy Changed; Maximum Lifetime for
User Ticket Renewal Policy Changed; Maximum
Tolerance for Computer Clock Synchronization
Policy Changed
container
DEFAULT DOMAIN PASSWORD POLICY CHANGES IN LAST 30 DAYS

Changed; Maximum Password Age Policy sources
Changed; Minimum Password Age Policy
Changed; Minimum Password Length Policy
Changed; Password Must Meet Complexity
Requirements Policy Changed; Store Passwords
Using Reversible Encryption Policy Changed
container
DOMAIN CONTROLLER POLICY CHANGES IN LAST 30 DAYS

Who = All Users What = Linked Group Policy on OU Changed Where = All When = Last 30 days
sources
DOMAIN POLICY CHANGES IN LAST 30 DAYS

Who = All Users What = Linked Group Policy on Domain Changed Where = All When = Last 30 days
sources
72
Quest ChangeAuditor
Domain Controller Security
CHANGES TO DNS SETTINGS IN LAST 30 DAYS
Who = All Users What = DHCP Enabled; DHCP Disabled; Static IP Where = All When = Last 30 days
Address Changed; Subnet Mask Changed; sources
Default Gateway Changed; Contents of DNS
Server List Changed; Use Primary and
Connection Specific Suffixes Flag Changed;
Append Parent Suffixes Option Changed;
Connection Specific DNS Suffix Changed;
Contents of DNS Suffix List Changed; Use
Connection Suffix in DNS Registration Option
Changed; Connection DNS Registration Option
Changed
CHANGES TO IP DENY FILTER CHANGES IN LAST 30 DAYS
Who = All Users What = IP Deny List Entry Added; IP Deny List Where = All When = Last 30 days
Entry Removed sources
DOMAIN CONTROLLERS MOVED IN LAST 30 DAYS
Who = All Users What = Domain Controller Moved to Another OU Where = All When = Last 30 days
sources
DOMAIN CONTROLLERS RENAMED IN LAST 30 DAYS
Who = All Users What = Domain Controller Renamed Where = All When = Last 30 days
sources
GLOBAL CATALOG ADDED TO DOMAIN CONTROLLER IN LAST 30 DAYS
Who = All Users What = GC Added Where = All When = Last 30 days
sources
GLOBAL CATALOG REMOVED FROM DOMAIN CONTROLLER IN LAST 30 DAYS
Who = All Users What = GC Removed Where = All When = Last 30 days
sources
HOT FIXES APPLIED IN LAST 30 DAYS
sources
HOT FIXES ROLLED BACK IN LAST 30 DAYS
sources
SERVICE PACKS APPLIED IN LAST 30 DAYS
Who = All Users What = Domain Controller Service Pack Applied Where = All When = Last 30 days
sources
SERVICE PACKS ROLLED BACK IN LAST 30 DAYS
Who = All Users What = Domain Controller Service Pack Rolled Where = All When = Last 30 days
Back sources
73
SHARES ADDED IN LAST 30 DAYS
sources
SHARED REMOVED IN LAST 30 DAYS
Who = All Users What = Active Directory Shared Removed Where = All When = Last 30 days
sources
Domain Controller Configuration Changes
ALL BASIC DOMAIN CONTROLLER CHANGES IN LAST 30 DAYS
Who = All Users What = Append Parent Suffixes Option Changed; Where = All When = Last 30 days
Connection DNS Registration Option Changed; sources
Connection-Specific DNS Suffixes Changed;
Contents of DNS Server List Changed; Contents
of DNS Suffix List Changed; Default Gateway
Changed; DHCP Enabled; DHCP Disabled; Disk
Size Changed; IP Deny List Entry Added; IP
Deny List Entry Removed; IPSEC Settings
Changed; Memory Amount Changed; NIC
Added; NIC Removed; Processor Speed
Changed; Raw IP Allowed Protocols List
Changed; Static IP Address Changed; Subnet
Mask Changed; Use Connection Suffix in DNS
Registration Option Changed; Use of Dynamic
DNS Changed; Use Primary and Connection
Specific Suffixes Flag Changed
ALLOW RAW IP ALLOWED PROTOCOLS LIST CHANGED IN LAST 30 DAYS
Who = All Users What = Raw IP Allowed Protocols List Changed Where = All When = Last 30 days
sources
CHANGES TO IP SETTINGS IN LAST 30 DAYS
Who = All Users What = Append Parent Suffixes Option Changed; Where = All When = Last 30 days
Connection DNS Registration Option Changed; sources
Connection-Specific DNS Suffix Changed;
Contents of DNS Server List Changed; Contents
of DNS Suffix List Changed; Default Gateway
Changed; DHCP Enabled; DHCP Disabled; Static
IP Address Changed; Subnet Mask Changed; Use
Primary and Connection-Specific Suffixes Flag
Changed;
Use Connection Suffix in DNS Registration
Option Changed
DEFAULT GATEWAY CHANGES IN LAST 30 DAYS
Who = All Users What = Default Gateway Changed Where = All When = Last 30 days
sources
DHCP DISABLED IN LAST 30 DAYS
Who = All Users What = DHCP Disabled Where = All When = Last 30 days
sources
74
Quest ChangeAuditor
DHCP ENABLED IN LAST 30 DAYS
Who = All Users What = DHCP Enabled Where = All When = Last 30 days
sources
DISK SIZE CHANGES IN LAST 30 DAYS
sources
DNS SERVER LIST CHANGES IN LAST 30 DAYS
Who = All Users What = Contents of DNS Server List Changed Where = All When = Last 30 days
sources
IPSEC CHANGES IN LAST 30 DAYS
Who = All Users What = IPSEC Settings Changed Where = All When = Last 30 days
sources
MEMORY SIZE CHANGES IN LAST 30 DAYS
Who = All Users What = Memory Amount Changed Where = All When = Last 30 days
sources
NIC ADDED/REMOVED IN LAST 30 DAYS
Who = All Users What = NIC Added; NIC Removed Where = All When = Last 30 days
sources
PROCESSOR CHANGES IN LAST 30 DAYS
Who = All Users What = Processor Speed Changed Where = All When = Last 30 days
sources
STATIC IP ADDRESS CHANGES IN LAST 30 DAYS
Who = All Users What = Static IP Address Changed Where = All When = Last 30 days
sources
SUBNET MASK CHANGES IN LAST 30 DAYS
Who = All Users What = Subnet Mask Changed Where = All When = Last 30 days
sources
TCP/IP ALLOWED IN LAST 30 DAYS
Who = All Users What = IP Deny List Entry Added; Where = All When = Last 30 days
IP Deny List Entry Removed sources
USE OF DYNAMIC DNS CHANGES IN LAST 30 DAYS
Who = All Users What = Use of Dynamic DNS Changed Where = All When = Last 30 days
sources
75
Domain Security
CHANGES TO DOMAIN ACCOUNT POLICIES (GPO FILTER) IN LAST 30 DAYS
Changed; Account Lockout Threshold Policy sources
Changed; Enforce Password History Policy
Changed; Enforce User Logon Restrictions Policy
Changed; Maximum Lifetime for Service Ticket
Password Age Policy Changed; Maximum
Policy Changed; Minimum Password Age Policy
Changed; Minimum Password Length Policy
Changed; Password Must Meet Complexity
Requirements Policy Changed; Store Passwords
Using Reversible Encryption Policy Changed;
Reset Account Lockout Counter After Change
Policy Changed
CHANGES TO DOMAIN AUDIT POLICIES (GPO FILTER) IN LAST 30 DAYS
Changed; Audit System Event Policy Changed
CHANGES TO DOMAIN KERBEROS POLICIES (GPO FILTER) IN LAST 30 DAYS
Changed; Maximum Lifetime for Service Ticket sources
Policy Changed
GPO LINK CHANGES ON DOMAIN OBJECTS IN LAST 30 DAYS
Who = All Users What = DACL Changed on Group Policy Object; Where = All When = Last 30 days
Group Policy Linked; Group Policy Unlinked; sources
Group Policy Block Inheritance Setting Changed
on Domain; Group Policy No Override Setting
Changed on Domain; Group Policy Disabled
Setting on Domain Changed; Owner Changed on
Group Policy Object
PERMISSION CHANGES ON DOMAINS IN LAST 30 DAYS
Who = All Users What = DACL Changed on Domain Object Where = All When = Last 30 days
sources
PERMISSIONS TO ADMINSDHOLDER CHANGED IN LAST 30 DAYS
Object sources
76
Quest ChangeAuditor
Exchange
ALL EXCHANGE ADMINISTRATIVE GROUP EVENTS IN LAST 30 DAYS
Who = All Users What = Exchange Administrative Group facility Where = All When = Last 30 days
sources
ALL EXCHANGE DISTRIBUTION LIST EVENTS IN LAST 30 DAYS
Who = All Users What = Exchange Distribution List facility Where = All When = Last 30 days
sources
ALL EXCHANGE ORGANIZATION EVENTS IN LAST 30 DAYS
sources
ALL EXCHANGE PERMISSION TRACKING EVENTS IN LAST 30 DAYS
Who = All Users What = Exchange Permission Tracking facility Where = All When = Last 30 days
sources
ALL EXCHANGE SECURITY GROUP EVENTS IN LAST 30 DAYS
Who = All Users What = Exchange Security Group facility Where = All When = Last 30 days
sources
ALL EXCHANGE USER EVENTS IN LAST 30 DAYS
Who = All Users What = Exchange User facility Where = All When = Last 30 days
sources
Group Activity
CRITICAL GROUP MEMBERSHIP CHANGES IN LAST 30 DAYS
Group; Member Removed from Critical Enterprise sources
Group; Nested Member Added to Critical
Enterprise Group; Nested Member Removed from
GROUP MEMBERSHIP CHANGES IN LAST 30 DAYS
Who = All Users What = Member Added to Group; Member Where = All When = Last 30 days
Removed from Group; Nested Member Added to sources
Group; Nested Member Removed from Group
Group Management
GROUP ADDED IN LAST 30 DAYS
Who = All Users What = Group Object Added Where = All When = Last 30 days
sources
77
GROUP DELETED IN LAST 30 DAYS
Who = All Users What = Group Object Removed Where = All When = Last 30 days
sources
GROUP MEMBER ADDED CHANGES IN LAST 30 DAYS
Who = All Users What = Member Added to Group Where = All When = Last 30 days
sources
GROUP MEMBER REMOVED CHANGES IN LAST 30 DAYS
Who = All Users What = Member Removed from Group Where = All When = Last 30 days
sources
GROUP MOVED IN LAST 30 DAYS
Who = All Users What = Group Object Moved Where = All When = Last 30 days
sources
GROUP NESTED MEMBER ADDED CHANGES IN LAST 30 DAYS
Who = All Users What = Nested Member Added to Group Where = All When = Last 30 days
sources
GROUP NESTED MEMBER REMOVED CHANGES IN LAST 30 DAYS
Who = All Users What = Nested Member Removed from Group Where = All When = Last 30 days
sources
GROUP PERMISSIONS CHANGED IN LAST 30 DAYS
Who = All Users What = DACL Changed on Group Object Where = All When = Last 30 days
sources
GROUP RENAMED (SAM ACCOUNT NAME) CHANGES IN LAST 30 DAYS
Who = All Users What = Group samAccountName Changed Where = All When = Last 30 days
sources
GROUP RENAMED IN LAST 30 DAYS
Who = All Users What = Group Renamed Where = All When = Last 30 days
sources
GROUP TYPE CHANGES IN LAST 30 DAYS
Who = All Users What = Group Type Changed Where = All When = Last 30 days
sources
Organizational Unit Management
ORGANIZATIONAL UNITS ADDED IN LAST 30 DAYS
Who = All Users What = Subordinate OU Added Where = All When = Last 30 days
sources
ORGANIZATIONAL UNITS DELETED IN LAST 30 DAYS
Who = All Users What = Subordinate OU Removed Where = All When = Last 30 days
sources
78
Quest ChangeAuditor
ORGANIZATIONAL UNITS RENAMED IN LAST 30 DAYS
Who = All Users What = Subordinate OU Renamed Where = All When = Last 30 days
sources
ORGANIZATIONAL UNITS SET TO BLOCK GPO INHERITANCE IN LAST 30 DAYS
Changed on OU sources
Group Policy Changed last 30 days
GROUP POLICY BLOCK INHERITANCE CHANGES
Changed on OU; Group Policy Block Inheritance sources
Setting Changed on Site; Group Policy Block
Inheritance Setting Changed on Domain
GROUP POLICY DISABLED SETTING CHANGES
Who = All Users What = Group Policy Disabled Setting on OU Where = All When = Last 30 days
Changed; Group Policy Disabled Setting on Site sources
Changed; Group Policy Disabled Setting on
Domain Changed
GROUP POLICY NO OVERRIDE CHANGES
Who = All Users What = Group Policy No Override Setting Where = All When = Last 30 days
Changed on OU; Group Policy No Override sources
Setting Changed on Site; Group Policy No
Override Setting Changed on Domain
Severity Based Changes
HIGH SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = High Severity Where = All When = Last 30 days
sources
LOW SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = Low Severity Where = All When = Last 30 days
sources
MEDIUM SEVERITY CHANGES IN LAST 30 DAYS
Who = All Users What = Medium Severity Where = All When = Last 30 days
sources
79
Trust Activity
CROSS FOREST LEVEL TRUST ADDED IN LAST 30 DAYS
Who = All Users What = Cross-forest Trust Added Where = All When = Last 30 days
sources
CROSS FOREST LEVEL TRUST DELETED IN LAST 30 DAYS
Who = All Users What = Cross-forest Trust Removed Where = All When = Last 30 days
sources
TRUSTS ADDED IN LAST 30 DAYS
Who = All Users What = Trust Added Where = All When = Last 30 days
sources
TRUSTS DELETED IN LAST 30 DAYS
Who = All Users What = Trust Removed Where = All When = Last 30 days
sources
User Activity
USERS DISABLED IN LAST 30 DAYS
sources
USERS EXPIRATION DATE CHANGED IN LAST 30 DAYS
sources
USERS LOCKED IN LAST 30 DAYS
sources
USERS UNLOCKED IN LAST 30 DAYS
Who = All Users What = User Account Unlocked Where = All When = Last 30 days
sources
User Management
PERMISSIONS ON USER ACCOUNTS CHANGED IN LAST 30 DAYS
Who = All Users What = DACL Changed on User Object Where = All When = Last 30 days
sources
USERS ADDED IN LAST 30 DAYS
Who = All Users What = User Object Added Where = All When = Last 30 days
sources
80
Quest ChangeAuditor
USERS ADDED TO GROUP IN LAST 30 DAYS
Who = All Users What = User Member-of Added Where = All When = Last 30 days
sources
USERS DELETED IN LAST 30 DAYS
Who = All Users What = User Object Removed Where = All When = Last 30 days
sources
USERS DISABLED IN LAST 30 DAYS
sources
USERS DISPLAY NAME CHANGED IN LAST 30 DAYS
Who = All Users What = Display Name Changed on User Object Where = All When = Last 30 days
sources
USERS ENABLED IN LAST 30 DAYS
sources
USERS FIRST NAME CHANGED IN LAST 30 DAYS
Who = All Users What = First Name Changed on User Object Where = All When = Last 30 days
sources
USERS LAST NAME CHANGED IN LAST 30 DAYS
Who = All Users What = Last Name Changed on User Object Where = All When = Last 30 days
sources
USERS LOCKED OUT IN LAST 30 DAYS
sources
USERS LOGON HOURS CHANGES IN LAST 30 DAYS
sources
USERS MOVED IN LAST 30 DAYS
Who = All Users What = User Object Moved Where = All When = Last 30 days
sources
USERS NAME(S) CHANGED IN LAST 30 DAYS
Who = All Users What = Display Name Changed on User Object; Where = All When = Last 30 days
First Name Changed on User Object; User sources
samAccountName Changed; Last Name Changed
on User Object; User userPrincipal Name
Changed
USERS PRINCIPAL NAME CHANGED IN LAST 30 DAYS
Who = All Users What = User userPrincipalName Changed Where = All When = Last 30 days
sources
81
USERS REMOVED FROM GROUP IN LAST 30 DAYS
Who = All Users What = User Member-of Removed Where = All When = Last 30 days
sources
USERS RENAMED IN LAST 30 DAYS
Who = All Users What = Domain User Renamed Where = All When = Last 30 days
sources
USERS SAM ACCOUNT NAME CHANGED IN LAST 30 DAYS
Who = All Users What = User samAccountName Changed Where = All When = Last 30 days
sources
USERS STATUS CHANGES IN LAST 30 DAYS (ENABLED, DISABLED, CREATED, DELETED, LOCKED,
UNLOCKED)
Who = All Users What = User Account Enabled; User Account Where = All When = Last 30 days
Disabled; User Object Added; User Object sources
Removed; User Account Locked; User Account
Unlocked
USERS UNLOCKED IN LAST 30 DAYS
Who = All Users What = User Account Unlocked Where = All When = Last 30 days
sources
USERS WORKSTATION ACCESS RESTRICTIONS CHANGED IN LAST 30 DAYS
82

Change Auditor Built-In Reports

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Change Auditor Built-In Reports

Uploaded by

Copyright:

Available Formats

ChangeAuditor 5.

Built-in Reports Reference Guide

Quest Software World Headquarters

Third Party Contributions

Quest ChangeAuditor Built-in Reports Reference Guide

To execute a built-in search:

All Events Reports

ALL ACTIVE DIRECTORY EVENTS

ALL CHANGEAUDITOR INTERNAL AUDITING EVENTS

ALL COMPUTER EVENTS

ALL CONNECTION OBJECT EVENTS

ALL DNS EVENTS

ALL DOMAIN CONTROLLER EVENTS

ALL DOMAIN EVENTS

ALL EMC EVENTS

ALL EVENTS IN THE PAST 24 HOURS

ALL EXCHANGE EVENTS

ALL FAULT TOLERANCE EVENTS

ALL FILE SYSTEM/MISC. EVENTS

ALL FILE SYSTEM EVENTS

ALL FOREST CONFIGURATION EVENTS

ALL FRS EVENTS

ALL GROUP EVENTS

ALL GROUP POLICY EVENTS

ALL IP SECURITY EVENTS

ALL LDAP EVENTS

ALL NETAPP EVENTS

ALL NETLOGON EVENTS

ALL NTDS EVENTS

ALL OBJECT RESTORE EVENTS

ALL REGISTRY EVENTS

ALL REPLICATION EVENTS

ALL SCHEMA CONFIGURATION EVENTS

ALL SERVICES EVENTS

ALL SITE EVENTS

ALL SYSTEM EVENTS

ALL SYSVOL EVENTS

ALL USER EVENTS

LDAP Query Reports

ALL LDAP QUERIES GROUPED BY AD STARTING POINT

ALL LDAP QUERIES GROUPED BY LDAP SEARCH FILTER

ALL LDAP QUERIES GROUPED BY NUMBER OF RESULTS

ALL LDAP QUERIES GROUPED BY ORIGINATING HOSTNAME\IP ADDRESS

ALL LDAP QUERIES GROUPED BY TIME ELAPSED (QUERY RUN TIME)

ALL LDAP QUERIES IN THE LAST 1 WEEK

ALL LDAP QUERIES IN LAST 30 DAYS

Quest Authentication Services (QAS)

GROUPS SET TO UNIX-DISABLED IN LAST 30 DAYS

GROUPS SET TO UNIX-ENABLED IN LAST 30 DAYS

NIS OBJECT AUDITING IN LAST 30 DAYS

PERSONALITY OBJECT AUDITING IN LAST 30 DAYS

QAS COMPUTER OBJECT AUDITING IN LAST 30 DAYS

QAS COMPUTERS ADDED IN LAST 30 DAYS

QAS COMPUTERS DELETED IN LAST 30 DAYS

QAS GPO SETTINGS CHANGES IN LAST 30 DAYS

UNIX HOME DIRECTORY CHANGED IN LAST 30 DAYS

UNIX LOGIN SHELL CHANGED IN LAST 30 DAYS

UNIX-ENABLED GROUPS DELETED IN LAST 30 DAYS

UNIX-ENABLED USERS DELETED IN LAST 30 DAYS

USERS SET TO UNIX-DISABLED IN LAST 30 DAYS

USERS SET TO UNIX-ENABLED IN LAST 30 DAYS

DEFENDER – MEMBER ADDED TO ACCESS NODE IN LAST 30 DAYS

DEFENDER – MEMBER REMOVED FROM ACCESS NODE IN LAST 30 DAYS