One Identity Change Auditor
About
The vendor is listed as One Identity, which is part of Quest Software. Change Auditor provides real-time IT auditing, in-depth forensics and comprehensive security monitoring of all key user and administrator changes in Microsoft Windows environments.
Product Details
Vendor URL: One Identity | Unified Identity Security
Additional URLs: Quest | IT Management | Mitigate Risk | Accelerate Results
Microsoft Windows IT Security Auditing Software | Change Auditor
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: CEF:0
Expected Normalization Rate: near 100%
Data Label: ONEIDENTITY_CHANGE_AUDITOR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
eventID | metadata.product_log_id |
userPrincipalName | principal.user.userid |
userSid | principal.user.windows_sid |
computer | principal.hostname |
src | principal.ip |
domain | principal.administrative_domain |
object_name | target.user.userid |
origin | intermediary.hostname |
osVersion | intermediary.platform_version |
platform | intermediary.platform |
ipAddress | intermediary.ip |
attributeName | security_result.about.labels |
result | security_result.action |
severity | security_result.severity |
STATIC | metadata.vendor_name |
STATIC | metadata.product_name |
STATIC | metadata.event_type |
Product Event Types
Event | UDM Event Classification |
---|---|
All events | GENERIC_EVENT |
Log Sample
3271 <14>1 - CUSTBART - - - - Sep 22 2021 23:55:08 CUSTBART CEF:0|Quest Software|Change Auditor|7.0.14039.4|Active Directory|User password changed|Medium| categoryBehavior=Modify Attribute categoryOutcome=Success dvchost=hostname2.domain.com dvc=10.1.3.5 eventId=0x0000001900008FEA00000001 src=10.2.1.1 shost=hostname1.domain.com suid=S-1-5-21-4081090624-2963864240-3026879188-336520 suser=jdoe\\s-SPRINGFIELD.PAM.Reconcile msg=The password was changed for user CN\=doe-j,OU\=Enhanced,OU\=.Spec,OU\=Users,OU\=.Resources,DC\=domain,DC\=com. start=Sep 22 2021 23:55:08 end=Sep 22 2021 23:55:08 recordId=47568895 event=User password changed link=http://documents.quest.com/change-auditor-for-active-directory/7.0.4/event-reference-guide/ action=Modify Attribute facility=Custom User Monitoring severity=Medium subsystem=Active Directory result=Success eventID=001cec01-5284-5358-062c-73c5af33f1f2 agentID=abcde007-04f5-41b7-a9da-0256d0447762 eventClassID=fa9b7ec1-e285-4900-85a9-8ba72676c975 subsystemID=1 facilityID=25 valueTypeID=210 severityID=2 actionID=16 resultID=1 timeDetected=09/22/2021 23:55:08 timeZoneOffset=0 timeBatched=09/22/2021 23:55:17 timeOfDay=1435 timeReceived=09/22/2021 23:55:15 repositoryID=330f6f37-3e86-4022-8339-95540ec80817 userSid=S-1-5-21-4081090624-2963864240-3026879188-336520 userSIDHash=1541040488 user=jdoe\\s-SPRINGFIELD.PAM.Reconcile userNameHash=103638215 userDisplay=S-SPRINGFIELD.PAM.Reconcile, Service ID origin=hostname1.domain.com userAddressHash=602514452 originIPv4=10.2.1.1 userAddressIPv4Hash=-100000007 userAddressIPv6Hash=300000150 userMailHash=371857150 description=The password was changed for user CN\=doe-j,OU\=Enhanced,OU\=.Spec,OU\=Users,OU\=.Resources,DC\=domain,DC\=com. serverDn=CN\=VhostMPC001,OU\=Domain Controllers,DC\=domain,DC\=com serverFqdn=hostname1.domain.com serverFQDNHash=1856070000 computer=hostVMPC001 serverNameHash=1991341978 serverOu=OU\=Domain Controllers,DC\=domain,DC\=com osVersion=Windows Server 2016 Datacenter ipAddress=10.1.3.5 iPAddressHash=2100361863 dc=True exchange=False domainID=01b50709-2f61-4462-90b8-dd98c164b8c9 parentDomainID=00000000-0000-0000-0000-000000000000 domainDn=DC\=domain,DC\=com domainFqdn=domain.com domain=DOMAIN domainNameHash=989882270 siteID=2469ac09-10a6-4e61-845e-ba7916b29492 siteDn=CN\=C-US-M0-AzureEastUS,CN\=Sites,CN\=Configuration,DC\=domain,DC\=com site=C-US-M0-AzureEastUS siteNameHash=-2005305683 organizationalUnit=Enhanced organizationalUnitHash=-1411691096 parentObjectID=b5d26152-c35d-4a00-b704-8de1fbbe0c12 objectID=edf5dd7f-2402-47e0-9255-2d64079535f0 objectClass=user objectClassHash=164503593 objectName=doe-j objectNameHash=2101486463 attributeName=unicodePwd objectDn=CN\=doe-j,OU\=Enhanced,OU\=.Spec,OU\=Users,OU\=.Resources,DC\=domain,DC\=com objectCanonical=domain.com/.Resources/Users/.Spec/Enhanced/doe-j objectCanonicalHash=-317434839 sslTls=False kerberos=False adOriginatingObjectID=edf5dd7f-2402-47e0-9255-2d64079535f0 adUsnChangedPre=351176164 adUsnChangedPost=351176164 samAccountName=doe-j userPrincipalName=john.doe@domain.com administrator=True originAdSite=US-VA-place-7947 simpleBind=True authPort=464 id=0x0000001900008FEA00000001 eventID1=001cec01-5284-5358-062c-73c5af33f1f2
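The Log Sample above arrives inside a syslog frame (octet count plus an RFC 5424 header) and its extension values contain distinguished names with CEF-escaped "\=" sequences and multi-word values such as osVersion, so a parser that splits on every "=" or every space produces wrong field values. The Python below is an added example, not part of this page or of the vendor's or Chronicle's own parser: it locates the CEF payload, splits the seven header fields on unescaped pipes, cuts the extension on key= boundaries, unescapes values, and applies the UDM Fields table from this page to a constructed, abbreviated copy of the sample event. Assumptions: the table's object_name is taken to be the CEF key objectName present in the sample; Success to ALLOW and Medium to MEDIUM follow the Sample Parsing, while the other action and severity mappings and the WINDOWS fallback derived from osVersion (the sample carries no platform key) are my own; GENERIC_EVENT follows the Product Event Types table.

```python
import json
import re

# Constructed sample: the Change Auditor event from the Log Sample above, cut down
# to the extension keys the field table uses (the real record carries ~90 keys).
SAMPLE_LOG = (
    "3271 <14>1 - CUSTBART - - - - Sep 22 2021 23:55:08 CUSTBART "
    "CEF:0|Quest Software|Change Auditor|7.0.14039.4|Active Directory|"
    "User password changed|Medium| "
    "categoryBehavior=Modify Attribute categoryOutcome=Success "
    "dvchost=hostname2.domain.com dvc=10.1.3.5 eventId=0x0000001900008FEA00000001 "
    "src=10.2.1.1 shost=hostname1.domain.com suser=jdoe\\\\s-SPRINGFIELD.PAM.Reconcile "
    "msg=The password was changed for user CN\\=doe-j,OU\\=Enhanced,OU\\=.Spec,"
    "OU\\=Users,OU\\=.Resources,DC\\=domain,DC\\=com. "
    "result=Success eventID=001cec01-5284-5358-062c-73c5af33f1f2 severity=Medium "
    "userSid=S-1-5-21-4081090624-2963864240-3026879188-336520 "
    "origin=hostname1.domain.com computer=hostVMPC001 "
    "osVersion=Windows Server 2016 Datacenter ipAddress=10.1.3.5 domain=DOMAIN "
    "objectName=doe-j attributeName=unicodePwd "
    "objectDn=CN\\=doe-j,OU\\=Enhanced,OU\\=.Spec,OU\\=Users,OU\\=.Resources,DC\\=domain,DC\\=com "
    "userPrincipalName=john.doe@domain.com"
)

# A key is a run of [A-Za-z0-9_] directly followed by '=' at the start of the
# extension or after whitespace. An escaped '\=' inside a value has a backslash
# before the '=', so it never matches and distinguished names stay whole.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")   # '|' not preceded by a backslash
ESCAPE_RE = re.compile(r"\\(.)")              # backslash + any one character
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")


def unescape(value: str) -> str:
    # Undo CEF escaping: '\\' -> '\', '\=' -> '=', '\|' -> '|', '\n'/'\r' -> newline chars.
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict[str, str]:
    """Cut the extension on key= boundaries so multi-word values survive."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> dict:
    """Skip the syslog frame and split the seven header fields on unescaped '|'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = HEADER_SPLIT_RE.split(line[start:], maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF:0 header")
    header = dict(zip(HEADER_NAMES, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    return {"header": header, "extension": parse_extension(parts[7])}


# UDM Fields table from this page; object_name is assumed to be the CEF key objectName.
FIELD_MAP = {
    "eventID": "metadata.product_log_id",
    "userPrincipalName": "principal.user.userid",
    "userSid": "principal.user.windows_sid",
    "computer": "principal.hostname",
    "src": "principal.ip",
    "domain": "principal.administrative_domain",
    "objectName": "target.user.userid",
    "origin": "intermediary.hostname",
    "osVersion": "intermediary.platform_version",
    "platform": "intermediary.platform",
    "ipAddress": "intermediary.ip",
}
# Success->ALLOW and Medium->MEDIUM match the Sample Parsing; the other entries are assumptions.
ACTION_MAP = {"Success": "ALLOW", "Failure": "BLOCK"}
SEVERITY_MAP = {"Low": "LOW", "Medium": "MEDIUM", "High": "HIGH", "Critical": "CRITICAL"}


def to_udm(line: str) -> dict:
    """Map one Change Auditor CEF line to flat UDM field paths per the table."""
    cef = parse_cef(line)
    ext = cef["extension"]
    udm = {  # STATIC rows of the table; event type per the Product Event Types table
        "metadata.vendor_name": "Quest Software",
        "metadata.product_name": "Change Auditor",
        "metadata.event_type": "GENERIC_EVENT",
    }
    for key, udm_field in FIELD_MAP.items():
        if ext.get(key):               # absent or empty keys produce no UDM field
            udm[udm_field] = ext[key]
    # Assumption: no 'platform' key in the sample, so derive WINDOWS from osVersion.
    if "intermediary.platform" not in udm and ext.get("osVersion", "").startswith("Windows"):
        udm["intermediary.platform"] = "WINDOWS"
    if ext.get("attributeName"):
        udm["security_result.about.labels"] = [{"key": "AttributeName", "value": ext["attributeName"]}]
    if ext.get("result"):
        udm["security_result.action"] = ACTION_MAP.get(ext["result"], "UNKNOWN_ACTION")
    severity = ext.get("severity") or cef["header"]["severity"]   # header severity as fallback
    udm["security_result.severity"] = SEVERITY_MAP.get(severity, "UNKNOWN_SEVERITY")
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_LOG), indent=2))
```

Running the block prints the UDM record for the constructed sample. Note that eventId and eventID are two different CEF keys in this log (an opaque hex id and a GUID); the table maps the GUID one, so the lookup must stay case-sensitive.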
Sample Parsing
metadata.product_log_id = "f51cec01-719b-0c56-e4d6-4ea8245fd2d9"
metadata.event_timestamp = "2021-09-24T05:09:34Z"
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "Quest Software"
metadata.product_name = "Change Auditor"
metadata.ingested_timestamp = "2021-09-24T05:11:04.396662Z"
metadata.ingestion_labels.key = "cyderes.io/source/agent"
metadata.ingestion_labels.value = "cdp-syslog-forwarder@cyderes.io/latest"
metadata.ingestion_labels.key = "cyderes.io/source/path"
metadata.ingestion_labels.key = "cyderes.io/source/type"
metadata.ingestion_labels.key = "cyderes.io/persistent-object"
metadata.ingestion_labels.value = "cyderes-uap-stuff-production/ONEIDENTITY_CHANGE_AUDITOR/2021/09/24/05/1632460240_cdp-domain-cdp-azure-useast-cdp-syslog-forwarder-5bdb5969xztpq_0.gz"
principal.hostname = "hostname1"
principal.user.userid = "john.doe@domain.com"
principal.user.windows_sid = "S-1-5-21-4081090624-2963864240-3026879188-309948"
principal.ip = "10.1.3.4"
principal.administrative_domain = "domain"
principal.asset.ip = "10.1.3.4"
target.user.userid = "Joe.doe"
intermediary.hostname = "hostname2.domain.com"
intermediary.platform = "WINDOWS"
intermediary.ip = "10.1.4.6"
intermediary.platform_version = "Windows Server 2016 Datacenter"
security_result.about.labels.key = "AttributeName"
security_result.about.labels.value = "directReport"
security_result.action = "ALLOW"
security_result.severity = "MEDIUM"
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming soon