Welcome. This is "Quest Unscripted"--
--a vlog series on trending topics--
--and Quest solutions related to Active Directory--
--oh, and don't forget Azure AD.
You are here because you have questions.
We're here because we have answers.
We will address questions we've received from customers--
--experiencing the same challenges as you--
--all with the goal of helping you confidently move--
--your Microsoft environment.
We call the show "Quest Unscripted" because--
--except for this intro--
--nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hey, folks. Thanks for joining. We're going to be talking about what's new in Change Auditor 7.3. Are you guys excited about the new release?
I'm excited about every release.
OK, well, speaking of every release, how long has Change Auditor been out there, Bryan?
So the Change Auditor brand name was taken from [INAUDIBLE] back in 2008. Quest had actually been working on technology-- it was called InTrust for AD for a while, going back to, I think, around 2004. In 2008, 2009, we blended them together and we retired the InTrust for AD capability. And now we have, with Change Auditor for AD today, the combination of both those products.
So where have you seen it shift from where it was to where it is today?
So originally, we were enriching the different data. It was from a compliance perspective. We wanted to be able to schedule reports, give an audit type needs. Over the last five-plus years, we're really focusing more on not just compliance, but really trying to get a lot more security capabilities out there because Active Directory has been constantly under attack. So we want to constantly or immediately be notified when something bad does happen.
Got you. And speaking of the last few years, in the last few months, we've obviously added one great new team member to the mix. Anna Malec, welcome to Unscripted.
And obviously, you've used Change Auditor as a customer. So speaking of what Bryan just talked about and where you are today, what's your perspective on working with Change Auditor from a customer standpoint versus now you basically deliver demos and presentations and you know the product in more details? What's the difference from where you sat before and what you are seeing in Change Auditor today?
OK, so, I mean, the product overall I love from every perspective, especially because going through a security event in an organization, a Change Auditor became the most critical tool, at least to me. And so we use it a ton for alerting since then, and then also protections. The difference between then and now is what I learned is we can do DCShadow searches, DCSync, AdminSDHolder, and then also, from the other perspective, from the protection.
I didn't know that I could protect the Active Directory dit file. And then also, which I found a really critical, was we can alert and protect the linking of gpos at the root of the domain or forest. So that would have been great to when I was a customer.
Yeah, that's great. Well, I think that 7.3, guys, has also some new enhancements around the dit file protection. But let's park that for now. Ian, so what's new in Change Audit 7.3?
There's a couple of brand new things. I think the first really new item is now publishing and forwarding events to Microsoft Sentinel. Sentinel is Microsoft's first foray into SIEM. It's hosted.
So in prior versions, we could publish to Splunk or to our ArcSight, QRadar. We now have Sentinel on that list, as well. All the events that we're doing can be that we're doing on prem could be pushed up into Sentinel and added to that SIEM solution, as well.
The development team is going to be doing a lot of work around modifying what we did with auditing SQL before. And they've just started to add in some previews of that with some new SQL auditing events that we've done. And again, we've improved security, the app, the Lava module. There's some PowerShell commands that you can use, as well. Some additional platform support you can run on server 22 now. Yeah, Bryan?
Yeah, I just wanted to talk about security. Go ahead.
Microsoft is deprecating RC4, a fantastic feature, as we can identify where RC4 is being used. So then you understand if something is going to break later on. Fortunately, we implemented this in our different labs beginning in November, it was middle of November that Microsoft, with one of the different updates, deprecated some different stuff. So I do have some audit events out there. Hopefully I never see RC4 again.
But some organizations had to revert that back to understand where it's being used. Use that change-up for log-on capability. Identify that so you know what may actually be impacted.
Yeah, good point, Bryan.
Talk to us about what is administrator in the whole field. What's that all about?
There's something else I love-- because you've heard me talk about BloodHound, Tier 0, all that other stuff. Then the searching under the who, we can actually search on who is administrator. There's a new is administrator, so we actually can look at all the activity from a person if that account has admin county claim one, they're nested domain admins, whatever, we can search off that instead of just particularly specifying domain admins, enterprise admins.
There's help desk nested in domain admins. They'll show up in that different search now, as well.
Yeah. And like Anna was talking about earlier, you obviously can set up an alert for that kind of search so that you are aware of these events as they happen. Ian, last question is, so for folks who want to upgrade to 7.3, what's the upgrade process look like?
The upgrade process hasn't really changed. It's a direct upgrade from a prior version. I think we can even go back as far as some of 6.8, 6.9 versions. If you're on 7, it's just a straight upgrade. You will upgrade your coordinators.
When you upgrade the first coordinator, it will also upgrade the database. So if you have more than one coordinator, you'll update the first one. That updates the database. Upgrade your second coordinator.
Then you need to upgrade the clients. The client version has to match the coordinator version. So upgrade your stat clients. Upgrade your web clients. And then, if you need to or want to, you can go into the client at that point and push the updated agents out to the machines that support the newer agents, as well. So very straightforward.
Great. Thank you guys so much. Anna, welcome to the team, and appreciate it. Talk to you later.