
Programmatically Retrieve Search Results

Howdy.   Curious if Change Auditor has a mechanism to programmatically retrieve search results.   The PowerShell module seems more for management of Change Auditor and I've not found any information on a REST or SOAP interface.   Wondering if this functionality exists?

Chad

  • Change Auditor now has the ability to export events to Splunk where they can then be programmatically acquired from that platform.

    Also, it can post events to a WMI interface on the Change Auditor Coordinator.  This is probably more practical for alerting type scenarios rather than bulk acquisition of Search results.

    Here's what a sample WMI-posted event looks like: (more comments below the sample event)

    __GENUS : 2
    __CLASS : CAAD_Event
    __SUPERCLASS :
    __DYNASTY : CAAD_Event
    __RELPATH : CAAD_Event.EventID="381de601-7cc4-a357-676a-786052653a12"
    __PROPERTY_COUNT : 124
    __DERIVATION : {}
    __SERVER : ARS69
    __NAMESPACE : ROOT\Dell\ChangeAuditor
    __PATH : \\ARS69\ROOT\Dell\ChangeAuditor:CAAD_Event.EventID="381de601-7cc4-a357-676a-786052653a12"
    Action : ActionModAttribute
    ADAMAttributeName :
    ADAMConfigurationSet :
    ADAMInstanceName :
    ADAMObjectCanonical :
    ADAMObjectClass :
    ADAMObjectName :
    ADAMObjectOU :
    ADAMPartitionName :
    Agent : COMPANYA-DC
    AgentID : 66c71eb5-a583-4421-9e3c-cf61bc67c14a
    AgentType : DC
    Attribute : mail
    Comment :
    Description :
    DirectoryObjectCanonical : companya.local/Train/Student11User
    DirectoryObjectID : 364b24f7-2922-4177-995c-5257a14395f7
    DirectoryObjectName : companya.local/Train/Student11User
    DirectorySignSeal : true
    DirectorySslTls : false
    DomainName : COMPANYA
    EventClassID : 345b9516-b56e-4c55-8046-ba7521e71048
    EventClassLink :
    EventID : 381de601-7cc4-a357-676a-786052653a12
    EventSource : Change Auditor
    Facility : FacilityCustomObjectMonitoring
    FileName :
    FileServer :
    FileSystemTypeID : 0
    FolderPath :
    ForestName : companya.local
    FromValue : student11@companya.local
    InitiatorSID :
    InitiatorUserName :
    LDAPQueryAttributes :
    LDAPQueryElapsed : 0
    LDAPQueryFilter :
    LDAPQueryObjectCanonical : compooanya.local/Train/Student11User
    LDAPQueryOccurrences : 0
    LDAPQueryResults : 0
    LDAPQueryScope :
    LDAPQuerySince :
    LDAPQueryType :
    LogonID :
    Message : mail attribute was changed for user companya.local/Train/Student11User
    MissingNew : False
    MissingOld : False
    ObjectClass : user
    ObjectName : companya.local/Train/Student11User
    OrganizationalUnit : Train
    OSVersion : Windows Server 2008 R2 Enterprise
    ParentDirectoryObjectID : 29c79a42-86f7-411f-ae47-0e211e48415f
    PolicyItem :
    PolicyName :
    PolicySection :
    PrimarySID :
    PrincipalName :
    PrincipalType : 0
    ProcessName :
    RegistryKey :
    RegistryValue :
    ResultID : 1
    ResultName : ResultSuccess
    SamAccountName :
    SCOMSeverity : 1
    ServiceDisplayName :
    ServiceName :
    SeverityName : SeverityMedium
    ShareName :
    SharePointFarmName :
    SharePointItemName :
    SharePointItemURL :
    SharePointListName :
    SharePointListPath :
    SharePointWebName :
    SharePointWebURL :
    SiteName : Default-First-Site-Name
    SQLApplicationName :
    SQLClientProcessID : 0
    SQLDatabaseID : 0
    SQLDatabaseName :
    SQLEventClass : 0
    SQLEventSubClass : 0
    SQLHostName :
    SQLInstanceName :
    SQLIsSystem : 0
    SQLLinkedServerName :
    SQLObjectID : 0
    SQLObjectID2 : 0
    SQLObjectType : 0
    SQLOwnerID : 0
    SQLOwnerName :
    SQLParentName :
    SQLProviderName :
    SQLRowCounts : 0
    SQLSessionLoginName :
    SQLSPID : 0
    SQLSuccess : 0
    SQLTextData :
    SubSystem : Directory
    TimeDetected : 2016-05-18T20:40:33.308Z
    TimeOfDay : 1240
    TimeReceived : 2016-05-18T20:40:41.630Z
    TimeZoneOffset : -420
    ToValue : student11a@companya.local
    TransactionID :
    TransactionStatus :
    UserAccount :
    UserAddress : ARS69
    UserAddressIPv4 : 192.168.1.40
    UserAddressIPv6 : fe80::7161:2645:c8ae:98ba
    UserDisplay : ActiveRoles Mailbox
    UserDomain :
    UserName : COMPANYA\svc_ars
    UserPrincipalName :
    UserSID : S-1-5-21-3587032830-3613793534-2785258752-3403
    VMWareComputeResource :
    VMWareDataCenter :
    VMWareDS :
    VMWareDVS :
    VMWareHost :
    VMWareNet :
    VMWareVM :
    VMWareVMWareHostName :
    PSComputerName : ARS69

    If you describe your use case in a bit more detail, perhaps other suggestions can be provided.
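    As an added example (not code from this thread or from Quest), here is how a portal back end could read the WMI interface described above for one user's recent events. It assumes that CAAD_Event instances in ROOT\Dell\ChangeAuditor can be queried with WQL through CIM (the thread only shows one posted event), that the Coordinator name and user name are supplied by the caller, and that the lockout events of interest can be recognised by their Message text; the field names used are the ones in the sample event.

```powershell
# Added example, not from the thread or Quest. Assumptions: CAAD_Event in
# ROOT\Dell\ChangeAuditor on the Coordinator is enumerable with WQL via CIM,
# and the events of interest can be matched on Message. Verify the real
# EventClassID/Facility of lockout events in your environment and tighten
# the filter to that value instead of a text pattern where possible.
function Get-CARecentUserEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Coordinator,    # e.g. 'ARS69' in the sample
        [Parameter(Mandatory)] [string] $UserName,       # leaf name of the directory object
        [int]    $Days = 7,
        [string] $MessagePattern = '%lock%'              # assumed pattern; adjust locally
    )

    # Portal input must never be spliced raw into WQL: reject anything that is not
    # a plausible account name, then double the single quotes WQL uses as delimiters.
    if ($UserName -notmatch '^[A-Za-z0-9._$-]{1,64}$') {
        throw "Refusing to query: '$UserName' is not a plausible account name."
    }
    $safeName = $UserName -replace "'", "''"

    # DirectoryObjectName is canonical (domain/OU/object) in the sample event and
    # SamAccountName was empty there, so match on the trailing path component.
    $wql = "SELECT EventID, TimeDetected, Message, Agent, UserName, " +
           "UserAddressIPv4, DirectoryObjectName, ResultName, SeverityName " +
           "FROM CAAD_Event WHERE DirectoryObjectName LIKE '%/$safeName' " +
           "AND Message LIKE '$MessagePattern'"

    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)

    Get-CimInstance -ComputerName $Coordinator -Namespace 'ROOT\Dell\ChangeAuditor' -Query $wql |
        Where-Object {
            # TimeDetected is ISO-8601 UTC in the sample; filter client-side so the
            # code does not depend on how the provider stores the timestamp.
            try { $t = ([datetime]$_.TimeDetected).ToUniversalTime() } catch { return $false }
            $t -ge $since
        } |
        Sort-Object TimeDetected -Descending |
        Select-Object TimeDetected, Agent, UserName, UserAddressIPv4, Message, ResultName
}

# One Service Desk lookup as the portal would issue it (names from the sample event):
# Get-CARecentUserEvents -Coordinator 'ARS69' -UserName 'Student11User' -Days 3
```

    The account running the portal's back end needs only read access to that WMI namespace on the Coordinator, which keeps the portal well away from the Change Auditor management permissions the PowerShell module exposes.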

  • Thanks for the quick response Johnny.   

    Here's a little background on the specific use case.  We have a custom web portal for our Service Desk and Deskside teams which provides various tools and reporting in one place with a consistent user interface.   The goal is to add a page which allows these teams to enter a username to query Change Auditor for the origin of recent account lockouts. 

    Chad

  • Hmmm... do you have strong objections to creating a shared query in the CA web client and then just putting a link to this in your portal? 

  • I'm not familiar with the terminology, but there was a custom dashboard created on the CA website which provided the desired information; however, there were some reservations that having to log in to CA, maximize the query window and filter the results would hinder adoption.  Running the traps to vet all the options.

    Chad