
Difference between Change Auditor and InTrust

Hi,

Please explain to me the difference between Change Auditor and InTrust.

Which tool do I need to buy for Active Directory auditing?

  • Both can do AD auditing very well.

    Change Auditor is the quickest to set up and get results from.

    InTrust is more flexible than Change Auditor for certain use cases, but this comes at the price of a steeper learning curve to take advantage of its more advanced capabilities.

    To recommend one over the other, we would need to understand the specifics of your auditing (and perhaps reporting) needs, including the need to archive native Windows event log data. If this last point is not important at all, Change Auditor is definitely the better choice.

  • From an audit solution standpoint, CA and InTrust complement each other:

    - First, buy CA for a quick and solid win: known successful AD changes, Exchange non-owner mailbox access, NTFS specified file access, etc. That is what CA was designed for, and it became an audit solution leader in the industry. (Note: CA "listens", analyzes and produces its own great logging events for specified platforms *without noise*.)

    - Second, regroup, and to improve and extend the audit solution, buy InTrust to collect and store an *exact copy of native logs* with a high volume of logging (like Logon Activity, Success/Failure, etc.). Especially in highly regulated industries, legal requirements might require reporting on an exact copy of native logs for 1y or more, even if 99% of the native logs are *noise*.

    PS: in case you need assistance on the technical side of the story, you may contact Quest or One Identity consultants (my name, for example).

  • If my understanding is right, AD Change Auditor performs object-level auditing and reporting.

    InTrust also does AD auditing, and additionally it can collect event logs for all servers and workstations and save them in a repository.

  • That's right, but InTrust is so much more. It collects and efficiently stores all the native logs, so that in case of bad actors trying to establish presence and steal your data, it provides an awesome repository of detailed log events which can help you perform the forensics and, by identifying possible attack markers, create rules which could prevent it from happening again using response actions. Some such markers are already built into the product.

    CA helps you make sense of the real actions real people do in AD to track the audit more efficiently; InTrust collects all that is happening in between the lines to catch and protect against the misuse which on the surface may look like valid actions.