Hi. My name is Mike Danseglio, and I'm an independent auditor and security expert for Next Direction Technologies.
And this is Tim Sedlack. I'm the product manager for Change Auditor from Quest.
And Tim and I have been working for a couple of different scenarios around auditing and compliance. And one common scenario that I seem to hear a lot from my clients is we need to stay in front of audits, to stay in front of security events. Right? Is that the kind of thing you hear, as well?
Absolutely. I hear this quite a bit on the SharePoint site because if you're using just the native tools, there is no way to initiate any sort of notification alerts when things happen. Where with Change Auditor, you've got the capabilities to do something like that.
I guess the concern I would have is in the signal to noise ratio space. Am I going to tell the wrong people the wrong things? Or am I going to spam the heck out of an IT pro? Is there a way to kind of balance that with this tool, Tim?
Absolutely. So you bring up a great point. And let me show you here in Change Auditor one way that you can do this.
Now since we're talking about SharePoint data, I'll click on the SharePoint folder here. And I can look at all the events that have happened in the last seven days. Or if I'm interested in particular content changes, I can simply run this query and I can take a look at all the content changes for the last seven days. You can see I've been playing around. I've added some documents. I've removed some documents. I've checked things in and out.
Now this is all well and good. But you asked me specifically for how can I stay ahead of this? Well you'll notice back on the Searches tab here, along the bottom, this is the search that I'm running.
I've gotten an Alert tab here. And that allows me to send alerts in a few different ways. I can send an SNMP trap to whatever management product I have.
Do people still use SNMP, Tim?
Yeah. So I'm a little worried about that one. Is that the only trick in your bag?
No, no. We've also got the incredibly popular, and I'm being facetious here, WMI.
Ooh. That's probably-- wow. SNMP and WMI. Let me just shake those up, and see which one is least useless.
So the most common one that I see people using is, of course, SMTP. Just send me an email. Alert me when I have some document content changes.
Now to do this, I can configure my email to go to myself. Or if you've got say, a group of SharePoint admins at next direction dot com. And we want all those SharePoint admins to receive this. I'll just add them to the To line. And once I've clicked OK, you'll notice I can also define a number of particular events per email.
So if somebody's messing with a whole library and checking things in and out and updating metadata and doing things, it'll gather those in one email and say, in the last 15 seconds, here's everything that's happened. So you're not inundated with email and email and email and email. You get an alert about the document changes that have happened in a kind of concise and collected way so that you can really take action on what you're seeing.
And I think the key point to make, and the question you originally asked me was, let me stay ahead of this. And setting up this email alert really allows you to do that. So if you've got documents that are high business impact, or PCI compliance issues that you're worried about, and you've got a document store in SharePoint on this, you'll start to receive those emails once you enable and configure that email alert.
Nice. That's nice. And it looks like you can set up different alerts based on different queries, and then send those different alerts to different users in the groups so that I can alert, let's say, SharePoint admins group number one when some things happened. And a different set of admins, or maybe auditors or maybe first responders, IT responders, when a third set of things happen. Is that right?
That's exactly right. So things that are critical, like the permission changes, or somebody switching permission inheritance on and off, is probably something that a SharePoint administrator, and maybe a chief security officer, would be worried about.
Exactly. That's what I worry about.
Auditors might be interested, on the other hand, in document content changes or creation of new sites.
So that's really cool that you get to do that at an atomic level so that you can alert the right people to the right things quickly enough where they can respond before six months go by, and maybe there's not enough detail. Or maybe employees have left the company. Or maybe some nasty fraud has occurred, or something like that.
This could end up saving your job.
Cool. I like saving my job, Tim.
Thank you, Tim.