Welcome. This is Quest Unscripted, a vlog series on trending topics and Quest solutions related to Active Directory, Office 365, oh, and don't forget Azure AD. You are here because you have questions. We're here because we have answers. I think. We will address questions that we've received from customers, experience the same challenges as you. All with the goal of helping you confidently move, manage, and secure your Microsoft environment. We call the show Quest Unscripted because, except for this intro, nothing we say is scripted or rehearsed. And we're pretty sure you'll notice that right away.
So, Ghazwan Khairi, systems consultants with Quest. Bryan Patton, same thing. Robert Tovar is our subject matter expert when it comes to everything compliance. And today we're going to talk about compliance solutions.
We have been getting a lot of questions from customers about how does Change Auditor family of products compare, competes, complements Microsoft's ATP, previously known as ATA. And also we get a lot of questions similar to that as to how Change Auditor competes, compares, works with SIEM solutions. So that's what we're going to cover today. Hopefully this answers all the questions that come up now or in the future around these questions.
So I'm going to start with Robert Tovar. And before we get deeper into that subject, Rob, I'm just going to ask you a quick question. A high level question. What is Change Auditor overall value is for customers who may be hearing about Change Auditor for the first time?
OK. So Change Auditor is an agent based solution that audits many platforms. It's a multi module solution. And it focuses on, and in this case I'm going to focus on Active Directory, for example, because that's usually what most folks are interested in. So with native event logging, which everyone should be familiar with, you are relying on the operating system to provide the details for the changes that are occurring within the environment. So it's pretty hard to determine exactly what happened when you're relying on native event logs. And in most cases, you'll have audit policies enabled in order to get the additional information. And then you're overwhelmed with the number of events that are being produced. And the level of detail that you get from these native events are lacking.
So Change Auditor, on the other hand, does not rely on native event logs. So it doesn't require that additional footprint that you place on your servers when you do enable the native auditing policies. So it relies on the agent. The agent tracks exactly what's going on. I won't get into the details of how it does it just for the sake of time, but the point is that it can pinpoint exactly what's going on in the environment, determine who did it, what happened, where did it happen, on which domain controller the origin of the change, the before and after value. So you get a concise event with all of the details that are necessary to determine exactly what happened.
There is additional functionality like alerting. There's scheduled reporting that you can incorporate. And there's also the ability to protect objects. So although some third party tools out there can do some of this, Change Auditor can do all of it. So I think that's where the value is. The differences between auditing native events with third party tools versus Change Auditor is the ability to be able to produce concise events with details that you normally wouldn't get.
Got it. Bryan, anything you want to add?
Yeah, I like the normalization of the data, the who, what, when, where. So we have easier searchability over these events later on. Ghazwan, you mentioned the word SIEM, which stands for security incident management, and that's looking at a lot of different disparate systems. We really focus on the Microsoft ecosystem and giving you that rich view of that different data. So there is less volume you have to search through to find out what you're truly looking for.
Right. Well, let's take your point and address the SIEM solution talk for just a second. So Change Auditor is focused on Microsoft ecosystem. SIEM solutions are looking at that plus looking at everything else. So if I'm sitting in an Active Directory organization, that's my role, and I've got security involved. And you come and you pitch what you just pitched over to me and I say, you know what, I've got that covered with my SIEM solution. What's your value add? Can you talk a little bit more about the Microsoft ecosystem. What's your value add for me as an Active Directory administrator?
I'm thinking about--
Walk me through a SIEM solution.
I'm thinking about like a simple change such as adding and removing [INAUDIBLE] group. You know, that one change that you're making in Active Directory natively, you can turn on auditing to see that group membership was changed. But you can't necessarily see how it changed, who got it added in, who got removed, from where did that originate. So the fact that we can get you all that extra relevant information in a smaller number of events I think is vital because it's a lot less stuff that you have to search through after the fact.
Mm-hmm. Cool.
I'd like to add that with a SIEM solution-- well, let me just make something clear. Change Auditor does not compete with SIEM solutions, right. We complement the SIEM solution. So it's not like you can choose Change Auditor over a SIEM solution. We don't claim to do all that a SIEM does. So I think the value add that we provide or the value that we add to the SIEM solution is that we can capture those normalized events, right. We can provide details that you wouldn't get from the native event logs and incorporate those with the SIEM solution.
Can you give me a couple of