AuditIng-Related Objects and Properties
Most Audit Module for PowerShell cmdlets return object instances either directly or as properties of other objects. This section provides an alphabetical listing of the objects and the properties of each object defined in the Audit Module for PowerShell. Note that not all properties are available as parameters in the PowerShell cmdlets.
CdaAccessAccount
Represents a Windows user or SQL Server login account with access to auditing components. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AccountName | String | Name of the Windows user or SQL Server login account. |
| Type | Enum | Account type. The valid values are: 1 if the account is a Windows account that uses Windows authentication. 2 if the account is a Microsoft SQL Server login account that uses SQL Server authentication. |
CdaAdPrincipal
Represents an Active Directory principal. The principal can be an Active Directory user, group, or computer account. You can use the Class property to identify the type of principal. Only the account name for the principal is stored in the database. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Class | String | Principal type of the Active Directory object. |
| DistinguishedName | String | Distinguished name of the Active Directory object. |
| Domain | String | Domain name for the Active Directory principal. |
| GUID | Guid | Globally unique identifier (GUID) for the Active Directory object. |
| Name | String | Name of the Active Directory object. |
| SamAccountName | String | The sAMAccountName attribute for the Active Directory principal. |
| SID | Security identifier | The security identifier (SID) for the Active Directory principal. |
CdaAgent
Represents an audited computer where the auditing service is enabled. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditedSystemType | Enum | Specifies whether the audited systems are system-based ("SystemBased") or vault-based ("VaultBased"). This parameter is optional. If you do not specify this parameter, the results include a list of both types of audited systems. System-based describes a Windows or UNIX computer that is running an agent. You can access these systems either directly or from the Privileged Access Service Admin Portal. Vault-based describes a Windows or UNIX computer or a network device that is not running an agent (agentless). You can access these systems from the Privileged Access Service Admin Portal. Note: Some properties display different values for vault-based systems: * Version: this property is empty because vault-based systems are agentless * Status: this property displays as none * StartupTime: this property displays as a default date-time value of "1/1/0001 12:00:00 AM" * UpTime: this property displays as 00:00:00 |
| LastUpdateTime | DateTime | Time at which the auditing service agent was last updated. |
| MachineAddress | String | IP address of the computer hosting the auditing service. |
| MachineName | String | Name of the computer hosting the auditing service. |
| MachineSid | String | Security identifier string for the computer hosting the auditing service. |
| StartupTime | DateTime | Time at which the auditing service agent first started. |
| Status | Enum | Status of the auditing service. The valid values are: Connected Disconnected |
| Type | Enum | Type of operating system running on the computer hosting the auditing service. The valid values are: 0 — Unknown 1 — UNIX 2 — Windows |
| UpTime | TimeSpan | Total time the auditing service agent was connected time from the startup time to the last update time. |
| Version | String | Auditing service agent version number. |
CdaAuditEvent
Represents an audit trail event. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Description | String | Description of the audit trail event. |
| EventId | Integer | Event identifier for the audit trail event. Event instances that share the same event type will also have the same EventId. |
| EventName | String | Name of the audit trail event. |
| Machine | String | Computer name associated with the audit trail event. |
| Parameters | String Array | List of parameters for this audit trail event. |
| Result | String | Result returned by the audit trail event. |
| SessionId | String | Identifying string for the session associated with the audit trail event, if there is one. |
| SessionUri | String | The uniform resource identifier (URI) for the session associated with the audit trail event, if there is one. |
| Time | DateTime | Date and time the audit trail event occurred. |
| UniqueId | Long | Unique identifier for the event instance. |
| User | String | User name associated with the audit trail event. |
CdaAuditRole
Represents an audit role. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Definition | String | String that defines the criteria used in the audit role to specify the sessions to include. |
| Description | String | Description of the audit role. |
| Name | String | Name of the audit role. |
| Privilege | Enum array | User privileges for the audited sessions that match the criteria specified for this audit role. |
CdaAuditRoleAssignment
Represents an audit role assignment. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Assignee | CdaAdPrincipal | User, group, or computer account assigned to the audit role. |
| AuditRole | CdaAuditRole | Name of the audit role being assigned. |
CdaAuditRoleRight
This object represents the rights granted to a trustee on the audit role. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditRole | CdaAuditRole | The audit role |
| Trustee | String | Trustee name in format <DOMAIN>\<User account name> Note: The consistent name format is shown in the Audit Manager console. For an orphan trustee, it shows SID in SDDL format. |
| TrusteeType | String | Indicate the type of the trustee,for example Active Directory User or Group |
| Rights | string[] | The collection of rights granted to the trustee on the audit role. Possible rights: Full Control Change Permissions Change Role Membership Change Role Definition |
CdaAuditScope
Represents the audit scope for an audit store. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Definition | String | String that defines the audit scope. If the audit scope is an Active Directory site, this property is the site name. If the scope is a subnet, this property is the IP address and subnet mask. |
| Type | Enum | The type of audit scope. The valid values are: 1 if the audit scope is an Active Directory site. 2 if the audit scope is a network subnet segment. |
CdaAuditSession
Represents an audited user session. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditStore | String | Name of the audit store. |
| ClientAddress | String | Client IP address. |
| ClientName | String | Client name. |
| Comment | String array | Comments that have been added by reviewers to the session. |
| EndTime | DateTime | Session end time. |
| IsADUser | Boolean | Indicates whether the user is an Active Directory user. |
| Machine | String | Host name of the computer where the session ran. |
| MachineAddress | String | Computer IP address of the computer where the session ran. |
| MachinePrincipal | String | Computer principal name of the computer where the session ran. |
| ReviewedBy | ADUser | Name of the user who last updated the review status for the session. |
| ReviewStatus | Enum | Session review status. The valid values are: 0 for None 1 for ToBeReviewed 2 for Reviewed 3 for PendingForAction 4 for KeepForever 5 for ToBeDeleted |
| ReviewTime | DateTime | Date and time of the last review status update for the session. |
| SessionID | String | Globally unique identifier (GUID) for the object. |
| Size | Integer | Total size of the session in KB. |
| StartTime | DateTime | Session start time. |
| State | Enum | Status of the session. The valid values are: -1 for Unknown 0 for InProgress 1 for Terminated 2 for Disconnected 3 for Completed |
| Tags | String | The tags associated with the audit session |
| Type | Enum | Session type. The valid values are: 1 if the session is a Windows session 2 if the session is a UNIX session |
| Uri | String | The uniform resource identifier (URI) for replaying the session in the session player. |
| User | String | User name associated with the session. |
| UserDisplayName | String | User display name associated with the session. |
| Zone | String | Verify Privilege Server Suite zone name. |
CdaAuditSessionTag
Represents the keyword tag that is associated with an audited session. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditStoreDatabaseId | int | The ID of the audit store database |
| Id | long | The ID of the tag |
| Mode | string | The mode of the tag, which indicates if the session was tagged by an automatic process or manually tagged. The possible values are: Manual Automatic |
| ReplayTimestamp | DateTime | The session replay time of the tag in the audit session |
| Session | CdaAuditSession | The audit session(s) that the tag is associated with |
| Tag | string | The tag |
| Tagger | string | The user name of the auditor who tagged the audit session |
| TagTimestamp | DateTime | The timestamp when the audit session was tagged |
CdaAuditSessionDataIntegrityStatus
If you’ve enabled the audit store database for data integrity checking, this object refers to the session’s data integrity status. Data integrity checking provides the ability to detect if auditing data has been tampered. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Session | CdaAuditSession | The audited user session |
| Status | Integer | Unknown = -1 Passed = 0 Not Enabled = 1 Session Not Found = 2 Missing Final Thumbprint = 3 Invalid Final Thumbprint = 4 Missing Thumbprint = 5 Invalid Thumbprint = 6 Failed = 7 |
| StatusMessage | String | The friendly display message of the status |
| Source | String | The source name of the audit session data (which contains the database table name and record Id) |
CdaAuditStore
Represents an audit store. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Affinity | AffinityType enum | The type agents that the audit store serves, either Windows, UNIX, or both. The possible values are: WindowsAndUnix - 0 Windows - 1 Unix - 2 |
| Name | String | Name of the audit store. |
| Scopes | CdaAuditScope[] | Audit store scopes. |
| TrustedAgentEnabled | Boolean | Whether the trusted agent filter is enabled or not. |
| TrustedAgents | CdaComputer[] | Trusted agent computers. |
| TrustedCollectorEnabled | Boolean | Whether the trusted collector filter is enabled or not. |
| TrustedCollectors | CdaComputer[] | Trusted collector service computers. |
CdaAuditStoreRight
This object represents the rights granted to a trustee on the audit store. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditStore | CdaAuditStore | The audit store |
| Trustee | String | Trustee name in format <DOMAIN>\<User account name> Note: The consistent name format is shown in the Audit Manager console. For an orphan trustee, it shows SID in SDDL format. |
| TrusteeType | String | Indicate the type of the trustee,for example Active Directory User or Group |
| Rights | string[] | The collection of rights granted to the trustee on the auditstore. Possible rights: Full Control Change Permissions Modify Name Manage Scopes Manage SQL Logins Manage Collectors Manage Audited Systems Manage Databases Manage Database Trace |
CdaCollector
Represents a collector service computer. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AuditStoreDatabase | String | The audit store database the collector connects to. |
| LastUpdateTime | DateTime | The date and time at which the collector received the last update. |
| MachineAddress | String | IP address of the computer hosting the collector service. |
| MachineName | String | Name of the computer hosting the collector service. |
| PortNumber | Integer | Collector connection port number. |
| Sid | String | Security identifier string for the computer hosting the collector service. |
| StartupTime | DateTime | The date and time at which the collector first connected to the audit store database. |
| Status | Enum | Status of the collector service. The valid values are: Connected Disconnected |
| UpTime | TimeSpan | Total time the collector was connected time from startup to the last update time. |
| Version | String | Collector service version number. |
CdaDatabase
Represents an audit store database. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| ActiveEndTime | DateTime | The date and time at which the database stopped being the active database. |
| ActiveStartTime | DateTime | The date and time this database became the active database. |
| AllowedCollectors | CdaAccessAccount[] | Allowed collector accounts. |
| AllowedManagementServers | CdaAccessAccount[] | Allowed management database accounts. |
| AuditStore | CdaAuditStore | The audit store object instance for the database. |
| CollectorCount | Integer | Number of collectors connected to the database. |
| Database | String | Microsoft SQL Server database name for the audit store database. |
| DiskUsage | Integer | Database file size, in 8KB pages. |
| IsActive | Boolean | Specifies whether this is the active database for the audit store. |
| Name | String | Display name of the audit store database. |
| RecordCount | Integer | Number of session records in the database. |
| Server | String | Microsoft SQL Server host name and instance. |
| Status | Enum | Database status. The valid values are: Connected Disconnected |
| Version | String | Database version number. |
CdaDetailedExecution
Represents detailed command execution details, if advanced monitoring is enabled. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| User | String | The user name associated with the event |
| Machine | String | The computer name associated with the event |
| Time | DateTime | The date and time when the command was executed |
| EnteredCommand | String | The name of the entered command |
| ExecutedCommand | String | The name of the executed command |
| CommandArguments | String | The command arguments |
| RunAsUser | String | The run as user name |
| AccessStatus | String | The access status: Succeeded or Failed |
| AccessStatusDetails | String | The detailed message about the status |
| CurrentDirectory | String | The current directory of the command execution |
| ProcessId | String | The process ID of the command execution |
| ParentProcessId | String | The process ID of the parent process of the command execution |
CdaInstallation
Represents an audit installation. The installation defines the scope of the auditing infrastructure and audit data available for review and play back. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| DisableSelfDelete | Boolean | Indicates whether users can delete their own sessions. This installation-wide option takes precedence over the permissions granted to a user account. If you set this option to be True, users cannot delete their own sessions regardless of the rights granted to their audit roles. |
| DisableSelfReview | Boolean | Indicates whether users can update the review status or the comments on their own sessions. This installation-wide option takes precedence over the permissions granted to a user account. If you set this option to be True, users cannot update the review status or add comments for their own sessions regardless of the rights granted to their audit roles. |
| EnableVideoCapture | Boolean | Indicates whether the video capture auditing of user activity is enabled or not. |
| ManagementDatabase | CdaManagementDatabase | The default connected management database for the installation. |
| Name | String | Name of the installation. |
| NotificationImage | String | Name of the notification banner image file in base64 string format. |
| NotificationMessage | String | Name of the file containing the notification message text. |
| PublishLocations | String Array | One or more Active Directory locations where the installation service connection point is published. |
CdaInstallationRight
This object represents the rights granted to a trustee on the DA Installation. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Trustee | String | Trustee name in format <DOMAIN>\<User account name> Note: The consistent name format is shown in the Audit Manager console. For an orphan trustee, it shows SID in SDDL format. |
| TrusteeType | String | Indicate the type of the trustee,for example Active Directory User or Group |
| Rights | string[] | The collection of rights granted to the trustee on the DA Installation. Possible rights: Full Control Change Permissions Modify Name Manage Management Database List Manage Audit Store List Manage Collectors Manage Audited Systems Manage Audit Role Manage Queries Manage Publications Manage Licenses Manage Notification Manage Audit Option View |
CdaManagementDatabase
Represents an audit management database. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| AllowedIncomingUsers | CdaUser[] | Allowed incoming users of the management database. |
| Database | String | Microsoft SQL Server database name for the management database. |
| Name | String | Display name of the management database. |
| OutgoingAccount | CdaAccessAccount | Outgoing account of the management database. |
| Scope | CdaAuditScope[] | Audit store scopes defined for the management database. |
| Server | String | Microsoft SQL Server host name and instance name. |
| Status | Enum | Status of the management database. The valid values are: Connected Disconnected |
CdaManagementDatabaseRight
This object represents the rights granted to a trustee on the management database. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| ManagementDatabase | CdaManagementDatabase | The management database |
| Trustee | String | Trustee name in format <DOMAIN>\<User account name> Note: The consistent name format is shown in the Audit Manager console. For an orphan trustee, it shows SID in SDDL format. |
| TrusteeType | String | Indicate the type of the trustee,for example Active Directory User or Group |
| Rights | string[] | The collection of rights granted to the trustee on the management database. Possible rights: Full Control Change Permissions Modify Name Manage Scopes Remove Database Manage SQL Logins Manage Database Trace |
CdaMonitoredExecution
Represents monitored command execution details, if advanced monitoring is enabled. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| User | String | The user name associated with the event |
| Machine | String | The computer name associated with the event |
| Time | DateTime | The date and time when the command was executed |
| Command | String | The name of the executed command |
| CommandArguments | String | The command arguments |
| RunAsUser | String | The run as user name |
| AccessStatus | String | The access status: Succeeded or Failed |
| AccessStatusDetails | String | The detailed message about the status |
| CurrentDirectory | String | The current directory of the command execution |
| ProcessId | String | The process ID of the command execution |
| ParentProcessId | String | The process ID of the parent process of the command execution |
CdaMonitoredFile
Represents monitored file details, if advanced monitoring is enabled. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| User | String | The user name associated with the event |
| Machine | String | The computer name associated with the event |
| Time | DateTime | The date and time when the command was executed |
| FileName | String | The filename of the file being accessed |
| Command | String | The name of the executed command |
| RunAsUser | String | The run as user name |
| SystemCallName | String | The name of the system call |
| AccessType | String | The type of the file access: Write or ChangeAttribute |
| AccessStatus | String | The access status: Succeeded or Failed |
| AccessStatusDetails | String | The detailed message about the status |
| CurrentDirectory | String | The current directory of the command execution |
| ProcessId | String | The process ID of the command execution |
| ParentProcessId | String | The process ID of the parent process of the command execution |
CdaQuery
This object represents a query. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Name | String | The query name |
| Description | String | The query description |
| IsPredefined | boolean | Whether this query is predefined or not |
CdaQueryRight
This object represents the rights granted to a trustee on the query. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Query | CdaQuery | The query |
| Trustee | String | Trustee name in format <DOMAIN>\<User account name> Note: The consistent name format is shown in the Audit Manager console. For an orphan trustee, it shows SID in SDDL format. |
| TrusteeType | String | Indicate the type of the trustee,for example Active Directory User or Group |
| Rights | string[] | The collection of rights granted to the trustee on the query. Here are the possible rights: Full Control Change Permissions Read Delete Modify |
CdaSearchCriteria
Represents a search criteria object that defines the filters to use to find sessions that can be passed to other cmdlets. For example, you can create a search criteria object to define the sessions that are applicable for a given audit role. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Application | String array | Filter sessions by using the Windows application name used. |
| AuditStore | String | Filter sessions by using the name of the audit store. |
| ClientName | String | Filter sessions by using the client name of the session. |
| Comment | String array | Filter sessions by using the comments that have been added by reviewers to the session. |
| Group | String array | Filter sessions by using the session owner's Active Directory security group. |
| Installation | String | Filter sessions by using the name of the audit installation. |
| Machine | String | Filter sessions by using the host name of the computer where the session ran. |
| ReviewStatus | Enum | Filter sessions by using the session review status. The valid values are: 0 for None 1 for ToBeReviewed 2 for Reviewed 3 for PendingForAction 4 for KeepForever 5 for ToBeDeleted |
| State | Enum | Filter sessions by using the status of the session. The valid values are: 0 for InProgress 1 for Terminated 2 for Disconnected 3 for Completed |
| TimeAfter | DateTime | Filter sessions that ran after a specific date and time. |
| TimeBefore | DateTime | Filter sessions that ran before a specific date and time. |
| TimeBetween | DateTime | Filter sessions that ran between a start time and an end time. |
| Type | Enum | Filter sessions by using the session type. The valid values are: 1 if the session is a Windows session 2 if the session is a UNIX session |
| UnixCommand | String array | Filter sessions by using the UNIX command line input and output. |
| UnixCommandName | String array | Filter sessions by the UNIX command name only. |
| UnixCommandTimeAfter | DateTime | Filter sessions that ran after a specific date and time based on the UNIX command input time. |
| UnixCommandTimeBefore | DateTime | Filter sessions that ran before a specific date and time based on the UNIX command input time. |
| UnixCommandTimeBetween | DateTime | Filter sessions that ran between a start and end time based on the UNIX command input time. |
| UnixOutput | Text | Filter sessions by using the UNIX terminal output text captured in the session. |
| User | String | Filter sessions by using the user name associated with the session. |
CdaUnixCommand
Represents an indexed UNIX command captured in an audited session. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Command | String | Text of the UNIX command line that was executed. |
| Sequence | Integer | Sequence number that identifies where in the indexed list of events this event occurs. |
| Session | CdaAuditSession | The session object. |
| Time | DateTime | Date and time when the command was executed. |
CdaUnixCommandTranscript
Represents the UNIX command input and output captured in an audited session. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| EndTime | DateTime | The time at which the capture of this command ended. |
| LineNumber | Integer | The line number at which the text displayed in the terminal. |
| Role | String | The DirectAuthorize role assigned to this command. |
| Session | CdaAuditSession | The session object. |
| StartTime | DateTime | The time at which the capture of this command started. |
| Text | String | The text displayed in the terminal. |
| Ticket | String | The trouble ticket assigned to this command. |
| Type | Enum | Indicates whether the captured text was input or output. |
CdaUserEvent
Represents a user event. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| User | String | User name associated with the user event. |
| Machine | String | Computer name associated with the audit trail event. |
| Time | DateTime | The date and time when the command was executed. |
| Activity | String | A brief description of the user event. |
CdaWindowsEvent
Represents an indexed Windows event captured in an audited session. The following properties are defined for this object.
| Property | Type | Description |
|---|---|---|
| Application | String | Application name associated with the event. |
| Desktop | String | Desktop name associated with the event if the event occurred when using a desktop access right. |
| IsAudited | Boolean | Indicates whether this event occurred when using an audited role with a desktop right. |
| Sequence | Integer | Sequence number that identifies where in the indexed list of events this event occurs. |
| Time | DateTime | Date and time when the event occurred. |
| Title | String | Windows title bar text for the application when the event occurred. |
| Type | Enum | Type of event. The most common event types indicate when a new window or a new application starts or when the title of an existing windows changes. |