Chatee ahora con Soporte

Obtener ayuda en vivo
Completar registro

Iniciar sesión

Solicitar precios

Comuníquese con Ventas

Change Auditor Threat Detection 7.0.3 - Deployment Guide

Navegación de contenido

Deploying Threat Detection

Introduction to Change Auditor Threat Detection

Who should have input on the deployment plan? Components and workflow

Requirements and prerequisites Events to configure Maintaining the Change Auditor database size Deploying a Threat Detection server on ESX Deploying a Threat Detection server on Hyper-V

Hyper-V resource control settings

Upgrading the Threat Detection server

Upgrade from Change Auditor version 7.0.2

Update-CAThreatDetectionServer

Upgrade from Change Auditor version 7.0 and 7.0.1

Upload the update package to the Threat Detection server Upgrade the Threat Detection server Join the Threat Detection server to the coordinator's domain Configure the service account

Creating a Threat Detection configuration Reviewing configuration status

Configured server deployment details

Removing a configuration Historical events and your baseline calculations

Threat Detection configuration commands

Adding the PowerShell module Viewing available commands and help Threat Detection sample scripts Connecting to Change Auditor

Connect-CAClient

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration Get-CAThreatDetectionConfiguration Set-CAThreatDetectionConfiguration Remove-CAThreatDetectionConfiguration

Appendix: System Architecture

Threat Detection system overview

Set-CAThreatDetectionConfiguration

Use this command to modify the list of allowed coordinators for the Threat Detection configuration.

Table 5. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.
-AllowedCoordinators (Optional)	The DNS or NetBIOS name of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events. NOTE: The list order does not determine which coordinator is selected to send events.

Example: Modifying a configuration

Set-CAThreatDetectionConfiguration -Connection $connection -AllowedCoordinators @('machine1.domain.com','machine2.domain.com')

Example: To clear a previous list of allowed coordinators

Set-CAThreatDetectionConfiguration -Connection $connection -AllowedCoordinators @()

Remove-CAThreatDetectionConfiguration

Use this command to remove a Threat Detection configuration.

NOTE:

Deleting the configuration only removes configuration information from Change Auditor. It does not remove data or configuration on the Threat Detection server.

•

If you are removing the configuration as a part of a clean up process, you can delete the Threat Detection server after removing configuration.

•

If you are removing the configuration and plan to start over, you can either revert to a snapshot from a previously deployed (but not configured) Threat Detection server or deploy a new Threat Detection server.

•

When you join the server to the domain during configuration, Change Auditor creates a computer and service account in the domain required for Integrated Windows Authentication. The computer and service account must be removed from the domain when a configuration is removed.

Table 6. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

Example: Remove the Threat Detection configuration

Remove-CAThreatDetectionConfiguration -Connection $connection

Appendix: System Architecture

•

Threat Detection system overview

Threat Detection system overview

The integration process to analyze events includes the following:

1

Change Auditor agents collect events from various systems and the coordinator writes the events into the database.

2

Users create a Threat Detection configuration using the Change Auditor client.

3

As part of the configuration, the coordinator creates the webhook subscription to send events to the Threat Detection server. The subscription contains information such as where to send events (the URL of the webhook receiver in the Threat Detection server), which events to include, and the coordinator responsible for event forwarding.

4

The designated coordinator continually queries events from the Change Auditor database and sends them to the webhook receiver in the Threat Detection server.

5

Threat Detection server performs event modeling and scoring.

6

Threat indicators, alerts, and risky users are displayed in the Threat Detection dashboard.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

© ALL RIGHTS RESERVED. Feedback Términos de uso Privacidad Cookie Preference Center