Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Change Auditor Threat Detection 7.5 - Deployment Guide

Inhaltsnavigation

Deploying Threat Detection

Introduction to Change Auditor Threat Detection

Who should have input on the deployment plan? Components and workflow

Requirements and prerequisites Events to configure Port Requirements Maintaining the Change Auditor database size Deploying a Threat Detection server on ESX Deploying a Threat Detection server on Hyper-V

Hyper-V resource control settings

Upgrading the Threat Detection server

Upgrade from Change Auditor version 7.0.2

Update-CAThreatDetectionServer

Upgrade from Change Auditor version 7.0 and 7.0.1

Upload the update package to the Threat Detection server Upgrade the Threat Detection server Join the Threat Detection server to the coordinator's domain Configure the service account

Creating a Threat Detection configuration Reviewing configuration status

Configured server deployment details

Removing a configuration Historical events and your baseline calculations

Threat Detection configuration commands

Adding the PowerShell module Viewing available commands and help Threat Detection sample scripts Connecting to Change Auditor

Connect-CAClient

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration Get-CAThreatDetectionConfiguration Set-CAThreatDetectionConfiguration Remove-CAThreatDetectionConfiguration

Appendix: System Architecture

Threat Detection system overview Our brand, our vision. Together. Contacting Quest Technical support resources

Requirements and prerequisites

For a successful deployment, ensure that your environment meets the minimum system requirements.

The Threat Detection server deployed on VMWare ESX is available in both 8 and 16 cores versions.
For a Hyper-v deployment, a single server is available and you select the number of cores during the deployment.


	NOTE: The number of cores impact the length of time it takes to process historical audit data and build the baseline. 16 cores is recommended, 8 cores can be used if processing less than 5 million events per day.

Deployment on VMWare ESX

•

VMWare ESXI version 5.5 and above which is managed by VMware Vcenter 5.5 and above

•

The following vSphere clients are supported:

•

With ESX 5.5 - vSphere Windows client.

•

With ESX 6.0 - vSphere Flash client.

•

With ESX 6.5 - vSphere Flex client, vSphere HTML5 client.

•

Small and medium sized enterprise edition OVA:

•

OVA file size: ~10GB

•

CPU: 8 cores, Minimal 2.3 GHz, Recommended 2.4 GHz

•

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB

•

Large sized enterprise edition OVA:

•

OVA file size: ~10GB

•

CPU: 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz

•

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB

Deployment on Microsoft Hyper-V

•

Hyper-V host which running on Windows server 2016

•

Threat Detection server requirements:

•

Template size: ~10 GB

•

CPU: 8 or 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz.

•

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB.

For all deployments:

•

Obtain a static IP address for Threat Detection server and add DNS (A) record for it.

•

Determine the number of historical days to use for your activity baseline. For information on how to determine the best amount for you, see Historical events and your baseline calculations.

Events to configure

Events to configure


	NOTE: Consider Maintaining the Change Auditor database size when adding events for Threat Detection auditing.

Events from the following modules are used to build models and generate alerts:

Table 1. Events used for modeling and alerts
Module	Events
Change Auditor for Logon Activity	Authentication Activity events – these are the successful and failed interactive and remote interactive events (all enabled by default). Domain Controller Authentication events – Ensure that you enable the ‘User authenticated through Kerberos” event. By default, it is disabled.
Change Auditor for Active Directory	User and group events (all enabled by default).
Change Auditor for Windows File Servers Change Auditor for EMC Change Auditor for NetApp	For optimal Threat Detection results, Quest recommends that you select file, folder, and share events that audit permission changes, create, delete, rename, and open actions during the template creation.

Port Requirements

The following ports are required for Threat Detection server operation:

Table 2. Port requirements

Coordinator to Threat Detection server

•

SSH TCP 22 - Facilitates Threat Detection server upgrades and maintenance.

•

HTTPS TCP 443 - Creation, removal, and operation of Threat Detection subscription.

Change Auditor client and Chrome web browser to Threat Detection server

•

HTTPS TCP 443 - Threat Detection dashboard and interface.

Threat Detection server to Active Directory

•

LDAP TCP/UDP 389 - Active Directory services.

•

Global Catalog (GC) TCP 3268 - Active Directory services.

•

DNS UDP 53 - Name resolution.

•

Kerberos TCP 88 - Kerberos authenticated connections.

Maintaining the Change Auditor database size

Some of the events required for Threat Detection can be very noisy and take up significant space in the Change Auditor database. Once the events are sent to the Threat Detection server for analysis storage in the Change Auditor database is no longer needed.

To ensure the database maintains a manageable size, Quest recommends that you purge events older than 30 days.

Particularly noisy events are:

•

User authenticated through Kerberos

•

File and folder open

Verwandte Dokumente

Change Auditor Threat Detection - 7.5
Deployment Guide
User Guide

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center