Chatta subito con l'assistenza
Chat con il supporto

Change Auditor Threat Detection 7.3 - Deployment Guide

Requirements and prerequisites

For a successful deployment, ensure that your environment meets the minimum system requirements.

The Threat Detection server deployed on VMWare ESX is available in both 8 and 16 cores versions.
For a Hyper-v deployment, a single server is available and you select the number of cores during the deployment.

For all deployments:

Events to configure

NOTE: Consider Maintaining the Change Auditor database size when adding events for Threat Detection auditing.

Events from the following modules are used to build models and generate alerts:

Change Auditor for Logon Activity

Authentication Activity events – these are the successful and failed interactive and remote interactive events (all enabled by default).

Domain Controller Authentication events – Ensure that you enable the ‘User authenticated through Kerberos” event. By default, it is disabled.

Change Auditor for Active Directory

User and group events (all enabled by default).

Change Auditor for Windows File Servers

Change Auditor for EMC

Change Auditor for FluidFS

Change Auditor for NetApp

For optimal Threat Detection results, Quest recommends that you select file, folder, and share events that audit permission changes, create, delete, rename, and open actions during the template creation.

Port Requirements

The following ports are required for Threat Detection server operation:

Coordinator to Threat Detection server

Change Auditor client and Chrome web browser to Threat Detection server

 

Threat Detection server to Active Directory

Maintaining the Change Auditor database size

Some of the events required for Threat Detection can be very noisy and take up significant space in the Change Auditor database. Once the events are sent to the Threat Detection server for analysis storage in the Change Auditor database is no longer needed.

To ensure the database maintains a manageable size, Quest recommends that you purge events older than 30 days.

Particularly noisy events are:

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione