TCP port 445 outbound activity from Change Auditor Coordinator
Description
Explanation of why the Change Auditor Coordinator generates outbound TCP port 445 activity, and of the related "Is Administrator" lookups that can add load on domain controllers.
Resolution
The coordinator keeps polling on TCP 445 because the topology scan normally runs every couple of hours. If the topology scan is prevented from running (per the KB article linked below), the coordinator falls back to the "TCP 445" polling method to collect up-to-date topology information about the hosts involved in change events. Correct topology data matters for the audit event record: you want to know that an event actually happened on Host_X, rather than assume it did because Host_X held that IP address the last time it was seen three weeks ago and its attributes have not been refreshed since. A better approach is to remove the roadblocks that inhibit the topology scan and let it run normally, so that the TCP 445 scans are no longer needed.
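Before changing the topology task, it helps to confirm on the coordinator host which process owns the outbound 445 connections and which hosts are being polled. The following check is an added example, not part of this article or of Change Auditor itself; it uses the built-in Get-NetTCPConnection cmdlet. The coordinator service's process name is passed in as a parameter ($ProcessName) because the exact executable name is not stated here; confirm it in services.msc before filtering on it.

```powershell
# Added example (not from the Quest KB article or product): attribute outbound
# TCP 445 connections on the Coordinator host to their owning process, then
# summarise which remote hosts are being polled.
# Assumption: $ProcessName is the Coordinator service's process name; the
# default '*' lists every process so you can identify it first.
function Get-OutboundSmbConnections {
    param(
        [string]$ProcessName = '*'
    )
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent', 'TimeWait' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                CreationTime  = $_.CreationTime   # when the socket was opened
            }
        } |
        Where-Object { $_.Process -like $ProcessName }
}

# Step 1: see every process with outbound 445 activity and pick out the coordinator.
Get-OutboundSmbConnections | Format-Table -AutoSize

# Step 2: once the process name is known, count connections per remote host.
# Replace '*' with the coordinator's process name.
Get-OutboundSmbConnections -ProcessName '*' |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated PowerShell session on the coordinator; TimeWait entries are included so that short-lived polls that have already closed still show up. If the remote hosts listed are the ones appearing in recent change events, that matches the fallback polling behaviour described above.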
"Is Administrator" is a feature added in Change Auditor 7.x that checks whether the user account in the "Who" field is the built-in Administrator account, or is directly or indirectly (through nested groups) a member of BUILTIN\Administrators, Domain Admins, or Enterprise Admins. Verifying group membership can increase network traffic or processing on domain controllers in some environments. "Is Administrator" data is used primarily by the Change Auditor Threat Detection module.
Administrators can prevent the Change Auditor agent from collecting "Is Administrator" data by setting the feature flag DisableIsAdministratorLookups. To disable the collection of "Is Administrator" data, take the following steps:
Update the required agent configuration(s) via the Set-CAAgentConfigurationSetting script.
Use the following setting name and setting value when prompted:
- SettingName: DisableIsAdministratorLookups
- SettingValue: 0 = Do not disable (default)
- SettingValue: 1 = Disable the collection of "Is Administrator" data
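To make the cost of the "Is Administrator" check concrete, the following is an added example of an equivalent membership lookup; it is not Quest's implementation and is not part of this article. It asks a domain controller for the user's constructed tokenGroups attribute, which the DC computes on request and which contains every security group the account belongs to directly or through nesting, then matches the well-known SIDs of the three groups named above. It assumes a domain-joined host that can reach a DC, Windows PowerShell 5.1 or later, and that the account is looked up by sAMAccountName.

```powershell
# Added example (not Quest's code): an "Is Administrator" style check using a
# single LDAP read of the constructed tokenGroups attribute.
# Assumptions: domain-joined host, PowerShell 5.1+, [adsisearcher] can reach a DC.
function Test-IsAdministrator {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found in the current domain" }

    $entry = $hit.GetDirectoryEntry()
    # tokenGroups is computed by the DC when asked for, which is the work the
    # article refers to; it is not returned unless requested explicitly.
    $entry.RefreshCache([string[]]@('tokenGroups', 'objectSid'))

    $userSid   = [System.Security.Principal.SecurityIdentifier]::new($entry.Properties['objectSid'].Value, 0)
    $domainSid = $userSid.AccountDomainSid

    # Every transitive security group, as SIDs
    $groupSids = foreach ($raw in $entry.Properties['tokenGroups']) {
        [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
    }

    $reasons = @()
    # Built-in Administrator account is RID 500 in its domain
    if ($userSid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)) {
        $reasons += 'is the built-in Administrator account (RID 500)'
    }
    # BUILTIN\Administrators has the fixed SID S-1-5-32-544
    if ($groupSids.Value -contains 'S-1-5-32-544') {
        $reasons += 'member of BUILTIN\Administrators (directly or via nesting)'
    }
    # Domain Admins is RID 512 in the account's own domain
    if ($groupSids.Value -contains "$domainSid-512") {
        $reasons += 'member of Domain Admins (directly or via nesting)'
    }
    # Enterprise Admins is RID 519 and exists only in the forest root domain,
    # so match on the RID rather than on the user's domain SID
    if ($groupSids.Value | Where-Object { $_ -match '-519$' }) {
        $reasons += 'member of Enterprise Admins (directly or via nesting)'
    }

    [pscustomobject]@{
        Account         = $SamAccountName
        Sid             = $userSid.Value
        GroupCount      = @($groupSids).Count
        IsAdministrator = ($reasons.Count -gt 0)
        Reasons         = $reasons
    }
}

# Usage: the account name is a placeholder; substitute one from the "Who" field.
Test-IsAdministrator -SamAccountName 'jdoe'
```

Because tokenGroups is calculated on the DC for each query, running a lookup like this for the "Who" of every audited event is exactly the extra domain controller processing the article warns about, which is why the DisableIsAdministratorLookups flag exists for environments where that load is a problem.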
Additional Information
To disable or modify the frequency of the Coordinator Topology Task, follow the steps in the article below:
- https://support.quest.com/change-auditor/kb/4233514/disable-or-modify-the-frequency-of-the-coordinator-topology-task