サポートと今すぐチャット
サポートとのチャット

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Join the Threat Detection server to the coordinator's domain

Previous Next

Join the Threat Detection server to the coordinator’s domain
To join the server to the coordinator’s domain:
1
While logged on to the Threat Detection server, open a command prompt.
2
Run ‘cd /opt/quest/bin’ to change the directory to the Quest tools directory.
3
Run 'sudo ./vastool -u < User SamAccountName> join <domain FQDN>' to join the server to the coordinator’s domain.
* 
NOTE: The user must be a domain administrator or have been delegated the following tasks using the Active Directory Delegation Control wizard:
Create, delete, and manage user account.
Join a computer to the domain.
4
When prompted for the “Password for presidio”, enter the integration password.
5
When prompted for the password for the domain, enter the password of the user account specified in step 3.

The Threat Detection server will now be joined to the domain.

6
Run './vastool info domain’ to verify that the server is joined to the domain. The command will return the domain for the Threat Detection server.

Configure the service account

Previous Next

Configure the service account
To configure the service account:
1
While logged on to the Threat Detection server with the username ‘presidio’ and the integration password specified during the Threat Detection server configuration open a command prompt.
2
Run ‘cd /opt/quest/sbin’ to change the directory to the Quest sbin tools directory.
3
Run ‘sudo ./setup-mod_auth_vas4’ to create the service account.

You will now be prompted with a series of questions, accept the default answers for the prompts.

4
When prompted for a sufficiently privileged domain account, enter the domain administrator account (SAMAccountName).
5
Accept the default answer to change group of /etc/opt/quest/vas/HTTP.keytab to Apache.
6
Specify any SPN aliases (if required) or Enter to finish.
7
Run ‘sudo service httpd restart’ to restart the httpd service to finish the configuration.

The service account will now be created in Active Directory.

8
Verify that the service account has been created in the Computers container in the same domain as the Threat Detection server. The service account will be a user account with the same name as the Threat Detection server with “HTTP” appended to it.

Creating a Threat Detection configuration

Previous Next

Creating a Threat Detection configuration

A Threat Detection configuration must be created to view activity, receive alerts, and analyze anomalies on the dashboard.

When a configuration is created, the Threat Detection server is automatically joined to your coordinator's domain and an associated service account is created. This is required to enable single-sign on to the Threat Detection dashboard.

To create a Threat Detection configuration
1
From Change Auditor select Administration Tasks | Configuration | Threat Detection.
2
Enter the Threat Detection server fully qualified domain name and integration password you created when deploying the Threat Detection server.
3
Enter the account used to join the Threat Detection server to your coordinator’s domain. (Use this format for the account: <Domain>\<User Name>.)
* 
NOTE: The user must be a domain administrator or have been delegated the following tasks using the Active Directory Delegation Control wizard:
Create, delete, and manage user account.
Join a computer to the domain.
4
Select how many days of historical events should be sent to Threat Detection server. For information on how to determine the best amount for you, see Historical events and your baseline calculations.
5
Select Apply Changes.

Reviewing configuration status

Previous Next

Reviewing configuration status

The status of the Threat Detection configuration is displayed on the configuration page.

To see the Threat Detection configuration status
1
Select Administration Tasks | Configuration | Threat Detection.
2
Click Refresh.

 

Table 5. Available configuration states

State

Description

Configured

The Threat Detection server is properly configured.

Not configured

The Threat Detection server is not configured. See Creating a Threat Detection configuration.

NOTE: If you see this status after removing a configuration and want to configure Threat Detection again, see Removing a configuration for details.

Update is required

An update is required on the Threat Detection server. See Upgrading the Threat Detection server.

License required

A valid Threat Detection license has not been applied.

License expired

The Threat Detection license has expired.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択