
Change Auditor Threat Detection 7.0.3 - Deployment Guide

Connect-CAClient

Most Change Auditor commands require a connection to a coordinator. You can make multiple connections to different coordinators or deployments in the same script as long as the version of Change Auditor is the same.

This connection can be assigned to a variable and used for any command that requires it. Use this command to search for a suitable coordinator in a Change Auditor installation and create a connection. Suitable coordinators are those which you have access to and can be located by searching through Active Directory service connection points.

-Credential (Optional)

Windows credentials specifying the user to connect to the Change Auditor installation. All operations using this connection are authorized as this user. When not specified, the identity of the user running the current PowerShell session is used.

-CoordinatorConnectionPoint (Optional)

Specify to use a specific coordinator found from a previous call to Find-CACoordinators.

-SelectLocalCoordinator (Optional)

Create a connection to the local coordinator.

-InstallationName (Optional)

The installation name to connect to. If an installation cannot be found with this name, no connection is made.

Although the parameter is optional in the cmdlet syntax, specify it whenever more than one Change Auditor installation exists in the current forest; omitting it in that case leaves the target ambiguous and the connection fails.

-DomainName (Optional)

The name of the domain where the Change Auditor installation exists.

-ComputerName (Optional)

The computer to connect to.

-Port (Optional)

The port to connect to.

-WaitForServiceReady (Optional)

The number of seconds to wait for the connected coordinator service to be ready.

$connection = Connect-CAClient -InstallationName 'XYZ' -DomainName 'DomainName.com'
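The following script is an added example and is not part of the Quest documentation or the Change Auditor module. It wraps Connect-CAClient so that a missing installation or a coordinator that never becomes ready fails loudly instead of silently yielding an empty variable, passes -Credential only when a service account was supplied, and then holds two connections at once as the guide permits. The installation names 'XYZ' and 'LAB', the domain names, and the Connect-CAInstallation function name are placeholders.

```powershell
# Added example, not Quest code. Assumes the Change Auditor PowerShell
# module is loaded and 'XYZ' / 'LAB' / the domain names are placeholders.

function Connect-CAInstallation {
    param(
        [Parameter(Mandatory)] [string] $InstallationName,
        [Parameter(Mandatory)] [string] $DomainName,
        [pscredential] $Credential,          # omit to run as the current session user
        [int] $WaitForServiceReady = 60      # seconds to wait for the coordinator service
    )

    $params = @{
        InstallationName    = $InstallationName
        DomainName          = $DomainName
        WaitForServiceReady = $WaitForServiceReady
    }
    # Pass -Credential only when one was supplied; otherwise the cmdlet
    # authorizes every operation as the identity running PowerShell.
    if ($Credential) { $params['Credential'] = $Credential }

    try {
        $connection = Connect-CAClient @params -ErrorAction Stop
    } catch {
        throw "Connect-CAClient failed for installation '$InstallationName' in '$DomainName': $($_.Exception.Message)"
    }
    if (-not $connection) {
        # Per the guide, no connection is made when no installation with this
        # name can be located through the AD service connection points.
        throw "No coordinator found for installation '$InstallationName' in '$DomainName'."
    }
    return $connection
}

# Prompt for a dedicated service account instead of embedding a password in
# the script; Get-Credential keeps the password as a SecureString.
$caCred = Get-Credential -Message 'Account used for Change Auditor operations'

# Two installations in the same forest, each connected explicitly by name so
# the target is never ambiguous.
$prodConnection = Connect-CAInstallation -InstallationName 'XYZ' -DomainName 'DomainName.com' -Credential $caCred
$labConnection  = Connect-CAInstallation -InstallationName 'LAB' -DomainName 'lab.DomainName.com' -Credential $caCred

# Every later cmdlet names the connection it acts on, so the two deployments
# cannot be mixed up in the same script.
Get-CAThreatDetectionConfiguration -Connection $prodConnection
Get-CAThreatDetectionConfiguration -Connection $labConnection
```

Both connections must be to the same Change Auditor version; the wrapper does not check that, so keep it in mind when a lab deployment runs ahead of production.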

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration

Use this command to create a Threat Detection configuration.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

-TDServer

The Threat Detection server fully qualified domain name.

-TDPassword

The password used to access the Threat Detection server. Use the integration password that was specified during the Threat Detection server deployment.

-DomainAdminCredential

The credentials required to join the Threat Detection server to your coordinator's domain, which enables access to the dashboard using Windows integrated authentication.

-HistoricalDays (Optional)

The number of days of historical events to send to the Threat Detection server. For details, see Historical events and your baseline calculations.

-AllowedCoordinators (Optional)

The DNS or NetBIOS name of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events.

Example: Creating a configuration

New-CAThreatDetectionConfiguration -Connection $connection -TDServer 'ServerName.Domain.Com' -TDPassword $TDPassword -DomainAdminCredential $DomainAdminCredential -HistoricalDays 30 -AllowedCoordinators @('machine1.domain.com','machine2.domain.com')
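The script below is an added example, not Quest code, that carries the creation step through end to end: it obtains the connection, collects the two secrets interactively rather than hard-coding them, restricts the coordinators that may send events, and then reads the configuration back to confirm the restriction took effect. It assumes the -TDPassword parameter accepts the SecureString that Read-Host -AsSecureString returns (check the parameter type in your installed module; if it expects a plain string, adjust the prompt accordingly). The server name 'td01.DomainName.com' and the coordinator names are placeholders.

```powershell
# Added example, not Quest code. Placeholders: 'XYZ', 'DomainName.com',
# 'td01.DomainName.com', 'machine1/2.DomainName.com'.
$connection = Connect-CAClient -InstallationName 'XYZ' -DomainName 'DomainName.com'
if (-not $connection) { throw 'No Change Auditor connection; check the installation name.' }

# Integration password set during Threat Detection server deployment.
# Assumption: the cmdlet accepts a SecureString for -TDPassword.
$TDPassword = Read-Host -Prompt 'Threat Detection integration password' -AsSecureString

# Domain admin credential is used once to join the TD server to the
# coordinator's domain; prompt for it and never persist it to disk.
$DomainAdminCredential = Get-Credential -Message 'Domain admin for joining the Threat Detection server'

# Restrict which coordinators may send events. Leaving this empty permits every
# coordinator installed at configuration time, including ones you may not
# intend to feed the Threat Detection server.
$allowedCoordinators = @('machine1.DomainName.com', 'machine2.DomainName.com')

New-CAThreatDetectionConfiguration -Connection $connection `
    -TDServer 'td01.DomainName.com' `
    -TDPassword $TDPassword `
    -DomainAdminCredential $DomainAdminCredential `
    -HistoricalDays 30 `
    -AllowedCoordinators $allowedCoordinators

# Read the configuration back and verify the coordinator allow-list.
$config = Get-CAThreatDetectionConfiguration -Connection $connection
if (-not $config) { throw 'No Threat Detection configuration returned.' }

$unexpected = @($config.AllowedCoordinators | Where-Object { $_ -notin $allowedCoordinators })
if ($unexpected.Count -gt 0) {
    Write-Warning "Coordinators permitted that were not requested: $($unexpected -join ', ')"
}
"Server: $($config.TDServer)  State: $($config.ConfigurationState)  Historical days: $($config.HistoricalDays)"
```

Because -HistoricalDays controls how much past activity seeds the baseline, pick it deliberately: the server treats whatever is sent as normal behaviour, so a window that includes a known incident bakes that activity into the baseline.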

Get-CAThreatDetectionConfiguration

Use this command to view the Threat Detection configuration information and information about the associated subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

Example: Review Threat Detection configuration details

Get-CAThreatDetectionConfiguration -Connection $connection

Command output

The command returns the following information. For more information about some of these settings see the Change Auditor SIEM Integration Guide.

TDServer

The Threat Detection server fully qualified domain name.

ConfigurationState

State of the configuration.

HistoricalDays

How many days of historical events have been sent to Threat Detection server.

TDServerStatus

Status of the Threat Detection server.

DataProcessingStatus

Status of the data processing on the Threat Detection server, for example building the baseline.

TDServerVersion

Threat Detection server version.

TDSubscriptionId

Threat Detection subscription ID.

StartTime

Starting point in time for events to send.

Subsystems

Subsystems that have been selected for event sending.

TDSubscriptionEnabled

Whether the Threat Detection subscription is enabled.

NotificationInterval

How often (in milliseconds) events are sent.

HeartbeatInterval

Interval (in milliseconds) that a heartbeat check is made for the configuration.

BatchSize

The maximum number of events to include in a single notification message.

NotificationUrl

URL that event notifications are sent to.

HeartbeatUrl

URL that heartbeat notifications are sent to.

LastEventTime

When the last event was sent.

LastEventResponse

The last event response, for example OK, HTTP 429 (too many events being sent), or HTTP 401 (unauthorized access).

LastHeartbeatTime

When the last heartbeat was sent.

LastHeartbeatResponse

The last heartbeat response, for example OK, HTTP 429 (too many events being sent), or HTTP 401 (unauthorized access).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

BookmarkTime

Time the last event was sent.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.
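The fields above are exactly what an operator needs to notice that the feed to the Threat Detection server has stalled or is being rejected. The following added example, not Quest code, turns a Get-CAThreatDetectionConfiguration result into a pass/fail health check suitable for a scheduled task: it flags a disabled subscription, a non-OK LastEventResponse or LastHeartbeatResponse (for example HTTP 401 or 429), a heartbeat older than a multiple of HeartbeatInterval, and an event gap beyond an allowed lag. Only the property names documented above are used; the thresholds, the Test-CAThreatDetectionHealth function name, and the sample object at the end (constructed to stand in for a live result) are assumptions.

```powershell
# Added example, not Quest code. Uses only the output properties documented
# for Get-CAThreatDetectionConfiguration; thresholds are assumptions to tune.

function Test-CAThreatDetectionHealth {
    param(
        [Parameter(Mandatory)] $Config,          # object from Get-CAThreatDetectionConfiguration
        [int] $HeartbeatMissedMultiplier = 3,    # heartbeat intervals missed before alarming
        [int] $MaxEventLagMinutes = 60           # acceptable gap since the last event was sent
    )
    $now = Get-Date
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $Config.TDSubscriptionEnabled) {
        $problems.Add("Subscription $($Config.TDSubscriptionId) is disabled; last sender was $($Config.LastCoordinator).")
    }

    # Anything other than OK (for example HTTP 401 or HTTP 429) means the
    # Threat Detection server is rejecting or throttling what we send.
    foreach ($pair in @(@('LastEventResponse', 'event'), @('LastHeartbeatResponse', 'heartbeat'))) {
        $value = [string]$Config.($pair[0])
        if ($value -and $value -notmatch '^OK') {
            $problems.Add("Last $($pair[1]) response was '$value'.")
        }
    }

    # HeartbeatInterval is in milliseconds; convert before comparing to wall-clock time.
    if ($Config.HeartbeatInterval -and $Config.LastHeartbeatTime) {
        $allowed = [TimeSpan]::FromMilliseconds($Config.HeartbeatInterval * $HeartbeatMissedMultiplier)
        $since   = $now - [DateTime]$Config.LastHeartbeatTime
        if ($since -gt $allowed) {
            $problems.Add("No heartbeat for $([int]$since.TotalMinutes) min (interval $($Config.HeartbeatInterval) ms).")
        }
    }

    if ($Config.LastEventTime) {
        $lag = $now - [DateTime]$Config.LastEventTime
        if ($lag.TotalMinutes -gt $MaxEventLagMinutes) {
            $problems.Add("Last event sent $([int]$lag.TotalMinutes) min ago; $($Config.EventsSent) events in $($Config.BatchesSent) batches so far.")
        }
    }

    [pscustomobject]@{
        TDServer = $Config.TDServer
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Against a live coordinator:
#   $connection = Connect-CAClient -InstallationName 'XYZ' -DomainName 'DomainName.com'
#   Test-CAThreatDetectionHealth -Config (Get-CAThreatDetectionConfiguration -Connection $connection)

# Constructed sample standing in for a live result so the check can be tried offline.
# It models a server that is throttling events (HTTP 429) and has stopped heartbeating.
$sample = [pscustomobject]@{
    TDServer              = 'td01.DomainName.com'
    TDSubscriptionId      = 'sample-subscription'
    TDSubscriptionEnabled = $true
    HeartbeatInterval     = 60000
    LastHeartbeatTime     = (Get-Date).AddMinutes(-10)
    LastHeartbeatResponse = 'OK'
    LastEventTime         = (Get-Date).AddMinutes(-5)
    LastEventResponse     = 'HTTP 429 - Too many events being sent'
    EventsSent            = 12345
    BatchesSent           = 250
    LastCoordinator       = 'machine1.DomainName.com'
}
$result = Test-CAThreatDetectionHealth -Config $sample
$result | Format-List
```

With the sample above the function reports Healthy = False with two problems: the HTTP 429 event response and a heartbeat gap of about ten minutes against a three-minute allowance. When scheduling this, return a non-zero exit code from the calling script when Healthy is false so the task scheduler or monitoring agent surfaces it; an HTTP 401 in particular usually means the integration password on the coordinator no longer matches the one on the Threat Detection server.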
