サポートと今すぐチャット
サポートとのチャット

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Configured server deployment details

Previous Next

Configured server deployment details

For a configured server, the following deployment details are displayed:
State of the configuration.
How many historical events have been sent to Threat Detection server.
Status of the Threat Detection server.
Status of the data processing. For example, building baseline.
Threat Detection server version.
Threat Detection subscription ID.
Starting point in time for events to send.
Subsystems that contain the event data that is being sent.
Whether the Threat Detection subscription is enabled.
How often how often (in milliseconds) events are sent.
Interval (in milliseconds) that a heartbeat check is made for the configuration.
Batch size. (The maximum number of events to include in a single notification message.)
Url for notifications.
Url for heartbeat notifications.
When the last event was sent.
Last event response (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)
When the last heartbeat was sent.
When the last heartbeat response. (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)
Number of events sent.
Number of batches sent.
Number of heartbeats sent.
Time of the event that was last sent.
List of coordinators permitted to send events.
The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.

Removing a configuration

Previous Next

Removing a configuration

Deleting the configuration only removes configuration information from Change Auditor. It does not remove data or configuration on the Threat Detection server.

If you are removing the configuration as a part of a clean up process, you can delete the Threat Detection server after removing configuration.

If you are removing the configuration and plan to start over, you can either revert to a snapshot from a previously deployed (but not configured) Threat Detection server or deploy a new Threat Detection server.

 

* 
NOTE: When you join the server to the domain during configuration, Change Auditor creates a computer and service account in the domain required for Integrated Windows Authentication. The computer and service account must be removed manually from the domain when a configuration is removed.
To remove a Threat Detection configuration
1
Select Administration Tasks | Configuration | Threat Detection.
2
Click Remove Configuration.

This removes the Threat Detection configuration from Change Auditor.

Historical events and your baseline calculations

Previous Next

Historical events and your baseline calculations

Before the Threat Detection server can generate alerts, it needs to establish user behavior baseline. The baseline is built by processing 30 days of historical or real time events. Refer to the Change Auditor Threat Detection User Guide for information about baseline modeling.

When you create the Threat Detection configuration, you can specify how many days of historical events should be sent to the Threat Detection server to create the baseline.

* 
NOTE: The baseline is more accurate if it is built using the exact configuration of events that you plan to analyze on an ongoing basis. If a new event is enabled after the initial baseline has been built (for instance, the User authenticated through Kerberos event) it may initially be treated as an anomaly as there is no history of it in the baseline.

Table 6. How to determine which type of events to use for a baseline

Type of events to use

When to use...

Real-time events (0 days)

NOTE: It will take at least 30 days before you start seeing alerts in the Threat Detection dashboard.
For a new installation of Change Auditor where no events have been collected.
If you just enabled events that need to be analyzed by Change Auditor Threat Detection.

Historical events (more than 0 days)
If you have been collecting all events supported by Change Auditor Threat Detection.
If you are not purging any of the events supported by Change Auditor Threat Detection.

Use the following as guidance on the number of days to specify when you create your Threat Detection configuration:

You should not specify more days than the number of days of events that exist in the Change Auditor database.
You can enter between 1 and 90 days.
If you specify less than 30 days, Threat Detection uses real time events to continue to build a baseline until 30 days of event have been analyzed.
If you specify more than 30 days, the Threat Detection server starts generating alerts for any abnormal activity that happened after 30 days.

Threat Detection configuration commands

Previous Next

Threat Detection configuration commands
Adding the PowerShell module
Viewing available commands and help
Connecting to Change Auditor
Managing a Threat Detection configuration

 

 

 

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択