지금 지원 담당자와 채팅
지원 담당자와 채팅

Change Auditor Threat Detection 7.1.1 - User Guide

Accessing the dashboard

Once you have deployed the Threat Detection server, configured Change Auditor for Threat Detection, and the system has analyzed 30 days of historical data to create a baseline of user behavior, you can access the Threat Detection dashboard.

To allow access to the Threat Detection dashboard in the Change Auditor client or through Chrome using single-sign on, the Threat Detection server is joined to the coordinator’s domain during the initial Threat Detection configuration or manually during an upgrade. See the Change Auditor Threat Detection Deployment Guide for details on creating a configuration or updating the Threat Detection server.

To access the dashboard from Change Auditor
Select View | Threat Detection Dashboard.
* 
NOTE: The account used to access the dashboard is the user currently logged on to Change Auditor.
To access the dashboard through Chrome
Use the DNS name for the Threat Detection server provided during deployment. For example: “https://TDServerName.DomainName.Com/caui-webapp/index.html”.
* 
NOTE: The following prerequisites are required to enable single-sign on:
In the Internet Options security settings, add the URL for the Threat Detection dashboard to:
Trusted Sites with the User Authentication | Logon | Automatic logon with current username and password option enabled.
- OR-
Local Internet
You must be a member of the Change Auditor Administrators or Operators group in the same domain as the Threat Detection server’s domain. To grant access to users from other domains in the same forest, add them to one of the Change Auditor's groups.

Overview tab

The Overview tab provides an initial view of the recent and most important user activities in your environment. At a glance you can see details on the high risk user such as their photo, display or logon name, job title, department, and their address.

Each pane shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.
High Risk Users
SMART Alerts
All Users
Alerts Status
Alerts Severity

High Risk Users

User risk scores are a primary tool for incident prioritization. Using the score, the system highlights specific user accounts that require immediate attention.

The user risk score is the addition of the "contribution to user score" assigned to each alert that is associated with the user and the analysts notes.

* 
NOTE: The Analyst Notes section of the dashboard allows analysts to mark an alert as an Actual Risk or Not a Risk.

Score calculation formula:

User Risk Score = ∑ [Unreviewed (no analyst notes provided) & "Actual Risk"] - ∑ ["Not A Risk"]

The contribution to the user score value for the alert is dependent on the alert severity. The severities are color coded to help identify the severity quickly.

Table 2. Severity color code and contribution to user score values based on alert severity
Severity
Color
Contribution

Critical

Red

+20

High

Yellow

+15

Medium

Blue

+10

Low

Green

+1

The High Risk Users pane lists users with the highest user risk scores, and the following information related to each of those alerts:
Username: Name of the user.
User Risk Score: The risk score of the user.

To investigate a user, click anywhere in the user frame to investigate the user’s alerts. See How to perform an alert investigation for more information.

Retired alerts

Alerts and their associated indicators are retired after 90 days and the alert score drops to 0. Once an alert is retired, the risky user is also removed from the dashboard. The retired alerts and indicators remain accessible in the dashboard for an additional 6 months. They will not affect the user score, and they will be grayed-out in the user profile page.

SMART Alerts

The SMART Alerts pane displays a list of alerts, severity level, alert creation date, and number of indicators. The list is comprised of the top ranked SMART alerts in the last 2 months.

Clicking on a SMART Alert displays the corresponding alert on the Alert Overview page, allowing for further investigation (see How to perform an alert investigation).

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택