Change Auditor Threat Detection 7.0.1 - Deployment Guide

Connecting to Change Auditor

Connect-CAClient

Most Change Auditor commands require a connection to a coordinator. You can make multiple connections to different coordinators or deployments in the same script as long as the version of Change Auditor is the same.

Use this command to search a Change Auditor installation for a suitable coordinator and create a connection to it. Suitable coordinators are those you have access to and that can be located through Active Directory service connection points. The resulting connection can be assigned to a variable and passed to any command that requires one.

-Credential (Optional)

Windows credentials specifying the user to connect to the Change Auditor installation. All operations using this connection are authorized as this user. When not specified, the account running the current PowerShell session is used.

-CoordinatorConnectionPoint (Optional)

A specific coordinator connection point returned by a previous call to Find-CACoordinators.

-SelectLocalCoordinator (Optional)

Create a connection to the local coordinator.

-InstallationName (Optional)

The installation name to connect to. If an installation cannot be found with this name, no connection is made.

If more than one Change Auditor installation exists in the current forest, this parameter is mandatory. Omitting it results in a connection failure due to ambiguity.

-DomainName (Optional)

The name of the domain where the Change Auditor installation exists.

-ComputerName (Optional)

The computer to connect to.

-Port (Optional)

The port to connect to.

-WaitForServiceReady (Optional)

The number of seconds to wait for the connected coordinator service to be ready.

$connection = Connect-CAClient -InstallationName 'XYZ' -DomainName 'DomainName.com'

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration

Use this command to create a Threat Detection configuration.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

-TDServer

The Threat Detection server fully qualified domain name.

-TDPassword

The password used to access the Threat Detection server. Use the integration password that was specified during the Threat Detection server deployment.

-HistoricalDays (Optional)

The number of days of historical events to send to the Threat Detection server. For details, see Historical events and your baseline calculations.

-AllowedCoordinators (Optional)

The DNS or NetBIOS names of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events.

Example: Creating a configuration

New-CAThreatDetectionConfiguration -Connection $connection -TDServer 'ServerName.Domain.Com' -TDPassword $TDPassword -HistoricalDays 30 -AllowedCoordinators @('machine1.domain.com','machine2.domain.com')
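The two steps above (connect to a coordinator, then create the configuration) combined into one script, as an added example that is not part of the Quest guide. It assumes the Change Auditor PowerShell module is already imported and that -TDPassword accepts a SecureString (the guide passes a $TDPassword variable without stating its type); all server, domain and installation names are placeholders. It supplies -InstallationName unconditionally, so it also works in a forest with more than one installation, and it lists -AllowedCoordinators explicitly so that only named coordinators may forward events instead of every coordinator present at configuration time.

```powershell
# Added example, not from the Change Auditor Threat Detection deployment guide.
# Assumptions (not stated on the page): the Change Auditor PowerShell module is
# imported, and -TDPassword accepts a SecureString. Names are placeholders.

$ErrorActionPreference = 'Stop'

# Prompt for the account that every operation on this connection is authorized as,
# instead of embedding a username and password in the script.
$caCredential = Get-Credential -Message 'Account with Change Auditor access'

# Prompt for the integration password chosen when the Threat Detection server was deployed.
$tdPassword = Read-Host -Prompt 'Threat Detection integration password' -AsSecureString

# -InstallationName is mandatory when the forest has more than one installation;
# always supplying it avoids the ambiguity failure described in the guide.
# -WaitForServiceReady gives the coordinator service up to 60 seconds to become ready.
$connection = Connect-CAClient -Credential $caCredential `
                               -InstallationName 'PLACEHOLDER_INSTALLATION' `
                               -DomainName 'placeholder.example' `
                               -WaitForServiceReady 60

if (-not $connection) {
    throw 'No connection to a Change Auditor coordinator was established.'
}

# Restrict forwarding to named coordinators (DNS or NetBIOS names) rather than
# accepting the default of every coordinator installed at configuration time.
$allowedCoordinators = @(
    'coord1.placeholder.example',
    'coord2.placeholder.example'
)

# 30 days of historical events is the value used in the guide's own example.
New-CAThreatDetectionConfiguration -Connection $connection `
                                   -TDServer 'td-server.placeholder.example' `
                                   -TDPassword $tdPassword `
                                   -HistoricalDays 30 `
                                   -AllowedCoordinators $allowedCoordinators
```

If the cmdlet turns out to expect a plain-text password, convert the SecureString immediately before the call rather than storing the plain value in the script.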
