Chat now with support
Chat with Support

Change Auditor Threat Detection 7.0.4 - User Guide

Threat indicators

The following tables contain indicators (and the alert that they are associated with) available for each Change Auditor subsystem:

Abnormal File Access Time

 

Non-Standard Hours

 

A user accessed a file at an abnormal time.

Abnormal File Access Permission Change

 

Mass Permission Changes

 

A user changed multiple share permissions.

Abnormal File Access Event

 

Abnormal File Access

 

A user accessed a file abnormally.

Multiple File Access Permission Changes

Mass Permission Changes

 

A user changed multiple file share permissions.

Multiple File Access Events

 

Snooping User

 

A user accessed multiple file share permissions.

Multiple Failed File Access Permission Changes

Mass Permission Changes

 

A user failed multiple times to change file access permissions.

Multiple Failed File Access Events

 

Snooping User

 

A user failed multiple times to access a file.

Multiple File Open Events

Snooping User

A user opened multiple files.

Multiple Folder Open Events

Snooping User

A user opened multiple folders.

Multiple File Delete Events

Abnormal File Access

A user deleted multiple files.

Multiple File Rename Events

Mass File Rename

A user renamed multiple files.

Excessive Number of Files Moved from File System

Data Exfiltration

 

A user moved multiple files from a shared drive.

Excessive Number of Files Moved to File System

Data Exfiltration

 

A user moved multiple files to a shared drive.

 

 

Abnormal Active Directory Change Time

Non-Standard Hours

 

A user made Active Directory changes at an abnormal time.

Abnormal Active Directory Change

 

Abnormal AD Changes

A user made an abnormal change to AD attribute.

Abnormal Site

Abnormal Site Access

A user logged on from a computer in an abnormal site.

Multiple Member Additions to Enterprise Critical Groups

See the list of groups in the Change Auditor for Active Directory Event Reference Guide for "Member Added to Critical Enterprise Group”.

Mass Changes to Critical Enterprise Groups

A user successfully made multiple changes to sensitive groups.

Multiple Group Membership Changes

Mass Changes to Groups

 

A user successfully made multiple changes to groups.

Multiple Account Management Changes

Abnormal AD Changes

 

A user successfully made multiple Active Directory changes.

Multiple User Account Management Changes

Abnormal AD Changes

 

A user successfully made multiple sensitive Active Directory changes.

Multiple Failed Account Management Changes

Abnormal AD Changes

 

A user failed to make multiple Active Directory changes.

Admin Password Changed

Admin Password Change

An admin's password was changed.

User Account Enabled

Sensitive User Status Changes

A user enabled another user account.

User Account Disabled

Sensitive User Status Changes

A user disabled another user account.

User Account Unlocked

Sensitive User Status Changes

A user unlocked another user account.

User Account Type Changed

Sensitive User Status Changes

A user account type was changed by another user account.

User Account Locked

Sensitive User Status Changes

A user locked another user account.

User Password Never Expires Option Changed

Sensitive User Status Changes

 

A user password policy was changed by another user account.

User Password Changed by Non-Owner

Sensitive User Status Changes

 

A user's password was changed by non-owner.

User Password Changed

Sensitive User Status Changes

A user changed the password for another user account.

Member Added to Critical Enterprise Group

Elevated Privileges Granted

 

A user was added to a privileged group.

 

Abnormal Logon Time

Non-Standard Hours

A user logged on at an abnormal time.

Abnormal Remote Computer

 

User Login to Abnormal Remote Host

A user attempted to remotely access an abnormal computer.

Abnormal Computer

User Login to Abnormal Host

A user attempted to access an abnormal computer.

Multiple Successful Authentications

Multiple Logons by User

A user logged on multiple times.

Multiple Failed Authentications

Multiple Failed Logons

A user failed to log on multiple times.

Logged into Multiple Domains

User Logins to Multiple AD Sites

A user attempted to log on to multiple domains.

Logged onto Multiple Computers

User Logged into Multiple Hosts

 

A user attempted to log on from multiple computers.

 

 

Related Documents