Chat now with support
Chat with Support

Change Auditor Threat Detection 7.0.1 - Deployment Guide

Requirements and prerequisites

For a successful deployment, ensure that your environment meets the minimum system requirements.

* 
NOTE: The Threat Detection server is available in both 8 and 16 cores versions. The number of cores impact the length of time it takes to process historical audit data and build baseline.

Minimum system requirements for the Threat Detection server:
VMWare ESX version 5.5 and above
Small and medium sized enterprise edition OVA:
* 
NOTE: The 8 core edition is most appropriate if Change Auditor is sending and the Threat Detection server is processing less than 5 Million events per day.
OVA file size: ~10GB
CPU: 8 cores, Minimal 2.3 GHz, Recommended 2.4 GHz
RAM: 64 GB
I/O: 500 MB/sec
Disk: SAS 320 GB, SAS 930 GB
Large sized enterprise edition OVA:
OVA file size: ~10GB
CPU: 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz
RAM: 64 GB
I/O: 500 MB/sec
Disk: SAS 320 GB, SAS 930 GB
Obtain a static IP address for Threat Detection server and add DNS (A) record for it.
Determine the number of historical days to use for your activity baseline. For information on how to determine the best amount for you, see Historical events and your baseline calculations.

Events to configure

Events to configure
* 
NOTE: Consider Maintaining the Change Auditor database size when adding events for Threat Detection auditing.

Events from the following modules are used to build models and generate alerts:

Table 1. Events used for modeling and alerts
Module
Events

Change Auditor for Logon Activity

Authentication Activity events – these are the successful and failed interactive and remote interactive events (all enabled by default).

Domain Controller Authentication events – Ensure that you enable the ‘User authenticated through Kerberos” event. By default, it is disabled.

Change Auditor for Active Directory

User and group events (all enabled by default)

Change Auditor for Windows File Servers

Change Auditor for EMC

Change Auditor for FluidFS

Change Auditor for NetApp

For optimal Threat Detection results, Quest recommends that you select file, folder, and share events that audit permission changes, create, delete, rename, and open actions during the template creation.

Maintaining the Change Auditor database size

Some of the events required for Threat Detection can be very noisy and take up space in the Change Auditor database. Once the events are sent to the Threat Detection server for analysis storage in the Change Auditor database is no longer needed.

To ensure the database maintains a manageable size, Quest recommends that you purge events older than 30 days.

Particularly noisy events are:
User authenticated through Kerberos
File and folder open

Deploying the Threat Detection server

To download the Threat Detection server go to https://support.quest.com/change-auditor/download-new-releases.

The Threat Detection server, which is a a version of Red Hat Enterprise Linux 6 (64 bit), is available as Open Virtual Appliance (OVA) file that needs to be deployed on VMWare ESXi using VMWare VSphere Client.

* 
NOTE: Depending on the version of the ESXi, the deployment steps may be different. The below steps outline the process for vSphere Client version 6.5.
To deploy the Threat Detection server
1
Open vSphere Web Client (Flash) version.
* 
NOTE: VMWare VSphere Client should be connected to VMWare vCenter not an individual ESXi host.
2
Select Actions | Deploy OVF Template.
3
Under Select template, choose Local file, browse for the OVA template, and click Next.
* 
NOTE: The file should be located on the computer where the VSphere client is being used.
4
Under Select name and location, specify the name and inventory location for the deployed template and click Next.
5
On Select a resource, choose the destination computer for the OVA and click Next.
6
Under Review details, verify the OVF template details and click Next.
7
Under Select Storage, select the datastore for the configuration and the disk files and click Next. The Thin Provision option is recommended.
8
Under Select networks, choose a destination network for the virtual computer and select Next.
9
Under Customize template, enter the deployment properties for the Threat Detection sever.

 
Property
Description

Hostname

Fully qualified domain name of the Threat Detection server that has been registered in DNS

For example: hostname.yourcompamy.com

IP Address

Static IPv4 address of the Threat Detection server

Subnet Netmask

Subnet mask

For example: 255.255.255.0

Default Gateway

Default gateway IP address

DNS

DNS server IP address

Password

Password required for the integration between Change Auditor and the Threat Detection server. The integration password is used during the Threat Detection configuration and accessing the Tread Detection dashboard from a Chrome browser.

The password must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$.

Maintain this password for creating the Threat Detection configuration.

10
Click Next.
11
Under Ready to complete, verify the information and click Finish.
12
Once the deployment in complete, power on the Threat Detection server.
13
Quest recommends that you take a snapshot of the newly deployed virtual server. This allows you to revert to a clean state without redeploying the server if you need to start over or re-create a configuration.
You are now ready to create a Threat Detection configuration in Change Auditor.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating