
Change Auditor Threat Detection 7.0.1 - User Guide

Baselines

Change Auditor Threat Detection applies machine learning to build behavioral features and a multi-dimensional baseline of typical behavior for each user in your environment. The baseline comprises a unique set of identifiers to ensure that only abnormal behaviors are flagged. For example, the baseline can include information about when a user typically logs on, which workstation they use, whether they tend to log on from remote locations, which files they typically access and so on.

As the baselines are refined over time, the Threat Detection server learns what to expect from each user, which minimizes alarms caused by normal changes in activity. Change Auditor Threat Detection requires 30 days of audit history to establish the initial user behavior baselines.

Threat indicators

Indicators define risky activity, such as suspicious user logons, brute-force password attacks, unusual Active Directory changes, and abnormal file access. However, threat indicators are not constrained to a specific raw event — they use machine learning to identify patterns of events that together could indicate a threat.

Specifically, as raw events stream in, the Threat Detection server analyzes human actors, accounts, locations and operations to identify behavior that deviates from established baselines.

Abnormal and risky behaviors are evaluated to produce threat indicators. These indicators are based on present and historical patterns, as well as specifically defined risky attributes. An indicator consolidates all activities that are detected as abnormal and are scored as such based on their overall significance.

Anomalous behavior that corresponds with a threat indicator is assigned an individual risk score based on the event’s rarity and criticality. This strategy ensures that, out of all the raw events, only behavioral changes that are important and potentially indicative of suspicious activity are highlighted.

Threat indicators are the basis for the formation of alerts. Alerts are sorted by severity to reflect their security importance and are managed by the analyst, who investigates them and provides feedback.

SMART alerts

SMART (Significant Multidimensional Anomaly Reduction Technology) is a correlation technology that provides prioritized results for dynamic and frequently changing behaviors. The technology uses statistical and machine learning algorithms to identify unique connections between anomalies, thereby reducing false positives and helping to spot threats.

SMART prioritizes and consolidates threats that reflect a meaningful deviation in user behavior. As a result, while millions of raw events might yield discovery of thousands of threat indicators, only patterns of truly suspicious behavior are scored. This means that fewer alerts are raised in the Threat Detection dashboard, and fewer false positives are identified. Like baselines, SMART alerts improve over time as more log data is processed, so they deliver increasingly accurate user threat detection.

Risk scoring

Each alert is assigned a risk score based on the criticality of its threat indicators. All the alerts that have been identified for each user are combined to produce an overall user risk score that reflects how risky or suspicious that user is. To ensure that only highly suspicious patterns of activity are highlighted and more innocuous alerts are suppressed, risk scoring is applied at four different stages.

Stage 1: Event scoring

Each raw event is given an initial risk score that rates the abnormality of its parameters, such as the computer, time or file location.

Stage 2: Threat indicator scoring

Similar events are grouped as threat indicators and scored again to identify abnormal patterns that extend over a period of time, such as an hour.

Stage 3: Alert scoring

SMART alerts correlate events and threat indicators into an aggregate alert, which is scored for a third time based on the uniqueness of its composition and the severity of the activities involved.

Indicators that are not scored high enough, or that are not correlated with other indicators in the same time period, are eliminated as false positives so that they do not create excessive noise. Only the SMART alerts that are scored as most critical are shown in the dashboard.

The final score ranges between 0 and 100, where 0 reflects an event, session or user that is fully consistent with the normal baseline, whereas 100 indicates a very unusual anomaly.

Score base values are predetermined but can be modified to increase or reduce their sensitivity to risk. By default, each risk level has the following base scores:

Stage 4: User risk scoring

The user risk score is an aggregate of all the SMART alert scores that have been raised for that user. The users with the highest risk scores are highlighted in the Threat Detection dashboard.
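As an added example (not Change Auditor's code), the following toy scorer walks constructed logon events through the four stages described above; the rarity formula, the thresholds and the aggregation rules are assumptions chosen to make each stage visible.

```python
# Added example, not Change Auditor's code: a toy four-stage scorer whose
# rarity formula, thresholds and aggregation rules are assumptions.
from collections import Counter, defaultdict
# Constructed 30-day baseline per user: (logon hour, workstation) observations.
LOGONS = {"alice": [(9, "WS-ALICE")] * 16 + [(17, "WS-ALICE")] * 3 + [(9, "WS-LAB")]}
BASELINES = {u: (Counter(h for h, _ in obs), Counter(w for _, w in obs))
             for u, obs in LOGONS.items()}

def rarity(counter, value):
    """0 = seen in every baseline observation, 100 = never seen before."""
    return round(100 * (1 - counter[value] / sum(counter.values())))

def score_event(event):
    """Stage 1: rate the abnormality of the event's time and computer."""
    hours, hosts = BASELINES[event["user"]]
    return max(rarity(hours, event["hour"]), rarity(hosts, event["host"]))

def score_indicators(events, min_event=60):
    """Stage 2: group abnormal events of one kind within one hour and rescore."""
    groups = defaultdict(list)
    for e in events:
        if (s := score_event(e)) >= min_event:
            groups[(e["user"], e["hour"], e["kind"])].append(s)
    return {key: round(sum(v) / len(v)) for key, v in groups.items()}

def score_alerts(indicators, min_indicator=70):
    """Stage 3: correlate indicators sharing a user/hour window; drop low or lone ones."""
    windows = defaultdict(list)
    for (user, hour, _kind), s in indicators.items():
        if s >= min_indicator:
            windows[(user, hour)].append(s)
    return {w: min(100, max(v) + 5 * (len(v) - 1))
            for w, v in windows.items() if len(v) >= 2}

def score_users(alerts):
    """Stage 4: aggregate each user's alert scores into one user risk score."""
    users = defaultdict(int)
    for (user, _hour), s in alerts.items():
        users[user] = min(100, users[user] + s)
    return dict(users)

# Constructed raw events: a 03:00 burst from an unknown workstation, a lone
# off-hours logon from the usual machine, and one normal working-hours logon.
EVENTS = [
    {"user": "alice", "hour": 9, "host": "WS-ALICE", "kind": "logon"},
    {"user": "alice", "hour": 3, "host": "WS-UNKNOWN", "kind": "logon"},
    {"user": "alice", "hour": 3, "host": "WS-UNKNOWN", "kind": "logon"},
    {"user": "alice", "hour": 3, "host": "WS-UNKNOWN", "kind": "file_access"},
    {"user": "alice", "hour": 17, "host": "WS-ALICE", "kind": "logon"},
]
```

Running the stages in order (`score_users(score_alerts(score_indicators(EVENTS)))`) shows the 17:00 logon scored as an indicator but discarded at stage 3 because nothing else in that hour correlates with it, while the 03:00 window becomes the single alert that drives the user score.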
