Chat now with support

Change Auditor Threat Detection 7.0.2 - Deployment Guide

Requirements and prerequisites

For a successful deployment, ensure that your environment meets the minimum system requirements.

The Threat Detection server deployed on VMWare ESX is available in both 8 and 16 cores versions.
For a Hyper-v deployment, a single server is available and you select the number of cores during the deployment.

For all deployments:

Events to configure

NOTE: Consider Maintaining the Change Auditor database size when adding events for Threat Detection auditing.

Events from the following modules are used to build models and generate alerts:

Change Auditor for Logon Activity

Authentication Activity events – these are the successful and failed interactive and remote interactive events (all enabled by default).

Domain Controller Authentication events – Ensure that you enable the ‘User authenticated through Kerberos” event. By default, it is disabled.

Change Auditor for Active Directory

User and group events (all enabled by default).

Change Auditor for Windows File Servers

Change Auditor for EMC

Change Auditor for FluidFS

Change Auditor for NetApp

For optimal Threat Detection results, Quest recommends that you select file, folder, and share events that audit permission changes, create, delete, rename, and open actions during the template creation.

Maintaining the Change Auditor database size

Some of the events required for Threat Detection can be very noisy and take up significant space in the Change Auditor database. Once the events are sent to the Threat Detection server for analysis storage in the Change Auditor database is no longer needed.

To ensure the database maintains a manageable size, Quest recommends that you purge events older than 30 days.

Particularly noisy events are:

Deploying a Threat Detection server on ESX

To download the Threat Detection server go to

The Threat Detection server, which is a a version of Red Hat Enterprise Linux 7 (64 bit), is available as Open Virtual Appliance (OVA) file that must be deployed on VMWare ESXi using VMWare VSphere Client.

Select Actions | Deploy OVF Template.
Under Select template, choose Local file, browse for the OVA template, and click Next.
Under Select name and location, specify the name and inventory location for the deployed template and click Next.
On Select a resource, choose the destination computer for the OVA and click Next.
Under Review details, verify the OVF template details and click Next.
Under Select Storage, select the datastore for the configuration and the disk files and click Next. The Thin Provision option is recommended.
Under Select networks, choose a destination network for the virtual computer and select Next.
Under Customize template, enter the deployment properties for the Threat Detection sever.



Fully qualified domain name of the Threat Detection server that has been registered in DNS.

For example:

IP address

Static IPv4 address of the Threat Detection server.

Subnet mask

Subnet mask.

For example:

Default gateway

Default gateway IP address.


DNS server IP address.

Integration password

Password required for the integration between Change Auditor and the Threat Detection server. The integration password is used during the Threat Detection configuration.

The password must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$.

Maintain this password for use when creating the Threat Detection configuration.

Root password

Root password for the Threat Detection server. It must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$.

Click Next.
Under Ready to complete, verify the information and click Finish.