Chat now with support
与支持团队交流

Change Auditor Threat Detection 7.0.2 - Deployment Guide

Connecting to Change Auditor

Connect-CAClient

Most Change Auditor commands require a connection to a coordinator. You can make multiple connections to different coordinators or deployments in the same script as long as the version of Change Auditor is the same.

This connection can be assigned to a variable and used for any command that requires it. Use this command to search for a suitable coordinator in a Change Auditor installation and create a connection. Suitable coordinators are those which you have access to and can be located by searching through Active Directory service connection points.

-Credential (Optional)

Windows credentials specifying the user to connect to the Change Auditor installation. All operations using this connection will be authorized as this user. When not specified, the current client running PowerShell is used.

-CoordinatorConnectionPoint (Optional)

Specify to use a specific coordinator found from a previous call to Find-CACoordinators.

-SelectLocalCoordinator (Optional)

Create a connection to the local coordinator.

-InstallationName (Optional)

The installation name to connect to. If an installation cannot be found with this name, no connection is made.

If more than one Change Auditor installation exists in the current forest, this parameter is mandatory. Omitting it results in a connection failure due to ambiguity.

-DomainName (Optional)

The name of the domain where the Change Auditor installation exists.

-ComputerName (Optional)

The computer to connect to.

-Port (Optional)

The port to connect to.

-WaitForServiceReady (Optional)

The number of seconds to wait for the connected coordinator service to be ready.

Connect-CAClient –InstallationName ‘XYZ’ -DomainName 'DomainName.com'

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration

Use this command to create a Threat Detection configuration.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

-TDServer

The Threat Detection server fully qualified domain name.

-TDPassword

The password used to access the Threat Detection server. Use the integration password that was specified during the Threat Detection server deployment.

-DomainAdminCredential

The credentials required to join the Threat Detection server to your coordinator’s domain to enable access to the dashboard using windows integrated authentication.

-HistoricalDays (Optional)

The number of days of historical events to send to the Threat Detection server. For details, see Historical events and your baseline calculations.

-AllowedCoordinators (Optional)

The DNS or NetBIOS name of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events.

Example: Creating a configuration

New-ThreatDetectionConfiguration -Connection $connection -TDServer ‘ServerName.Domain.Com’ -TDPassword $TDPassword -DomainAdminCredential $DomainAdminCredential -HistoricalDays 30
-AllowedCoordinators @('machine1.domain.com','machine2.domain.com')

相关文档