Chat now with support
与支持团队交流

Change Auditor Threat Detection 7.0.2 - Deployment Guide

Get-CAThreatDetectionConfiguration

Use this command to view the Threat Detection configuration information and information about the associated subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

Example: Review Threat Detection configuration details

Get-ThreatDetectionConfiguration -Connection $connection

Command output

The command returns the following information. For more information about some of these settings see the Change Auditor SIEM Integration Guide.

TDServer

The Threat Detection server fully qualified domain name.

ConfigurationState

State of the configuration:

HistoricalDays

How many days of historical events have been sent to Threat Detection server.

TDServerStatus

Status of the Threat Detection server:

DataProcessingStatus

Status of the data processing. For example, building baseline.

TDServerVersion

Threat Detection server version.

TDSubscriptionId

Threat Detection subscription ID.

StartTime

Starting point in time for events to send.

Subsystems

Subsystems that have been selected for event sending.

TDSubscriptionEnabled

Whether the Threat Detection subscription is enabled.

NotificationInterval

How often how often (in milliseconds) events are sent.

HeartbeatInterval

Interval (in milliseconds) that a heartbeat check is made for the configuration.

BatchSize

Batch size. The maximum number of events to include in a single notification message.

NotificationUrl

Url for notifications.

HeartbeatUrl

Url for heartbeat notifications.

LastEventTime

When the last event was sent.

LastEventResponse

Last event response (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)

LastHeartbeatTime

When the last heartbeat was sent.

LastHeartbeatResponse

The last heartbeat response. (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

BookmarkTime

Time the last event was sent.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.

Set-CAThreatDetectionConfiguration

Use this command to modify the list of allowed coordinators for the Threat Detection configuration.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

-AllowedCoordinators (Optional)

The DNS or NetBIOS name of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events.

Example: Modifying a configuration

Set-CAThreatDetectionConfiguration -Connection $connection -AllowedCoordinators @('machine1.domain.com','machine2.domain.com')

Example: To clear a previous list of allowed coordinators

Set-CAThreatDetectionConfiguration -Connection $connection -AllowedCoordinators @()

Remove-CAThreatDetectionConfiguration

Use this command to remove a Threat Detection configuration.

NOTE:  

Deleting the configuration only removes configuration information from Change Auditor. It does not remove data or configuration on the Threat Detection server.

-Connection

A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

Example: Remove the Threat Detection configuration

Remove-ThreatDetectionConfiguration -Connection $connection

 

 

Appendix: System Architecture

相关文档