立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction to Change Auditor Threat Detection

Previous Next

Introduction to Change Auditor Threat Detection

To protect your data and your business, Change Auditor Threat Detection uses advanced machine learning, user and entity behavioral analytics (UEBA), and SMART correlation technology to spot anomalous activity and identify the highest risk users in your environment. The users with the highest risk scores are then highlighted in the Threat Detection dashboard, enabling you to prioritize your response and adjust policies to strengthen your organization’s security and regulatory enforcement.

For details about using the Threat Detection dashboard see the Change Auditor Threat Detection User Guide.

This guide gives information about how Change Auditor integrates with the Threat Detection server to process event data. It is intended for administrators who are responsible for the implementation, deployment, and monitoring of the Change Auditor Threat Detection deployment and configuration.

Who should have input on the deployment plan?

Previous Next

Who should have input on the deployment plan?

A complete deployment plan requires the combined effort of the resources within your organization who are responsible for information security, such as:
Chief Information Security Officers who understand the complexities of the enterprise’s IT infrastructure and are responsible for the overall handling of key vulnerabilities. Change Auditor provides data to help them deliver security updates and communications.
Security architects who are responsible for building and overseeing the implementation of the network’s security measures. They need to define the threat priorities for their environment.
Database and network administrators who are responsible for the implementation, deployment, and monitoring of the Change Auditor Threat Detection configuration.
Auditors and network administrators who are responsible for reviewing the potential threats, optimizing the system by inputting feedback, and prioritizing and investigate the most serious threats.

Components and workflow

Previous Next

Components and workflow

Change Auditor sends events in real time to the Threat Detection server to be used for analysis based on calculated user behavior baselines.

See the Change Auditor Threat Detection User Guide for details on Threat Detection concepts and terms.

To enable Threat Detection:

1
Apply the required licenses. (Change Auditor Threat Detection and any required Change Auditor auditing modules.) If you are using more than one coordinator, apply the license to all of them. To verify that a license is applied, right-click the coordinator icon in the system tray and select Licensing.
2
Configure required events for Threat Detection. See Events to configure.
3
Deploy the Threat Detection server on a virtual computer. See Deploying a Threat Detection server on ESX and Deploying a Threat Detection server on Hyper-V.
4
Configure Change Auditor to send collected event data to the Threat Detection server. See Creating a Threat Detection configuration.
5
Login to the Threat Detection dashboard to see the alerts and data. See the Threat Detection User Guide for information about navigating the dashboard and using the data to secure your environment.

Requirements and prerequisites

Previous Next

Requirements and prerequisites

For a successful deployment, ensure that your environment meets the minimum system requirements.

The Threat Detection server deployed on VMWare ESX is available in both 8 and 16 cores versions.
For a Hyper-v deployment, a single server is available and you select the number of cores during the deployment.

* 
NOTE: The number of cores impact the length of time it takes to process historical audit data and build the baseline. 16 cores is recommended, 8 cores can be used if processing less than 5 million events per day.

Deployment on VMWare ESX
VMWare ESXI version 5.5 and above which is managed by VMware Vcenter 5.5 and above
The following vSphere clients are supported:
With ESX 5.5 - vSphere Windows client.
With ESX 6.0 - vSphere Flash client.
With ESX 6.5 - vSphere Flex client, vSphere HTML5 client.
Small and medium sized enterprise edition OVA:
OVA file size: ~10GB
CPU: 8 cores, Minimal 2.3 GHz, Recommended 2.4 GHz
RAM: 64 GB
I/O: 500 MB/sec
Disk: SAS 320 GB, SAS 930 GB
Large sized enterprise edition OVA:
OVA file size: ~10GB
CPU: 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz
RAM: 64 GB
I/O: 500 MB/sec
Disk: SAS 320 GB, SAS 930 GB

Deployment on Microsoft Hyper-V
Hyper-V host which running on Windows server 2016
Threat Detection server requirements:
Template size: ~10 GB
CPU: 8 or 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz.
RAM: 64 GB
I/O: 500 MB/sec
Disk: SAS 320 GB, SAS 930 GB.

For all deployments:
Obtain a static IP address for Threat Detection server and add DNS (A) record for it.
Determine the number of historical days to use for your activity baseline. For information on how to determine the best amount for you, see Historical events and your baseline calculations.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级