Change Auditor Threat Detection 7.0.2


	NOTE: The number of cores impact the length of time it takes to process historical audit data and build the baseline. 16 cores is recommended, 8 cores can be used if processing less than 5 million events per day.

Deployment on VMWare ESX

•

VMWare ESXI version 5.5 and above which is managed by VMware Vcenter 5.5 and above

•

The following vSphere clients are supported:

•

With ESX 5.5 - vSphere Windows client.

•

With ESX 6.0 - vSphere Flash client.

•

With ESX 6.5 - vSphere Flex client, vSphere HTML5 client.

•

Small and medium sized enterprise edition OVA:

•

OVA file size: ~10GB

•

CPU: 8 cores, Minimal 2.3 GHz, Recommended 2.4 GHz

•

RAM: 64 GB

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB

•

Large sized enterprise edition OVA:

•

OVA file size: ~10GB

•

CPU: 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz

•

RAM: 64 GB

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB

Deployment on Microsoft Hyper-V

•

Hyper-V host which running on Windows server 2016

•

Threat Detection server requirements:

•

Template size: ~10 GB

•

CPU: 8 or 16 cores, Minimal 2.3 GHz, Recommended 2.4 GHz.

•

RAM: 64 GB

•

I/O: 500 MB/sec

•

Disk: SAS 320 GB, SAS 930 GB.

For all deployments:

•

Obtain a static IP address for Threat Detection server and add DNS (A) record for it.

•

Determine the number of historical days to use for your activity baseline. For information on how to determine the best amount for you, see Historical events and your baseline calculations.

Events to configure


	NOTE: Consider Maintaining the Change Auditor database size when adding events for Threat Detection auditing.

Events from the following modules are used to build models and generate alerts:

Table 1. Events used for modeling and alerts
Module	Events
Change Auditor for Logon Activity	Authentication Activity events – these are the successful and failed interactive and remote interactive events (all enabled by default). Domain Controller Authentication events – Ensure that you enable the ‘User authenticated through Kerberos” event. By default, it is disabled.
Change Auditor for Active Directory	User and group events (all enabled by default).
Change Auditor for Windows File Servers Change Auditor for EMC Change Auditor for FluidFS Change Auditor for NetApp	For optimal Threat Detection results, Quest recommends that you select file, folder, and share events that audit permission changes, create, delete, rename, and open actions during the template creation.

Maintaining the Change Auditor database size

Some of the events required for Threat Detection can be very noisy and take up significant space in the Change Auditor database. Once the events are sent to the Threat Detection server for analysis storage in the Change Auditor database is no longer needed.

To ensure the database maintains a manageable size, Quest recommends that you purge events older than 30 days.

Particularly noisy events are:

•

User authenticated through Kerberos

•

File and folder open

Deploying a Threat Detection server on ESX

To download the Threat Detection server go to https://support.quest.com/change-auditor/download-new-releases.

The Threat Detection server, which is a a version of Red Hat Enterprise Linux 7 (64 bit), is available as Open Virtual Appliance (OVA) file that must be deployed on VMWare ESXi using VMWare VSphere Client.


	NOTE: Depending on the version of the ESXi, the deployment steps may be different. The below steps outline the process for vSphere Client version 6.5.

To deploy the Threat Detection server

Open vSphere client.


	NOTE: VMWare VSphere Client should be connected to VMWare vCenter not an individual ESXi host.

Select Actions | Deploy OVF Template.

Under Select template, choose Local file, browse for the OVA template, and click Next.

Under Select name and location, specify the name and inventory location for the deployed template and click Next.

On Select a resource, choose the destination computer for the OVA and click Next.

Under Review details, verify the OVF template details and click Next.

Under Select Storage, select the datastore for the configuration and the disk files and click Next. The Thin Provision option is recommended.

Under Select networks, choose a destination network for the virtual computer and select Next.

Under Customize template, enter the deployment properties for the Threat Detection sever.


Property	Description
Hostname	Fully qualified domain name of the Threat Detection server that has been registered in DNS. For example: hostname.yourcompany.com.
IP address	Static IPv4 address of the Threat Detection server.
Subnet mask	Subnet mask. For example: 255.255.255.0
Default gateway	Default gateway IP address.
DNS	DNS server IP address.
Integration password	Password required for the integration between Change Auditor and the Threat Detection server. The integration password is used during the Threat Detection configuration. The password must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$. Maintain this password for use when creating the Threat Detection configuration.
Root password	Root password for the Threat Detection server. It must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$.

Click Next.

Under Ready to complete, verify the information and click Finish.

Once the deployment in complete, power on the Threat Detection server.

Quest recommends that you take a snapshot of the newly deployed virtual server. This allows you to revert to a clean state without redeploying the server if you need to start over or re-create a configuration.

You are now ready to create a Threat Detection configuration in Change Auditor.

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案

Change Auditor Threat Detection 7.0.2 - Deployment Guide

Requirements and prerequisites

Events to configure

Maintaining the Change Auditor database size

Deploying a Threat Detection server on ESX