立即与支持人员聊天
与支持团队交流

Change Auditor Threat Detection 7.0.2 - User Guide

Introduction to Change Auditor Threat Detection
Overview
Which Change Auditor modules are monitored?
Threat detection concepts
Threat Detection process

 

Overview

Detecting suspicious activity by rogue users is a difficult challenge. The traditional rule-based approach to user threat detection generates too many alerts to investigate. As a result, you waste time with false positives and risk missing the real threats, leaving your organization at risk of a data security breach.

To effectively protect your data and your business, Change Auditor Threat Detection uses advanced machine learning, user and entity behavioral analytics (UEBA), and SMART correlation technology to spot anomalous activity and identify the highest risk users in your environment.

More specifically, Change Auditor provides a threat detection solution that:
Is automated - The system does not rely on rules and prioritized alerts created by analysts.
Analyzes historical data to create user behavior baselines, and uses the constant stream of incoming data to update and improve models.
Correlates events, unifying multiple anomalies and supporting information into a single alert to reduce the volume of alerts and facilitate analysis.
Provides a manageable number of potential threats, prioritized by risk level, to ensure you can identify and investigate the most serious threats first.
Presents potential threats in a way that is easy to understand the sequence of events and their relationships, to facilitate quick investigation and response.
Provides a way to give input that feeds back into the risk scoring and prioritization model.

This guide gives information about the Threat Detection dashboard functions and capabilities for IT and security analysts. It is also relevant to chief information security officers, security architects, network administrators, and auditors responsible for information security in large organizations who need to understand the functionality and abilities made possible using the solution.

Which Change Auditor modules are monitored?

Threat Detection analyzes Change Auditor events to build a user behavior baseline and to detect anomalies and threats. User activity from the following Change Auditor subsystems is streamed to the Threat Detection server for processing to build the global map of users, groups, systems and files in your environment:
Authentication activity from Change Auditor for Logon Activity
Active Directory user and group changes from Change Auditor for Active Directory
File access activity from Change Auditor for Windows File Servers, Change Auditor for EMC, Change Auditor for FluidFS and Change Auditor for NetApp

Threat Detection server events

Threat Detection server activity is also monitored. Events are generated when:
A risky user is identified.
Risky user severity is increased or decreased.
An alert is generated.
An alert is marked as a risk.
An alert is marked as not a risk.
To view Threat Detection events in the Change Auditor client:
Open the Audit Events page on the Administration Tasks tab | Auditing
The events are listed under the Threat Detection - Risky User" facility and the "Threat Detection - Alert" facility.
The event details pane contains information to help gain a better understanding of the activities taking place on the Threat Detection server including:
The number of alerts and their name, severity, score.
User risk score, severity, old and new severity.
When the Threat Detection server started processing the alert.
Indicator s associated with the alert.
Contribution to user score .
For more information on the details displayed for these events, see the Change Auditor Event Reference guide.
自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级