
Change Auditor Threat Detection

Proactively detect user-based security threats in your Microsoft environments

Change Auditor Threat Detection offers a unique approach to user threat detection by modeling individual user behavior patterns to detect anomalous activity that might indicate suspicious users or compromised accounts. By analyzing user activity using proprietary advanced learning technology, user and entity behavior analytics (UEBA), and sophisticated scoring algorithms, Change Auditor Threat Detection ranks the highest-risk users in your organization, identifies potential user threats and reduces the noise from false-positive alerts. Overcome the gaps left behind by native auditing tools and keep your environment secure.

Quickly and easily discover threats including:

Data exfiltration

Easily identify compromised users or accounts attempting to steal or destroy data.

Malware

Quickly recognize malware attempts to take over user accounts and privileges.

Privileged account misuse

Locate when a program or script has taken control of user credentials.

Brute-force attacks

Identify attackers by correlating repeated security events to related alerts.

Elevated Privileges

Spot improper privilege elevation by highlighting events and related user actions.

Abnormal AD activity

Quickly identify suspicious user activity in AD.

Lateral movement

Locate attackers by comparing patterns of abnormal behavior to user baselines.

Inappropriate system or resource access

Raise alerts on users attempting to access unnecessary data.

Threat detection features

Audit log analysis

Real-time audit log analysis

Efficiently analyze a high volume of audit data in real time, including AD changes, authentications and file activity. Build user baselines from these raw activity events and proactively detect when a user’s behavior appears anomalous, so you’re immediately aware of potentially suspicious activity.

UEBA

Automated user behavior analytics

Model user activity patterns with no administrator input or configuration required. User behavior baselines are automatically created using unsupervised advanced machine learning, modeling every aspect of a user’s activity, including their logon patterns, administrative activity and file and folder access.

Anomaly detection

Sophisticated behavioral anomaly detection

Identify abnormal user activity by automatically comparing every user action against that user’s behavioral baseline. Sophisticated threat indicator detection and multi-level risk scoring ensure that only the most egregious anomalies are highlighted, representing the riskiest user behaviors.

User threat detection

Pattern-based user threat detection

Rather than rely on rules to detect specific activities, automatically analyze user activity as it happens. Identify the most suspicious users through advanced user behavior pattern detection. Sophisticated global modeling ensures that only the most critical and concerning patterns of user behavior are highlighted, significantly reducing the noise caused by isolated activities and false positives.

Security alerts

View security alerts in context

View all suspicious user activity alerts in the context of the threat indicators that were discovered as part of the alert. Every behavioral anomaly is presented in the context of the user’s baseline activity and with all of the raw events that triggered the alert, clearly indicating why the alert was raised and simplifying the investigation and follow-up.
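The baseline, anomaly-detection, pattern-based alerting and alert-context steps described in the feature sections above, as an added Python illustration that is not Quest’s code: the event fields, indicator names, weights and alert threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
# Constructed sample audit events, Change Auditor style (who, what, hour, workstation).
HISTORY = [
    ("alice", "logon", 9, "WS-ALICE"), ("alice", "file_read", 10, "WS-ALICE"),
    ("alice", "logon", 8, "WS-ALICE"), ("alice", "file_read", 14, "WS-ALICE"),
    ("bob", "logon", 9, "WS-BOB"), ("bob", "group_add", 11, "WS-BOB"),
    ("bob", "logon", 10, "WS-BOB"), ("bob", "group_add", 15, "WS-BOB"),
]
# Constructed new activity to score against the learned baselines.
NEW_EVENTS = [
    ("alice", "logon", 3, "WS-UNKNOWN"),       # off-hours logon from an unseen workstation
    ("alice", "group_add", 3, "WS-UNKNOWN"),   # plus an admin action alice never performs
    ("bob", "logon", 9, "WS-BOB2"),            # single isolated anomaly: new workstation only
]
# Assumed indicator weights; the product's real scoring is proprietary and not shown here.
WEIGHTS = {"new_workstation": 3, "unusual_hour": 2, "new_action": 4}

def build_baselines(events):
    """Learn a per-user baseline from raw events: actions, workstations and hours seen."""
    base = defaultdict(lambda: {"actions": Counter(), "hosts": set(), "hours": set()})
    for user, action, hour, host in events:
        base[user]["actions"][action] += 1
        base[user]["hosts"].add(host)
        base[user]["hours"].add(hour)
    return base

def indicators(baseline, event):
    """Threat indicators one event trips when compared against its user's baseline."""
    _, action, hour, host = event
    found = []
    if host not in baseline["hosts"]:
        found.append("new_workstation")
    if not min(baseline["hours"]) <= hour <= max(baseline["hours"]):
        found.append("unusual_hour")
    if action not in baseline["actions"]:
        found.append("new_action")
    return found

def detect(history, new_events, alert_threshold=6):
    """Rank users by accumulated risk; alert only when indicators form a pattern above threshold."""
    baselines = build_baselines(history)
    risk, evidence = defaultdict(int), defaultdict(list)
    for ev in new_events:
        user = ev[0]
        if user not in baselines:
            continue  # no baseline learned yet: nothing to compare against
        for ind in indicators(baselines[user], ev):
            risk[user] += WEIGHTS[ind]
            evidence[user].append((ind, ev))  # raw event retained for alert context
    ranked = sorted(risk.items(), key=lambda kv: -kv[1])
    alerts = {u: evidence[u] for u, s in ranked if s >= alert_threshold}
    return ranked, alerts
```

Bob’s single new-workstation logon scores below the threshold and produces no alert, while Alice’s combination of indicators is surfaced together with the raw events that triggered it.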

High-fidelity user analytics

Change Auditor creates the audit logs that feed the analytics, so all of the raw event data used to proactively detect threats in your environment includes valuable information such as who made the change, what was changed, when and where it happened, and from which workstation it originated. Change Auditor ensures that no important user actions are missed, which would otherwise create critical gaps in the user behavior analytics.

Lightweight user threat detection

Leverage your existing Change Auditor infrastructure and audit data to model user behavior so there’s no need to deploy unnecessarily unwieldy additional agents and servers. A single virtual appliance is the only additional infrastructure required to enable advanced user threat analytics.

Stevie Awards 2018 People’s Choice winner

In the 2018 Stevie Awards’ People’s Choice awards, Change Auditor was voted best software and also won a Silver Stevie for best new product of 2018.

  • Dynamic dashboard: displays the most suspicious user behaviors.
  • Proactive threat detection: identify the real-time risk level of user activity to detect threats.
  • User behavior baselines: model user behavior to create a baseline of typical user activity.
  • Anomaly detection: find abnormal activity by comparing every action against the baseline.
  • Pattern-based detection: display user threat alerts only when a pattern of suspicious behavior is detected.
  • Alerts in context: suspicious activity alerts display all indicators as part of the alert.
  • Automated alert priority: prioritize alerts based on the riskiest users in your environment.
  • Accelerated investigation: view the complete alert background with analyses to speed investigations.
  • Risky user details: details of the risky user help narrow context and speed security investigations.

Specifications

There are specific system requirements for the Change Auditor coordinator (server-side), Change Auditor client (client-side), Change Auditor agent (server-side), and the Change Auditor workstation and web client (optional components). For a full list of system requirements and required permissions for all components and target systems that can be audited by Change Auditor please refer to the Change Auditor Installation Guide.

The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts.

Processor

Quad core Intel® Core™ i7 equivalent or better

Memory

Minimum: 8 GB RAM or better

Recommended: 32 GB RAM or better

SQL Server

SQL databases supported up to the following versions:

  • Microsoft SQL Server 2012 SP4
  • Microsoft SQL Server 2014 SP3
  • Microsoft SQL Server 2016 SP2
  • Microsoft SQL Server 2017

NOTE: Change Auditor supports SQL AlwaysOn Availability Groups and SQL Clusters.

Operating system

Installation platforms (x64) supported up to the following versions:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

NOTE: Microsoft Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Coordinator software and configuration

For the best performance, Quest strongly recommends:

  • Install the Change Auditor coordinator on a dedicated member server.
  • The Change Auditor database should be configured on a separate, dedicated SQL server instance.

NOTE: Do NOT pre-allocate a fixed size for the Change Auditor database.

In addition, the following software/configuration is required:

  • The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • x64 version of Microsoft’s .NET 4.6.1
  • x64 version of Microsoft XML Parser (MSXML) 6.0
  • x64 version of Microsoft SQLXML 4.0

Coordinator footprint

  • Estimated hard disk space used: 1 GB.
  • Coordinator RAM usage is highly dependent on the environment, number of agent connections, and event volume.
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.

For the additional minimum permissions required by the coordinator account, please see the Change Auditor Installation Guide.

The Change Auditor Threat Detection Server is a virtual appliance responsible for analyzing the audit logs from Change Auditor and detecting suspicious user behavior patterns. For more details on deploying the virtual appliance please refer to the Change Auditor Threat Detection Deployment Guide.

Deployment on Microsoft Hyper-V

  • Hyper-V host running on Windows Server 2016
  • Threat Detection server requirements:
    • Template size: ~10 GB
    • CPU: 8 or 16 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB

Deployment on VMware ESX

  • VMware ESXi version 5.5 or later, managed by VMware vCenter 5.5 or later
  • The following vSphere clients are supported:
    • With ESX 5.5: vSphere Windows client
    • With ESX 6.0: vSphere Flash client
    • With ESX 6.5: vSphere Flex client, vSphere HTML5 client
  • Small and medium-sized enterprise edition OVA:
    • OVA file size: ~10 GB
    • CPU: 8 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB
  • Large-sized enterprise edition OVA:
    • OVA file size: ~10 GB
    • CPU: 16 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB

Resources

  • Change Auditor Threat Detection (Datasheet): Proactive user behavior-based threat detection for Microsoft environments.
  • Microsoft ATA and Azure ATP – How they fit in your defense in depth security strategy? (On Demand Webcast): According to the 2018 Verizon Data Breach Investigations Report, 68% of investigated data breaches went undetected for 60 or more days. Fortunately, platform providers, such as Microsoft, are
  • What Is Azure ATP and How Does It Fit into Your Security Strategy? (White Paper): Being able to quickly detect and respond to threats is essential for both security and regulatory compliance. But it’s not an easy task. On the one hand, you have hackers battering your netwo
  • How to Spot Insider Threats Before They Wreak Havoc (E-book): Change Auditor Threat Detection distills AD audit data down to a manageable number of SMART alerts and highlights the riskiest users through pattern-based
  • Tackling insider threat detection with user behavior analytics (White Paper): Review challenges detecting an insider threat, benefits and limitations of rule-based tools and explore user behavior analytics threat detection solutions
  • Inside Change Auditor Threat Detection (Technical Brief): Identify insider threats with advanced machine learning, user and entity behavioral analytics (UEBA), and SMART correlation technology to stop data breach
  • Introducing Change Auditor Threat Detection (Video, 04:11): Be proactive about detecting potential insider threats and anomalous activity by modeling user behavior through unsupervised machine learning.
  • Three ways a privileged user can hose your Active Directory (E-book): This eBook reviews insider threats and eight AD security best practices to reduce risk and recovery time.
