Game over for rogue users with Change Auditor Threat Detection
Change Auditor Threat Detection offers a unique approach to user threat detection by modeling individual user behavior patterns to detect anomalous activity that might indicate suspicious users or compromised accounts. By analyzing user activity with proprietary advanced learning technology, user and entity behavior analytics (UEBA) and sophisticated scoring algorithms, Change Auditor Threat Detection ranks the highest-risk users in your organization, identifies potential user threats and reduces the noise from false-positive alerts. You'll finally be able to overcome the gaps left behind by native auditing tools so you can keep your environment secure.
Easily identify compromised users or accounts attempting to steal or destroy data.
Quickly recognize malware attempts to take over user accounts and privileges.
Locate when a program or script has taken control of user credentials.
Identify attackers by correlating repeated security events to related alerts.
Spot improper privilege elevation by highlighting events and related user actions.
Quickly identify suspicious user activity in AD.
Locate attackers by comparing patterns of abnormal behavior to user baselines.
Raise alerts on users attempting to access unnecessary data.
Efficiently analyze a high volume of audit data in real time, including AD changes, authentications and file activity. Build user baselines from these raw activity events and proactively detect when a user's behavior appears anomalous, so you're immediately aware of potentially suspicious activity.
Model user activity patterns without any administrator input or configuration required. User behavior baselines are automatically created using unsupervised advanced machine learning, modeling every aspect of a user’s activity, including their logon patterns, administrative activity and file and folder access.
Identify abnormal user activity by automatically comparing every user action against that user’s behavioral baseline. Sophisticated threat indicator detection and multi-level risk scoring ensure that only the most egregious anomalies are highlighted, representing the riskiest user behaviors.
Change Auditor creates the audit logs feeding the analytics, so all of the raw event data being used to proactively detect threats in your environment inherently includes valuable information like:
Unlike native Windows event logs, Change Auditor ensures that no important user actions are missed, since missed actions would otherwise create critical gaps in the user behavior analytics.
SMART user threat alerts are only raised when a correlated pattern of anomalous user behavior is detected. Rather than rely on rules to detect specific activities, automatically analyze all user activity as it happens and identify the most suspicious users in the environment through sophisticated user behavior pattern detection. Sophisticated global modeling ensures that only the most critical and concerning patterns of user behavior are highlighted, significantly reducing the noise caused by isolated activities and false positives.
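To make the baseline-and-correlation idea above concrete, here is a small added example (not Quest's proprietary algorithm and not code from the product): it learns a per-user profile from constructed audit events (logon hours and hosts, admin history, daily file-read volume), scores a new day's activity against that user's own baseline with assumed indicator weights, and raises an alert only when two or more distinct indicators correlate for the same user.

```python
from collections import defaultdict
# Constructed sample audit events (user, type, hour, target): 5 baseline days, then one day to score.
BASELINE = [("alice", "logon", h, "WS01") for h in (8, 9, 8, 9, 8)] + \
           [("alice", "file_read", 10, r"\\fs\hr")] * 20 + \
           [("bob", "logon", h, "WS02") for h in (9, 9, 10, 9, 9)] + \
           [("bob", "file_read", 11, r"\\fs\eng")] * 10 + \
           [("bob", "ad_change", 14, "GroupMembership")] * 3
TODAY = [("alice", "logon", 2, "DC01"), ("alice", "ad_change", 2, "GroupMembership")] + \
        [("alice", "file_read", 3, r"\\fs\finance")] * 60 + \
        [("bob", "logon", 9, "WS02"), ("bob", "ad_change", 14, "GroupMembership")]
# Illustrative indicator weights (assumption, not the product's scoring).
WEIGHTS = {"odd_hour": 2, "new_host": 2, "admin_first_time": 3, "file_burst": 3}

def build_baselines(events):
    """Per-user profile learned from history: logon hours/hosts, admin history, file reads."""
    b = defaultdict(lambda: {"hours": set(), "hosts": set(), "admin": False, "reads": 0})
    for user, kind, hour, target in events:
        p = b[user]
        if kind == "logon":
            p["hours"].add(hour); p["hosts"].add(target)
        elif kind == "ad_change":
            p["admin"] = True
        elif kind == "file_read":
            p["reads"] += 1
    return b

def score_day(baselines, events, baseline_days=5):
    """Compare each user's new events with its own baseline -> {user: (score, indicators)}."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e[0]].append(e)
    results = {}
    for user, evs in per_user.items():
        p, hit, reads = baselines[user], set(), 0
        for _, kind, hour, target in evs:
            if kind == "logon":
                if hour not in p["hours"]: hit.add("odd_hour")      # outside usual logon hours
                if target not in p["hosts"]: hit.add("new_host")   # never seen on this host
            elif kind == "ad_change" and not p["admin"]:
                hit.add("admin_first_time")                        # no admin history
            elif kind == "file_read":
                reads += 1
        if reads > 3 * max(p["reads"] / baseline_days, 1):        # burst vs. daily average
            hit.add("file_burst")
        results[user] = (sum(WEIGHTS[i] for i in hit), sorted(hit))
    return results

def smart_alerts(results, min_indicators=2):
    """Alert only on a correlated pattern (>= 2 distinct indicators), ranked by risk score."""
    return sorted(((s, u, i) for u, (s, i) in results.items() if len(i) >= min_indicators), reverse=True)
```

Bob's admin change is not flagged because it matches his own baseline, while alice's night-time logon from a new host, first-ever AD change and file-read burst correlate into a single ranked alert.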
Leverage existing Change Auditor infrastructure and audit data to model user behavior, so there's no need to deploy additional agents and servers. A single virtual appliance is the only additional infrastructure required to enable advanced user threat analytics.
For a full list of system requirements and required permissions for all components and target systems that can be audited by Change Auditor, please refer to the Change Auditor Installation Guide.
The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts.
Quad-core Intel® Core™ i7 equivalent or better
Minimum: 8 GB RAM
Recommended: 32 GB RAM or more
SQL databases supported up to the following versions:
NOTE: Change Auditor does not support SQL high availability technology other than clusters.
Installation platforms (x64) supported up to the following versions:
NOTE: Microsoft Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
For the best performance, we strongly recommend:
NOTE: Do NOT pre-allocate a fixed size for the Change Auditor database.
In addition, the following software/configuration is required:
The Change Auditor Threat Detection Server is a virtual appliance responsible for analyzing the audit logs from Change Auditor and detecting suspicious user behavior patterns. For more details on deploying the virtual appliance please refer to the Change Auditor Threat Detection Deployment Guide.
Small and medium-sized organizations (fewer than 5 million events per day):
Large organizations (more than 5 million events per day):
64 GB RAM
SAS 320 GB, SAS 930 GB