
Change Auditor Threat Detection

Proactively detect user-based security threats in your Microsoft environments

Change Auditor Threat Detection offers a unique approach to user threat detection by modeling individual user behavior patterns to detect anomalous activity that might indicate suspicious users or compromised accounts. By analyzing user activity using proprietary advanced learning technology, user and entity behavior analytics (UEBA) and sophisticated scoring algorithms, Change Auditor Threat Detection ranks the highest-risk users in your organization, identifies potential user threats and reduces the noise from false-positive alerts. Overcome the gaps left behind by native auditing tools and keep your environment secure.

Quickly and easily discover threats including:

  • Data exfiltration: Easily identify compromised users or accounts attempting to steal or destroy data.
  • Malware: Quickly recognize malware attempts to take over user accounts and privileges.
  • Privileged account misuse: Locate when a program or script has taken control of user credentials.
  • Brute-force attacks: Identify attackers by correlating repeated security events to related alerts.
  • Elevated privileges: Spot improper privilege elevation by highlighting events and related user actions.
  • Abnormal AD activity: Quickly identify suspicious user activity in AD.
  • Lateral movement: Locate attackers by comparing patterns of abnormal behavior to user baselines.
  • Inappropriate system or resource access: Raise alerts on users attempting to access unnecessary data.

Threat detection features

Audit log analysis

Real-time audit log analysis

Efficiently analyze a high volume of audit data in real-time, including AD changes, authentications and file activity. Build user baselines from these raw activity events and proactively detect when users’ behavior appears anomalous so you’re immediately aware of potential suspicious activity.

UEBA

Automated user behavior analytics

Model user activity patterns with no administrator input or configuration required. User behavior baselines are automatically created using unsupervised advanced machine learning, modeling every aspect of a user’s activity, including their logon patterns, administrative activity and file and folder access.

Anomaly detection

Sophisticated behavioral anomaly detection

Identify abnormal user activity by automatically comparing every user action against that user’s behavioral baseline. Sophisticated threat indicator detection and multi-level risk scoring ensure that only the most egregious anomalies are highlighted, representing the riskiest user behaviors.

User threat detection

Pattern-based user threat detection

Rather than rely on rules to detect specific activities, automatically analyze user activity as it happens. Identify the most suspicious users through advanced user behavior pattern detection. Sophisticated global modeling ensures that only the most critical and concerning patterns of user behavior are highlighted, significantly reducing the noise caused by isolated activities and false positives.

Security alerts

View security alerts in context

View all suspicious user activity alerts in the context of the threat indicators that were discovered as part of the alert. Every behavioral anomaly is presented in the context of the user’s baseline activity and with all of the raw events that triggered the alert, clearly indicating why the alert was raised and simplifying the investigation and follow-up.

High-fidelity user analytics

Change Auditor creates the audit logs that feed the analytics, so all of the raw event data used to proactively detect threats in your environment includes valuable information such as who made the change, what changed, when and where it happened, and at which workstation the change originated. Change Auditor ensures that no important user actions are missed, since missed actions would create critical gaps in the user behavior analytics.
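To make the baseline, anomaly detection, pattern-based alerting and alerts-in-context ideas above concrete, here is an added illustration (not Quest's code or algorithm) that builds per-user baselines from constructed who/what/when/workstation events, trips indicators against the baseline, and alerts only when several distinct indicators co-occur; the indicator names, weights and the pattern threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

INDICATOR_WEIGHTS = {"new_workstation": 3, "unusual_hour": 2, "new_action": 4}  # assumed weights
PATTERN_MIN_INDICATORS = 2  # alert only when several distinct indicators co-occur
# Constructed sample events in the who / what / when / workstation shape the page describes.
LEARNING_EVENTS = [
    ("alice", "logon", "2024-03-04T09:02", "WS-ALICE"),
    ("alice", "file_read", "2024-03-04T10:15", "WS-ALICE"),
    ("bob", "logon", "2024-03-04T08:40", "WS-BOB"),
    ("bob", "file_read", "2024-03-04T09:05", "WS-BOB"),
]
NEW_EVENTS = [
    ("alice", "logon", "2024-03-11T03:10", "WS-DC01"),         # new workstation, odd hour
    ("alice", "group_change", "2024-03-11T03:15", "WS-DC01"),  # plus an action alice never did
    ("bob", "logon", "2024-03-11T09:00", "WS-BOB"),            # normal for bob
    ("bob", "file_read", "2024-03-11T19:00", "WS-BOB"),        # one isolated off-hours read
]

def build_baselines(events):
    """Per-user baseline: workstations, hours of day and action types seen while learning."""
    base = defaultdict(lambda: {"workstations": set(), "hours": set(), "actions": set()})
    for who, what, when, ws in events:
        base[who]["workstations"].add(ws)
        base[who]["hours"].add(datetime.fromisoformat(when).hour)
        base[who]["actions"].add(what)
    return base

def indicators_for(event, baseline):
    """Compare one raw event against the user's baseline and name the indicators it trips."""
    _, what, when, ws = event
    checks = {"new_workstation": ws not in baseline["workstations"],
              "unusual_hour": datetime.fromisoformat(when).hour not in baseline["hours"],
              "new_action": what not in baseline["actions"]}
    return [name for name, tripped in checks.items() if tripped]

def score_users(events, baselines):
    """Aggregate indicators per user; alert only on a pattern, ranked by risk score."""
    users = defaultdict(lambda: {"indicators": set(), "score": 0, "events": []})
    for ev in events:
        who = ev[0]
        if who not in baselines:
            continue  # no baseline yet, so nothing to compare against
        hits = indicators_for(ev, baselines[who])
        if hits:
            users[who]["indicators"].update(hits)
            users[who]["score"] += sum(INDICATOR_WEIGHTS[h] for h in hits)
            users[who]["events"].append((ev, hits))  # raw events kept as alert context
    alerts = [(u, d) for u, d in users.items() if len(d["indicators"]) >= PATTERN_MIN_INDICATORS]
    return sorted(alerts, key=lambda ud: ud[1]["score"], reverse=True)
```

Bob's single off-hours read trips one indicator and is suppressed as an isolated anomaly, while Alice's cluster of indicators surfaces as one ranked alert that carries the raw events behind it.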

Lightweight user threat detection

Leverage your existing Change Auditor infrastructure and audit data to model user behavior, so there is no need to deploy additional agents and servers. A single virtual appliance is the only additional infrastructure required to enable advanced user threat analytics.

Stevie Awards 2018 People’s Choice winner

In the 2018 Stevie Awards’ People’s Choice awards, Change Auditor was voted best software and also won a Silver Stevie for best new product of 2018.

  • Dynamic dashboard: Displays the most suspicious user behaviors.
  • Proactive threat detection: Identify the real-time risk level of user activity to detect threats.
  • User behavior baselines: Model user behavior to create a baseline of typical user activity.
  • Anomaly detection: Find abnormal activity by comparing every action against the baseline.
  • Pattern-based detection: Display user threat alerts only when a pattern of suspicious behavior is detected.
  • Alerts in context: Suspicious activity alerts display all indicators as part of the alert.
  • Automated alert priority: Prioritize alerts based on the riskiest users in your environment.
  • Accelerated investigation: View the complete alert background with analyses to speed investigations.
  • Risky user details: Details of the risky user help narrow the context and speed security investigations.

Specifications

There are specific system requirements for the Change Auditor coordinator (server-side), Change Auditor client (client-side), Change Auditor agent (server-side), and the Change Auditor workstation and web client (optional components). For a full list of system requirements and required permissions for all components and target systems that can be audited by Change Auditor please refer to the Change Auditor Installation Guide.

The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts.

Processor

Quad core Intel® Core™ i7 equivalent or better

Memory

Minimum: 8 GB RAM or better

Recommended: 32 GB RAM or better

SQL Server

SQL databases supported up to the following versions:

  • Microsoft SQL Server 2012 SP4
  • Microsoft SQL Server 2014 SP3
  • Microsoft SQL Server 2016 SP2
  • Microsoft SQL Server 2017

NOTE: Change Auditor supports SQL AlwaysOn Availability Groups, SQL Clusters, and databases that have row and page compression applied.

Operating system

Installation platforms (x64) supported up to the following versions:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

NOTE: Microsoft Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Coordinator software and configuration

For the best performance, Quest strongly recommends:

  • Install the Change Auditor coordinator on a dedicated member server.
  • The Change Auditor database should be configured on a separate, dedicated SQL server instance.

NOTE: Do NOT pre-allocate a fixed size for the Change Auditor database.

In addition, the following software/configuration is required:

  • The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • x64 version of Microsoft’s .NET 4.7.1
  • x64 version of Microsoft XML Parser (MSXML) 6.0
  • x64 version of Microsoft SQLXML 4.0

Coordinator footprint

  • Estimated hard disk space used: 1 GB.
  • Coordinator RAM usage is highly dependent on the environment, number of agent connections, and event volume.
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.

For the minimum permissions required by the coordinator account, please see the Change Auditor Installation Guide.

The Change Auditor Threat Detection Server is a virtual appliance responsible for analyzing the audit logs from Change Auditor and detecting suspicious user behavior patterns. For more details on deploying the virtual appliance please refer to the Change Auditor Threat Detection Deployment Guide.

Deployment on Microsoft Hyper-V

  • Hyper-V host running on Windows Server 2016
  • Threat Detection server requirements:
    • Template size: ~10 GB
    • CPU: 8 or 16 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB

Deployment on VMware ESX

  • VMware ESXi version 5.5 and above, managed by VMware vCenter 5.5 and above
  • The following vSphere clients are supported:
    • With ESX 5.5: vSphere Windows client
    • With ESX 6.0: vSphere Flash client
    • With ESX 6.5: vSphere Flex client, vSphere HTML5 client
  • Small and medium-sized enterprise edition OVA:
    • OVA file size: ~10 GB
    • CPU: 8 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB
  • Large-sized enterprise edition OVA:
    • OVA file size: ~10 GB
    • CPU: 16 cores, minimum 2.3 GHz, recommended 2.4 GHz
    • RAM: 64 GB
    • I/O: 500 MB/sec
    • Disk: SAS 320 GB, SAS 930 GB

Resources

  • Change Auditor Threat Detection (Datasheet): Proactive user behavior-based threat detection for Microsoft environments.
  • Change Auditor Family (Datasheet): Ensure security, compliance and control of AD and Azure AD.
  • Office 365 and Azure AD Security Events to Monitor During the COVID-19 Crisis (E-book): An increase in remote workers means explosive adoption and utilization of Office 365 workloads such as Teams, Exchange Online, SharePoint Online and OneDrive for Business. Malicious actors can try and
  • Three ways a privileged user can hose your Active Directory (E-book): This e-book reviews insider threats and eight AD security best practices to reduce risk and recovery time.
  • Nine Best Practices to Reduce Active Directory Security Breaches and Insider Threats (E-book): This e-book explores the anatomy of an AD insider threat and details the best defense strategies against it.
  • Active Directory and Azure AD Security Best Practices (E-book): Unless you’ve been hiding under a rock, it’s going to come as no surprise that Office 365 adoption is increasing rapidly. With primary drivers like Exchange Online, SharePoint Online and OneDrive, Office 365 is obtaining an average of around 1 million new
  • Integrated change auditing and event log management for strong security (White Paper): This white paper explores how you can use Change Auditor and InTrust, either alone or in combination with your SIEM, to improve security and compliance while reducing costs.
  • Surviving Common Office 365 Security Pitfalls — Is Your On-Premise AD the Weakest Link? (E-book): Read this e-book to learn how to prep your on-premises AD for synchronization with your Azure AD, protect your data during the migration, and avoid dangerous security gaps and crippling inefficiencies.
