Easily identify compromised users or accounts attempting to steal or destroy data.
Quickly recognize malware attempts to take over user accounts and privileges.
Locate when a program or script has taken control of user credentials.
Identify attackers by correlating repeated security events to related alerts.
Spot improper privilege elevation by highlighting events and related user actions.
Quickly identify suspicious user activity in AD.
Locate attackers by comparing patterns of abnormal behavior to user baselines.
Raise alerts on users attempting to access unnecessary data.
Efficiently analyze a high volume of audit data in real time, including AD changes, authentications and file activity. Build user baselines from these raw activity events and proactively detect when a user's behavior appears anomalous, so you are immediately aware of potentially suspicious activity.
Model user activity patterns with no administrator input or configuration required. User behavior baselines are automatically created using unsupervised advanced machine learning, modeling every aspect of a user’s activity, including their logon patterns, administrative activity and file and folder access.
Identify abnormal user activity by automatically comparing every user action against that user’s behavioral baseline. Sophisticated threat indicator detection and multi-level risk scoring ensure that only the most egregious anomalies are highlighted, representing the riskiest user behaviors.
Rather than rely on rules to detect specific activities, automatically analyze user activity as it happens. Identify the most suspicious users through advanced user behavior pattern detection. Sophisticated global modeling ensures that only the most critical and concerning patterns of user behavior are highlighted, significantly reducing the noise caused by isolated activities and false positives.
View all suspicious user activity alerts in the context of the threat indicators that were discovered as part of the alert. Every behavioral anomaly is presented in the context of the user’s baseline activity and with all of the raw events that triggered the alert, clearly indicating why the alert was raised and simplifying the investigation and follow-up.
There are specific system requirements for the Change Auditor coordinator (server-side), Change Auditor client (client-side), Change Auditor agent (server-side), and the Change Auditor workstation and web client (optional components). For a full list of system requirements and required permissions for all components and for the target systems that Change Auditor can audit, refer to the Change Auditor Installation Guide.
The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts.
Quad-core Intel® Core™ i7 equivalent or better
Minimum: 8 GB RAM or better
Recommended: 32 GB RAM or better
SQL databases supported up to the following versions:
NOTE: Change Auditor supports SQL AlwaysOn Availability Groups, SQL Clusters, and databases that have row and page compression applied.
Installation platforms (x64) supported up to the following versions:
NOTE: Microsoft Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
For the best performance, Quest strongly recommends:
NOTE: Do NOT pre-allocate a fixed size for the Change Auditor database.
In addition, the following software/configuration is required:
For the additional minimum permissions required by the coordinator account, see the Change Auditor Installation Guide.
The Change Auditor Threat Detection Server is a virtual appliance responsible for analyzing the audit logs collected by Change Auditor and detecting suspicious patterns of user behavior. For details on deploying the virtual appliance, refer to the Change Auditor Threat Detection Deployment Guide.