
Change Auditor 7.4 - SIEM Integration User Guide


Managing a Microsoft Sentinel integration

To send the rich events gathered by Change Auditor to Microsoft Sentinel, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

The following Azure Log Analytics KQL query example returns a list of servers that are missing heartbeats in the last 10 minutes but have been active at some point in the last 24 hours.

Working with Microsoft Sentinel subscriptions through the client

1. From the Administration Tasks, select Configuration | Event Subscriptions.
2. Click Add, then select Microsoft Sentinel subscription to enter the required information.
5. Click Next to select the events to forward based on subsystem and event date. Once the subscription is created, the starting event date and time cannot be changed.
6. Click Finish.

New-CASentinelEventSubscription

Use this command to create the subscription required to send Change Auditor event data to Microsoft Sentinel.


Table 2. Available parameters

-WorkspaceID

The unique identifier for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-SecretKey

The primary or secondary key for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be a single subsystem or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTime (Optional)

Specifies the date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 6500 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to Microsoft Sentinel. By default this is set to 0, which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the Heartbeat URL. Heartbeat notifications are sent to the Heartbeat_ChangeAuditor_CL log in Microsoft Sentinel where you can query and alert on them if required. By default, this is set to 0 (disabled).

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS names of the coordinators permitted to send events. By default, any coordinator can send the events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include fields prefixed with additionalDetails, containing the values from the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send event data from all subsystems to Microsoft Sentinel

New-CASentinelEventSubscription -Connection $connection -WorkspaceID $workspaceID -SecretKey $secretKey -StartTime $dtStartTime -Subsystems $allowedSubsystems -AllowedCoordinators $allowedCoordinators
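An added end-to-end PowerShell example (not from the product documentation) that builds the variables used in the command above and narrows the subscription to selected subsystems and a single named coordinator, with heartbeats enabled so Sentinel can alert when delivery stops. The Connect-CAClient invocation, the subsystem names, the Name property on the objects returned by Get-CAEventExportSubsystems, the environment variable and the host name are assumptions.

```powershell
# Added example (not from the Change Auditor documentation). Assumes the Change
# Auditor PowerShell module is imported and that Connect-CAClient is called with
# whatever parameters your deployment needs (see the PowerShell Command Guide).
$connection = Connect-CAClient

# Keep the workspace key out of the script: the operator sets it in the
# environment before running. The cmdlet is assumed to take it as a plain string.
$workspaceID = '00000000-0000-0000-0000-000000000000'   # placeholder workspace ID
$secretKey   = $env:CA_SENTINEL_WORKSPACE_KEY
if ([string]::IsNullOrEmpty($secretKey)) { throw 'CA_SENTINEL_WORKSPACE_KEY is not set' }

# Take the full subsystem list and keep only the identity-related ones. The Name
# property and the subsystem names are assumptions about what
# Get-CAEventExportSubsystems returns.
$subsystems = Get-CAEventExportSubsystems -Connection $connection
$allowedSubsystems = @($subsystems | Where-Object { $_.Name -in @('Active Directory', 'Azure Active Directory') })
if ($allowedSubsystems.Count -eq 0) { throw 'No matching subsystems found; check the names' }

# Only the named coordinator may deliver events (placeholder host name).
$allowedCoordinators = @('CACOORD01.example.com')

# Forward events from the last 24 hours; the start time cannot be changed afterwards.
$dtStartTime = (Get-Date).ToUniversalTime().AddHours(-24)

# Heartbeat every 5 minutes (value is in milliseconds) so Sentinel can alert when
# they stop; batch size capped below the 6500 default to bound the size of each post.
New-CASentinelEventSubscription -Connection $connection `
    -WorkspaceID $workspaceID `
    -SecretKey $secretKey `
    -StartTime $dtStartTime `
    -Subsystems $allowedSubsystems `
    -AllowedCoordinators $allowedCoordinators `
    -BatchSize 2000 `
    -HeartbeatInterval 300000 `
    -IncludeO365AADDetails:$true

# Confirm what was stored; the property names are the documented output fields
# of Get-CASentinelEventSubscriptions.
Get-CASentinelEventSubscriptions -Connection $connection |
    Select-Object Id, Enabled, StartTimeUTC, HeartbeatInterval, AllowedCoordinators
```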

Get-CASentinelEventSubscriptions

Use this command to see the details of the current Microsoft Sentinel subscriptions.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor PowerShell Command Guide for details.

-SubscriptionId (Optional)

The ID of an existing Microsoft Sentinel subscription.

If specified, the command will only return the Microsoft Sentinel subscription with that ID. If not specified, all Microsoft Sentinel subscriptions are returned.

Example: Get a list of all Microsoft Sentinel subscriptions

Get-CASentinelEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data being sent.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

URL for heartbeat notifications.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

The last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notifications are sent.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events or heartbeat notifications.

LastCoordinator

The last coordinator to send events or modify the subscription.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Office 365 and Azure Active Directory events.

When set to true, the event will include fields prefixed with additionalDetails, containing the values from the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.
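An added PowerShell example (not from the product documentation) that turns the output fields listed above into a routine health check: it flags a disabled subscription, a last event or heartbeat response other than 200, a stale heartbeat, an active batch size that has collapsed well below the configured batch size, and a last coordinator outside the allow list. The $connection variable, the 15-minute staleness threshold and the assumption that the response fields are strings containing the numeric status code are assumptions.

```powershell
# Added example, not from the Change Auditor documentation. Assumes $connection
# came from Connect-CAClient and that the module is already loaded.
function Test-CASentinelSubscriptionHealth {
    param(
        [Parameter(Mandatory)] $Connection,
        [int] $MaxHeartbeatAgeMinutes = 15   # assumed threshold; tune to HeartbeatInterval
    )
    $now = (Get-Date).ToUniversalTime()
    foreach ($sub in Get-CASentinelEventSubscriptions -Connection $Connection) {
        $problems = @()
        if (-not $sub.Enabled) { $problems += 'subscription disabled' }

        # The documentation shows responses such as "statusCode = OK (200)";
        # anything that is not a 200 is reported.
        foreach ($field in 'LastEventResponse', 'LastHeartbeatResponse') {
            $resp = [string]$sub.$field
            if ($resp -and $resp -notmatch '\(200\)') { $problems += "${field}: $resp" }
        }

        # HeartbeatInterval 0 means heartbeats are disabled, so only check age when enabled.
        if ($sub.HeartbeatInterval -gt 0 -and $sub.LastHeartbeatTimeUTC) {
            $age = $now - [datetime]$sub.LastHeartbeatTimeUTC
            if ($age.TotalMinutes -gt $MaxHeartbeatAgeMinutes) {
                $problems += ('last heartbeat {0:N0} min ago' -f $age.TotalMinutes)
            }
        }

        # ActiveBatchSize is throttled on throughput; a value far below BatchSize
        # points at a delivery or performance problem.
        if ($sub.BatchSize -gt 0 -and $sub.ActiveBatchSize -lt ($sub.BatchSize / 4)) {
            $problems += "active batch size $($sub.ActiveBatchSize) of $($sub.BatchSize)"
        }

        # A last coordinator outside the allow list deserves a look (note that DNS
        # and NetBIOS forms of the same host will not match each other here).
        if ($sub.AllowedCoordinators -and $sub.LastCoordinator -and
            ($sub.AllowedCoordinators -notcontains $sub.LastCoordinator)) {
            $problems += "last coordinator $($sub.LastCoordinator) not in AllowedCoordinators"
        }

        [pscustomobject]@{
            Id             = $sub.Id
            EventsSent     = $sub.EventsSent
            HeartbeatsSent = $sub.HeartbeatsSent
            Healthy        = ($problems.Count -eq 0)
            Problems       = ($problems -join '; ')
        }
    }
}

Test-CASentinelSubscriptionHealth -Connection $connection | Format-Table -AutoSize
```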
