立即与支持人员聊天
与支持团队交流

Change Auditor 7.2 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration
Webhook technical insights

Remove-CAITSSEventSubscription

Use this command to remove an IT Security Search subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAITSSSubscriptionStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAITSSEventSubscriptions command to find the ID.

Remove-CAITSSEventSubscription -Connection $connection -SubscriptionId $subscriptionId

3

Managing a Syslog integration

To send the rich events gathered by Change Auditor to a Syslog server, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

Working with Syslog subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add Syslog Subscription to enter the required information.
6
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
7
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
5
Click Next.
7
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CASyslogEventSubscription

Use this command to create the subscription required to send Change Auditor event data to a Syslog server.

 

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor PowerShell Command Guide for details.

-Host (Optional)

Specifies the IP address or host name of the computer where the Syslog server is installed.

-Port (Optional)

Specifies the port of the computer where the Syslog server is installed.

-TIsEnabled (Optional)

Specifies whether TLS encryption is enabled.

-SyslogFormat (Optional)

Specifies the message format (LEEF or CEF).

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the computer where the Syslog server is installed. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat message.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Create a subscription to send all subsystems event data to a computer where a Syslog server is installed

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CASyslogEventSubscription -Connection $connection -Host $Host -Subsystems $allSubsystems

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级