How do you configure the integration between Change Auditor and IT Security Search?
At this time, standard SQL Server database access is used to set up the connection between IT Security Search and Change Auditor. To configure the connection, go to the IT Security Search Settings page.
Starting with IT Security Search 11.4.1, Quest is working on extending Change Auditor integration to support a broader range of use cases. The natural way to do it is to take advantage of the forwarding capabilities of Change Auditor and put forwarded information in the IT Security Search Warehouse store. This helps achieve a number of goals:
- Search across multiple Change Auditor instances at once
- Take some load off the Change Auditor SQL Server database
- Speed up searches for Change Auditor events in IT Security Search
- Perform full-text searches for all O365, Exchange Online and Azure AD events
- Search for Change Auditor Threat Detection events
IT Security Search 11.4.1 contains an early implementation of support for retrieval of forwarded Change Auditor data in the Warehouse connector.
This feature preview is provided as-is, so that you can try it out, give us feedback and help us make it more useful in a future release.
Before You Begin
First, make sure the ITSS.Warehouse service is running on your IT Security Search server. This is required for a successful Change Auditor subscription.
Getting Change Auditor Ready
To make Change Auditor push audit data to Warehouse, run the CreateCAITSSEventSubscription.ps1 PowerShell script, which is located in the <Change Auditor installation folder>\Client\PowerShell Sample Scripts folder on your Change Auditor coordinator. This will start a multi-step configuration procedure in the command prompt, where you will need to specify the settings for your particular environment.
The following are examples of values that you can supply for some of the prompts:
NOTE: To find out which port is used, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenPort registry value on the IT Security Search server. To see whether HTTPS is used instead of HTTP, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenScheme registry value.
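As an added example (not a Quest-supplied script), the following PowerShell pre-flight check, run on the IT Security Search server, confirms that the ITSS.Warehouse service is running and reads the ListenPort and ListenScheme values named in the NOTE above, so you can supply them at the subscription script's prompts. It assumes ITSS.Warehouse may be either the service name or its display name; the output property names are illustrative.

```powershell
# Added example: pre-flight check before running CreateCAITSSEventSubscription.ps1.
# Run on the IT Security Search server. The service name and registry path come
# from this page; variable and output property names are illustrative.
$serviceLabel = 'ITSS.Warehouse'
$regPath      = 'HKLM:\SOFTWARE\Quest\IT Security Search Warehouse API'

# 1. The Warehouse service must be running for the subscription to succeed.
#    Assumption: the label may be the service name or the display name, so match both.
$svc = Get-Service | Where-Object {
    $_.Name -eq $serviceLabel -or $_.DisplayName -eq $serviceLabel
} | Select-Object -First 1
if (-not $svc) {
    throw "Service '$serviceLabel' not found. Is this the IT Security Search server?"
}
if ($svc.Status -ne 'Running') {
    throw "Service '$serviceLabel' is $($svc.Status); start it before subscribing."
}

# 2. Read the Warehouse API listener settings from the registry.
$api    = Get-ItemProperty -Path $regPath -ErrorAction Stop
$port   = [int]$api.ListenPort
$scheme = "$($api.ListenScheme)".ToLower()
if ($port -le 0 -or [string]::IsNullOrEmpty($scheme)) {
    throw "ListenPort or ListenScheme is missing under '$regPath'."
}

# 3. Flag a plaintext listener: over HTTP, forwarded audit events are not
#    encrypted between the Change Auditor coordinator and this server.
if ($scheme -ne 'https') {
    Write-Warning "Warehouse API listens over '$scheme'; forwarded audit events will cross the network unencrypted."
}

# 4. Confirm that something is actually listening on the configured port.
$listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen `
    -ErrorAction SilentlyContinue)
if (-not $listening) {
    Write-Warning "Nothing is listening on TCP port $port; check the Warehouse service log."
}

# 5. Summarize the values to enter at the subscription script's prompts.
[pscustomobject]@{
    Service       = $svc.Name
    ServiceStatus = $svc.Status
    ListenScheme  = $scheme
    ListenPort    = $port
    PortListening = $listening
}
```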
The following additional scripts are also provided to let you manage your IT Security Search subscriptions:
Getting IT Security Search Ready
At this time, the Warehouse connector settings in the web UI do not expose Change Auditor-related options. You need to edit the configuration file manually.
To set up retrieval of Change Auditor data from Warehouse
After you have completed these steps, data pushed by Change Auditor to Warehouse should appear in your searches.