How to configure Change Auditor and IT Security Search Integration (4237359)

How do you configure the integration between Change Auditor and IT Security Search

At this time, standard SQL Server database access is used to set up the connection between IT Security Search and Change Auditor. To configure the connection, go to the IT Security Search Settings page.

Starting with IT Security Search 11.4.1, Quest is working on extending Change Auditor integration to support a broader range of use cases. The natural way to do it is to take advantage of the forwarding capabilities of Change Auditor and put forwarded information in the IT Security Search Warehouse store. This helps achieve a number of goals:

- Search across multiple Change Auditor instances at once

- Take some load off the Change Auditor SQL Server database

- Speed up searches for Change Auditor events in IT Security Search

- Ability to perform full-text searches for all O365, Exchange Online and Azure AD events

- Ability to search for Change Auditor Threat Detection events

IT Security Search 11.4.1 contains an early implementation of support for retrieval of forwarded Change Auditor data in the Warehouse connector.

This feature preview is provided as-is, so that you can try it out, give us feedback and help us make it more useful in a future release.

Before You Begin

First, make sure the ITSS.Warehouse service is running on your IT Security Search server. This is required for a successful Change Auditor subscription.
Getting Change Auditor Ready

To make Change Auditor push audit data to Warehouse, run the CreateCAITSSEventSubscription.ps1 PowerShell script, which is located in the <Change Auditor installation folder>\Client\PowerShell Sample Scripts folder on your Change Auditor coordinator. This will start a multi-step configuration procedure in the command prompt, where you will need to specify the settings for your particular environment.

The following are examples of values that you can supply for some of the prompts:

• Specify Change Auditor installation name
  DEFAULT
• Enter the number(s) of the subsystem events to be forwarded (separate multiple entries with commas)
  1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
• Specify the destination URL and port for the ITSS warehouse instance
  https://myitssserver:443/warehouse/changeauditor/events

• Enter a coordinator DNS or NetBIOS name (or press enter to finish)
  mycacoordinatorvm1,someothercacoordinatorvm9

The following additional scripts are also provided to let you manage your IT Security Search subscriptions:

• GetCAITSSEventSubscriptions.ps1
• ModifyCAITSSEventSubscription.ps1
• RemoveCAITSSEventSubscription.ps1.

Getting IT Security Search Ready

IMPORTANT:

• It is not recommended that you use the Change Auditor connector and the Warehouse connector to get data from the same Change Auditor coordinator at once. This will result in duplicate events in your searches.
• For this feature preview, the lifetime of stored Change Auditor events is limited to 30 days after their "Time Detected" date. Older events are automatically purged from the Warehouse.

At this time, the Warehouse connector settings in the web UI do not expose Change Auditor-related options. You need to edit the configuration file manually.

To set up retrieval of Change Auditor data from Warehouse

1. On your IT Security Search server, make sure the %ProgramData%\Quest\IT Security Search\settings.xml file exists. If it doesn't, this means IT Security Search settings have never been configured. To make IT Security Search create the file, you can change some minor option, save the settings and then change it back and save the settings again.
2. Stop the ITSS.Server (Quest IT Security Search) service.
3. Open the %ProgramData%\Quest\IT Security Search\settings.xml file in a text editor.
4. Change this:
   <connector active='false' key='WarehouseCA'>
   to this:
   <connector active='true' key='WarehouseCA'>
5. Save the configuration file.
6. Start the ITSS.Server (Quest IT Security Search) service.

After you have completed these steps, data pushed by Change Auditor to Warehouse should appear in your searches.