Chat now with support
Chat mit Support

Change Auditor 7.4 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Set-CAEventWebhookSubscription

Use this command to edit the subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified.

-NotificationUrl (Optional)

Specifies where to send notifications. The notification URL is provided by the webhook receiver.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications. The URL is provided by the webhook receiver.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the receiver. By default, this is set to 0, resulting in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to webhook receiver. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AuthorizationId (Optional)

Specifies the unique identifier used to confirm that the specified subscriber is authorized to accept event data. The Id is provided by webhook receiver.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Edit a webhook subscription to send events to www.quest.com for Office 365 and Active Directory

$subscriptionId = "ed01cc15-b67f-428d-b836-25405235dd1f"

$notificationUrl = "https://www.quest.com/api/webhook"

Set-CAEventWebhookSubscription -Connection $connection -SubscriptionId $subscriptionId -NotificationUrl $notificationUrl

Example: Edit the subsystems included in a webhook subscription

$newSubsystems = Get-CAEventExportSubsystems -Connection $connection | ? { $_.DisplayName -eq "File System" -or $_.DisplayName -eq "Active Directory" }

Set-CAEventWebhookSubscription -Connection $connection -SubscriptionId cd87b774-8e65-46e1-8520-da478c60c4c3 -Subsystems $newSubsystems

Remove-CAEventWebhookSubscription

Use this command to remove a subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAEventWebhookSubscriptions command to find the ID.

Remove-CAEventWebhookSubscription -Connection $connection -SubscriptionId $subscriptionId

Get-CAEventExportSubsystems

Use this command to obtain an array of subsystems to include in a new subscriptions.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

Get-CAEventExportSubsystems -Connection $connection | ? {$_.DisplayName -eq "Active Directory" -or $_.DisplayName -eq "File System"}

Working with event subscriptions in the client

The event subscriptions summary page displays the type of subscription (Target), where the events are being sent (Event URL), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

See Managing a Splunk integration, Managing an IBM QRadar integration, Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration, Managing a Quest IT Security Search integration (Preview), and Managing a Syslog integration for details.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen