Chat now with support
Chat mit Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Managing a Splunk integration

Previous Next

Managing a Splunk integration

To begin to take advantage of the rich data gathered by Change Auditor by sending event data to Splunk, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

* 
NOTE: Columns that do not contain any event data will not display in Splunk.
* 
IMPORTANT: To configure Splunk to receive events from Change Auditor you need to configure an HTTP event collector token in your Splunk instance.
1
Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Ensure that All Tokens are enabled under the Global Settings.
2
Click New Token and complete the steps in the wizard.
3
Copy the token. This value is required to create a Splunk subscription in Change Auditor.

Currently, you can create and manage a subscription for managed and unmanaged Splunk Cloud and Splunk Enterprise editions through the Change Auditor client or through PowerShell commands.
Working with Splunk subscriptions through the client
New-CASplunkEventSubscription
Get-CASplunkEventSubscriptions
Set-CASplunkEventSubscription
Remove-CASplunkEventSubscription

Working with Splunk subscriptions through the client

Previous Next

Working with Splunk subscriptions through the client

To create a Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add Splunk Subscription to enter the required information.
3
Specify where to send the event data by entering the event URL.

For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event.

[hostname] is the hostname of your Splunk instance, [port] is the port defined in your Splunk instance's HTTP Event Collector token page (default is 8088).

For a Splunk Cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”.

[hostname] is available in the address bar of an open Splunk Cloud instance and the default port is 8088.

4
Enter the event token.

Splunk uses this unique identifier to confirm that the specified event URL is authorized to accept event data. The token value is created during the Splunk instance configuration.

5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time.
Select the subsystems to include in the subscription.
6
Click Finish.
To view existing Splunk subscription details:
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Expand the required subscription.

The summary page displays the type of subscription (Target), where the events are being sent (Event URL), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

To edit the Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Edit.
3
If required, enter the new URL and click Next.
4
If required, add and remove the subsystems included in the subscription.
5
Click Finish.
To remove a Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Delete.
3
Confirm the removal.
To enable and disable a subscription
When viewing the summary information, select the status column and choose to enable or disable the subscription as required.
To refresh the summary information
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CASplunkEventSubscription

Previous Next

New-CASplunkEventSubscription

Use this command to create the subscription required to send Change Auditor event data to Splunk.

Table 2. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SplunkUrl

Specifies the address of your Splunk instance that will receive the event data.

For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event ([hostname] is the hostname of your Splunk instance, [port] is the port defined in your Splunk instance's HTTP Event Collector token page (default is 8088)
For a Splunk cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”. (Hostname is available in the address bar of an open Splunk cloud instance.)
For details, see the Splunk documentation on HTTP Event Collector data inputs.

-EventToken

The unique identifier (token) used by Splunk to confirm that the specified Splunk URL is authorized to accept event data.

The token value is created during the Splunk instance configuration.

For details on creating an event collector token, see the Splunk documentation on HTTP Event Collector data inputs.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

20 July, 2020 12:01 PM uses local time
2020-07-20 12:10:00Z uses UTC time

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

NOTE: If no value is specified, heartbeat notifications are not sent.

-HeartbeatToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified HeartbeatUrl is authorized to accept heartbeat notifications.

NOTE: This is optional as you may have opted to send your heartbeat notifications to a URL that does not require a token for verification.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the Splunk instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatUrl. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Create a subscription to send all subsystems event data to a Splunk instance

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CASplunkEventSubscription -Connection $connection -SplunkUrl $splunkUrl -EventToken $eventToken -Subsystems $allSubsystems

Get-CASplunkEventSubscriptions

Previous Next

Get-CASplunkEventSubscriptions

Use this command to see the details of the current Splunk subscriptions.

* 
NOTE: The “Batches sent”, “Last event time in UTC”, “Last event response” and “Events sent” are all indicators that the events are being received by Splunk. Any failures receiving the data populate the “Last event response” property in the object with information on why the data was not received.

Table 6. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId (optional)

The ID of an existing Splunk subscription.

If specified, the command will only return the Splunk subscription with that ID. If not specified, all Splunk subscriptions are returned.

You can find this by running this command using just the connection information. It is also returned by the New-CASplunkEventSubscription command.

Example: List defined Splunk subscriptions

Get-CASplunkEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Table 7. Available configuration information

Setting

Description

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

SplunkUrl

The URL where event data is sent.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data you want to send.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

URL for heartbeat notifications.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

Last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notificaitons are sent to the HeartbeatURL.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator sending the events.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Microsoft 365 and Microsoft Entra ID events.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen