Chat now with support
Chat mit Support

Change Auditor 7.4 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Set-CAITSSEventSubscription

Use this command to modify an IT Security Search subscription.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAITSSSubscriptionStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified. Use the Get-CAITSSEventSubscriptions command to get a list of objects.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CAITSSEventSubscriptions command to find the ID.

-ITSSUrl

Specifies the address of your IT Security Search instance that will receive the event data.

-Credential (Optional)

Domain\Username and password used for authenticating with the IT Security Search server.

Enter the username and password used to sign into the IT Security Search client.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the IT Security Search instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Disable a subscription

Set-CAITSSEventSubscription -Connection $connection -ITSSUrl $ITSSUrl -SubscriptionId $SubscriptionId -Enabled $false

Example: Edit the subsystems included in an IT Security Search subscription

$newSubsystems = Get-CAEventExportSubsystems -Connection $connection | ? { $_.DisplayName -eq "File System" -or $_.DisplayName -eq "Active Directory" }

Set-CAITSSEventSubscription -Connection $connection -ITSSUrl $ITSSUrl -SubscriptionId cd87b774-8e65-46e1-8520-da478c60c4c3 -Subsystems $newSubsystems

Remove-CAITSSEventSubscription

Use this command to remove an IT Security Search subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAITSSSubscriptionStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAITSSEventSubscriptions command to find the ID.

Remove-CAITSSEventSubscription -Connection $connection -SubscriptionId $subscriptionId

3

Managing a Syslog integration

To send the rich events gathered by Change Auditor to a Syslog server, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

Working with Syslog subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add Syslog Subscription to enter the required information.
6
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
7
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
5
Click Next.
7
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen