
Change Auditor 7.4 - SIEM Integration User Guide


Set-CASentinelEventSubscription

Use this command to modify an existing Microsoft Sentinel subscription.


Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor PowerShell Command Guide for details.

-Subscription

The PSCASentinelEventSubscriptionStatus object, obtained using Get-CASentinelEventSubscriptions, that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CASentinelEventSubscriptions command to find the ID.

-Subsystems (Optional)

Specifies an array of one or more event subsystems from which to send events. Only events from the listed subsystems are forwarded.

NOTE:  
To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-WorkspaceID (Optional)

The unique identifier for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-SecretKey (Optional)

The primary or secondary key for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The maximum is 6500 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to Microsoft Sentinel. Setting it to 0 sends events continuously as they occur rather than on a timer.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent. Heartbeat notifications are written to the Heartbeat_ChangeAuditor_CL log in Microsoft Sentinel, where you can query and alert on them (for example, to detect a coordinator that has stopped forwarding). Setting this to 0 disables heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS names of the coordinators permitted to send events for this subscription. If you specify a null or empty array, any coordinator can send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include fields prefixed with additionalDetails, containing the values from the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

Example: Set a new batch size value for a Microsoft Sentinel subscription

Set-CASentinelEventSubscription -Connection $connection -SubscriptionId $subscriptionId -BatchSize $newIntValue
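The following script is an added example of the full procedure this page describes, not code from the Quest documentation: it connects, locates a Sentinel subscription by ID, filters the subsystem list as the NOTE above instructs, validates the batch size against the documented 6500 ceiling, rotates the workspace key without hard-coding it, pins the allowed coordinators, and re-reads the subscription to confirm the change. The Connect-CAClient parameters (-InstallationName, -Credential), the Id and Name properties on the returned objects, the subsystem names, the coordinator name and the subscription ID are assumptions or placeholders; only the cmdlets and Set-CASentinelEventSubscription parameters are taken from this page.

```powershell
# Added example (not from the Quest documentation): reconfigure an existing
# Microsoft Sentinel subscription end to end.
# Assumptions not stated on this page: Connect-CAClient takes -InstallationName and
# -Credential; subscription status objects expose an Id property; the objects returned
# by Get-CAEventExportSubsystems expose a Name property. Names and IDs are placeholders.

$maxBatchSize = 6500   # documented upper bound for -BatchSize

# 1. Connect. Prompting keeps the Change Auditor credential out of the script file.
$caCred     = Get-Credential -Message 'Change Auditor account'
$connection = Connect-CAClient -InstallationName 'DEFAULT' -Credential $caCred

# 2. Locate the subscription by ID so that the wrong one is never edited when
#    several Sentinel subscriptions exist.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$subscription = Get-CASentinelEventSubscriptions -Connection $connection |
    Where-Object { $_.Id -eq $subscriptionId }
if (-not $subscription) { throw "No Sentinel subscription with ID $subscriptionId" }

# 3. Restrict forwarding to the subsystems actually needed. Per the NOTE above, the
#    array comes from Get-CAEventExportSubsystems filtered down; the Name property
#    and the two subsystem names are assumed.
$wanted     = @('Active Directory', 'Azure Active Directory')
$subsystems = @(Get-CAEventExportSubsystems -Connection $connection |
    Where-Object { $_.Name -in $wanted })
if ($subsystems.Count -ne $wanted.Count) {
    throw "Expected $($wanted.Count) subsystems, matched $($subsystems.Count); check the names"
}

# 4. Rotated Log Analytics primary/secondary key: read it interactively rather than
#    committing it to source control or a scheduled-task argument.
$secretKey = Read-Host -Prompt 'Log Analytics workspace key'

# 5. Validate the batch size against the documented ceiling before calling the API.
$batchSize = 2000
if ($batchSize -gt $maxBatchSize) {
    throw "BatchSize $batchSize exceeds the maximum of $maxBatchSize"
}

# 6. Apply. Splatting keeps each setting commented. Only the coordinator named in
#    AllowedCoordinators may send; an empty array would let any coordinator send.
$settings = @{
    Connection            = $connection
    SubscriptionId        = $subscriptionId
    Subsystems            = $subsystems
    SecretKey             = $secretKey
    BatchSize             = $batchSize
    NotificationInterval  = 60000    # one minute, in milliseconds
    HeartbeatInterval     = 300000   # five minutes; 0 would disable heartbeats
    AllowedCoordinators   = @('CA-COORD01.example.com')   # placeholder coordinator
    IncludeO365AADDetails = $true    # keep raw O365/AAD JSON as additionalDetails fields
    Enabled               = $true
}
Set-CASentinelEventSubscription @settings

# 7. Re-read the subscription and confirm the new values landed.
Get-CASentinelEventSubscriptions -Connection $connection |
    Where-Object { $_.Id -eq $subscriptionId } |
    Format-List
```

Run the script from an account that holds the Change Auditor role needed to manage subscriptions; the workspace key is entered once at the prompt and never written to disk. Step 3 deliberately fails if a subsystem name does not match, because silently passing a shorter array would stop forwarding events from a subsystem you expected to see in Sentinel.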

Remove-CASentinelEventSubscription

Use this command to remove a subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor PowerShell Command Guide for details.

-Subscription

The PSCASentinelEventSubscriptionStatus object obtained using Get-CASentinelEventSubscriptions that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CASentinelEventSubscriptions command to find the ID.

Example: Remove a Microsoft Sentinel subscription

Remove-CASentinelEventSubscription -Subscription $subscription


Webhook technical insights

Handling webhook responses

To see the response codes, run the Get command for the integration (Get-CASentinelEventSubscriptions for Microsoft Sentinel) and review the LastEventResponse and LastHeartbeatResponse values in its output for the following response codes:

HTTP 200

Notification successfully received

This response code is expected for every notification.

HTTP 429

Too many events being sent

When this occurs, Change Auditor will automatically reduce the batch size when it sends its next notification.

HTTP 400

Bad Request

This occurs when the receiving server is unreachable or the data is improperly formatted. Review the information provided with the response for details.

HTTP 401

Unauthorized access

For example, the notification message carries an incorrect or expired credential configured in the subscription (the AuthorizationID, or for a Microsoft Sentinel subscription the workspace SecretKey). In this case, the subscription is disabled until the error is corrected and the subscription is re-enabled.

HTTP 500

Internal Server Error

This can be either an issue with the Change Auditor coordinator or the receiving server.
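The script below is an added example, not part of the Quest documentation, showing how a practitioner would turn the response-code table above into a routine health check: it extracts the HTTP status from LastEventResponse and LastHeartbeatResponse on each subscription and maps each code to the action the page describes. It assumes the status objects also expose Id and Enabled properties and that the response values contain the three-digit HTTP status code in their string form; the sample subscriptions at the bottom are constructed so the function can be exercised without a Change Auditor connection.

```powershell
# Added example (not from the Quest documentation): triage the last webhook
# responses recorded on Sentinel subscriptions.
# Assumptions: status objects expose Id, Enabled, LastEventResponse and
# LastHeartbeatResponse (only the last two are named on this page), and the
# response values contain the HTTP status code as a three-digit number.

function Get-HttpStatusCode {
    param($Response)
    # Works whether the property is a string such as '429 Too Many Requests',
    # an integer, or an object whose string form includes the code.
    if ($null -eq $Response) { return $null }
    if ([string]$Response -match '\b([1-5]\d{2})\b') { return [int]$Matches[1] }
    return $null
}

function Get-SubscriptionHealth {
    param([Parameter(Mandatory)] [object[]] $Subscriptions)
    foreach ($s in $Subscriptions) {
        $event     = Get-HttpStatusCode $s.LastEventResponse
        $heartbeat = Get-HttpStatusCode $s.LastHeartbeatResponse

        # Map the code to the response documented for it. Null is handled before the
        # switch so a subscription that has never sent anything is reported clearly.
        $action = if ($null -eq $event) {
            'No event response recorded yet'
        } else {
            switch ($event) {
                200     { 'OK' }
                429     { 'Throttled: the coordinator lowers the batch size on the next notification; consider a larger NotificationInterval' }
                400     { 'Bad request: review the response details for the formatting or reachability problem' }
                401     { 'Unauthorized: subscription stays disabled until the credential (SecretKey) is corrected; then set -Enabled $true' }
                500     { 'Server error: check the coordinator and the receiving endpoint' }
                default { "Unexpected status $event" }
            }
        }

        [pscustomobject]@{
            Id               = $s.Id
            Enabled          = $s.Enabled
            LastEventStatus  = $event
            LastHeartbeat    = $heartbeat
            HeartbeatHealthy = ($heartbeat -eq 200)
            Action           = $action
        }
    }
}

# Constructed sample data so the function runs offline. With a live connection,
# pass the output of Get-CASentinelEventSubscriptions -Connection $connection instead.
$sample = @(
    [pscustomobject]@{ Id = 'sub-1'; Enabled = $true;  LastEventResponse = '200 OK';                LastHeartbeatResponse = '200 OK' }
    [pscustomobject]@{ Id = 'sub-2'; Enabled = $true;  LastEventResponse = '429 Too Many Requests'; LastHeartbeatResponse = '200 OK' }
    [pscustomobject]@{ Id = 'sub-3'; Enabled = $false; LastEventResponse = '401 Unauthorized';      LastHeartbeatResponse = $null }
)
Get-SubscriptionHealth -Subscriptions $sample | Format-Table -AutoSize
```

Scheduling this check alongside a Sentinel query on Heartbeat_ChangeAuditor_CL gives two independent signals: the coordinator's own view of the last response, and the workspace's view of whether heartbeats are still arriving. A subscription showing HTTP 401 with Enabled set to false is the case to act on first, since no events are forwarded until the key is fixed and the subscription re-enabled.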
