Chatee ahora con Soporte
Chat con el soporte

Change Auditor 7.3 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Remove-CAEventWebhookSubscription

Use this command to remove a subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAEventWebhookSubscriptions command to find the ID.

Remove-CAEventWebhookSubscription -Connection $connection -SubscriptionId $subscriptionId

Get-CAEventExportSubsystems

Use this command to obtain an array of subsystems to include in a new subscriptions.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

Get-CAEventExportSubsystems -Connection $connection | ? {$_.DisplayName -eq "Active Directory" -or $_.DisplayName -eq "File System"}

Working with event subscriptions in the client

The event subscriptions summary page displays the type of subscription (Target), where the events are being sent (Event URL), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

See Managing a Splunk integration, Managing an IBM QRadar integration, Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration, Managing a Quest IT Security Search integration (Preview), and Managing a Syslog integration for details.

Managing a Splunk integration

To begin to take advantage of the rich data gathered by Change Auditor by sending event data to Splunk, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

1
Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Ensure that All Tokens are enabled under the Global Settings.
2
Click New Token and complete the steps in the wizard.

Currently, you can create and manage a subscription for managed and unmanaged Splunk Cloud and Splunk Enterprise editions through the Change Auditor client or through PowerShell commands.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación