Chatee ahora con Soporte
Chat con el soporte

Change Auditor 7.2 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration
Webhook technical insights

Remove-CASplunkEventSubscription

Use this command to remove a Splunk subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

Remove-CASplunkEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Managing an IBM QRadar integration

You can take advantage of the rich data gathered by Change Auditor and use it with QRadar on-premises deployments. To begin sending event data, you need to create the QRadar extension and a QRadar event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

2
Select Extensions Management | Add.
If prompted that the extension is not signed, select Install. When prompted to overwrite or keep existing data, select Overwrite.
2
Select Log Sources.

Working with QRadar subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add QRadar Subscription to open the event subscription wizard.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
6
Click Next to create the required extension to import to your QRadar instance. The extension instructs QRadar on how to read and present Change Auditor events. Specifically, it defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.
NOTE: If you have previously configured your QRadar instance for Change Auditor, you can select My QRadar instance is already configured and click Finish to complete the subscription setup.
8
Click OK in the confirmation dialog. Copy the file path to import the extension to your QRadar instance.
9
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
4
Click OK in the confirmation dialog.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
6
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CAQRadarExtension

The Change Auditor extension must be added to QRadar for it to read and present Change Auditor events. Specifically, the extension defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.

Use this command to create and generate a zip file that contains XML with the required extension. The extension must then be imported to QRadar.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId

The ID of an existing QRadar subscription. The subscription specifies the TLS log source port in the extension.

-ExtensionFilepath

Specifies the path for the output zip file.

-CoordinatorHosts (Optional)

Specifies a list of addresses from which QRadar can receive events.

Example: Create a QRadar subscription extension, and specify the location for the output and the TLS log source

New-CAQRadarExtension -Connection $connection -ExtensionFilepath $ExtensionFilepath -SubscriptionId $SubscriptionId

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación