Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Syslog event subscription wizard

Previous Next

Syslog event subscription wizard

From the Event Subscription Wizard you can add and edit a Syslog subscription.

* 
NOTE: Optional subscription settings can be set through PowerShell, see Set-CASyslogEventSubscription.
To create a subscription
1
Click Add | Syslog subscription to open the wizard.
2
Specify the IPv4 address or FQDN (fully qualified domain name) of the computer where Syslog is installed.
3
Specify the port number. The default port is 514.
4
Specify the message format (LEEF or CEF) and whether TLS encryption is required. By default, this is enabled.
5
Click Next to select the events to forward based on subsystem and event date.
By default, events start sending after the subscription is created. To change when to begin collecting and sending events, click Send events starting and select the desired date and time. You can select to send historical data; however, the time cannot be more than 30 days prior to the Change Auditor installation date.
Select the subsystems to include in the subscription.
6
Click Finish.
To edit the event URL for a subscription
1
Select the required subscription and click Edit.
2
If required, enter the server and port and click Next.
3
If required, edit the message format (LEEF or CEF) and whether TLS encryption is required.
4
If required, add and remove the subsystems included in the subscription.
5
Click Finish.

 

Managing a Microsoft Sentinel integration

Previous Next

Managing a Microsoft Sentinel integration

To send the rich events gathered by Change Auditor to Microsoft Sentinel, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

* 
NOTE: When enabled, heartbeat notifications are sent to the Heartbeat_ChangeAuditor_CL log in Microsoft Sentinel where you can query and alert on them if required.

The following Log Analytics KQL query example, returns a list of servers missing heartbeats in the last 10 minutes where the servers have been active at some point in the last 24 hours.

Heartbeat_ChangeAuditor_CL

| where timeSent_t >= ago(24h)

| project timeSent_t, sender_s

| order by timeSent_t desc

| partition by sender_s ( top 1 by timeSent_t )

| where timeSent_t < ago(10m)

| project sender_s
Working with Microsoft Sentinel subscriptions through the client
New-CASentinelEventSubscription
Get-CASentinelEventSubscriptions
Set-CASentinelEventSubscription
Remove-CASentinelEventSubscription

Working with Microsoft Sentinel subscriptions through the client

Previous Next

Working with Microsoft Sentinel subscriptions through the client

To create a subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add then select Microsoft Sentinel subscription to enter the required information.
3
Specify the Workspace ID for the Log Analytics workspace that has been enabled for Microsoft Sentinel.
4
Specify the secret key for the Log Analytics workspace that has been enabled for Microsoft Sentinel.
* 
NOTE: The Workspace ID and the secret keys (Primary and Secondary) can be found in Settings on the Agents management page for the Log Analytics workspace configured for Microsoft Sentinel (Microsoft Entra admin center).
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting from and select the desired date and time.
Select the subsystems to include in the subscription.
6
Click Finish.
To view existing subscription details:
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Expand the required subscription.

The summary page displays the type of subscription (Target), where the events are being sent (Destination), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event Time (UTC)).

To edit the subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Edit.
3
If required, enter the new Workspace ID or secret key and click Next.
4
If required, add and remove the subsystems included in the subscription.
5
Click Finish.
To remove a subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Delete.
3
Confirm the removal.
To enable and disable a subscription
When viewing the summary information, select the status column and choose to enable or disable the subscription as required.
To refresh the summary information
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CASentinelEventSubscription

Previous Next

New-CASentinelEventSubscription

Use this command to create the subscription required to send Change Auditor event data to Microsoft Sentinel.

 

Table 2. Available parameters

Parameter

Description

-WorkspaceID

The unique identifier for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-SecretKey

The primary or secondary key for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE:  
If not specified, the default is to send events for all subsystems.
To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTime (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

20 July, 2020 12:01 PM uses local time
2020-07-20 12:10:00Z uses UTC time

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 6500 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to Microsoft Sentinel. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the Heartbeat URL. Heartbeat notifications are sent to the Heartbeat_ChangeAuditor_CL log in Microsoft Sentinel where you can query and alert on them if required. By default, this is set to 0 (disabled).

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include fields prefixed with additionalDetails, containing the values from the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send all subsystems event data to Microsoft Sentinel

New-CASentinelEventSubscription -Connection $connection -WorkspaceID $workspaceID -SecretKey $secretKey -StartTime $dtStartTime -Subsystems $allowedSubsystems -AllowedCoordinators $allowedCoordinators

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione