
Change Auditor 7.4 - SIEM Integration User Guide


Set-CASentinelEventSubscription

Use this command to modify a Microsoft Sentinel subscription.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor PowerShell Command Guide for details.

-Subscription

The PSCASyslogEventSubscriptionStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CASentinelEventSubscriptions command to find the ID.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be a single subsystem or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-WorkspaceID (Optional)

The unique identifier for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-SecretKey (Optional)

The primary or secondary key for the Log Analytics workspace that has been enabled for Microsoft Sentinel.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The maximum is 6500 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to Microsoft Sentinel. Setting this to 0 results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the Heartbeat URL. Heartbeat notifications are sent to the Heartbeat_ChangeAuditor_CL log in Microsoft Sentinel, where you can query and alert on them if required. Setting this to 0 disables heartbeat messages for the subscription.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS names of the coordinators permitted to send events. If you specify a null or empty array, any coordinator can send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include fields prefixed with additionalDetails, containing the values from the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

Example: Set a new batch size value for a Microsoft Sentinel subscription

Set-CASentinelEventSubscription -Connection $connection -SubscriptionId $subscriptionId -BatchSize $newIntValue

Remove-CASentinelEventSubscription

Use this command to remove a subscription.

Remove-CASentinelEventSubscription -Subscription $subscription
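An end-to-end run of the subscription workflow described above (connect, look up the subscription ID, filter subsystems, tighten the subscription, then check the last response codes with the Get command), as an added example that is not from the Quest documentation. It assumes that Connect-CAClient takes -InstallationName and -Credential, that subscription objects expose an Id property and subsystem objects a Name property; the coordinator and subsystem names are constructed.

```powershell
# Added example, not from the Change Auditor documentation. Assumed rather than
# taken from this page: Connect-CAClient's -InstallationName/-Credential
# parameters, the Id property on subscription objects and the Name property on
# subsystem objects. Run after the Change Auditor PowerShell module is imported.
$cred       = Get-Credential -Message 'Change Auditor administrator'
$connection = Connect-CAClient -InstallationName 'DEFAULT' -Credential $cred

# Identify the subscription by ID (-SubscriptionId) instead of passing the
# object (-Subscription); the two parameters are mutually exclusive.
$subscription   = Get-CASentinelEventSubscriptions -Connection $connection |
    Select-Object -First 1
$subscriptionId = $subscription.Id

# Build the -Subsystems array by filtering the full export list, as the NOTE
# under -Subsystems describes. Subsystem names below are constructed.
$subsystems = Get-CAEventExportSubsystems -Connection $connection |
    Where-Object { $_.Name -in @('Active Directory', 'Logon Activity') }

# Tighten the subscription: only the named coordinators may send (an empty
# array would allow any coordinator), batches stay well under the 6500-event
# ceiling, events flush every 30 s and a heartbeat is written every 5 min so
# a stalled feed is visible in Heartbeat_ChangeAuditor_CL.
$params = @{
    Connection           = $connection
    SubscriptionId       = $subscriptionId
    Subsystems           = $subsystems
    AllowedCoordinators  = @('CACOORD01', 'CACOORD02')   # constructed names
    BatchSize            = 1000
    NotificationInterval = 30000
    HeartbeatInterval    = 300000
    Enabled              = $true
}
Set-CASentinelEventSubscription @params

# Verify delivery: the Get command reports the last event and heartbeat
# response codes returned by Microsoft Sentinel (see "Handling webhook
# responses"). Anything other than a success code means events are not
# reaching the workspace and the subscription needs attention.
Get-CASentinelEventSubscriptions -Connection $connection |
    Where-Object { $_.Id -eq $subscriptionId } |
    Select-Object Id, Enabled, LastEventResponse, LastHeartbeatResponse
```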


Webhook technical insights

Handling webhook responses

To see the response codes, run the associated Get command and review the LastEventResponse and LastHeartbeatResponse in the output for the following response codes:
