지금 지원 담당자와 채팅
지원 담당자와 채팅

Change Auditor 7.6 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Managing a Splunk integration

Managing a Splunk integration

To begin to take advantage of the rich data gathered by Change Auditor by sending event data to Splunk, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

* 
NOTE: Columns that do not contain any event data will not display in Splunk.
* 
IMPORTANT: To configure Splunk to receive events from Change Auditor you need to configure an HTTP event collector token in your Splunk instance.
1
Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Ensure that All Tokens are enabled under the Global Settings.
2
Click New Token and complete the steps in the wizard.
3
Copy the token. This value is required to create a Splunk subscription in Change Auditor.

Currently, you can create and manage a subscription for managed and unmanaged Splunk Cloud and Splunk Enterprise editions through the Change Auditor client or through PowerShell commands.
Working with Splunk subscriptions through the client
New-CASplunkEventSubscription
Get-CASplunkEventSubscriptions
Set-CASplunkEventSubscription
Remove-CASplunkEventSubscription

Working with Splunk subscriptions through the client

To create a Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add Splunk Subscription to enter the required information.
3
Specify where to send the event data by entering the event URL.
For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event.
[hostname] is the hostname of your Splunk instance, [port] is the port defined in your Splunk instance's HTTP Event Collector token page (default is 8088).
For a Splunk Cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”.
[hostname] is available in the address bar of an open Splunk Cloud instance and the default port is 8088.
4
Enter the event token.
Splunk uses this unique identifier to confirm that the specified event URL is authorized to accept event data. The token value is created during the Splunk instance configuration.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time.
Select the subsystems to include in the subscription.
6
Click Finish.
To view existing Splunk subscription details:
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Expand the required subscription.
The summary page displays the type of subscription (Target), where the events are being sent (Event URL), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).
To edit the Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Edit.
3
If required, enter the new URL and click Next.
4
If required, add and remove the subsystems included in the subscription.
5
Click Finish.
To remove a Splunk subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Delete.
3
Confirm the removal.
To enable and disable a subscription
When viewing the summary information, select the status column and choose to enable or disable the subscription as required.
To refresh the summary information
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CASplunkEventSubscription

Use this command to create the subscription required to send Change Auditor event data to Splunk.

Table 2. Available parameters

Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SplunkUrl

Specifies the address of your Splunk instance that will receive the event data.

For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event ([hostname] is the hostname of your Splunk instance, [port] is the port defined in your Splunk instance's HTTP Event Collector token page (default is 8088)
For a Splunk cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”. (Hostname is available in the address bar of an open Splunk cloud instance.)
For details, see the Splunk documentation on HTTP Event Collector data inputs.

-EventToken

The unique identifier (token) used by Splunk to confirm that the specified Splunk URL is authorized to accept event data.

The token value is created during the Splunk instance configuration.

For details on creating an event collector token, see the Splunk documentation on HTTP Event Collector data inputs.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

20 July, 2020 12:01 PM uses local time
2020-07-20 12:10:00Z uses UTC time

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

NOTE: If no value is specified, heartbeat notifications are not sent.

-HeartbeatToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified HeartbeatUrl is authorized to accept heartbeat notifications.

NOTE: This is optional as you may have opted to send your heartbeat notifications to a URL that does not require a token for verification.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the Splunk instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatUrl. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Create a subscription to send all subsystems event data to a Splunk instance

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CASplunkEventSubscription -Connection $connection -SplunkUrl $splunkUrl -EventToken $eventToken -Subsystems $allSubsystems

Get-CASplunkEventSubscriptions

Use this command to see the details of the current Splunk subscriptions.

* 
NOTE: The “Batches sent”, “Last event time in UTC”, “Last event response” and “Events sent” are all indicators that the events are being received by Splunk. Any failures receiving the data populate the “Last event response” property in the object with information on why the data was not received.
Table 6. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId (optional)

The ID of an existing Splunk subscription.

If specified, the command will only return the Splunk subscription with that ID. If not specified, all Splunk subscriptions are returned.

You can find this by running this command using just the connection information. It is also returned by the New-CASplunkEventSubscription command.

Example: List defined Splunk subscriptions

Get-CASplunkEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Table 7. Available configuration information
Setting
Description

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

SplunkUrl

The URL where event data is sent.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data you want to send.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

URL for heartbeat notifications.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

Last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notificaitons are sent to the HeartbeatURL.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator sending the events.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Microsoft 365 and Microsoft Entra ID events.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택