Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.1.1 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration
Webhook technical insights

Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration

You can take advantage of the rich data gathered by Change Auditor and use it with ArcSight Logger and ArcSight Enterprise Security Manager (ESM). To begin sending event data, you need to create an ArcSight event subscription with Change Auditor.

To send encrypted Change Auditor events to ArcSight ESM or ArcSight Logger, you must set the ArcSight host and port to match the host and port of the ArcSight connector configured to receive syslog messages over TCP.

When sending encrypted events, communication between the coordinator and connector is unencrypted, however, communication between the connector and ArcSight is encrypted. For improved security:

The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

Working with Change Auditor data within ArcSight

The following table describes how Change Auditor event details are mapped to the event details provided in ArcSight’s Common Event Format (CEF) extensions. All other Change Auditor columns not listed here will display as custom columns in ArcSight.

 

Subsystem

deviceEventClassId

Event

name

Severity

agentSeverity

Action

categoryBehaviour

Result

categoryOutcome

Server FQDN

deviceHostName

IP Address

deviceAddress

ID

eventId

Origin IPv4

sourceAddress

Origin IPv6

c6a2

Origin

sourceHostName

User SID

sourceUserId

User

sourceUserName

Description

message

Time Detected

endTime

Time Detected

startTime

Working with ArcSight subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add ArcSight Subscription to open the event subscription wizard.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
6
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
5
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CAArcSightEventSubscription

Use this command to create the subscription required to send Change Auditor event data to ArcSight.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-ArcSightHost

Specifies the IP address or host name of the computer where ArcSight Logger or the ArcSight connector is installed.

-ArcSightPort (Optional)

The port number for the ArcSight Logger or the ArcSight connector. The default port is 515.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTime (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications. Heatbeat notifications cannot be sent directly to ArcSight. To use this parameter, you must use a previously created webhook URL.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the computer where ArcSight Logger or the ArcSight connector is installed. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat message.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send all subsystems event data to a computer where ArcSight Logger or the ArcSight connector is installed

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CAArcSightEventSubscription -Connection $connection -ArcSightHost $ArcSightHost -Subsystems $allSubsystems

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação