Change Auditor 7.2 - SIEM Integration User Guide


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.
-Subscription	The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.
-SubscriptionId	The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

Example: Remove a Splunk subscription

Remove-CASplunkEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Managing an IBM QRadar integration

You can take advantage of the rich data gathered by Change Auditor and use it with QRadar on-premises deployments. To begin sending event data, you need to create the QRadar extension and a QRadar event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

IMPORTANT: To ensure that QRadar can read and present Change Auditor events, you need to import the extension created during the subscription creation or with the New-CAQRadarExtension command.

Open the QRadar console and select the Admin tab.

Select Extensions Management | Add.

Select the extension zip file and follow the instructions.

If prompted that the extension is not signed, select Install. When prompted to overwrite or keep existing data, select Overwrite.

IMPORTANT: If your Change Auditor coordinator IP addresses change, you must update the corresponding log source identifier in QRadar.

Open the QRadar console and select the Admin tab.

Select Log Sources.

Select the Change Auditor log source and select Edit.

Enter the new IP address into the Log Source Identifier field and select Save.

•

Working with QRadar subscriptions through the client

•

New-CAQRadarExtension

•

New-CAQRadarEventSubscription

•

Get-CAQRadarEventSubscriptions

•

Set-CAQRadarEventSubscription

•

Remove-CAQRadarEventSubscription

Working with QRadar subscriptions through the client


	NOTE: All new subscriptions created through the client are encrypted with TLS/SSL. QRadar must be configured to accept the TLS protocol. To create a subscription that is not encrypted, use the New-CAQRadarEventSubscription command and set -TlsEnabled to false.

To create a QRadar subscription

From the Administration Tasks, select Configuration | Event Subscriptions.

Click Add QRadar Subscription to open the event subscription wizard.

Specify the IPv4 address or FQDN (fully qualified domain name) of the QRadar instance that will receive the event data.

Specify the port number for your QRadar instance that will receive the event data. The default port is 6514.

Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.

•

By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.

•

Select the subsystems to include in the subscription.

Click Next to create the required extension to import to your QRadar instance. The extension instructs QRadar on how to read and present Change Auditor events. Specifically, it defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.


	NOTE: If you create a new extension, the subscription is created in the disabled state. After you have imported and applied the extension, you need to enable the subscription.


	NOTE: If you have previously configured your QRadar instance for Change Auditor, you can select My QRadar instance is already configured and click Finish to complete the subscription setup.

Specify the file path and name for the file and click Generate extension.

Click OK in the confirmation dialog. Copy the file path to import the extension to your QRadar instance.

Click Finish.

To view existing QRadar subscription details:

From the Administration Tasks, select Configuration | Event Subscriptions.

Expand the required subscription.

The summary page displays the type of subscription (Target), where the events are being sent, the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

To create a new extension

From the Administration Tasks, select Configuration | Event Subscriptions.

Right-click the required subscription and click Generate Extension.

Specify the file path and name for the file and click Generate file.

Click OK in the confirmation dialog.

Copy the file path to import the extension to your QRadar instance.

To edit the QRadar subscription

From the Administration Tasks, select Configuration | Event Subscriptions.

Select the required subscription and click Edit.

If required, enter the server and port and click Next.

If required, add and remove the subsystems included in the subscription and click Next.

If required, you can generate a new extension.

Click Finish.

To remove a QRadar subscription

From the Administration Tasks, select Configuration | Event Subscriptions.

Select the required subscription and click Delete.

Confirm the removal.

To enable and disable a subscription

•

When viewing the summary information, select the status column and choose to enable or disable the subscription as required.

To refresh the summary information

From the Administration Tasks, select Configuration | Event Subscriptions.

Click Refresh.

New-CAQRadarExtension

The Change Auditor extension must be added to QRadar for it to read and present Change Auditor events. Specifically, the extension defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.

Use this command to create and generate a zip file that contains XML with the required extension. The extension must then be imported to QRadar.

Table 2. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.
-SubscriptionId	The ID of an existing QRadar subscription. The subscription specifies the TLS log source port in the extension.
-ExtensionFilepath	Specifies the path for the output zip file.
-CoordinatorHosts (Optional)	Specifies a list of addresses from which QRadar can receive events.

Example: Create a QRadar subscription extension, and specify the location for the output and the TLS log source

New-CAQRadarExtension -Connection $connection -ExtensionFilepath $ExtensionFilepath -SubscriptionId $SubscriptionId

Documentos relacionados

Change Auditor - 7.2
Built-in Reports Reference Guide
Event Reference Guide
FIPS Compliance User Guide
Installation Guide
Office 365 and Azure Active Directory Event Reference Guide
Office 365 and Azure Active Directory User Guide
PowerShell User Guide
Quick Start Guide
Release Notes
SIEM Integration User Guide

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação

Selecione seu produto:

Para podermos atendê-lo melhor, informe o Propósito de seu chat:

Soluções recomendadas para seu problema

Change Auditor 7.2 - SIEM Integration User Guide

Remove-CASplunkEventSubscription

Managing an IBM QRadar integration

Working with QRadar subscriptions through the client

New-CAQRadarExtension