Change Auditor 7.2 - SIEM Integration User Guide

Remove-CASplunkEventSubscription

Use this command to remove a Splunk subscription.

Remove-CASplunkEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Managing an IBM QRadar integration

You can take advantage of the rich data gathered by Change Auditor and use it with QRadar on-premises deployments. To begin sending event data, you need to create the QRadar extension and a QRadar event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

Working with QRadar subscriptions through the client

1. From the Administration Tasks, select Configuration | Event Subscriptions.
2. Click Add QRadar Subscription to open the event subscription wizard.
5. Click Next to select the events to forward based on subsystem and event date. Once the subscription is created, the starting event date and time cannot be changed.
   By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
6. Click Next to create the required extension to import to your QRadar instance. The extension instructs QRadar on how to read and present Change Auditor events. Specifically, it defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.
   NOTE: If you have previously configured your QRadar instance for Change Auditor, you can select My QRadar instance is already configured and click Finish to complete the subscription setup.
8. Click OK in the confirmation dialog. Copy the file path to import the extension to your QRadar instance.
9. Click Finish.

New-CAQRadarExtension

The Change Auditor extension must be added to QRadar for it to read and present Change Auditor events. Specifically, the extension defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.

Use this command to generate a zip file containing the XML for the required extension. The extension must then be imported into QRadar.

Table 2. Available parameters

Example: Create a QRadar subscription extension, and specify the location for the output and the TLS log source

New-CAQRadarExtension -Connection $connection -ExtensionFilepath $ExtensionFilepath -SubscriptionId $SubscriptionId
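As an added example (not part of the guide or the product's own scripts), the wrapper below generates the extension for one subscription, confirms the zip was written and contains only XML, and records its SHA-256 so the file can be verified after it is copied to the QRadar host. It assumes $connection was obtained as described under "Connecting to Change Auditor", that -ExtensionFilepath takes the full output file name, and that the XML-only check matches the guide's description of the archive contents.

```powershell
# Added example, not from the Quest documentation. Assumes $Connection is an
# existing Change Auditor connection object and $SubscriptionId identifies an
# existing QRadar event subscription.
param(
    [Parameter(Mandatory)] $Connection,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $OutputDirectory = (Join-Path $env:TEMP 'ca-qradar')
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
# Assumption: -ExtensionFilepath is the full path of the zip to write.
$extensionPath = Join-Path $OutputDirectory "ChangeAuditor-QRadar-$SubscriptionId-$stamp.zip"

# Generate the extension zip for this subscription (cmdlet from the guide).
New-CAQRadarExtension -Connection $Connection -ExtensionFilepath $extensionPath -SubscriptionId $SubscriptionId

if (-not (Test-Path -LiteralPath $extensionPath)) {
    throw "Extension file was not created at $extensionPath"
}

# Inspect the archive before importing it to QRadar. The guide describes the
# zip as containing XML, so anything else is worth a look before import.
$zip = [System.IO.Compression.ZipFile]::OpenRead($extensionPath)
try {
    $entries = @($zip.Entries | Select-Object -ExpandProperty FullName)
} finally {
    $zip.Dispose()
}
$unexpected = @($entries | Where-Object { $_ -notmatch '\.xml$' })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected entries in extension archive: $($unexpected -join ', ')"
}

# Record a SHA-256 hash so the copy on the QRadar host can be checked against it.
$hash = (Get-FileHash -LiteralPath $extensionPath -Algorithm SHA256).Hash
[PSCustomObject]@{
    ExtensionPath = $extensionPath
    Entries       = $entries
    SHA256        = $hash
}
```

Compare the SHA256 value with Get-FileHash on the QRadar side (or sha256sum on the appliance) before importing the extension.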
