Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor 7.0.4 - SIEM Integration Guide

Table of Contents

Integrating Change Auditor and SIEM Tools

Webhooks in Change Auditor Webhook terminology Subscription configuration process

Subscription Management

Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions

New-CAEventWebhookSubscription Get-CAEventWebhookSubscriptions Set-CAEventWebhookSubscription Remove-CAEventWebhookSubscription Get-CAEventExportSubsystems

Working with event subscriptions in the client Managing a Splunk integration

Working with Splunk subscriptions through the client New-CASplunkEventSubscription Get-CASplunkEventSubscriptions Set-CASplunkEventSubscription Remove-CASplunkEventSubscription

Managing an IBM QRadar integration

Working with QRadar subscriptions through the client New-CAQRadarExtension New-CAQRadarEventSubscription Get-CAQRadarEventSubscriptions Set-CAQRadarEventSubscription Remove-CAQRadarEventSubscription

Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration

Working with Change Auditor data within ArcSight Working with ArcSight subscriptions through the client New-CAArcSightEventSubscription Get-CAArcSightEventSubscriptions Set-CAArcSightEventSubscription Remove-CAArcSightEventSubscription

Managing a Quest IT Security Search integration (Preview)

Working with a Quest IT Security Search subscriptions through the client New-CAITSSEventSubscription Get-CAITSSEventSubscriptions Set-CAITSSEventSubscription Remove-CAITSSEventSubscription

Webhook technical insights

Handling webhook responses

Remove-CAITSSEventSubscription

Use this command to remove an IT Security Search subscription.

Table 18. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.
-Subscription	The PSCAITSSSubscriptionStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.
-SubscriptionId	The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAITSSEventSubscriptions command to find the ID.

Example: Remove an IT Security Search subscription

Remove-CAITSSEventSubscription -Connection $connection -SubscriptionId $subscriptionId

3

Webhook technical insights

•

Handling webhook responses

Handling webhook responses

To see the response codes, run the associated Get command and review the LastEventResponse and LastHeartbeatResponse in the output for the following response codes:

Table 1. Response codes
Response code	Description
HTTP 200	Notification successfully received This response code is expected for every notification.
HTTP 429	Too many events being sent When this occurs, Change Auditor will automatically reduce the batch size when it sends its next notification.
HTTP 400	Bad Request This occurs when the receiving server is unreachable or the data is improperly formatted. Review the information provided with the response for details.
HTTP 401	Unauthorized access For example, the notification message has an incorrect or expired AuthorizationID configured in the subscription. In this case, the subscription will be disabled until the error is corrected.
HTTP 500	Internal Server Error This can be either an issue with the Change Auditor coordinator or the receiving server.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center