Chat now with support
Chat with Support

Change Auditor 7.2 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration
Webhook technical insights

New-CAQRadarEventSubscription

Use this command to create the subscription required to send Change Auditor event data to QRadar.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-QRadarHost

Specifies the IPv4 address or FQDN (fully qualified domain name) of your QRadar instance that will receive the event data.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-QRadarPort (Optional)

Specifies the port number for your QRadar instance that will receive the event data.

When TlsEnabled is set to true to enable TLS/SSL encryption, the default port is 6514.

When the TlsEnabled is set to false to send unencrypted events, the default port is 514.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications. Heatbeat notifications cannot be sent directly to QRadar. To use this parameter, you must use a previously created webhook URL.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the QRadar instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-TlsEnabled (Optional)

When set to true, the subscription sends events encrypted with TLS/SSL and sets the default port to 6514.

When set to false, the subscription sends events without encryption enabled, and sets the default port to 514.

The default is set to true.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send all subsystems event data to a QRadar instance

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CAQRadarEventSubscription -Connection $connection -QRadarHost $QRadarHost
-Subsystems $allSubsystems

Get-CAQRadarEventSubscriptions

Use this command to see the details of the current QRadar subscriptions.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId (optional)

The ID of an existing QRadar subscription.

If specified, the command will only return the QRadar subscription with that ID. If not specified, all QRadar subscriptions are returned.

Get-CAQRadarEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

QRadarUrl

The URL where the event data is sent.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data being sent.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

The URL where heartbeat notifications are sent.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

Last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notifications are sent.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator sending the events.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Office 365 and Azure Active Directory events.

Set-CAQRadarEventSubscription

Use this command to modify a QRadar subscription.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAQRadarSubscriptionStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CAQRadarEventSubscriptions command to find the ID.

-QRadarHost

Specifies the IPv4 address or FQDN (fully qualified domain name) of your QRadar instance that will receive the event data.

-QRadarPort (Optional)

Specifies the port number for your QRadar instance that will receive the event data. The default port depends on whether the existing subscription is sending encrypted or unencrypted events.

When TlsEnabled is set to true the default port is 6514; when set to false the default port is 514.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the QRadar instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatUrl. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Disable a subscription

Set-CAQRadarEventSubscription -Connection $connection -QRadarHost $QRadarHost -SubscriptionId $SubscriptionId -Enabled $false

Example: Edit the subsystems included in a webhook subscription

$newSubsystems = Get-CAEventExportSubsystems -Connection $connection | ? { $_.DisplayName -eq "File System" -or $_.DisplayName -eq "Active Directory" }

Set-CAQRadarEventSubscription -Connection $connection -QRadarHost $QRadarHost -SubscriptionId cd87b774-8e65-46e1-8520-da478c60c4c3 -Subsystems $newSubsystems

Remove-CAQRadarEventSubscription

Use this command to remove a QRadar subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAQRadarSubscriptionStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAQRadarEventSubscriptions command to find the ID.

Remove-CAQRadarEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating