Chat now with support
Chat with Support

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Change Auditor 7.4 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Subscription failover support

If a coordinator detects that the event sending to a SIEM subscription has been consistently failing for a specified period of time, it will try another coordinator that has been specified as an allowed coordinator to send events to a SIEM tool. If the second coordinator successfully sends events to the SIEM subscription, it will continue performing the task.

The following internal events help to keep you informed of any issues:

The Event forwarding suspended due to webhook error internal event alerts you to a SIEM connection issue.
The Event forwarding has resumed internal event indicates that the connection has been restored.

By default, the failover time period for the coordinator is set to 30 minutes.

Subscription Management
Adding the PowerShell module
Viewing available commands and help
Connecting to Change Auditor
Managing subscriptions
Managing a Splunk integration
Managing an IBM QRadar integration
Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration
Managing a Quest IT Security Search integration (Preview)
Managing a Syslog integration
Managing a Microsoft Sentinel integration

 

Adding the PowerShell module

Change Auditor comes with a PowerShell module for you to use to manage your environment. It is installed when you install the Windows client or a coordinator.

* 
NOTE: Windows PowerShell version 3.0 or higher is required.
To import the Change Auditor PowerShell module:
1
Open a Windows PowerShell window and type the following at the Windows PowerShell command prompt:
Import-Module <path>
Where "<path>" is the file path for the ChangeAuditor.PowerShell.dll assembly found in the Change Auditor Windows client or Change Auditor coordinator folder.
2
To ensure that the module was added, type the following at the Windows PowerShell command prompt:
Get-Module -All
The registered PowerShell modules are listed.

Viewing available commands and help
To view all available Change Auditor commands, enter:
Get-Command -Module ChangeAuditor.PowerShell
To view help on each command including the syntax, enter:
Get-Help cmdletName
To view an interactive command browser that shows you the layout of commands and the help for the commands, enter:
Show-Command cmdletName

 

* 
NOTE: Sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating