Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Integrating Change Auditor and SIEM Tools

Previous Next

Integrating Change Auditor and SIEM Tools
Webhooks in Change Auditor
Webhook terminology
Subscription configuration process

 

Webhooks in Change Auditor

Previous Next

Webhooks in Change Auditor

Change Auditor administrators can configure Change Auditor to send events to a third party tool using webhook technology. This technology allows you to integrate Change Auditor with Splunk, IBM QRadar, Micro Focus Security ArcSight, Quest IT Security Search, or any other tool that accepts webhook notifications.

This guide is intended for customers who want to access and reuse the rich event data gathered by Change Auditor. It describes the configuration required to implement an integration with third-party tools.

Webhook terminology

Previous Next

Webhook terminology
Webhook receiver: A service that has one or more webhook endpoints and is a third party tool that can receive Change Auditor events.
Webhook endpoint: Specified with the NotificationUrl parameter, it is the web location where events are sent to inside the receiver.
Webhook subscription: A configuration that contains information on the webhook receiver and how events should be sent. This includes a notification URL, notification interval, and the coordinator responsible for event forwarding.
Notification: A message sent to the webhook receiver that contains a batch of events.

Subscription configuration process

Previous Next

Subscription configuration process

To begin receiving event data, you need to:

1
Deploy a SIEM tool that can receive and process events from Change Auditor.

Create a webhook endpoint and configure it in your SIEM tool. The specifics for this are dependent on the tool that you are using.

Test the webhook receiver to confirm it is working properly.

2
Create and configure a subscription within Change Auditor. The subscription contains information such as where to send the events, which events to include, and the coordinator responsible for event forwarding. It also contains the heartbeat notification which is a message sent to the webhook receiver that notifies it that the Change Auditor coordinator is responsive. The heartbeat notification contains the bookmark time. The bookmark is the time the last event was sent in the event notification.

For details on using more than one coordinator to avoid the suspension of event sending due to connection issues, see Subscription failover support.

For details on creating subscriptions see Managing a Splunk integration, Managing an IBM QRadar integration, Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration, and Managing a Quest IT Security Search integration (Preview).

3
Once the subscription is created, the coordinator polls the database and continuously pushes new events to the specified notification URL in the subscription. Events are sent based on the time specified in the subscription.
4
Validate that events are being sent and processed by running the
Get-CAEventWebhookSubscriptions, Get-CASplunkEventSubscriptions, Get-CAQRadarEventSubscriptions, Get-CAArcSightEventSubscriptions, or Get-CAITSSEventSubscriptions commands. The information in these commands indicate if the events are being received.

Figure 1. Webhook integration process

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating