Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Set-CASplunkEventSubscription

Previous Next

Set-CASplunkEventSubscription

Use this command to modify a Splunk subscription.

Table 2. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified. Use the Get-CASplunkEventSubscriptions command to get a list of objects.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

-SplunkUrl (Optional)

Specifies the address of your Splunk instance that will receive the event data.

For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event ([hostname] is the hostname of your Splunk instance, [port] is the port defined in your Splunk instance's HTTP Event Collector token page (default is 8088)
For a Splunk cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”. (Hostname is available in the address bar of an open Splunk cloud instance.)

For details, see the Splunk documentation on HTTP Event Collector data inputs.

-EventToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified SplunkUri is authorized to accept event data.

The token value is created during the Splunk instance configuration.

For details on creating an event collector token, see the Splunk documentation on HTTP Event Collector data inputs.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

NOTE: If no value is specified, heartbeat notifications are not sent.

-HeartbeatToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified heartbeatUri is authorized to accept heartbeat notifications.

NOTE: This is optional as you may have opted to send your heartbeat notifications to a URL that does not require a token for verification.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the Splunk instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.
NOTE: The subsystems specified override the current subsystems included in the subscription.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Disable a subscription

Set-CASplunkEventSubscription -Connection $connection -SubscriptionId $SubscriptionId -Enabled $false

Example: Edit the subsystems included in a webhook subscription

$newSubsystems = Get-CAEventExportSubsystems -Connection $connection | ? { $_.DisplayName -eq "File System" -or $_.DisplayName -eq "Active Directory" }

Set-CASplunkEventSubscription -Connection $connection -SubscriptionId cd87b774-8e65-46e1-8520-da478c60c4c3 -Subsystems $newSubsystems

Remove-CASplunkEventSubscription

Previous Next

Remove-CASplunkEventSubscription

Use this command to remove a Splunk subscription.

Table 8. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

Example: Remove a Splunk subscription

Remove-CASplunkEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Splunk event subscription wizard

Previous Next

Splunk event subscription wizard

From the Event Subscription Wizard you can add and edit a Splunk subscription.

* 
NOTE: Optional subscription settings can be set through PowerShell, see Set-CASplunkEventSubscription.
* 
IMPORTANT: To configure Splunk to receive events from Change Auditor you need to configure an HTTP Event Collector token in your Splunk instance.
1
Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Ensure that All Tokens are enabled under the Global Settings.
2
Click New Token and complete the steps in the wizard.
3
Copy the token. This values is required to create a Splunk subscription in Change Auditor.
To create a Splunk subscription
1
Click Add | Splunk subscription to open the wizard.
2
Specify where to send the event data by entering the event URL.

For a Splunk Enterprise instance, use https://[hostname]:[port]/services/collector/event (Hostname is the localhost or the IP of the hosting computer.)

For a Splunk Cloud instance, use:
“https://input-[hostname]:[port]/services/collector/event”. [hostname] is available in the address bar of an open Splunk Cloud instance and the default port is 8088.

3
Enter the event token.

Splunk uses this unique identifier to confirm that the specified event URL is authorized to accept event data. The token value is created during the Splunk instance configuration.

4
Click Next to select the events to forward based on subsystem and event date.
By default, events start sending after the subscription is created. To change when to begin collecting and sending events, click Send events starting and select the desired date and time. You can select to send historical data; however, the time cannot be more than 30 days prior to the Change Auditor 7.0 installation date.
Select the subsystems to include in the subscription.
5
Click Finish.
To edit the event URL for a Splunk subscription
1
Select the required subscription and click Edit.
2
Enter the new URL and click Finish.

Managing an IBM QRadar integration

Previous Next

Managing an IBM QRadar integration

You can take advantage of the rich data gathered by Change Auditor and use it with QRadar on-premises deployments. To begin sending event data, you need to create the QRadar extension and a QRadar event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

* 
IMPORTANT: To ensure that QRadar can read and present Change Auditor events, you need to import the extension created during the subscription creation or with the New-CAQRadarExtension command.
1
Open the QRadar console and select the Admin tab.
2
Select Extensions Management | Add.
3
Select the extension zip file and follow the instructions.

If prompted that the extension is not signed, select Install. When prompted to overwrite or keep existing data, select Overwrite.

* 
IMPORTANT: If your Change Auditor coordinator IP addresses change, you must update the corresponding log source identifier in QRadar.
1
Open the QRadar console and select the Admin tab.
2
Select Log Sources.
3
Select the Change Auditor log source and select Edit.
4
Enter the new IP address into the Log Source Identifier field and select Save.
Working with QRadar subscriptions through the client
New-CAQRadarExtension
New-CAQRadarEventSubscription
Get-CAQRadarEventSubscriptions
Set-CAQRadarEventSubscription
Remove-CAQRadarEventSubscription
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating