Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Working with Change Auditor data within ArcSight

Previous Next

Working with Change Auditor data within ArcSight

The following table describes how Change Auditor event details are mapped to the event details provided in ArcSight’s Common Event Format (CEF) extensions. All other Change Auditor columns not listed here will display as custom columns in ArcSight.

* 
NOTE: Columns that do not contain any event data will not display in ArcSight.

 

Table 12. Mapping information

Change Auditor column

ArcSight column

Subsystem

deviceEventClassId

Event

name

Severity

agentSeverity

Action

categoryBehaviour

Result

categoryOutcome

Server FQDN

deviceHostName

IP Address

deviceAddress

ID

eventId

Origin IPv4

sourceAddress

Origin IPv6

c6a2

Origin

sourceHostName

User SID

sourceUserId

User

sourceUserName

Description

message

Time Detected

endTime

Time Detected

startTime

* 
NOTE: Some Change Auditor events exceed ArcSight’s recommended supported event data length. If a Change Auditor event exceeds this limit, the event data is continued in new ArcSight events to ensure all data is stored.

Working with ArcSight subscriptions through the client

Previous Next

Working with ArcSight subscriptions through the client

To create an ArcSight subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add ArcSight Subscription to open the event subscription wizard.
3
Specify the IPv4 address or FQDN (fully qualified domain name) of the computer where ArcSight Logger or the ArcSight connector is installed.
4
Specify the port number for the ArcSight Logger or the ArcSight connector. The default port is 515.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time.
Select the subsystems to include in the subscription.
6
Click Finish.
To view existing ArcSight subscription details:
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Expand the required subscription.

The summary page displays the type of subscription (Target), where the events are being sent, the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

To edit the ArcSight subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Edit.
3
If required, enter the server and port and click Next.
4
If required, add and remove the subsystems included in the subscription.
5
Click Finish.
To remove a subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Delete.
3
Confirm the removal.
To enable and disable a subscription
When viewing the summary information, select the status column and choose to enable or disable the subscription as required.
To refresh the summary information
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CAArcSightEventSubscription

Previous Next

New-CAArcSightEventSubscription

Use this command to create the subscription required to send Change Auditor event data to ArcSight.

Table 2. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-ArcSightHost

Specifies the IP address or host name of the computer where ArcSight Logger or the ArcSight connector is installed.

-ArcSightPort (Optional)

The port number for the ArcSight Logger or the ArcSight connector. The default port is 515.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

20 July, 2020 12:01 PM uses local time
2020-07-20 12:10:00Z uses UTC time

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications. Heatbeat notifications cannot be sent directly to ArcSight. To use this parameter, you must use a previously created webhook URL.

NOTE: If no value is specified, a heartbeat notification is not sent.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the computer where ArcSight Logger or the ArcSight connector is installed. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat message.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send all subsystems event data to a computer where ArcSight Logger or the ArcSight connector is installed

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CAArcSightEventSubscription -Connection $connection -ArcSightHost $ArcSightHost -Subsystems $allSubsystems

Get-CAArcSightEventSubscriptions

Previous Next

Get-CAArcSightEventSubscriptions

Use this command to see the details of the current ArcSight subscriptions.

* 
NOTE: The “Batches sent”, “Last event time in UTC”, “Last event response” and “Events sent” are all indicators that the events are being received by ArcSight. Any failures receiving the data populate the “Last event response” property in the object with information on why the data was not received.

Table 13. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId (optional)

The ID of an existing ArcSight subscription.

If specified, the command will only return the ArcSight subscription with that ID. If not specified, all ArcSight subscriptions are returned.

Example: List defined ArcSight subscriptions

Get-CAArcSightEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Table 14. Available configuration information

Setting

Description

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

ArcSightHost

The IP address or host name where event data is sent.

ArcSightPort

The port where event data is sent.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data being sent.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

URL for heartbeat notifications.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

The last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often how often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notifications are sent.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator sending the events.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Microsoft 365 and Microsoft Entra ID events.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating