Change Auditor 7.5 - User Guide

Connect-CAClient

Connect-CAClient

Most Change Auditor commands require a connection to a coordinator. You can make multiple connections to different coordinators or deployments in the same script as long as the version of Change Auditor is the same.

This connection can be assigned to a variable and used for any command that requires it. Use this command to search for a suitable coordinator in a Change Auditor installation and create a connection. Suitable coordinators are those which you have access to and can be located by searching through Active Directory service connection points.

NOTE: Connections are closed when the PowerShell session is ended or disconnected.

Table 1. Available parameters

Parameter	Description
-Credential (Optional)	Windows credentials specifying the user to connect to the Change Auditor installation. All operations using this connection will be authorized as this user. When not specified, the current client running PowerShell is used.
-CoordinatorConnectionPoint (Optional)	Specify to use a specific coordinator found from a previous call to Find-CACoordinators.
-SelectLocalCoordinator (Optional)	Create a connection to the local coordinator.
-InstallationName (Optional)	The installation name to connect to. If an installation cannot be found with this name, no connection is made. If more than one Change Auditor installation exists in the current forest, this parameter is mandatory. Omitting it results in a connection failure due to ambiguity.
-DomainName (Optional)	The name of the domain where the Change Auditor installation exists.
-ComputerName (Optional)	The computer to connect to.
-Port (Optional)	The port to connect to.
-WaitForServiceReady (Optional)	The number of seconds to wait for the connected coordinator service to be ready. NOTE: If not specified, when the Change Auditor coordinator is not ready for connections due to an in-progress install or upgrade, an error is returned. The maximum is 144,000 seconds, or 10 hours.

Example: Connect to the installation “XYZ” in the specified domain

Connect-CAClient –InstallationName ‘XYZ’ -DomainName 'DomainName.com'

Managing a Threat Detection configuration

Managing a Threat Detection configuration

•	New-CAThreatDetectionConfiguration

•	Get-CAThreatDetectionConfiguration

•	Set-CAThreatDetectionConfiguration

•	Remove-CAThreatDetectionConfiguration

New-CAThreatDetectionConfiguration

New-CAThreatDetectionConfiguration

Use this command to create a Threat Detection configuration.

NOTE: When a configuration is created, the Threat Detection server is automatically joined to your coordinator's domain and an associated service account is created. This is required to enable single-sign on to the Threat Detection dashboard.

NOTE: Quest recommends that you use the sample script CreateThreatDetectionConfiguration.ps from Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts.

NOTE: When you create a new configuration, the underlying webhook subscription that is generated is marked as internal. This ensures that the required subscription cannot be removed from an existing configuration.

Table 2. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.
-TDServer	The Threat Detection server fully qualified domain name.
-TDPassword	The password used to access the Threat Detection server. Use the integration password that was specified during the Threat Detection server deployment.
-DomainAdminCredential	The credentials required to join the Threat Detection server to your coordinator’s domain to enable access to the dashboard using windows integrated authentication. NOTE: The user must be a domain administrator or have been delegated the following tasks using the Active Directory Delegation Control wizard: ▪ Create, delete, and manage user account. ▪ Join a computer to the domain.
-HistoricalDays (Optional)	The number of days of historical events to send to the Threat Detection server. For details, see Historical events and your baseline calculations.
-AllowedCoordinators (Optional)	The DNS or NetBIOS name of the coordinators permitted to send events. If none are specified, all coordinators installed at the time of configuration are permitted to send events. NOTE: The list order does not determine which coordinator is selected to send events.

Example: Creating a configuration

New-CAThreatDetectionConfiguration -Connection $connection -TDServer ‘ServerName.Domain.Com’ -TDPassword $TDPassword -DomainAdminCredential $DomainAdminCredential -HistoricalDays 30
-AllowedCoordinators @('machine1.domain.com','machine2.domain.com')

Get-CAThreatDetectionConfiguration

Get-CAThreatDetectionConfiguration

Use this command to view the Threat Detection configuration information and information about the associated subscription.

Table 3. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See Connecting to Change Auditor.

Example: Review Threat Detection configuration details

Get-CAThreatDetectionConfiguration -Connection $connection

Command output

The command returns the following information. For more information about some of these settings see the Change Auditor SIEM Integration Guide.

Table 4. Available configuration information

Setting	Description
TDServer	The Threat Detection server fully qualified domain name.
ConfigurationState	State of the configuration: • Configured: Threat Detection has been configured • Unconfigured: Threat Detection has not been configured • A valid Change Auditor Threat Detection license is required
HistoricalDays	How many days of historical events have been sent to Threat Detection server.
TDServerStatus	Status of the Threat Detection server: • Online • Offline
DataProcessingStatus	Status of the data processing. For example, building baseline.
TDServerVersion	Threat Detection server version.
TDSubscriptionId	Threat Detection subscription ID.
StartTime	Starting point in time for events to send.
Subsystems	Subsystems that have been selected for event sending.
TDSubscriptionEnabled	Whether the Threat Detection subscription is enabled.
NotificationInterval	How often how often (in milliseconds) events are sent.
HeartbeatInterval	Interval (in milliseconds) that a heartbeat check is made for the configuration.
BatchSize	Batch size. The maximum number of events to include in a single notification message.
NotificationUrl	Url for notifications.
HeartbeatUrl	Url for heartbeat notifications.
LastEventTime	When the last event was sent.
LastEventResponse	Last event response (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)
LastHeartbeatTime	When the last heartbeat was sent.
LastHeartbeatResponse	The last heartbeat response. (For example OK, HTTP 429 - Too many events being sent, and HTTP 401 - Unauthorized access.)
EventsSent	Number of events sent.
BatchesSent	Number of batches sent.
HeartbeatsSent	Number of heartbeats sent.
BookmarkTime	Time the last event was sent.
AllowedCoordinators	List of coordinators permitted to send events.
LastCoordinator	The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.