Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor 7.2 - SIEM Integration User Guide

Table of Contents

Integrating Change Auditor and SIEM Tools

Webhooks in Change Auditor Webhook terminology Subscription configuration process

Subscription Management

Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions

New-CAEventWebhookSubscription Get-CAEventWebhookSubscriptions Set-CAEventWebhookSubscription Remove-CAEventWebhookSubscription Get-CAEventExportSubsystems

Working with event subscriptions in the client Managing a Splunk integration

Working with Splunk subscriptions through the client New-CASplunkEventSubscription Get-CASplunkEventSubscriptions Set-CASplunkEventSubscription Remove-CASplunkEventSubscription

Managing an IBM QRadar integration

Working with QRadar subscriptions through the client New-CAQRadarExtension New-CAQRadarEventSubscription Get-CAQRadarEventSubscriptions Set-CAQRadarEventSubscription Remove-CAQRadarEventSubscription

Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration

Working with Change Auditor data within ArcSight Working with ArcSight subscriptions through the client New-CAArcSightEventSubscription Get-CAArcSightEventSubscriptions Set-CAArcSightEventSubscription Remove-CAArcSightEventSubscription

Managing a Quest IT Security Search integration (Preview)

Working with a Quest IT Security Search subscriptions through the client New-CAITSSEventSubscription Get-CAITSSEventSubscriptions Set-CAITSSEventSubscription Remove-CAITSSEventSubscription

Managing a Syslog integration

Working with Syslog subscriptions through the client New-CASyslogEventSubscription Get-CASyslogEventSubscriptions Set-CASyslogEventSubscription Remove-CASyslogEventSubscription

Webhook technical insights

Handling webhook responses

Remove-CAEventWebhookSubscription

Use this command to remove a subscription.


	NOTE: You cannot use this command to remove subscriptions that are marked as internal. You can use the Get-CAEventWebhookSubscriptions to see which subscriptions are internal.

Table 4. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.
-Subscription	The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.
-SubscriptionId	The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAEventWebhookSubscriptions command to find the ID.

Example: Remove a webhook subscription

Remove-CAEventWebhookSubscription -Connection $connection -SubscriptionId $subscriptionId

Get-CAEventExportSubsystems

Use this command to obtain an array of subsystems to include in a new subscriptions.

Table 5. Available parameters


Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

Example: Get the Active Directory and file system subsystems

Get-CAEventExportSubsystems -Connection $connection | ? {$_.DisplayName -eq "Active Directory" -or $_.DisplayName -eq "File System"}

Working with event subscriptions in the client

The event subscriptions summary page displays the type of subscription (Target), where the events are being sent (Event URL), the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

From here, you can:

•

View existing subscription details.

•

Add ArcSight, Splunk, QRadar, IT Security Search, and Syslog subscriptions.

•

Edit ArcSight, Splunk, QRadar, IT Security Search, and Syslog subscriptions.

•

Create a QRadar extension.

•

Remove a subscription.

•

Enable and disable a subscription.

See Managing a Splunk integration, Managing an IBM QRadar integration, Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration, Managing a Quest IT Security Search integration (Preview), and Managing a Syslog integration for details.

Managing a Splunk integration

Managing a Splunk integration

To begin to take advantage of the rich data gathered by Change Auditor by sending event data to Splunk, you need to create an event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.


	NOTE: Columns that do not contain any event data will not display in Splunk.

IMPORTANT: To configure Splunk to receive events from Change Auditor you need to configure an HTTP event collector token in your Splunk instance.

1

Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Ensure that All Tokens are enabled under the Global Settings.

2

Click New Token and complete the steps in the wizard.

3

Copy the token. This value is required to create a Splunk subscription in Change Auditor.

Currently, you can create and manage a subscription for managed and unmanaged Splunk Cloud and Splunk Enterprise editions through the Change Auditor client or through PowerShell commands.

•

Working with Splunk subscriptions through the client

•

New-CASplunkEventSubscription

•

Get-CASplunkEventSubscriptions

•

Set-CASplunkEventSubscription

•

Remove-CASplunkEventSubscription

Related Documents

Change Auditor - 7.2
Built-in Reports Reference Guide
Event Reference Guide
FIPS Compliance User Guide
Installation Guide
Office 365 and Azure Active Directory Event Reference Guide
Office 365 and Azure Active Directory User Guide
PowerShell User Guide
Quick Start Guide
Release Notes
SIEM Integration User Guide

«
1
2
3
4
5
»

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center