立即与支持人员聊天
与支持团队交流

Change Auditor 7.4 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Remove-CAQRadarEventSubscription

Use this command to remove a QRadar subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAQRadarSubscriptionStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CAQRadarEventSubscriptions command to find the ID.

Remove-CAQRadarEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration

You can take advantage of the rich data gathered by Change Auditor and use it with ArcSight Logger and ArcSight Enterprise Security Manager (ESM). To begin sending event data, you need to create an ArcSight event subscription with Change Auditor.

To send encrypted Change Auditor events to ArcSight ESM or ArcSight Logger, you must set the ArcSight host and port to match the host and port of the ArcSight connector configured to receive syslog messages over TCP.

When sending encrypted events, communication between the coordinator and connector is unencrypted, however, communication between the connector and ArcSight is encrypted. For improved security:

The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

Working with Change Auditor data within ArcSight

The following table describes how Change Auditor event details are mapped to the event details provided in ArcSight’s Common Event Format (CEF) extensions. All other Change Auditor columns not listed here will display as custom columns in ArcSight.

 

Subsystem

deviceEventClassId

Event

name

Severity

agentSeverity

Action

categoryBehaviour

Result

categoryOutcome

Server FQDN

deviceHostName

IP Address

deviceAddress

ID

eventId

Origin IPv4

sourceAddress

Origin IPv6

c6a2

Origin

sourceHostName

User SID

sourceUserId

User

sourceUserName

Description

message

Time Detected

endTime

Time Detected

startTime

Working with ArcSight subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add ArcSight Subscription to open the event subscription wizard.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
6
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
5
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级