立即与支持人员聊天
与支持团队交流

Change Auditor 7.4 - SIEM Integration User Guide

Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Managing an IBM QRadar integration Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Managing a Microsoft Sentinel integration
Webhook technical insights

Set-CASplunkEventSubscription

Use this command to modify a Splunk subscription.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to modify. This parameter is required if the SubscriptionId parameter is not specified. Use the Get-CASplunkEventSubscriptions command to get a list of objects.

-SubscriptionId

The ID of the subscription to modify. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

-SplunkUrl (Optional)

Specifies the address of your Splunk instance that will receive the event data.

For details, see the Splunk documentation on HTTP Event Collector data inputs.

-EventToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified SplunkUri is authorized to accept event data.

The token value is created during the Splunk instance configuration.

For details on creating an event collector token, see the Splunk documentation on HTTP Event Collector data inputs.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications.

-HeartbeatToken (Optional)

The unique identifier (token) used by Splunk to confirm that the specified heartbeatUri is authorized to accept heartbeat notifications.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the Splunk instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

-Subsystems (Optional)

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Office 365 and Azure Active Directory events. When set to false, the additionalDetails field is not included.

By default, this is set to true.

Example: Disable a subscription

Set-CASplunkEventSubscription -Connection $connection -SubscriptionId $SubscriptionId -Enabled $false

Example: Edit the subsystems included in a webhook subscription

$newSubsystems = Get-CAEventExportSubsystems -Connection $connection | ? { $_.DisplayName -eq "File System" -or $_.DisplayName -eq "Active Directory" }

Set-CASplunkEventSubscription -Connection $connection -SubscriptionId cd87b774-8e65-46e1-8520-da478c60c4c3 -Subsystems $newSubsystems

Remove-CASplunkEventSubscription

Use this command to remove a Splunk subscription.

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-Subscription

The PSCAEventWebhookStatus object that corresponds to the subscription to remove. This parameter is required if the SubscriptionId parameter is not specified.

-SubscriptionId

The ID of the subscription to remove. This parameter is required if the Subscription parameter is not specified. Use the Get-CASplunkEventSubscriptions command to find the ID.

Remove-CASplunkEventSubscription -Connection $connection -SubscriptionId $subscriptionId

Managing an IBM QRadar integration

You can take advantage of the rich data gathered by Change Auditor and use it with QRadar on-premises deployments. To begin sending event data, you need to create the QRadar extension and a QRadar event subscription with Change Auditor. The subscription contains information about where to send the notifications and heartbeats and the event subsystems to include.

2
Select Extensions Management | Add.
If prompted that the extension is not signed, select Install. When prompted to overwrite or keep existing data, select Overwrite.
2
Select Log Sources.

Working with QRadar subscriptions through the client

1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add QRadar Subscription to open the event subscription wizard.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor installation date.
6
Click Next to create the required extension to import to your QRadar instance. The extension instructs QRadar on how to read and present Change Auditor events. Specifically, it defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.
NOTE: If you have previously configured your QRadar instance for Change Auditor, you can select My QRadar instance is already configured and click Finish to complete the subscription setup.
8
Click OK in the confirmation dialog. Copy the file path to import the extension to your QRadar instance.
9
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
4
Click OK in the confirmation dialog.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
6
Click Finish.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级