立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Working with QRadar subscriptions through the client

Previous Next

Working with QRadar subscriptions through the client

* 
NOTE: All new subscriptions created through the client are encrypted with TLS/SSL. QRadar must be configured to accept the TLS protocol.

To create a subscription that is not encrypted, use the New-CAQRadarEventSubscription command and set -TlsEnabled to false.
To create a QRadar subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Add QRadar Subscription to open the event subscription wizard.
3
Specify the IPv4 address or FQDN (fully qualified domain name) of the QRadar instance that will receive the event data.
4
Specify the port number for your QRadar instance that will receive the event data. The default port is 6514.
5
Click Next to select the events to forward based on subsystem and event date. Once the subscription is created the starting event date and time cannot be changed.
By default, events start sending after the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time.
Select the subsystems to include in the subscription.
6
Click Next to create the required extension to import to your QRadar instance. The extension instructs QRadar on how to read and present Change Auditor events. Specifically, it defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.
* 
NOTE: If you create a new extension, the subscription is created in the disabled state. After you have imported and applied the extension, you need to enable the subscription.
* 
NOTE: If you have previously configured your QRadar instance for Change Auditor, you can select My QRadar instance is already configured and click Finish to complete the subscription setup.
7
Specify the file path and name for the file and click Generate extension.
8
Click OK in the confirmation dialog. Copy the file path to import the extension to your QRadar instance.
9
Click Finish.
To view existing QRadar subscription details:
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Expand the required subscription.

The summary page displays the type of subscription (Target), where the events are being sent, the subscription status (Enabled or Disabled), and when the last event was sent (Last Event).

To create a new extension
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Right-click the required subscription and click Generate Extension.
3
Specify the file path and name for the file and click Generate file.
4
Click OK in the confirmation dialog.
5
Copy the file path to import the extension to your QRadar instance.
To edit the QRadar subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Edit.
3
If required, enter the server and port and click Next.
4
If required, add and remove the subsystems included in the subscription and click Next.
5
If required, you can generate a new extension.
6
Click Finish.
To remove a QRadar subscription
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Select the required subscription and click Delete.
3
Confirm the removal.
To enable and disable a subscription
When viewing the summary information, select the status column and choose to enable or disable the subscription as required.
To refresh the summary information
1
From the Administration Tasks, select Configuration | Event Subscriptions.
2
Click Refresh.

New-CAQRadarExtension

Previous Next

New-CAQRadarExtension

The Change Auditor extension must be added to QRadar for it to read and present Change Auditor events. Specifically, the extension defines the log source (coordinator) and maps Change Auditor event columns to QRadar event columns.

Use this command to create and generate a zip file that contains XML with the required extension. The extension must then be imported to QRadar.

Table 2. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId

The ID of an existing QRadar subscription. The subscription specifies the TLS log source port in the extension.

-ExtensionFilepath

Specifies the path for the output zip file.

-CoordinatorHosts (Optional)

Specifies a list of addresses from which QRadar can receive events.

Example: Create a QRadar subscription extension, and specify the location for the output and the TLS log source

New-CAQRadarExtension -Connection $connection -ExtensionFilepath $ExtensionFilepath -SubscriptionId $SubscriptionId

New-CAQRadarEventSubscription

Previous Next

New-CAQRadarEventSubscription

Use this command to create the subscription required to send Change Auditor event data to QRadar.

* 
NOTE: Some Change Auditor events exceed QRadar’s recommended supported event data length. If a Change Auditor event exceeds this limit, the event data is continued in new QRadar events to ensure all data is stored.
* 
NOTE: Columns that do not contain any event data will not display in QRadar.

Table 2. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-QRadarHost

Specifies the IPv4 address or FQDN (fully qualified domain name) of your QRadar instance that will receive the event data.

-Subsystems

Specifies an array of event subsystems from which to send events. This can be single or multiple subsystems.

NOTE: To obtain an array of subsystems, use the Get-CAEventExportSubsystems command and filter the list to specify the required subsystems.

-QRadarPort (Optional)

Specifies the port number for your QRadar instance that will receive the event data.

When TlsEnabled is set to true to enable TLS/SSL encryption, the default port is 6514.

When the TlsEnabled is set to false to send unencrypted events, the default port is 514.

-StartTimeUTC (Optional)

Specifies date and time from which events should be sent. The default is to start sending events from the time when the subscription is created.

For example:

20 July, 2020 12:01 PM uses local time
2020-07-20 12:10:00Z uses UTC time

The time will be local unless you specify the required flag to convert to UTC.

-BatchSize (Optional)

Specifies the maximum number of events to include in a single notification. The default is 10000 events.

-Enabled (Optional)

Specifies whether the subscription is enabled or disabled. By default it is enabled.

-HeartbeatUrl (Optional)

Specifies where (URL) to send heartbeat notifications. Heatbeat notifications cannot be sent directly to QRadar. To use this parameter, you must use a previously created webhook URL.

NOTE: If no value is specified, a heartbeat notification is not sent.

-NotificationInterval (Optional)

Specifies how often (in milliseconds) notifications are sent to the QRadar instance. By default this is set to 0 which results in a continuous stream of events.

-HeartbeatInterval (Optional)

Specifies how often (in milliseconds) heartbeat notifications are sent to the HeartbeatURL. By default, this is set to every 5 minutes. Setting this to 0 disables the heartbeat notifications.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

-TlsEnabled (Optional)

When set to true, the subscription sends events encrypted with TLS/SSL and sets the default port to 6514.

When set to false, the subscription sends events without encryption enabled, and sets the default port to 514.

The default is set to true.

-IncludeO365AADDetails (Optional)

Specifies whether to include the raw JSON event details provided by Microsoft. When set to true, the event will include a field named additionalDetails, containing the raw JSON string for Microsoft 365 and Microsoft Entra ID events. When set to false, the additionalDetails field is not included.

By default, this is set to false.

Example: Create a subscription to send all subsystems event data to a QRadar instance

$allSubsystems = Get-CAEventExportSubsystems -Connection $connection

New-CAQRadarEventSubscription -Connection $connection -QRadarHost $QRadarHost
-Subsystems $allSubsystems

Get-CAQRadarEventSubscriptions

Previous Next

Get-CAQRadarEventSubscriptions

Use this command to see the details of the current QRadar subscriptions.

* 
NOTE: The “Batches sent”, “Last event time in UTC”, “Last event response” and “Events sent” are all indicators that the events are being received by QRadar. Any failures receiving the data populate the “Last event response” property in the object with information on why the data was not received.

Table 9. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-SubscriptionId (optional)

The ID of an existing QRadar subscription.

If specified, the command will only return the QRadar subscription with that ID. If not specified, all QRadar subscriptions are returned.

Example: List defined QRadar subscriptions

Get-CAQRadarEventSubscriptions -Connection $connection

Command output

The command returns the following information.

Table 10. Available configuration information

Setting

Description

Id

The subscription ID.

WebhookSubscriptionId

The webhook subscription ID.

QRadarUrl

The URL where the event data is sent.

StartTimeUTC

Starting point in time for events being sent.

Subsystems

Subsystems that contain the event data being sent.

Enabled

Whether the subscription is enabled.

HeartbeatUrl

The URL where heartbeat notifications are sent.

LastEventTimeUTC

When the last event was sent.

LastEventResponse

Last event response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

LastHeartbeatTimeUTC

When the last heartbeat was sent.

LastHeartbeatResponse

Last heartbeat response.

For example, statusCode = OK (200), statusCode = Bad Request (400), or statusCode = Internal Server Error (500).

EventsSent

Number of events sent.

BatchesSent

Number of batches sent.

HeartbeatsSent

Number of heartbeats sent.

NotificationInterval

How often (in milliseconds) notifications are sent.

HeartbeatInterval

How often (in milliseconds) heartbeat notifications are sent.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator sending the events.

IncludeO365AADDetails

Identifies whether or not the additionalDetails field with the raw JSON string is included for Microsoft 365 and Microsoft Entra ID events.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级