Quest Change Auditor (https://www.quest.com/change-auditor) integration with Sentinel


Hi All,

Hope you are well. Just wanted to know if anyone has integrated Quest Change Auditor with Sentinel please? If yes, what was the method used?

Regards,

Maxou

4 Replies

@Maxou I worked with a customer recently to get Edgewise configured for ingestion with Sentinel and Change Auditor seems very similar in function.

Does Change Auditor have the ability to export data? If so, you can use the Log Analytics agent to deliver the data to a custom table in the Azure Sentinel Log Analytics Workspace.

Ask Quest if this is possible, or if they have instructions for integrating their product with other SIEMS.

Hi @rodtrent, thanks for coming back to me. On their website they say they integrate with ArcSight, Splunk and QRadar for SIEM, but there was no mention of Sentinel.

I will probably have to get in touch with them to see if CEF or Syslog can be something of use for integrating their logs with Sentinel.

@Maxou Definitely let me know what comes of it. Very interested.

The methods Quest uses for the other SIEMs would be very similar to how we do it. We still have customers that run other SIEMs side-by-side with Sentinel - either long term, or as a migration path.

We can even import csv and JSON data files, btw.
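As an added example (not code from this thread, from Quest or from Microsoft), here is the shape of the two steps rodtrent describes: turning a CSV export into JSON records and delivering them to a custom table, using the Log Analytics HTTP Data Collector API as a programmatic alternative to the file-based agent. The CSV column names, workspace id and shared key are constructed placeholders; nothing is actually sent.

```python
import base64
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed sample of a Change Auditor-style CSV export. The column names are
# assumptions for illustration, not the product's real export schema.
SAMPLE_CSV = """Time,Who,Action,Object,Result
2020-05-06T10:15:00Z,alice@contoso.com,Group member added,CN=Domain Admins,Success
2020-05-06T10:16:30Z,bob@contoso.com,Password reset,CN=svc-backup,Failure
"""
# Constructed placeholder; a real workspace key is a base64 string from the portal.
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-real!!!").decode()

def csv_to_records(text):
    """Turn a CSV export into a list of flat, JSON-ready dicts (one per row)."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]

def build_signature(workspace_id, shared_key, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey authorization header for the Data Collector API: HMAC-SHA256 over
    the canonical request string, keyed with the base64-decoded workspace key."""
    string_to_hash = "\n".join([method, str(content_length), content_type,
                                "x-ms-date:" + date_rfc1123, resource])
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode())

def build_request(workspace_id, shared_key, log_type, records, date_rfc1123=None):
    """Return (url, headers, body) for a POST to the custom table <log_type>_CL.
    The date must be RFC 1123 in GMT; it is part of the signed string."""
    if date_rfc1123 is None:
        date_rfc1123 = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "content-type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date_rfc1123,
    }
    url = "https://{}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01".format(workspace_id)
    return url, headers, body

if __name__ == "__main__":
    url, headers, body = build_request("00000000-0000-0000-0000-000000000000",
                                       DEMO_SHARED_KEY, "ChangeAuditor",
                                       csv_to_records(SAMPLE_CSV))
    print(url, headers["Authorization"][:20] + "...", body.decode())
```

The records would land in a table named ChangeAuditor_CL with each CSV column as a typed column; any ingestion failure shows up as a non-200 response to the POST rather than as missing rows, so log the status code when you do send.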

@rodtrent Okay then. Will see what they say if they come back to me. Thanks again.