
SIEM Integration

The 'SIEM Integration' option forwards ADAudit Plus data to an external SIEM product or to a syslog server in real time.

You can choose to forward:

  • All ADAudit Plus data, category-wise (except Printer Audit Reports and Advanced GPO Reports).
  • ADAudit Plus Technician Audit Reports.
  • Alerts.

Forwarding ADAudit Plus data to a Syslog Server

Syslog is the standard event-logging service on Unix-like systems. You can also use this setting to forward to your SIEM's UDP or TCP syslog receiver.

Configuring a Syslog Server:

  • A syslog daemon listens by default on UDP port 514.
  • The defaults can be changed in its configuration file (/etc/syslog.conf for classic syslogd; /etc/rsyslog.conf on rsyslog-based systems, where the UDP and TCP input modules must be enabled explicitly). Restart the daemon for the changes to take effect.
  • Syslog over UDP is unauthenticated, unencrypted and offers no delivery guarantee. Where the receiver supports it, use TCP, and restrict the receiver to accept connections only from the ADAudit Plus server's address.

Steps to enable Syslog Logging in ADAudit Plus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'Syslog' radio button.
  3. Enter the syslog server name or IP address. Ensure that the syslog server is reachable from the ADAudit Plus server on the chosen port and protocol.
  4. Enter the syslog port number and protocol (UDP or TCP).
  5. Choose the syslog standard and data format expected by your SIEM parser.
  6. After saving this configuration, choose the categories to forward.
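Before enabling forwarding, it is worth confirming that the receiver is reachable from the ADAudit Plus server and that its parser accepts the syslog standard you chose in step 5. The script below is an added example, not ADAudit Plus code: it builds a test message in the two common syslog line formats (the RFC 3164 "BSD" format and RFC 5424) and sends it over UDP or TCP. The host names, port, tag and message text are placeholders; the fixed timestamp exists only to make the sample output reproducible.

```python
"""Send a test syslog message to the receiver ADAudit Plus will forward to.

Added example (not ADAudit Plus code). Builds RFC 3164 and RFC 5424 lines
so you can confirm which one the SIEM parser accepts, then delivers one
over UDP or TCP. Host names, port and message text are placeholders.
"""
import socket
from datetime import datetime, timezone

FACILITY_USER = 1   # syslog facility "user"
SEVERITY_INFO = 6   # syslog severity "informational"


def pri(facility: int, severity: int) -> int:
    """PRI value as defined in RFC 3164/5424: facility * 8 + severity."""
    return facility * 8 + severity


def rfc3164(host: str, tag: str, msg: str, when: datetime,
            facility: int = FACILITY_USER, severity: int = SEVERITY_INFO) -> str:
    # BSD format: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG (day of month is space-padded)
    ts = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{pri(facility, severity)}>{ts} {host} {tag}: {msg}"


def rfc5424(host: str, app: str, msg: str, when: datetime,
            facility: int = FACILITY_USER, severity: int = SEVERITY_INFO) -> str:
    # RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    # PROCID, MSGID and STRUCTURED-DATA are sent as the nil value "-".
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {ts} {host} {app} - - - {msg}"


def send_syslog(line: str, server: str, port: int, protocol: str = "udp",
                timeout: float = 5.0) -> None:
    """Deliver one syslog line.

    UDP carries one message per datagram. TCP receivers need a frame
    boundary; the newline trailer (RFC 6587 non-transparent framing) is
    what most receivers accept by default.
    """
    data = line.encode("utf-8")
    if protocol.lower() == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (server, port))
    elif protocol.lower() == "tcp":
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError(f"unsupported protocol: {protocol}")


def sample_lines():
    """Both formats for one fixed, constructed event (reproducible output)."""
    when = datetime(2020, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
    msg = "SIEM integration connectivity test"
    return (rfc3164("adauditplus01", "ADAuditPlus", msg, when),
            rfc5424("adauditplus01", "ADAuditPlus", msg, when))


def loopback_roundtrip(line: str) -> str:
    """Offline self-check: receive our own UDP datagram on 127.0.0.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_syslog(line, "127.0.0.1", rx.getsockname()[1], "udp")
        return rx.recv(65535).decode("utf-8")


if __name__ == "__main__":
    bsd, modern = sample_lines()
    print(bsd)
    print(modern)
    print("loopback ok:", loopback_roundtrip(modern) == modern)
    # Against the real receiver (placeholder host and port):
    # send_syslog(modern, "siem.example.internal", 514, "tcp")
```

If the message appears in the receiver's log file or SIEM search with the timestamp and host parsed correctly, the parser matches the standard you selected; if it arrives but the timestamp or host lands in the message body, switch the standard in step 5.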

LogRhythm syslog key mapping

ADAudit Plus forwards a wide range of syslog keys. The table below lists the key mappings common to all audited data; dynamic keys that vary by report category are not listed. Where a column has several keys, any one of them may carry that column's value, depending on the report category.

Syslog key(s)                                ADAudit Plus column
Category                                     ADAuditPlus Category
EVENT_NUMBER                                 Event Number
RECORD_NUMBER                                Record Number
UNIQUE_ID                                    Unique ID
REPORT_PROFILE                               ADAuditPlus Report Profile Name
ALERT_PROFILE                                ADAuditPlus Alert Profile Name
SOURCE, APP_DISPLAY_NAME                     Event Source
SEVERITY                                     Severity
TIME_GENERATED                               Event Time
USER_MGMT_TYPE, GROUP_MGMT_TYPE,             Event Type
  OPERATION_TYPE, OBJECT_CLASS_TEXT,
  ACCESS_TYPE_TEXT, MODIFIED_PROPS,
  COMP_MGMT_TYPE, OBJECT_CLASS,
  CHANGE_TYPE_TEXT
REMARKS                                      Event Remarks
EVENT_TYPE_TEXT                              Event Outcome
FORMAT_MESSAGE                               ADAuditPlus Message String
COMMAND_PATH, DISPLAY_NAME, FILE_NAME        File Name
POLICY_PATH                                  File Location
CLIENT_USER_NAME, USERNAME, LOGIN_NAME,      User Name / Caller User Name
  ACTOR_NAME, CALLER_USER_NAME,
  USER_DISPLAY_NAME
CALLER_USER_SID, USER_SID                    User SID / Caller User Name
DOMAIN, ACCOUNT_DOMAIN,                      Domain Name / Caller Domain Name
  EVENT_MACHINE_DOMAIN, CALLER_USER_DOMAIN,
  TENANT_NAME
CLIENT_HOST_NAME, EVENT_MACHINE_NAME,        User Machine / Caller Machine Name
  DEVICE_INFO
ACTOR_IP_ADDRESS, CLIENT_MC_NAME,            User Machine IP Address
  CLIENT_IP_ADDRESS, IP_ADDRESS
ACCOUNT_NAME, OBJECT_NAME_TEXT, TARGET0_UPN  Target User Name
TARGET0_NAME, ACCOUNT_SID                    Target User SID
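The practical consequence of this table is that the same column ("Event Type", "User Name") arrives under a different key depending on the report category, so a SIEM rule written against one key misses events from another category. The script below is an added example, not ADAudit Plus or LogRhythm code: it turns the table into a normaliser that resolves whichever candidate key is present to the column name, and keeps any unmapped (dynamic) keys aside rather than dropping them. It assumes the message body is a series of KEY=value pairs, quoted when the value contains spaces; the two sample records are constructed for illustration and are not captured product output.

```python
"""Normalise ADAudit Plus syslog KEY=value records onto the column names in
the mapping table above.

Added example, not ADAudit Plus or LogRhythm code. Assumes the body is a
series of KEY=value pairs (quoted when the value has spaces); the sample
records are constructed, not captured from the product.
"""
import re

# Column -> candidate syslog keys, in the order the table lists them.
SYSLOG_COLUMNS = {
    "ADAuditPlus Category": ["Category"],
    "Event Number": ["EVENT_NUMBER"],
    "Record Number": ["RECORD_NUMBER"],
    "Unique ID": ["UNIQUE_ID"],
    "ADAuditPlus Report Profile Name": ["REPORT_PROFILE"],
    "ADAuditPlus Alert Profile Name": ["ALERT_PROFILE"],
    "Event Source": ["SOURCE", "APP_DISPLAY_NAME"],
    "Severity": ["SEVERITY"],
    "Event Time": ["TIME_GENERATED"],
    "Event Type": ["USER_MGMT_TYPE", "GROUP_MGMT_TYPE", "OPERATION_TYPE",
                   "OBJECT_CLASS_TEXT", "ACCESS_TYPE_TEXT", "MODIFIED_PROPS",
                   "COMP_MGMT_TYPE", "OBJECT_CLASS", "CHANGE_TYPE_TEXT"],
    "Event Remarks": ["REMARKS"],
    "Event Outcome": ["EVENT_TYPE_TEXT"],
    "ADAuditPlus Message String": ["FORMAT_MESSAGE"],
    "File Name": ["COMMAND_PATH", "DISPLAY_NAME", "FILE_NAME"],
    "File Location": ["POLICY_PATH"],
    "User Name / Caller User Name": ["CLIENT_USER_NAME", "USERNAME", "LOGIN_NAME",
                                     "ACTOR_NAME", "CALLER_USER_NAME", "USER_DISPLAY_NAME"],
    "User SID / Caller User Name": ["CALLER_USER_SID", "USER_SID"],
    "Domain Name / Caller Domain Name": ["DOMAIN", "ACCOUNT_DOMAIN", "EVENT_MACHINE_DOMAIN",
                                         "CALLER_USER_DOMAIN", "TENANT_NAME"],
    "User Machine / Caller Machine Name": ["CLIENT_HOST_NAME", "EVENT_MACHINE_NAME", "DEVICE_INFO"],
    "User Machine IP Address": ["ACTOR_IP_ADDRESS", "CLIENT_MC_NAME", "CLIENT_IP_ADDRESS", "IP_ADDRESS"],
    "Target User Name": ["ACCOUNT_NAME", "OBJECT_NAME_TEXT", "TARGET0_UPN"],
    "Target User SID": ["TARGET0_NAME", "ACCOUNT_SID"],
}

# KEY=value or KEY="value with spaces" (assumed wire format)
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_pairs(body: str) -> dict:
    """Split a KEY=value message body into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(body)}


def normalise(body: str) -> dict:
    """Map one raw record onto ADAudit Plus column names.

    For each column the first candidate key present wins. Keys not in the
    table (the report-specific dynamic keys) are returned verbatim under
    "extra" so nothing is silently dropped.
    """
    raw = parse_pairs(body)
    out, claimed = {}, set()
    for column, keys in SYSLOG_COLUMNS.items():
        for key in keys:
            if key in raw:
                out[column] = raw[key]
                claimed.add(key)
                break
    out["extra"] = {k: v for k, v in raw.items() if k not in claimed}
    return out


# Constructed sample bodies: two categories carrying the same columns under different keys.
SAMPLES = {
    "user_mgmt": 'SOURCE=ADAuditPlus Category="User Management" EVENT_NUMBER=4720 '
                 'USER_MGMT_TYPE="User Created" CALLER_USER_NAME=jdoe '
                 'CALLER_USER_SID=S-1-5-21-1-2-3-1105 ACCOUNT_NAME=svc-backup '
                 'EVENT_TYPE_TEXT=Success TIME_GENERATED="2020-03-05 14:07:09"',
    "file_audit": 'SOURCE=ADAuditPlus Category="File Audit" EVENT_NUMBER=4663 '
                  'ACCESS_TYPE_TEXT="Write Data" USERNAME=jdoe FILE_NAME=payroll.xlsx '
                  'POLICY_PATH="\\\\fs01\\finance" CLIENT_IP_ADDRESS=10.0.5.23 '
                  'OBJECT_TYPE=File EVENT_TYPE_TEXT=Success',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, normalise(body))
```

With this in place, a single detection (for example, "Event Type" equals "User Created" and "User Name / Caller User Name" is not a known provisioning account) works regardless of which key the category used, and the "extra" dictionary shows which dynamic keys a category adds beyond the common set.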

Forwarding ADAudit Plus data to an external SIEM product: Splunk HTTP Event Collector

Configuring the Splunk HTTP Event Collector (HEC):

  • Click 'Settings' → 'Data Inputs' → 'HTTP Event Collector'.
  • Click 'New Token'. Provide a name for the token (preferably ADAuditPlus) and leave the remaining values at their defaults (customize if required).
  • After saving the configuration, an authentication token is generated. This token must be entered in the ADAudit Plus configuration; treat it as a credential, since anyone holding it can write events into your index.
  • Under 'Global Settings' on the 'HTTP Event Collector' page, set 'All Tokens' to Enabled.
  • You can also customize the HTTP port number and SSL settings under 'Global Settings' as required. Keep SSL enabled so the token and the audit data are not sent in clear text between the ADAudit Plus server and Splunk.

Steps to enable Splunk forwarding in ADAudit Plus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'Splunk' radio button.
  3. Enter the Splunk server name. Ensure that the Splunk server is reachable from the ADAudit Plus server.
  4. Enter the Splunk HTTP Event Collector port number and protocol.
  5. Specify the HTTP Event Collector token generated in Splunk for ADAudit Plus.
  6. After saving this configuration, choose the categories to forward.
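A quick way to confirm steps 3 to 5 are right before turning on forwarding is to post one test event to the HEC endpoint with the same host, port and token. The script below is an added example, not ManageEngine or Splunk code: it uses the standard HEC API (POST /services/collector/event with an "Authorization: Splunk <token>" header and a JSON body whose payload sits under "event") and returns Splunk's JSON reply. The server name, port, token and CA file path are placeholders. TLS verification is left on; if HEC is using Splunk's default self-signed certificate, point ca_file at that certificate instead of disabling verification.

```python
"""Check a Splunk HTTP Event Collector endpoint with the token generated for
ADAudit Plus before enabling forwarding.

Added example, not ManageEngine or Splunk code. Host, port, token and CA
file below are placeholders; the test event is constructed.
"""
import json
import ssl
import urllib.error
import urllib.request


def hec_url(server: str, port: int, use_ssl: bool = True) -> str:
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{server}:{port}/services/collector/event"


def hec_request(server: str, port: int, token: str, event: dict,
                use_ssl: bool = True, sourcetype: str = "adauditplus") -> urllib.request.Request:
    """Build the HEC POST.

    The body is the HEC JSON envelope: the payload goes under "event";
    "sourcetype" and "source" are optional routing fields the indexer uses.
    """
    body = json.dumps({"event": event, "sourcetype": sourcetype,
                       "source": "ADAuditPlus"}).encode("utf-8")
    return urllib.request.Request(
        hec_url(server, port, use_ssl), data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def check_hec(server: str, port: int, token: str, ca_file=None,
              use_ssl: bool = True, timeout: float = 10.0) -> dict:
    """POST one test event and return Splunk's JSON reply.

    A working setup answers {"text": "Success", "code": 0}. An HTTP 4xx
    reply (token rejected, HEC or 'All Tokens' still disabled, malformed
    body) also carries a JSON body explaining why, which is returned here
    together with the status code.
    """
    req = hec_request(server, port, token,
                      {"message": "ADAudit Plus SIEM integration connectivity test"},
                      use_ssl)
    # Verify the server certificate; ca_file lets a private or self-signed CA be trusted.
    ctx = ssl.create_default_context(cafile=ca_file) if use_ssl else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        text = e.read().decode("utf-8", "replace")
        try:
            detail = json.loads(text)
        except ValueError:
            detail = {"raw": text}
        return {"http_status": e.code, **detail}


if __name__ == "__main__":
    # Placeholders: replace with your Splunk host, HEC port, token and CA certificate.
    print(check_hec("splunk.example.internal", 8088,
                    "00000000-0000-0000-0000-000000000000",
                    ca_file="/path/to/splunk-hec-ca.pem"))
```

Run it from the ADAudit Plus server itself, not from your workstation, so that the check exercises the same network path and firewall rules the product will use.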

Forwarding ADAudit Plus data to an external SIEM product : ArcSight

Steps to enable ArcSight forwarding in ADAudit Plus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'ArcSight' radio button.
  3. Enter the ArcSight server name. Ensure that the ArcSight server is reachable from the ADAudit Plus server.
  4. Enter the ArcSight collector port number and protocol.
  5. After saving this configuration, choose the categories to forward.

ArcSight CEF Key Mappings

CEF key        ADAudit Plus column
cat            ADAuditPlus Category
cn1            Event Number
cn2            Record Number
cn3            Unique ID
cs1            ADAuditPlus Report Profile Name
cs4            ADAuditPlus Alert Profile Name
cs3            Event Source
cs5            Severity
rt             Event Time
type           Event Type
reason         Event Remarks
outcome        Event Outcome
msg            ADAuditPlus Message String
fileName       File Name
fileLocation   File Location
suser          User Name / Caller User Name
suid           User SID / Caller User Name
sntdom         Domain Name / Caller Domain Name
shost          User Machine / Caller Machine Name
cs2            User Machine IP Address
duser          Target User Name
duid           Target User SID
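Because the custom keys (cn1, cs1, cs2 and so on) carry no meaning of their own, anyone consuming these events outside ArcSight needs the table above to make sense of them. The parser below is an added example, not ManageEngine or Micro Focus code: it splits a CEF line into its seven header fields and the extension, honours CEF escaping (backslash-escaped '|' in the header; backslash-escaped '=', 'n', 'r' and '\' in the extension), and resolves each mapped key to its ADAudit Plus column. The sample line is constructed for illustration; in particular the vendor, product and version header values are placeholders, since the text above does not state what the product emits.

```python
"""Parse an ArcSight CEF line and resolve the cn/cs keys from the mapping
table above to ADAudit Plus column names.

Added example, not ManageEngine or Micro Focus code. The sample line is
constructed; header vendor/product/version values are placeholders.
"""
import re

# CEF extension key -> ADAudit Plus column, from the table above.
CEF_COLUMNS = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source",
    "cs5": "Severity", "rt": "Event Time", "type": "Event Type",
    "reason": "Event Remarks", "outcome": "Event Outcome",
    "msg": "ADAuditPlus Message String", "fileName": "File Name",
    "fileLocation": "File Location", "suser": "User Name / Caller User Name",
    "suid": "User SID / Caller User Name", "sntdom": "Domain Name / Caller Domain Name",
    "shost": "User Machine / Caller Machine Name", "cs2": "User Machine IP Address",
    "duser": "Target User Name", "duid": "Target User SID",
}

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

_FIELD = re.compile(r'((?:\\.|[^|\\])*)\|')            # one header field up to an unescaped '|'
_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_]+)=')     # start of an extension key
_ESC = {"|": "|", "\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _unescape(s: str) -> str:
    """Undo CEF backslash escapes in a single pass (so '\\\\=' is not re-read as '\\=')."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(0)), s)


def parse_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces and escapes."""
    keys = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return fields


def parse_cef(line: str) -> dict:
    """Return {"header": {...}, "columns": {...}, "extra": {...}} for one CEF line."""
    header, pos = [], 0
    for _ in range(len(HEADER_FIELDS)):
        m = _FIELD.match(line, pos)
        if not m:
            raise ValueError("malformed CEF header")
        header.append(_unescape(m.group(1)))
        pos = m.end()
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header[0] = header[0][len("CEF:"):]
    ext = parse_extension(line[pos:])
    columns = {CEF_COLUMNS[k]: v for k, v in ext.items() if k in CEF_COLUMNS}
    extra = {k: v for k, v in ext.items() if k not in CEF_COLUMNS}   # e.g. cs1Label, dynamic keys
    return {"header": dict(zip(HEADER_FIELDS, header)), "columns": columns, "extra": extra}


# Constructed sample: a user-creation event with an escaped '|' in the header
# name and an escaped '=' inside msg.
SAMPLE = ('CEF:0|ExampleVendor|ExampleProduct|0.0|USER_MGMT|Account created\\|enabled|5|'
          'cat=User Management cn1=4720 cn2=118233 cs3=ADAuditPlus cs5=Info '
          'rt=Mar 05 2020 14:07:09 type=User Created outcome=Success '
          'suser=jdoe suid=S-1-5-21-1-2-3-1105 sntdom=CORP shost=ws01 cs2=10.0.5.23 '
          'duser=svc-backup duid=S-1-5-21-1-2-3-1400 '
          'msg=User svc-backup was created by jdoe\\=admin')

if __name__ == "__main__":
    for section, values in parse_cef(SAMPLE).items():
        print(section, values)
```

The extension parser locates values by finding the next unescaped key rather than splitting on spaces, which is what keeps a free-text field like msg intact; a parser that splits on whitespace truncates it at the first space.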

The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.

  • Events from ADAudit Plus can be separated from other sources by the 'SOURCE' field (CEF key cs3).
  • Each log event carries a 'Category' field (CEF key cat). Its possible values are the categories listed under 'Choose categories to forward' on the configuration page.
  • The timestamp of each event is in the 'TIME_GENERATED' field (CEF key rt).
  • The remaining fields vary by event category, so maintain one parsing rule per category you forward, or normalize the category-specific keys to the common columns using the mapping tables above.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
