SIEM Integration

'SIEM Integration' option allows you to forward data from ADAuditPlus to an external SIEM product or to a Syslog Server in real time.

You can choose to forward

• All of ADAuditPlus data category wise (except Printer Audit Reports and Advanced GPO Reports).
• ADAuditPlus Technician Audit Reports.
• Alerts.

Forwarding ADAudit Plus data to a Syslog Server

Syslog is the event logging service in unix systems.You may also use this setting to forward to your SIEM's UDP or TCP Receiver.

Configuring a Syslog Server:

• Syslog daemon runs by default in udp, port 514.
• The default settings can be modified in its configuration file /etc/syslog.conf . Remember to restart Syslog daemon for the changes to take effect.

Steps to enable Syslog Logging in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' checkbox and choose the 'Syslog' radio button.
3. Enter the Syslog server name. Ensure that the Syslog server is reachable from the ADAuditPlus server.
4. Enter Syslog port number and protocol.
5. Choose Syslog standard and data format as required by your SIEM Parser.
6. After saving this configuration, Choose the categories to forward.

LogRhythm syslog key mapping

ADAudit Plus forwards a wide array of syslog key data. Listed below are the key mappings that are common across all audited data. Dynamic keys that vary based on report categories are not listed in the table below.

Syslog key	ADAudit Plus column
Category	ADAuditPlus Category
EVENT_NUMBER	Event Number
RECORD_NUMBER	Record Number
UNIQUE_ID	Unique ID
REPORT_PROFILE	ADAuditPlus Report Profile Name
ALERT_PROFILE	ADAuditPlus Alert Profile Name
SOURCE APP_DISPLAY_NAME	Event Source
SEVERITY	Severity
TIME_GENERATED	Event Time
USER_MGMT_TYPE GROUP_MGMT_TYPE OPERATION_TYPE OBJECT_CLASS_TEXT ACCESS_TYPE_TEXT MODIFIED_PROPS COMP_MGMT_TYPE OBJECT_CLASS CHANGE_TYPE_TEXT	Event Type
REMARKS	Event Remarks
EVENT_TYPE_TEXT	Event Outcome
FORMAT_MESSA GE	ADAuditPlus Message String
COMMAND_PATH DISPLAY_NAME FILE_NAME	File Name
POLICY_PATH	File Location
CLIENT_USER_NAME USERNAME LOGIN_NAME ACTOR_NAME CALLER_USER_NAME USER_DISPLAY_NAME	User Name / Caller User Name
CALLER_USER_SID USER_SID	User SID / Caller User Name
DOMAIN ACCOUNT_DOMAIN EVENT_MACHINE_DOMAIN CALLER_USER_DOMAIN TENANT_NAME	Domain Name / Caller Domain Name
CLIENT_HOST_N AME EVENT_MACHINE _NAME DEVICE_INFO	User Machine / Caller Machine Name
ACTOR_IP_ADDRESS CLIENT_MC_NAME CLIENT_IP_ADDRESS IP_ADDRESS	User Machine IP Address
ACCOUNT_NAME OBJECT_NAME_TEXT TARGET0_UPN	Target User Name
TARGET0_NAME ACCOUNT_SID	Target User SID

Forwarding ADAudit Plus data to an external SIEM product : Splunk HTTP

Configuring Splunk Http Event Collector:

• Click on 'Settings' → 'Data Inputs' → 'Http Event Collector'.
• Click 'New Token'. Provide a name for the token(Preferably ADAuditPlus) and leave the rest to the default values(Customize if required).
• After saving the configuration, an auth token will be generated. This token needs to be provided in ADAuditPlus configuration.
• Under 'Global Settings' in the 'Http Event Collector' page, Enable 'All tokens'.
• You can also customize 'Http port number' and 'SSL' settings as required in the 'Global Settings'.

Steps to enable Splunk forwarding in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' Checkbox and choose the 'Splunk' Radio Button.
3. Enter the Splunk Server name. Ensure that the Splunk Server is reachable from the ADAuditPlus Server.
4. Enter Splunk Http Event Collector port number and protocol.
5. Specify the Http Event Collector token generated in Splunk for ADAuditPlus.
6. After saving this configuration, Choose the categories to forward.

Forwarding ADAudit Plus data to an external SIEM product : ArcSight

Steps to enable ArcSight forwarding in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' Checkbox and choose the 'ArcSight' Radio Button.
3. Enter the ArcSight Server name. Ensure that the ArcSight Server is reachable from the ADAuditPlus Server.
4. Enter the ArcSight collector port number and protocol.
5. After saving this configuration, Choose the categories to forward.

ArcSight CEF Key Mappings

CEF Key	ADAuditPlus Column
cat	ADAuditPlus Category
cn1	Event Number
cn2	Record Number
cn3	Unique ID
cs1	ADAuditPlus Report Profile Name
cs4	ADAuditPlus Alert Profile Name
cs3	Event Source
cs5	Severity
rt	Event Time
type	Event Type
reason	Event Remarks
outcome	Event Outcome
msg	ADAuditPlus Message String
fileName	File Name
fileLocation	File Location
suser	User Name / Caller User Name
suid	User SID / Caller User Name
sntdom	Domain Name / Caller Domain Name
shost	User Machine / Caller Machine Name
cs2	User Machine IP Address
duser	Target User Name
duid	Target User SID

To search for ADAuditPlus Data in your SIEM product

The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.

• Events from ADAuditPlus can be easily separated by the 'SOURCE' field.
• Each log event will have a 'Category' field. The possible values for this field are defined under 'Choose categories to forward' menu in the configuration page.
• Timestamp of each event will be available in the 'TIME_GENERATED' field.
• Other fields pertaining to events may vary depending on the event category. So one regex can be maintained for each of the required categories in your SIEM product.