The 'SIEM Integration' option allows you to forward data from ADAudit Plus to an external SIEM product or to a Syslog server in real time.
You can choose to forward
Syslog is the event logging service on Unix systems. You may also use this setting to forward to your SIEM's UDP or TCP receiver.
ADAudit Plus forwards a wide array of keys in its syslog data. The key mappings listed below are common across all audited data; dynamic keys that vary by report category are not listed in the table.
| Syslog key | ADAudit Plus column |
|---|---|
| Category | ADAuditPlus Category |
| EVENT_NUMBER | Event Number |
| RECORD_NUMBER | Record Number |
| UNIQUE_ID | Unique ID |
| REPORT_PROFILE | ADAuditPlus Report Profile Name |
| ALERT_PROFILE | ADAuditPlus Alert Profile Name |
| SOURCE, APP_DISPLAY_NAME | Event Source |
| SEVERITY | Severity |
| TIME_GENERATED | Event Time |
| USER_MGMT_TYPE, GROUP_MGMT_TYPE, OPERATION_TYPE, OBJECT_CLASS_TEXT, ACCESS_TYPE_TEXT, MODIFIED_PROPS, COMP_MGMT_TYPE, OBJECT_CLASS, CHANGE_TYPE_TEXT | Event Type |
| REMARKS | Event Remarks |
| EVENT_TYPE_TEXT | Event Outcome |
| FORMAT_MESSAGE | ADAuditPlus Message String |
| COMMAND_PATH, DISPLAY_NAME, FILE_NAME | File Name |
| POLICY_PATH | File Location |
| CLIENT_USER_NAME, USERNAME, LOGIN_NAME, ACTOR_NAME, CALLER_USER_NAME, USER_DISPLAY_NAME | User Name / Caller User Name |
| CALLER_USER_SID, USER_SID | User SID / Caller User Name |
| DOMAIN, ACCOUNT_DOMAIN, EVENT_MACHINE_DOMAIN, CALLER_USER_DOMAIN, TENANT_NAME | Domain Name / Caller Domain Name |
| CLIENT_HOST_NAME, EVENT_MACHINE_NAME, DEVICE_INFO | User Machine / Caller Machine Name |
| ACTOR_IP_ADDRESS, CLIENT_MC_NAME, CLIENT_IP_ADDRESS, IP_ADDRESS | User Machine IP Address |
| ACCOUNT_NAME, OBJECT_NAME_TEXT, TARGET0_UPN | Target User Name |
| TARGET0_NAME, ACCOUNT_SID | Target User SID |
| CEF Key | ADAuditPlus Column |
|---|---|
| cat | ADAuditPlus Category |
| cn1 | Event Number |
| cn2 | Record Number |
| cn3 | Unique ID |
| cs1 | ADAuditPlus Report Profile Name |
| cs4 | ADAuditPlus Alert Profile Name |
| cs3 | Event Source |
| cs5 | Severity |
| rt | Event Time |
| type | Event Type |
| reason | Event Remarks |
| outcome | Event Outcome |
| msg | ADAuditPlus Message String |
| fileName | File Name |
| fileLocation | File Location |
| suser | User Name / Caller User Name |
| suid | User SID / Caller User Name |
| sntdom | Domain Name / Caller Domain Name |
| shost | User Machine / Caller Machine Name |
| cs2 | User Machine IP Address |
| duser | Target User Name |
| duid | Target User SID |
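To show how the CEF mapping above is consumed on the receiving side, here is an added example (not part of the ADAudit Plus documentation) that parses one CEF line and renames its extension keys to the ADAudit Plus column names from the table. The sample event, including its CEF header values, is constructed for illustration.

```python
import re

# CEF extension key -> ADAudit Plus column, copied from the CEF mapping table above.
CEF_TO_ADAP_COLUMN = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source", "cs5": "Severity",
    "rt": "Event Time", "type": "Event Type", "reason": "Event Remarks",
    "outcome": "Event Outcome", "msg": "ADAuditPlus Message String",
    "fileName": "File Name", "fileLocation": "File Location",
    "suser": "User Name / Caller User Name", "suid": "User SID / Caller User Name",
    "sntdom": "Domain Name / Caller Domain Name", "shost": "User Machine / Caller Machine Name",
    "cs2": "User Machine IP Address", "duser": "Target User Name", "duid": "Target User SID",
}

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def parse_cef(line: str):
    """Split one CEF line into (header dict, extension dict) without assuming key order."""
    # Header fields are pipe-delimited; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    # Extension values may contain spaces, so a value runs until the next ' key=' token;
    # an escaped '\=' inside a value does not start a new key.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace(r"\=", "=").replace("\\\\", "\\")
    return header, ext

def to_adap_columns(line: str) -> dict:
    """Rename extension keys to ADAudit Plus column names; unmapped keys are kept verbatim."""
    _, ext = parse_cef(line)
    return {CEF_TO_ADAP_COLUMN.get(k, k): v for k, v in ext.items()}

# Constructed sample event (not captured from a real ADAudit Plus instance); the header
# field values are assumptions, the extension keys follow the mapping table above.
SAMPLE = ("CEF:0|ManageEngine|ADAudit Plus|1.0|1001|User Management|5|"
          "cat=User Management cn1=4720 cn2=98765 cs1=Recently Created Users "
          "rt=Jan 01 2020 10:00:00 suser=admin sntdom=EXAMPLE shost=DC01 "
          "cs2=192.0.2.10 duser=jdoe msg=User jdoe was created outcome=Success")

if __name__ == "__main__":
    for column, value in to_adap_columns(SAMPLE).items():
        print(f"{column}: {value}")
```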
The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.
Copyright © 2020, ZOHO Corp. All Rights Reserved.