SIEM Integration
The 'SIEM Integration' option lets you forward data from ADAudit Plus to an external SIEM product or to a Syslog server in real time.
You can choose to forward:
- All ADAudit Plus data, category by category (except Printer Audit Reports and Advanced GPO Reports).
- ADAudit Plus Technician Audit Reports.
- Alerts.
Forwarding ADAudit Plus data to a Syslog Server
Syslog is the event logging service on Unix systems. You may also use this setting to forward to your SIEM's UDP or TCP receiver.
Configuring a Syslog Server:
- The Syslog daemon listens by default on UDP port 514.
- The default settings can be modified in its configuration file, /etc/syslog.conf. Remember to restart the Syslog daemon for the changes to take effect.
Steps to enable Syslog Logging in ADAuditPlus:
- Click on 'Admin' Tab → 'SIEM Integration'.
- Tick the 'Enable' checkbox and choose the 'Syslog' radio button.
- Enter the Syslog server name. Ensure that the Syslog server is reachable from the ADAuditPlus server.
- Enter Syslog port number and protocol.
- Choose Syslog standard and data format as required by your SIEM Parser.
- After saving this configuration, choose the categories to forward.
LogRhythm syslog key mapping
ADAudit Plus forwards a wide array of syslog keys. Listed below are the key mappings that are common across all audited data. Dynamic keys that vary by report category are not listed in the table below.
| Syslog key | ADAudit Plus column |
|---|---|
| Category | ADAuditPlus Category |
| EVENT_NUMBER | Event Number |
| RECORD_NUMBER | Record Number |
| UNIQUE_ID | Unique ID |
| REPORT_PROFILE | ADAuditPlus Report Profile Name |
| ALERT_PROFILE | ADAuditPlus Alert Profile Name |
| SOURCE, APP_DISPLAY_NAME | Event Source |
| SEVERITY | Severity |
| TIME_GENERATED | Event Time |
| USER_MGMT_TYPE, GROUP_MGMT_TYPE, OPERATION_TYPE, OBJECT_CLASS_TEXT, ACCESS_TYPE_TEXT, MODIFIED_PROPS, COMP_MGMT_TYPE, OBJECT_CLASS, CHANGE_TYPE_TEXT | Event Type |
| REMARKS | Event Remarks |
| EVENT_TYPE_TEXT | Event Outcome |
| FORMAT_MESSAGE | ADAuditPlus Message String |
| COMMAND_PATH, DISPLAY_NAME, FILE_NAME | File Name |
| POLICY_PATH | File Location |
| CLIENT_USER_NAME, USERNAME, LOGIN_NAME, ACTOR_NAME, CALLER_USER_NAME, USER_DISPLAY_NAME | User Name / Caller User Name |
| CALLER_USER_SID, USER_SID | User SID / Caller User Name |
| DOMAIN, ACCOUNT_DOMAIN, EVENT_MACHINE_DOMAIN, CALLER_USER_DOMAIN, TENANT_NAME | Domain Name / Caller Domain Name |
| CLIENT_HOST_NAME, EVENT_MACHINE_NAME, DEVICE_INFO | User Machine / Caller Machine Name |
| ACTOR_IP_ADDRESS, CLIENT_MC_NAME, CLIENT_IP_ADDRESS, IP_ADDRESS | User Machine IP Address |
| ACCOUNT_NAME, OBJECT_NAME_TEXT, TARGET0_UPN | Target User Name |
| TARGET0_NAME, ACCOUNT_SID | Target User SID |
Forwarding ADAudit Plus data to an external SIEM product: Splunk HTTP
Configuring the Splunk HTTP Event Collector:
- Click on 'Settings' → 'Data Inputs' → 'HTTP Event Collector'.
- Click 'New Token'. Provide a name for the token (preferably ADAuditPlus) and leave the rest at the default values (customize if required).
- After saving the configuration, an auth token will be generated. This token needs to be provided in the ADAuditPlus configuration.
- Under 'Global Settings' on the 'HTTP Event Collector' page, enable 'All tokens'.
- You can also customize the 'HTTP port number' and 'SSL' settings as required in the 'Global Settings'.
Steps to enable Splunk forwarding in ADAuditPlus:
- Click on 'Admin' Tab → 'SIEM Integration'.
- Tick the 'Enable' checkbox and choose the 'Splunk' radio button.
- Enter the Splunk server name. Ensure that the Splunk server is reachable from the ADAuditPlus server.
- Enter the Splunk HTTP Event Collector port number and protocol.
- Specify the HTTP Event Collector token generated in Splunk for ADAuditPlus.
- After saving this configuration, choose the categories to forward.
Forwarding ADAudit Plus data to an external SIEM product: ArcSight
Steps to enable ArcSight forwarding in ADAuditPlus:
- Click on 'Admin' Tab → 'SIEM Integration'.
- Tick the 'Enable' checkbox and choose the 'ArcSight' radio button.
- Enter the ArcSight server name. Ensure that the ArcSight server is reachable from the ADAuditPlus server.
- Enter the ArcSight collector port number and protocol.
- After saving this configuration, choose the categories to forward.
ArcSight CEF Key Mappings
| CEF key | ADAuditPlus column |
|---|---|
| cat | ADAuditPlus Category |
| cn1 | Event Number |
| cn2 | Record Number |
| cn3 | Unique ID |
| cs1 | ADAuditPlus Report Profile Name |
| cs4 | ADAuditPlus Alert Profile Name |
| cs3 | Event Source |
| cs5 | Severity |
| rt | Event Time |
| type | Event Type |
| reason | Event Remarks |
| outcome | Event Outcome |
| msg | ADAuditPlus Message String |
| fileName | File Name |
| fileLocation | File Location |
| suser | User Name / Caller User Name |
| suid | User SID / Caller User Name |
| sntdom | Domain Name / Caller Domain Name |
| shost | User Machine / Caller Machine Name |
| cs2 | User Machine IP Address |
| duser | Target User Name |
| duid | Target User SID |
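To check what a receiving parser sees for the CEF mapping above, here is an added example (not code from ADAudit Plus or ArcSight) that parses a constructed CEF record, handling the CEF escape rules for '|' in the header and '=' in the extension, and renames the extension keys to the ADAudit Plus columns from the table. The vendor, product and version in the sample header and every field value are constructed, not real ADAudit Plus output.

```python
import re

# ArcSight CEF key -> ADAudit Plus column, copied from the mapping table above.
CEF_KEY_MAP = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source", "cs5": "Severity",
    "rt": "Event Time", "type": "Event Type", "reason": "Event Remarks",
    "outcome": "Event Outcome", "msg": "ADAuditPlus Message String",
    "fileName": "File Name", "fileLocation": "File Location",
    "suser": "User Name / Caller User Name", "suid": "User SID / Caller User Name",
    "sntdom": "Domain Name / Caller Domain Name",
    "shost": "User Machine / Caller Machine Name", "cs2": "User Machine IP Address",
    "duser": "Target User Name", "duid": "Target User SID",
}
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _unescape(text, chars):
    # CEF escapes '\' and the given metacharacters with a backslash; undo that.
    return re.sub(r"\\([%s\\])" % re.escape(chars), r"\1", text)

def parse_cef(line):
    """Parse one CEF record into (header, fields), renaming mapped extension keys
    to ADAudit Plus column names. Unknown keys (dynamic ones) are kept as written."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are '|'-separated; an escaped '\|' belongs to the field.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields plus extension")
    header = {f: _unescape(p, "|") for f, p in zip(HEADER_FIELDS, parts[:7])}
    fields = {}
    # Extension values may contain spaces, so a value runs until the next ' key='
    # token; a literal '=' inside a value is escaped as '\='.
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        fields[CEF_KEY_MAP.get(key, key)] = _unescape(value, "=")
    return header, fields

# Constructed sample (not real ADAudit Plus output): an escaped '|' in the header
# name and an escaped '=' inside msg exercise the two CEF escaping rules.
SAMPLE_CEF = (
    'CEF:0|ExampleVendor|ExampleProduct|1.0|4720|User Created \\| Account|5|'
    'cat=User Management cn1=4720 rt=2024-01-10 09:15:02 suser=admin sntdom=CORP '
    'duser=jdoe duid=S-1-5-21-0-0-0-1105 type=User Created msg=Created by admin (mode\\=interactive)'
)
```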
To search for ADAuditPlus Data in your SIEM product
The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.
- Events from ADAuditPlus can be easily separated by the 'SOURCE' field.
- Each log event will have a 'Category' field. The possible values for this field are defined under 'Choose categories to forward' menu in the configuration page.
- Timestamp of each event will be available in the 'TIME_GENERATED' field.
- The remaining fields vary with the event category, so maintain one parsing regex per required category in your SIEM product.
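As an added example, not code from ADAudit Plus or LogRhythm, the following Python normalizes forwarded key/value messages using the LogRhythm syslog key mapping table above and then separates them by SOURCE and groups them by Category, as this section suggests. The KEY="value" wire layout and all sample lines are constructed assumptions; the real layout depends on the syslog standard and data format chosen in the configuration.

```python
import re
# LogRhythm syslog key -> ADAudit Plus column, from the mapping table above.
# Several raw keys share one column, so it is written column -> keys and flattened.
_GROUPS = {
    "ADAuditPlus Category": "Category", "Event Number": "EVENT_NUMBER",
    "Record Number": "RECORD_NUMBER", "Unique ID": "UNIQUE_ID",
    "ADAuditPlus Report Profile Name": "REPORT_PROFILE",
    "ADAuditPlus Alert Profile Name": "ALERT_PROFILE",
    "Event Source": "SOURCE APP_DISPLAY_NAME", "Severity": "SEVERITY",
    "Event Time": "TIME_GENERATED",
    "Event Type": "USER_MGMT_TYPE GROUP_MGMT_TYPE OPERATION_TYPE OBJECT_CLASS_TEXT "
                  "ACCESS_TYPE_TEXT MODIFIED_PROPS COMP_MGMT_TYPE OBJECT_CLASS CHANGE_TYPE_TEXT",
    "Event Remarks": "REMARKS", "Event Outcome": "EVENT_TYPE_TEXT",
    "ADAuditPlus Message String": "FORMAT_MESSAGE",
    "File Name": "COMMAND_PATH DISPLAY_NAME FILE_NAME", "File Location": "POLICY_PATH",
    "User Name / Caller User Name": "CLIENT_USER_NAME USERNAME LOGIN_NAME ACTOR_NAME "
                                    "CALLER_USER_NAME USER_DISPLAY_NAME",
    "User SID / Caller User Name": "CALLER_USER_SID USER_SID",
    "Domain Name / Caller Domain Name": "DOMAIN ACCOUNT_DOMAIN EVENT_MACHINE_DOMAIN "
                                        "CALLER_USER_DOMAIN TENANT_NAME",
    "User Machine / Caller Machine Name": "CLIENT_HOST_NAME EVENT_MACHINE_NAME DEVICE_INFO",
    "User Machine IP Address": "ACTOR_IP_ADDRESS CLIENT_MC_NAME CLIENT_IP_ADDRESS IP_ADDRESS",
    "Target User Name": "ACCOUNT_NAME OBJECT_NAME_TEXT TARGET0_UPN",
    "Target User SID": "TARGET0_NAME ACCOUNT_SID",
}
KEY_TO_COLUMN = {k: col for col, keys in _GROUPS.items() for k in keys.split()}
# Assumed wire shape: KEY="value" pairs separated by spaces (constructed for this
# example; the real layout depends on the data format chosen in the ADAudit Plus UI).
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def normalize(message):
    """Rename mapped keys to column names; unmapped (dynamic, report-specific) keys pass through."""
    return {KEY_TO_COLUMN.get(k, k): v.replace('\\"', '"') for k, v in _PAIR.findall(message)}

def group_adauditplus_events(lines):
    """Separate ADAudit Plus events on SOURCE, then group them by Category."""
    groups = {}
    for ev in map(normalize, lines):
        if ev.get("Event Source") == "ADAuditPlus":
            groups.setdefault(ev.get("ADAuditPlus Category", "Uncategorized"), []).append(ev)
    return groups
# Constructed sample lines (not real ADAudit Plus output); the last one must be filtered out.
SAMPLE = [
    'SOURCE="ADAuditPlus" Category="User Management" TIME_GENERATED="2024-01-10 09:15:02" '
    'USER_MGMT_TYPE="User Created" CALLER_USER_NAME="admin" ACCOUNT_NAME="jdoe" EVENT_NUMBER="4720"',
    'SOURCE="ADAuditPlus" Category="Logon Failures" TIME_GENERATED="2024-01-10 09:16:40" '
    'USERNAME="jdoe" CLIENT_IP_ADDRESS="10.0.0.5" REMARKS="Bad password" EVENT_NUMBER="4771"',
    'SOURCE="OtherApp" Category="Logon Failures" USERNAME="svc" EVENT_NUMBER="4771"',
]
```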