Monitoring ManageEngine ADManager Plus

EventLog Analyzer integrates with ManageEngine's ADManager Plus, an advanced tool for managing and reporting on Active Directory, to provide enhanced monitoring and security for your AD environment.

By collecting access and audit logs from ADManager Plus, EventLog Analyzer allows you to track and analyze activities within your AD infrastructure. This integration focuses on ensuring that all critical actions are logged, helping you identify potential security threats and providing valuable insights into the management of your ADManager Plus instance.

Before you begin, ensure you have added ADManager Plus as an application log source in EventLog Analyzer so that its logs are collected for monitoring.

Monitoring ADManager Plus

EventLog Analyzer centralizes audit and access logs from ADManager Plus, enabling comprehensive monitoring through the following use cases:

| Use case | Description | Why implement it? | Available reports |
|---|---|---|---|
| User access monitoring | Audit user logons and logoffs to ADManager Plus, including information on both successful and failed attempts. | To analyze logon trends and detect suspicious or unauthorized access to the application. | Successful Logins, Failed Logins |
| Web console traffic monitoring | Monitor and audit HTTP status codes and errors from web accesses to ADManager Plus. | To detect and troubleshoot issues related to web access and ensure reliable and secure web interactions. | HTTP Status Success, HTTP Bad Gateway, HTTP Internal Server Error, HTTP Gateway Timeout, HTTP Request URI Too Large, HTTP Unsupported Media Type, HTTP Request Entity Too Large, HTTP Forbidden, HTTP Server Not Found, HTTP Request Timeout, HTTP Bad Request, HTTP Unauthorized |
| Health and performance monitoring | Monitor the health, performance, and operational integrity of ADManager Plus by tracking key events. | To ensure ADManager Plus operates smoothly by promptly detecting and addressing performance issues, access problems, and potential security threats that could disrupt Active Directory management tasks. | Success Reports, Responses Over Time, Client Error Reports, Server Error Reports |
| Error monitoring | Track and analyze errors related to client and server operations, including HTTP and other error responses. | To identify and address issues in real time, ensuring minimal downtime and improved user experience. | Information Reports, Success Reports, Responses Over Time, Client Error Reports, Server Error Reports |
| System overload detection | Excessive or malformed HTTP requests can overload the ADManager Plus server, potentially causing a denial of service. | Monitoring for system overloads allows proactive management of server load, preventing downtime and maintaining availability. | HTTP Request Entity Too Large, HTTP Request URI Too Large |
| Resource overuse | Resource-intensive operations can lead to server strain, reducing performance and potentially causing system failures. | Monitoring resource usage ensures optimal performance, allowing for adjustments before issues escalate. | HTTP Internal Server Error, HTTP Request Timeout |

Securing ADManager Plus

Securing ADManager Plus is critical to maintaining the integrity, availability, and confidentiality of your Active Directory environment. The following use cases show how EventLog Analyzer's predefined threat detection rules can be applied to ADManager Plus logs to detect attacks, abuse, and misconfigurations that could expose the application.

| Use case | Description | Why implement it? | Available threat detection rules |
|---|---|---|---|
| System overload detection | Excessive or malformed HTTP requests can overload the ADManager Plus server, potentially causing a denial of service. | Monitoring for system overloads allows proactive management of server load, preventing downtime and maintaining availability. | HTTP Request Entity Too Large, HTTP Request URI Too Large |
| Resource overuse | Resource-intensive operations can lead to server strain, reducing performance and potentially causing system failures. | Monitoring resource usage ensures optimal performance, allowing for adjustments before issues escalate. | HTTP Internal Server Error, HTTP Request Timeout |
| Preventing unauthorized data access | Monitor and alert on attempts to access restricted data or areas within ADManager Plus, signaled by HTTP 403 Forbidden errors. | To safeguard sensitive data by detecting and responding to unauthorized access attempts. | HTTP Forbidden |
| Identifying web-based attacks | Detect unusual HTTP requests or patterns that may suggest cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. | To protect the application from web-based vulnerabilities and maintain the integrity of user interactions. | Client Error Reports, HTTP Bad Request, HTTP Unauthorized |
| Service misconfigurations | Alert on HTTP 404 and other related errors indicating potential misconfigurations that could be exploited. | To identify and rectify configuration issues that could expose the system to security vulnerabilities. | HTTP Server Not Found, HTTP Bad Request |
| Security policy violations | Unapproved attempts to access or modify sensitive AD objects could signal a breach of security policies within ADManager Plus. | Enforcing security policies through real-time detection ensures that all operations are compliant, reducing the risk of internal and external threats. | HTTP Forbidden, HTTP Internal Server Error |
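The two tables above (web console traffic monitoring and the threat detection rules for system overload and unauthorized data access) both come down to sorting HTTP status codes from the web access log into report buckets and alerting when a single client crosses a threshold. The following Python script is an added example of that logic and is not code from EventLog Analyzer or ADManager Plus: the access-log line format, the IP addresses, the paths, the sample log and the alert thresholds are all constructed assumptions, and the report names are taken from the tables above.

```python
"""Sort web-access events into the report buckets named in the tables above and
raise the "System overload detection" and "Preventing unauthorized data access"
alerts on a per-client threshold. The log line format, paths, addresses and
thresholds are constructed for this example, not real ADManager Plus data."""
import re
from collections import Counter, defaultdict

# Status code -> the report / rule name used in the tables above.
STATUS_REPORT = {
    200: "HTTP Status Success",
    400: "HTTP Bad Request",
    401: "HTTP Unauthorized",
    403: "HTTP Forbidden",
    404: "HTTP Server Not Found",
    408: "HTTP Request Timeout",
    413: "HTTP Request Entity Too Large",
    414: "HTTP Request URI Too Large",
    415: "HTTP Unsupported Media Type",
    500: "HTTP Internal Server Error",
    502: "HTTP Bad Gateway",
    504: "HTTP Gateway Timeout",
}

OVERLOAD_CODES = {413, 414}  # "System overload detection" row
FORBIDDEN_CODE = 403         # "Preventing unauthorized data access" row

# Constructed line format: <client> [<timestamp>] "<METHOD> <path>" <status> <bytes>
LINE_RE = re.compile(r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+)" (?P<status>\d{3}) (?P<size>\d+)$')

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2024:09:01:02 +0000] "GET /app/home" 200 5120
10.0.0.7 [12/Mar/2024:09:02:10 +0000] "GET /app/admin/settings" 403 312
10.0.0.7 [12/Mar/2024:09:02:11 +0000] "GET /app/admin/users" 403 312
10.0.0.7 [12/Mar/2024:09:02:12 +0000] "GET /app/admin/delegation" 403 312
10.0.0.9 [12/Mar/2024:09:03:00 +0000] "POST /app/upload" 413 0
10.0.0.9 [12/Mar/2024:09:03:01 +0000] "GET /app/search?q=AAAAAAAAAAAAAAAA" 414 0
10.0.0.9 [12/Mar/2024:09:03:02 +0000] "POST /app/upload" 413 0
10.0.0.11 [12/Mar/2024:09:04:00 +0000] "GET /app/missing" 404 120
10.0.0.11 [12/Mar/2024:09:04:05 +0000] "GET /app/api/report" 500 80
this line is not an access-log record
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["size"] = int(ev["size"])
    return ev

def status_class(status):
    """Coarse bucket matching the Information/Success/Client Error/Server Error report names."""
    if 100 <= status < 200:
        return "Information Reports"
    if 200 <= status < 300:
        return "Success Reports"
    if 400 <= status < 500:
        return "Client Error Reports"
    if 500 <= status < 600:
        return "Server Error Reports"
    return "Other"

def analyze(lines):
    """Count events per report name, per status class, and per client/status."""
    reports, classes, per_client, unparsed = Counter(), Counter(), defaultdict(Counter), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # unparsed lines are counted, never silently dropped
            continue
        reports[STATUS_REPORT.get(ev["status"], "Other")] += 1
        classes[status_class(ev["status"])] += 1
        per_client[ev["client"]][ev["status"]] += 1
    return {"reports": reports, "classes": classes, "per_client": per_client, "unparsed": unparsed}

def alerts(per_client, overload_threshold=3, forbidden_threshold=3):
    """Per-client threshold rules; the thresholds are illustrative assumptions."""
    found = []
    for client, counts in per_client.items():
        overload = sum(counts[c] for c in OVERLOAD_CODES)
        if overload >= overload_threshold:
            found.append(("System overload", client, overload))
        if counts[FORBIDDEN_CODE] >= forbidden_threshold:
            found.append(("Unauthorized data access", client, counts[FORBIDDEN_CODE]))
    return sorted(found)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for name, n in sorted(result["reports"].items()):
        print(f"{name}: {n}")
    print(f"unparsed lines: {result['unparsed']}")
    for rule, client, n in alerts(result["per_client"]):
        print(f"ALERT {rule}: {client} ({n} events)")
```

Two design points carry over to a real deployment: lines that fail to parse are counted rather than discarded, since a sudden rise in unparsable records is itself worth an alert, and the thresholds are parameters so they can be tuned per environment instead of being hard-coded into the rule.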

Compliance

The following compliance regulations require you to centralize audit and access logs from applications deployed in your network for monitoring and analysis, and recommend that you detect suspicious trends from these analyses to confirm your overall security posture is intact. EventLog Analyzer helps you meet these requirements by centralizing and analyzing ADManager Plus logs.

Industry / Regulatory mandate / Requirements

Healthcare
  HIPAA
    • Security Management Process: Requirement 164.308(a)(1)
    • Information System Activity Review: Requirement 164.308(a)(1)(ii)(D)
    • Audit Controls: Requirement 164.312(b)
    • Access Control: Requirement 164.312(a)(1)
    • Integrity: Requirement 164.312(c)(1)
  FERPA
    -
Financial services
  PCI DSS
    • Requirement 10.1: Link all access to system components to each user.
    • Requirement 10.2: Implement automated audit trails to log key events.
    • Requirement 10.3: Record user ID, event type, date/time, success/failure, event origin, and affected data.
    • Requirement 10.5: Secure audit trails from unauthorized access and modifications.
    • Requirement 10.7: Retain the audit trail history for at least one year, with three months readily available.
  GLBA
    • Safeguards Rule (16 CFR Part 314)
    • Information Security Program (314.4)
  SOX
    • Section 302: Establish and maintain internal controls for financial reporting; disclose control deficiencies.
    • Section 404: Annual internal control report on the effectiveness of the internal control structure for financial reporting.
    • Section 409: Real-time disclosure of material changes in the financial condition or operations of the company.
Government
  FISMA
    • NIST SP 800-53, AU-2: Audit Events
    • NIST SP 800-53, AU-3: Content of Audit Records
    • NIST SP 800-53, AU-4: Audit Storage Capacity
    • NIST SP 800-53, AU-5: Response to Audit Processing Failures
    • NIST SP 800-53, AU-6: Audit Review, Analysis, and Reporting
  NERC
    • CIP-007-6 R4: Logging
    • CIP-007-6 R5: Security Event Monitoring
    • CIP-008-6 R1: Incident Reporting and Response Planning
  NRC
    • 10 CFR 73.54: Protection of Digital Computer and Communication Systems and Networks
    • Requirement Guide 5.71, Section C.5.5.4: Audit & Accountability
  CMMC
    • AU.2.041: Trace actions to individual users.
    • AU.3.045: Review and update logged events.
    • AU.3.046: Alert on audit log failures.
    • AU.3.048: Centralize audit logs.
    • AU.3.049: Correlate and analyze audit logs for suspicious activity.
Data privacy
  GDPR
    • Article 30: Records of Processing Activities
    • Article 32: Security of Processing
  CCPA and CPRA
    • 1798.100(e): Implement and maintain reasonable security procedures.
    • 1798.145(i): Secure personal information.
  PDPA
    • Section 21: Security Measures for Personal Data Protection
    • Section 22: Rights of Data Subjects
  POPIA
    • Section 19: Security Safeguards
    • Section 21: Security Measures on Information Systems
  LGPD
    • Article 6: Principles for Processing Personal Data
    • Article 46: Security and Confidentiality of Data
Information security
  ISO 27001:2013
    • A.12.4.1: Event Logging
    • A.12.4.3: Administrator and Operator Logs
  NIST CSF
    • PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with the policy.
    • DE.AE-3: Event data is collected and correlated from multiple sources and sensors.
  Cyber Essentials
    • User Access Control: Ensure that user activities are tracked and logged.
    • Security Monitoring: Implement measures to detect and alert on unauthorized access.
  GPG
    • Audit Trail: Maintain records of system activities.
    • Monitoring and Review: Regularly review logs for anomalies.
  ISLP
    • Logging and Monitoring: Implement and maintain logging mechanisms.
    • Incident Response: Use logs for incident investigation.
  TISAX
    • Logging and Monitoring: Ensure all relevant actions are logged.
    • Incident Management: Use logs to detect and respond to incidents.
  SAMA
    • 4.1.4: Monitor and log access to critical systems.
    • 4.1.5: Regular review of audit logs for unauthorized activities.
Others
  UAE-NESA
    • Section 3.8: Logging and Monitoring
    • Section 4.6: Security Incident Management
  QCF
    • CS-12: Log and Monitor Activities
    • CS-13: Incident Management and Response
  CJDN
    • Policy Area 7.1: Auditing and Accountability
    • Policy Area 7.2: Incident Response
  ECC
    • Control 10: Log Management
    • Control 11: Security Event Monitoring