SIEM Integration

The 'SIEM Integration' option lets you forward data from ADAuditPlus to an external SIEM product or to a Syslog server in real time.

You can choose to forward:

  • All ADAuditPlus data, category-wise (except Printer Audit Reports and Advanced GPO Reports).
  • ADAuditPlus Technician Audit Reports.
  • Alerts.

 

Forwarding ADAudit Plus data to a Syslog Server

Syslog is the event logging service on Unix systems. You may also use this setting to forward to your SIEM's UDP or TCP receiver.

Configuring a Syslog server:

  • The syslog daemon listens by default on UDP port 514.
  • The default settings can be modified in its configuration file: /etc/syslog.conf for the classic syslogd, or /etc/rsyslog.conf for rsyslog, which most current Linux distributions ship (rsyslog only listens once its UDP or TCP input module is enabled there). Remember to restart the syslog daemon for the changes to take effect.
  • Plain syslog over UDP is neither authenticated nor encrypted, and datagrams can be lost or spoofed. Prefer TCP (and TLS, where your receiver supports it), and restrict the receiver at the firewall to the ADAuditPlus server's address.

Steps to enable Syslog logging in ADAuditPlus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'Syslog' radio button.
  3. Enter the Syslog server name (hostname or IP address). Ensure that the Syslog server is reachable from the ADAuditPlus server.
  4. Enter the Syslog port number and protocol (UDP or TCP).
  5. Choose the Syslog standard and data format required by your SIEM parser.
  6. After saving this configuration, choose the categories to forward.
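The exchange the steps above set up, as an added example that is not ADAudit Plus or ManageEngine code: a sender encodes a message in BSD syslog (RFC 3164) layout, a loopback UDP receiver takes the datagram, and the receiver's parser splits the PRI, timestamp, host and tag back out. The message body, the host name and the tag are constructed placeholders; the real payload depends on the 'Syslog standard' and 'data format' you select on the SIEM Integration page. The receiver binds an ephemeral port instead of UDP 514, which needs root.

```python
"""Syslog forwarding exchange: a sender in BSD syslog (RFC 3164) layout and
a loopback UDP receiver that parses what arrives.

Added example, not ADAudit Plus or ManageEngine code. The message body is a
constructed placeholder; the real payload depends on the 'Syslog standard'
and 'data format' chosen on the SIEM Integration page. The receiver binds
an ephemeral loopback port instead of the syslog default UDP 514.
"""
import re
import socket
import threading

# <PRI>TIMESTAMP HOSTNAME TAG: MSG   (PRI = facility * 8 + severity)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):\s?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)
FACILITIES = {0: "kern", 1: "user", 4: "auth", 10: "authpriv", 13: "audit",
              16: "local0", 17: "local1"}  # subset of the RFC 5424 table
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def build_syslog(facility, severity, timestamp, host, tag, msg):
    """Encode one message the way a syslog sender does."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {msg}"


def parse_syslog(line):
    """Split a syslog line into its header fields; ValueError if malformed."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI
        raise ValueError(f"invalid PRI {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def udp_exchange(line):
    """Deliver one datagram to a local UDP receiver and return what it parsed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port; a real receiver uses 514
    server.settimeout(5)
    port = server.getsockname()[1]
    parsed = {}

    def receiver():
        data, _addr = server.recvfrom(65535)  # UDP: one datagram, one message
        parsed.update(parse_syslog(data.decode("utf-8", errors="replace")))

    worker = threading.Thread(target=receiver)
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(line.encode("utf-8"), ("127.0.0.1", port))
    worker.join()
    client.close()
    server.close()
    return parsed


# Constructed sample: a logon event as a forwarder might emit it (not real ADAuditPlus output)
SAMPLE = build_syslog(
    facility=13, severity=5, timestamp="Mar 10 14:02:17",
    host="adap-server", tag="ADAuditPlus",
    msg="Category=Logon Events User=alice Status=Success",
)

if __name__ == "__main__":
    print(udp_exchange(SAMPLE))
```

Note that the receiver has no way to tell a datagram from the ADAuditPlus server apart from a spoofed one carrying the same host and tag, and a lost datagram is simply never seen: that is the reason to restrict the receiver by source address and to prefer TCP (with TLS where the SIEM supports it).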

 

Forwarding ADAudit Plus data to an external SIEM product: Splunk HTTP Event Collector

Configuring the Splunk HTTP Event Collector (HEC):

  • Click 'Settings' → 'Data Inputs' → 'HTTP Event Collector'.
  • Click 'New Token'. Provide a name for the token (preferably ADAuditPlus) and leave the rest at the default values (customize if required).
  • After saving the configuration, an authentication token is generated. This token must be entered in the ADAuditPlus configuration. Treat it as a credential: anyone who holds it can post events into your Splunk index.
  • Under 'Global Settings' on the 'HTTP Event Collector' page, set 'All Tokens' to Enabled.
  • You can also customize the HTTP port number (8088 by default) and the SSL settings under 'Global Settings'. SSL is enabled by default with Splunk's self-signed certificate; if you keep SSL on, the ADAuditPlus server must trust the certificate presented by Splunk.

Steps to enable Splunk forwarding in ADAuditPlus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'Splunk' radio button.
  3. Enter the Splunk server name. Ensure that the Splunk server is reachable from the ADAuditPlus server.
  4. Enter the Splunk HTTP Event Collector port number and protocol.
  5. Specify the HTTP Event Collector token generated in Splunk for ADAuditPlus.
  6. After saving this configuration, choose the categories to forward.
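What the token configured above does on the wire, as an added example that is not ADAudit Plus, ManageEngine or Splunk code: a client posts one event to the HEC endpoint with the `Authorization: Splunk <token>` header, and a local stub accepts or rejects it the way HEC does, replying with HEC's JSON `text`/`code` body (`Success`/0, `Invalid token`/4, `No data`/5, `Invalid data format`/6). The token value, the event fields and the `adauditplus` sourcetype are constructed assumptions. The stub serves plain HTTP on loopback so the example runs offline; a real HEC endpoint should be reached over HTTPS with a certificate the ADAuditPlus server trusts, not with verification switched off.

```python
"""Splunk HTTP Event Collector (HEC) exchange: a client posting one event and
a loopback stub that checks the token and payload the way HEC does.

Added example, not ADAudit Plus, ManageEngine or Splunk code. The token,
the event and the 'adauditplus' sourcetype are constructed. The stub speaks
plain HTTP on loopback so this runs offline; a real HEC listener should be
reached over HTTPS with a certificate the sending server trusts.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_TOKEN = "8c2f1e8a-0b3c-4d4e-9f0a-1b2c3d4e5f60"  # constructed, not a real token


class HecStub(BaseHTTPRequestHandler):
    """Mimics HEC's checks: token header, JSON body, mandatory 'event' key."""

    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        if auth != f"Splunk {HEC_TOKEN}":
            return self._reply(403, {"text": "Invalid token", "code": 4})
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            return self._reply(400, {"text": "Invalid data format", "code": 6})
        if not isinstance(body, dict) or "event" not in body:
            return self._reply(400, {"text": "No data", "code": 5})
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def send_hec_event(base_url, token, event, sourcetype="adauditplus"):
    """POST one event to HEC; return (HTTP status, parsed JSON response)."""
    payload = json.dumps({"sourcetype": sourcetype, "event": event}).encode("utf-8")
    req = urllib.request.Request(
        f"{base_url}/services/collector/event",
        data=payload,
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # HEC puts its error code in the body
        return err.code, json.loads(err.read())


def run_exchange(token):
    """Start the stub on a free loopback port, post a sample event, stop the stub."""
    srv = HTTPServer(("127.0.0.1", 0), HecStub)
    worker = threading.Thread(target=srv.serve_forever, daemon=True)
    worker.start()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        # Constructed sample event using the field names described later on the page
        event = {"SOURCE": "ADAuditPlus", "Category": "Logon Events",
                 "TIME_GENERATED": "2019-03-10 14:02:17", "User": "alice"}
        return send_hec_event(base, token, event)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_exchange(HEC_TOKEN))    # (200, {'text': 'Success', 'code': 0})
    print(run_exchange("wrong-token"))  # (403, {'text': 'Invalid token', 'code': 4})
```

The 403 path is what you see in ADAuditPlus when the token was mistyped or is still disabled in Splunk; the 400 paths are what a malformed payload produces, so a forwarder that gets them should log and retry rather than silently drop the event.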

 

Forwarding ADAudit Plus data to an external SIEM product: ArcSight

Steps to enable ArcSight forwarding in ADAuditPlus:

  1. Click the 'Admin' tab → 'SIEM Integration'.
  2. Tick the 'Enable' checkbox and choose the 'ArcSight' radio button.
  3. Enter the ArcSight server name. Ensure that the ArcSight server is reachable from the ADAuditPlus server.
  4. Enter the ArcSight collector port number and protocol.
  5. After saving this configuration, choose the categories to forward.

ArcSight CEF Key Mappings

    CEF Key        ADAuditPlus Column
    -------        ------------------
    cat            ADAuditPlus Category
    cn1            Event Number
    cn2            Record Number
    cn3            Unique ID
    cs1            ADAuditPlus Report Profile Name
    cs4            ADAuditPlus Alert Profile Name
    cs3            Event Source
    cs5            Severity
    rt             Event Time
    type           Event Type
    reason         Event Remarks
    outcome        Event Outcome
    msg            ADAuditPlus Message String
    fileName       File Name
    fileLocation   File Location
    suser          User Name / Caller User Name
    suid           User SID / Caller User Name
    sntdom         Domain Name / Caller Domain Name
    shost          User Machine / Caller Machine Name
    cs2            User Machine IP Address
    duser          Target User Name
    duid           Target User SID

 

The forwarded ADAuditPlus events can be searched, grouped into reports and categorized as needed in your SIEM product.

  • Events from ADAuditPlus can be separated from other sources by the 'SOURCE' field.
  • Each log event carries a 'Category' field. Its possible values are the ones listed under the 'Choose categories to forward' menu on the configuration page.
  • The timestamp of each event is in the 'TIME_GENERATED' field.
  • The remaining fields vary with the event category, so maintain one parsing rule (regex) per forwarded category in your SIEM product.
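A parser for the ArcSight feed that applies the CEF key mapping table above and then groups records by category, as the search guidance above suggests, as an added example that is not ADAudit Plus, ManageEngine or ArcSight code. The three sample records, including the vendor and product values in the CEF header, are constructed; they are chosen to exercise the escaping rules a CEF consumer must honour (`\|` inside a header field, `\=` and `\\` inside extension values) and the `rt` timestamp as epoch milliseconds. For keys the table lists as "X / Caller X", the first column name is used.

```python
"""CEF parser for the ArcSight feed, applying the ADAuditPlus key mapping.

Added example, not ADAudit Plus, ManageEngine or ArcSight code. The sample
records, including the vendor/product header values, are constructed to
exercise the mapping and the CEF escaping rules ('\\|' in the header,
'\\=' and '\\\\' in the extension).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# CEF extension key -> ADAuditPlus column, from the mapping table.
# For keys the table lists as "X / Caller X", the first name is used.
CEF_TO_ADAP = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source",
    "cs5": "Severity", "rt": "Event Time", "type": "Event Type",
    "reason": "Event Remarks", "outcome": "Event Outcome",
    "msg": "ADAuditPlus Message String", "fileName": "File Name",
    "fileLocation": "File Location", "suser": "User Name", "suid": "User SID",
    "sntdom": "Domain Name", "shost": "User Machine",
    "cs2": "User Machine IP Address", "duser": "Target User Name",
    "duid": "Target User SID",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(line):
    """Split the seven header fields on unescaped '|'; the rest is the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # '\|' or '\\' inside a header field
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(line[i:])  # extension, still escaped
    return fields


# key=value pairs: a value runs until the next ' key=' or end of line, and
# a '\x' escape is consumed as a unit so an escaped '=' never ends a value.
_EXT_RE = re.compile(
    r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|$)", re.DOTALL)


def _unescape(value):
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value, flags=re.DOTALL)


def parse_cef(line):
    """Return the header fields plus 'ext': {ADAuditPlus column: value}."""
    fields = _split_header(line.strip())
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    rec = dict(zip(HEADER_FIELDS, fields[:7]))
    rec["version"] = rec["version"][len("CEF:"):]
    ext = {}
    for m in _EXT_RE.finditer(fields[7]):
        ext[CEF_TO_ADAP.get(m.group(1), m.group(1))] = _unescape(m.group(2))
    rt = ext.get("Event Time")
    if rt and rt.isdigit():  # CEF 'rt' as epoch milliseconds -> ISO 8601 UTC
        ext["Event Time"] = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
    rec["ext"] = ext
    return rec


def group_by_category(lines):
    """Bucket parsed records by the ADAuditPlus category carried in 'cat'."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_cef(line)
        groups[rec["ext"].get("ADAuditPlus Category", "unknown")].append(rec)
    return dict(groups)


# Constructed sample feed (not real ADAuditPlus output); raw strings keep the CEF escapes literal
SAMPLE_LINES = [
    r"CEF:0|ManageEngine|ADAuditPlus|6.0|4624|Logon Success|3|cat=Logon Events cn1=4624 rt=1552226537000 outcome=Success suser=alice sntdom=CORP shost=WS01 cs2=10.0.0.15 msg=User logon\=interactive",
    r"CEF:0|ManageEngine|ADAuditPlus|6.0|4728|Member Added to Group|7|cat=Group Management cn1=4728 rt=1552226600000 suser=admin duser=bob duid=S-1-5-21-1-2-3-1105 reason=Added to Domain Admins",
    r"CEF:0|ManageEngine|ADAuditPlus|6.0|4663|File Read\|Write|5|cat=File Audit cn1=4663 fileName=payroll.xlsx fileLocation=\\\\fs01\\share msg=Read attempt",
]

if __name__ == "__main__":
    for category, records in group_by_category(SAMPLE_LINES).items():
        print(category, [r["ext"].get("User Name") for r in records])
```

A parser that splits the header on every `|`, or the extension on every `=`, breaks on exactly the values an auditor cares about: file paths with backslashes, UNC shares, and event names or remarks containing a pipe or an equals sign, which is why the escapes are handled before the mapping is applied.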
Copyright © 2019, ZOHO Corp. All Rights Reserved.