SIEM Integration

'SIEM Integration' option allows you to forward data from ADAuditPlus to an external SIEM product or to a Syslog Server in real time.

You can choose to forward

• All of ADAuditPlus data category wise (except Printer Audit Reports).
• ADAuditPlus Technician Audit Reports.
• Alerts.

 

Forwarding ADAudit Plus data to a Syslog Server

Syslog is the event logging service in unix systems.You may also use this setting to forward to your SIEM's UDP or TCP Receiver.

Configuring a Syslog Server:

• Syslog daemon runs by default in udp, port 514.
• The default settings can be modified in its configuration file /etc/syslog.conf . Remember to restart Syslog daemon for the changes to take effect.

Steps to enable Syslog Logging in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' checkbox and choose the 'Syslog' radio button.
3. Enter the Syslog server name. Ensure that the Syslog server is reachable from the ADAuditPlus server.
4. Enter Syslog port number and protocol.
5. Choose Syslog standard and data format as required by your SIEM Parser.
6. After saving this configuration, Choose the categories to forward.

 

Forwarding ADAudit Plus data to an external SIEM product : Splunk HTTP

Configuring Splunk Http Event Collector:

• Click on 'Settings' → 'Data Inputs' → 'Http Event Collector'.
• Click 'New Token'. Provide a name for the token(Preferably ADAuditPlus) and leave the rest to the default values(Customize if required).
• After saving the configuration, an auth token will be generated. This token needs to be provided in ADAuditPlus configuration.
• Under 'Global Settings' in the 'Http Event Collector' page, Enable 'All tokens'.
• You can also customize 'Http port number' and 'SSL' settings as required in the 'Global Settings'.

Steps to enable Splunk forwarding in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' Checkbox and choose the 'Splunk' Radio Button.
3. Enter the Splunk Server name. Ensure that the Splunk Server is reachable from the ADAuditPlus Server.
4. Enter Splunk Http Event Collector port number and protocol.
5. Specify the Http Event Collector token generated in Splunk for ADAuditPlus.
6. After saving this configuration, Choose the categories to forward.

 

Forwarding ADAudit Plus data to an external SIEM product : ArcSight

Steps to enable ArcSight forwarding in ADAuditPlus:

1. Click on 'Admin' Tab → 'SIEM Integration'.
2. Tick the 'Enable' Checkbox and choose the 'ArcSight' Radio Button.
3. Enter the ArcSight Server name. Ensure that the ArcSight Server is reachable from the ADAuditPlus Server.
4. Enter the ArcSight collector port number and protocol.
5. After saving this configuration, Choose the categories to forward.

ArcSight CEF Key Mappings

CEF Key	ADAuditPlus Column
cat	ADAuditPlus Category
cn1	Event Number
cn2	Record Number
cn3	Unique ID
cs1	ADAuditPlus Report Profile Name
cs4	ADAuditPlus Alert Profile Name
cs3	Event Source
cs5	Severity
rt	Event Time
type	Event Type
reason	Event Remarks
outcome	Event Outcome
msg	ADAuditPlus Message String
fileName	File Name
fileLocation	File Location
suser	User Name / Caller User Name
suid	User SID / Caller User Name
sntdom	Domain Name / Caller Domain Name
shost	User Machine / Caller Machine Name
cs2	User Machine IP Address
duser	Target User Name
duid	Target User SID

 

To search for ADAuditPlus Data in your SIEM product

The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.

• Events from ADAuditPlus can be easily separated by the 'SOURCE' field.
• Each log event will have a 'Category' field. The possible values for this field are defined under 'Choose categories to forward' menu in the configuration page.
• Timestamp of each event will be available in the 'TIME_GENERATED' field.
• Other fields pertaining to events may vary depending on the event category. So one regex can be maintained for each of the required categories in your SIEM product.