ManageEngine ADAudit Plus
About
ManageEngine crafts comprehensive IT management software with a focus on making your job easier. Our 100+ products and free tools cover everything your IT needs, at prices you can afford. ADAudit Plus helps keep your Windows Server ecosystem secure and compliant by providing full visibility into all activities.
Product Details
Vendor URL: ManageEngine ADAudit Plus | A UBA-driven change auditor
Product Type: OS
Product Tier: Tier III
Integration Method: Syslog
Integration URL: SIEM Integration - ManageEngine
Log Guide: Help documents | ManageEngine ADAudit Plus
Parser Details
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: ADAUDIT_PLUS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| GENERIC_EVENT | metadata.event_type |
| source_domain | principal.administrative_domain |
| target_sid | target.user.windows_sid |
| display_name | principal.user.user_display_name |
| report_profile | additional.fields |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| status_description | security_result.description |
| Statically Defined | metadata.event_type |
| status - reason | security_result.description |
| target_name | target.resource.name |
| sport | principal.port |
| description | metadata.description |
| sid | principal.user.windows_sid |
| app | src.application |
| src | principal.hostname |
| src | principal.ip |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| target_domain | target.administrative_domain |
| suser | principal.user.userid |
| target_user | target.user.userid |
| summary | security_result.summary |
| observer | observer.hostname |
| observer | observer.ip |
| product_event | metadata.product_event_type |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | | GENERIC_EVENT | |
| 4771 | | USER_LOGIN | |
| 4741 | | USER_RESOURCE_CREATION | |
| 4742, 4750, 4751 | | USER_RESOURCE_UPDATE_CONTENT | |
Log Sample
<110>Dec 17 12:22:17 10.10.10.209 ADAuditPlus: [ Category = LogonReports ] [ REPORT_PROFILE = All Users Logon ] [ USERNAME = john.doe ] [ CLIENT_IP_ADDRESS = 10.10.10.4 ] [ CLIENT_HOST_NAME = hostname1.domain.com ] [ TIME_GENERATED = 1639761737 ] [ RECORD_NUMBER = 1567233738 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = companyname.com ] [ SOURCE = hostname2.domain.com ] [ LOGON_SERVICE = krbtgt ] [ USER_SID = %{sid} ] [ ERROR_CODE = 0x0 ] [ ERROR_CODE_TEXT = - ] [ EVENT_NUMBER = 4768 ] [ REMARKS = A Kerberos authentication ticket (TGT) was requested. ] [ PRE_AUTHENTICATION_TYPE = 2 ] [ TRANSITED_SERVICES = null ] [ TICKET_OPTIONS = 0x40800000 ] [ TICKET_ENCRYPTION_TYPE = 0x12 ] [ CLIENT_PORT = 57982 ] [ CERTIFICATE_THUMBPRINT = null ] [ CERTIFICATE_SERIAL_NUMBER = null ] [ CERTIFICATE_ISSUER_NAME = null ] [ USER_SAM_ACCOUNT_NAME = null ] [ USER_DISPLAY_NAME = service.account ] [ USER_PRINCIPAL_NAME = null ] [ USER_GUID = null ] [ USER_DISTINGUISH_NAME = CN=john.doe,OU=Service,DC=domain,DC=local ] [ USER_OU_GUID = {guid} ] [ USER_DEPARTMENT = null ] [ USER_MANAGER_NAME = null ] [ CLIENT_HOST_DOMAIN_NAME = null ] [ SOURCE_NAME = null ] [ LOG_FILE_NAME = null ] [ KEYWORDS_NAME = null ] [ TASK_CATEGORY_NAME = null ] [ TASK_CATEGORY_ID = null ] [ EXTRA_COLUMN1 = null ] [ EXTRA_COLUMN2 = null ] [ EXTRA_COLUMN3 = null ] [ EXTRA_COLUMN4 = null ] [ EXTRA_COLUMN5 = null ] [ EXTRA_COLUMN6 = null ] [ EXTRA_COLUMN7 = null ] [ EXTRA_COLUMN8 = null ] [ EXTRA_COLUMN9 = null ] [ EXTRA_COLUMN10 = null ] [ CONFIGURED_DOMAIN_NAME = null ]
Sample Parsing
metadata.event_timestamp = "2021-12-17T12:22:17Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "ManageEngine"
metadata.product_name = "ADAuditPlus"
metadata.product_version = "LogonReports"
metadata.product_event_type = "4768"
metadata.description = "A Kerberos authentication ticket (TGT) was requested."
metadata.ingested_timestamp = "2021-12-17T18:18:51.141962Z"
additional.REPORT_PROFILE = "All Users Logon"
principal.hostname = "hostname1.domain.com"
principal.user.userid = "john.doe"
principal.user.user_display_name = "john.doe"
principal.user.windows_sid = "sid"
principal.ip = "10.10.10.4"
principal.port = 57982
principal.asset.ip = "10.10.10.4"
src.application = "krbtgt"
target.hostname = "hostname2.domain.com"
target.administrative_domain = "domain.com"
target.asset.hostname = "hostname2"
observer.ip = "10.10.10.209"
security_result.summary = "KDC_ERR_NONE"
security_result.description = "No error"
security_result.action = "ALLOW"
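The following Python parser is an added example and is not the vendor's or the SIEM's own parser. It splits an ADAudit Plus syslog line into its syslog header and its `[ KEY = VALUE ]` pairs, then builds the flat UDM field paths shown in the sample parsing above, using the field mapping and product event type tables on this page. The year supplied for the BSD syslog header (which carries no year or time zone), the dropping of `null`, `-` and unresolved `%{...}` placeholder values, the `additional.TIME_GENERATED_UTC` key, and the treatment of any non-zero Kerberos ERROR_CODE as a failure are assumptions of this example, not behaviour documented on the page.

```python
"""Reference parser: ADAudit Plus syslog line -> flat dict of UDM field paths.

Added example, not the product's or the SIEM's parser. Field mapping follows
the tables on this page; the assumed header year, null/placeholder handling
and non-zero error-code handling are this example's own choices.
"""
import re
from datetime import datetime, timezone

# Constructed sample, abbreviated from the log sample on this page.
SAMPLE = (
    "<110>Dec 17 12:22:17 10.10.10.209 ADAuditPlus: [ Category = LogonReports ] "
    "[ REPORT_PROFILE = All Users Logon ] [ USERNAME = john.doe ] "
    "[ CLIENT_IP_ADDRESS = 10.10.10.4 ] [ CLIENT_HOST_NAME = hostname1.domain.com ] "
    "[ TIME_GENERATED = 1639761737 ] [ EVENT_TYPE_TEXT = Success ] "
    "[ DOMAIN = companyname.com ] [ SOURCE = hostname2.domain.com ] "
    "[ LOGON_SERVICE = krbtgt ] [ USER_SID = %{sid} ] [ ERROR_CODE = 0x0 ] "
    "[ ERROR_CODE_TEXT = - ] [ EVENT_NUMBER = 4768 ] "
    "[ REMARKS = A Kerberos authentication ticket (TGT) was requested. ] "
    "[ CLIENT_PORT = 57982 ] "
    "[ USER_DISTINGUISH_NAME = CN=john.doe,OU=Service,DC=domain,DC=local ] "
    "[ USER_DEPARTMENT = null ]"
)

# <PRI>Mon DD hh:mm:ss host program: body   (BSD-style header, as in the sample)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:\s]+):\s*(?P<body>.*)$"
)
# One "[ KEY = VALUE ]" pair; values may contain '=' and ',' (e.g. a DN) but not ']'.
PAIR_RE = re.compile(r"\[\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<val>.*?)\s*\]")
PLACEHOLDER_RE = re.compile(r"^%\{[^}]*\}$")  # unresolved template such as %{sid}

# Product event types table on this page; any other event number is GENERIC_EVENT.
EVENT_TYPES = {
    "4771": "USER_LOGIN",
    "4741": "USER_RESOURCE_CREATION",
    "4742": "USER_RESOURCE_UPDATE_CONTENT",
    "4750": "USER_RESOURCE_UPDATE_CONTENT",
    "4751": "USER_RESOURCE_UPDATE_CONTENT",
}

# Direct copies from the log field to a UDM path (from the mapping table and sample parsing).
DIRECT = {
    "Category": "metadata.product_version",  # the page's sample parsing puts Category here
    "EVENT_NUMBER": "metadata.product_event_type",
    "REMARKS": "metadata.description",
    "REPORT_PROFILE": "additional.REPORT_PROFILE",
    "CLIENT_HOST_NAME": "principal.hostname",
    "CLIENT_IP_ADDRESS": "principal.ip",
    "USERNAME": "principal.user.userid",
    "USER_SID": "principal.user.windows_sid",
    "LOGON_SERVICE": "src.application",
    "SOURCE": "target.hostname",
}


def parse_pairs(body):
    """Return the bracketed pairs as a dict, dropping empty markers (assumption:
    'null', '-' and %{...} placeholders carry no usable value)."""
    fields = {}
    for m in PAIR_RE.finditer(body):
        val = m.group("val")
        if val in ("null", "-") or PLACEHOLDER_RE.match(val):
            continue
        fields[m.group("key")] = val
    return fields


def to_udm(line, year=2021):
    """Map one syslog line to UDM field paths. 'year' is assumed because the
    BSD header has none; the default reproduces the page's sample parsing."""
    h = HEADER_RE.match(line)
    if not h:
        raise ValueError("not an ADAudit Plus syslog line")
    f = parse_pairs(h["body"])
    ts = datetime.strptime(f"{year} {h['mon']} {h['day']} {h['time']}", "%Y %b %d %H:%M:%S")
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": EVENT_TYPES.get(f.get("EVENT_NUMBER", ""), "GENERIC_EVENT"),
        "metadata.vendor_name": "ManageEngine",
        "metadata.product_name": h["app"],
        "observer.ip": h["host"],  # the syslog sender is the ADAudit Plus server
    }
    for key, path in DIRECT.items():
        if key in f:
            udm[path] = f[key]
    if "CLIENT_PORT" in f:
        udm["principal.port"] = int(f["CLIENT_PORT"])
    if "CLIENT_IP_ADDRESS" in f:
        udm["principal.asset.ip"] = f["CLIENT_IP_ADDRESS"]
    if "SOURCE" in f:
        # Sample parsing derives the target domain and short name from SOURCE, not DOMAIN.
        short, _, domain = f["SOURCE"].partition(".")
        udm["target.asset.hostname"] = short
        if domain:
            udm["target.administrative_domain"] = domain
    if "TIME_GENERATED" in f:
        # Epoch seconds are unambiguous, unlike the header; kept so the two can be compared.
        gen = datetime.fromtimestamp(int(f["TIME_GENERATED"]), tz=timezone.utc)
        udm["additional.TIME_GENERATED_UTC"] = gen.strftime("%Y-%m-%dT%H:%M:%SZ")
    code = f.get("ERROR_CODE")
    if code == "0x0":  # Kerberos success, as rendered in the page's sample parsing
        udm["security_result.summary"] = "KDC_ERR_NONE"
        udm["security_result.description"] = "No error"
        udm["security_result.action"] = "ALLOW"
    elif code is not None:  # assumption: any other KDC code is a failed request
        udm["security_result.summary"] = f.get("ERROR_CODE_TEXT", code)
        udm["security_result.action"] = "BLOCK"
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE).items()):
        print(f"{k} = {v!r}")
```

Note that the header time (12:22:17, no zone) and TIME_GENERATED (1639761737, which is 17:22:17Z) disagree by five hours in the sample; the sample parsing on this page takes the header value, so an ingestion pipeline that needs exact event times should prefer the epoch field.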
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon