Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
ADAudit Plus Alerts | ✅ | | | | adaudit_plus_alerts | Key value | S3 |
ADAudit Plus Reports | ✅ | | | | adaudit_plus_reports | Key value | S3 |
Overview
ADAudit Plus helps keep your Windows Server ecosystem secure and compliant by providing full visibility into all activities. ADAP does so by collecting event log data from most of your environment's licensed components and creating Alerts and Reports on top of it.
Hunters ingests both ADAP Alerts and Reports, and generates alerts for ADAP Alerts, connecting them to activities detected by other products in your environment.
Supported data types
Hunters currently supports all ADAudit Plus log types. They are separated into two distinct logical data types, based on the Category field:
ADAudit Plus Alerts
Table name: adaudit_plus_alerts
Based on the ADAPAlerts category only: alerts created by ADAudit Plus.
ADAudit Plus Reports
Table name: adaudit_plus_reports
Based on all the other categories: ADAudit Plus reports about actions that occur in your environment.
Send data to Hunters
Hunters supports the ingestion of ADAudit Plus logs via an intermediary AWS S3 bucket.
To connect ADAudit Plus logs:
Export your logs from ADAudit Plus to an AWS S3 bucket.
📘Learn more
Read this article from ManageEngine and this Hunters article section to learn how to achieve this.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
The logs should be exported from the console. There, it is possible to define separators between the different fields and between the key and the value using the Syslog/SIEM Export in the ADAP SIEM Integration.
Below are two example rows in the key-value format in which Hunters expects to receive the data, with an explicit field separator (here `;`) and key-value separator (here `=`):
Sample Alert row
Category = ADAPAlerts;UNIQUE_ID = 14613552;ALERT_PROFILE = Group Membership Changes;REPORT_PROFILE = Security Group Membership Changes,SEVERITY = 2;TIME_GENERATED = 1638482054;FORMAT_MESSAGE = Member 'CN=User Name,OU=Users,DC=corp,DC=com' was removed from Global Security Group 'SecurityGroup' by 'DOMAIN\admin'.;SOURCE = computer.domain.com,DOMAIN = domain.com
Sample Report row
Category = LocalLogonLogoffReports;REPORT_PROFILE = Local Logon Success for Computers;USER
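As an added example (not code from the Hunters documentation or from ManageEngine), the following Python parser reads rows in this format: it splits fields on the configured field separator, splits each field on its first `=` only so that LDAP distinguished names inside values survive, and routes each row to the table named above by its Category. The two sample rows inside it are constructed to follow the `;` / `=` layout; they are not taken from a real export.

```python
from datetime import datetime, timezone
from typing import Optional

ALERTS_CATEGORY = "ADAPAlerts"
ALERTS_TABLE = "adaudit_plus_alerts"
REPORTS_TABLE = "adaudit_plus_reports"


def parse_adap_row(row: str, field_sep: str = ";", kv_sep: str = "=") -> dict:
    """Parse one exported ADAudit Plus row into a dict of field -> value.

    Fields are separated by field_sep; each field is split into key and value on
    the FIRST kv_sep only, so values that contain '=' themselves (an LDAP DN such
    as CN=...,OU=...,DC=...) stay intact. Surrounding whitespace, as in
    "Category = ADAPAlerts", is stripped. Pick a field separator that never
    appears inside values: a value containing field_sep cannot be recovered.
    """
    fields = {}
    for raw in row.strip().split(field_sep):
        if not raw.strip():
            continue  # tolerate a trailing field separator
        if kv_sep not in raw:
            raise ValueError(f"field without {kv_sep!r} separator: {raw!r}")
        key, value = raw.split(kv_sep, 1)
        fields[key.strip()] = value.strip()
    if "Category" not in fields:
        raise ValueError("row has no Category field; cannot route it to a table")
    return fields


def route_table(fields: dict) -> str:
    """Return the Hunters table a parsed row belongs to, based on its Category."""
    return ALERTS_TABLE if fields["Category"] == ALERTS_CATEGORY else REPORTS_TABLE


def event_time(fields: dict) -> Optional[datetime]:
    """TIME_GENERATED is a Unix epoch in seconds; return it as an aware UTC datetime."""
    ts = fields.get("TIME_GENERATED")
    return datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts else None


# Constructed sample rows (hypothetical values, not from a real ADAP export).
SAMPLE_ALERT = (
    "Category = ADAPAlerts;UNIQUE_ID = 14613552;ALERT_PROFILE = Group Membership Changes;"
    "SEVERITY = 2;TIME_GENERATED = 1638482054;"
    "FORMAT_MESSAGE = Member 'CN=User Name,OU=Users,DC=corp,DC=com' was removed from "
    "Global Security Group 'SecurityGroup' by 'DOMAIN\\admin'.;SOURCE = computer.domain.com"
)
SAMPLE_REPORT = "Category = LocalLogonLogoffReports;REPORT_PROFILE = Local Logon Success for Computers;USER = jdoe"

if __name__ == "__main__":
    for row in (SAMPLE_ALERT, SAMPLE_REPORT):
        parsed = parse_adap_row(row)
        print(route_table(parsed), parsed["Category"], event_time(parsed))
```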