NetIQ

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

NetIQ eDirectory Audit logs

✅

netiq_edirectory_audit

CEF

S3


Overview

NetIQ eDirectory is a directory service software that facilitates the centralized management of resources and user identities across different network environments. It is designed to handle the distribution of access rights and streamline the administration of various network resources, making it possible to coordinate data and access across multiple platforms.

Sending the data to Hunters enables several detection use cases based on login events, as well as log retention.

Supported data types

NetIQ eDirectory Audit logs

Table name: netiq_edirectory_audit

Audit logs in NetIQ eDirectory capture detailed information about events and operations performed within the directory service.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of NetIQ logs via an intermediary AWS S3 bucket.

To connect NetIQ logs:

  1. Export your logs from NetIQ to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

NetIQ eDirectory Audit logs

CEF:0|NetIQ|eDirectory|9.1|CEF0B035C|LOGIN|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 31 2017 17:00:22 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#NMAS src=164.99.179.164 spt=59737 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=admin,OU\=novell,OU\=co,O\=in cs1Label=Client Address cs1=164.99.179.164:59737 cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=nmas#262183# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString1Label=Login Method flexString1=0 flexString2Label=SubEvent flexString2=DSE_NMAS_LOG_FINISH_LOGIN_STATUS flexNumber2Label=Grouping flexNumber2=386 cat=Security reason=0 outcome=Success
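As an added example (not Hunters' or NetIQ's code), the following Python parser shows how a line in this format breaks down: the pipe-delimited CEF header, the space-separated extension with backslash-escaped `=` characters inside the DN values, and the `csNLabel`/`csN` and `flexStringNLabel`/`flexStringN` pairs that carry named custom fields such as Client Address, Tree Name and SubEvent. The sample line is the one shown above; the two failed-login lines are constructed from it by changing the outcome and client address, and the field names chosen for the login summary are this example's own.

```python
"""Parse NetIQ eDirectory audit events in CEF format and pull out login fields.

Added example, not Hunters' or NetIQ's code. SAMPLE is the line from this
page's "Expected format" section; CONSTRUCTED_FAILURES are made up from it.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = (
    r"CEF:0|NetIQ|eDirectory|9.1|CEF0B035C|LOGIN|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 "
    r"rt=Oct 31 2017 17:00:22 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in "
    r"sproc=eDirectory#NMAS src=164.99.179.164 spt=59737 suser=CN\=admin,OU\=novell,OU\=co,O\=in "
    r"duser=CN\=admin,OU\=novell,OU\=co,O\=in cs1Label=Client Address cs1=164.99.179.164:59737 "
    r"cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID "
    r"cs4=nmas#262183# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in "
    r"flexString1Label=Login Method flexString1=0 flexString2Label=SubEvent "
    r"flexString2=DSE_NMAS_LOG_FINISH_LOGIN_STATUS flexNumber2Label=Grouping flexNumber2=386 "
    r"cat=Security reason=0 outcome=Success"
)

# Constructed variants of the sample: two failed logins from a different client (placeholder IP).
CONSTRUCTED_FAILURES = [
    SAMPLE.replace("outcome=Success", "outcome=Failure").replace("164.99.179.164", "10.0.0.5")
    for _ in range(2)
]

HEADER_SPLIT = re.compile(r"(?<!\\)\|")                     # '|' not preceded by a backslash
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")   # extension key at start or after whitespace


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)
    custom: dict = field(default_factory=dict)  # human label -> value for csN / flexStringN / flexNumberN


def _unescape(value: str) -> str:
    # CEF escapes '=' and '\' in extension values (and '|' in header fields) with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_extension(ext: str) -> dict:
    """Split 'key=value key=value' where values may contain spaces and escaped '='."""
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> CefEvent:
    parts = HEADER_SPLIT.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    ext = parse_extension(parts[7])
    # Resolve 'cs1Label=Client Address' + 'cs1=...' into custom['Client Address'].
    custom = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            custom[label] = ext[key[:-5]]
    return CefEvent(
        version=int(parts[0][4:]),
        vendor=_unescape(parts[1]), product=_unescape(parts[2]),
        device_version=_unescape(parts[3]), signature_id=_unescape(parts[4]),
        name=_unescape(parts[5]), severity=parts[6],
        extension=ext, custom=custom,
    )


def login_summary(event):
    """Fields a login-based detection would key on; None for non-LOGIN events."""
    if event.name != "LOGIN":
        return None
    ext = event.extension
    return {
        "user": ext.get("suser"),
        "client": event.custom.get("Client Address", ext.get("src")),
        "server": ext.get("dvchost"),
        "outcome": ext.get("outcome"),
        "sub_event": event.custom.get("SubEvent"),
        "time": "%s %s" % (ext.get("rt"), ext.get("dtz")),
    }


def failed_logins_by_client(lines):
    """Count LOGIN events whose outcome is not Success, keyed by client IP (port stripped)."""
    counts = Counter()
    for line in lines:
        summary = login_summary(parse_cef(line))
        if summary and summary["outcome"] != "Success":
            counts[summary["client"].rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev.vendor, ev.product, ev.name, ev.custom["Tree Name"])
    print(login_summary(ev))
    print(failed_logins_by_client([SAMPLE] + CONSTRUCTED_FAILURES))
```

The header split only guards against a single escaped pipe; an extension is taken as everything after the seventh unescaped pipe, so pipes inside extension values do not need escaping. Note that the DN values come back with their `\=` sequences unescaped (for example `CN=admin,OU=novell,OU=co,O=in`), which is the form you would want to match on when writing a detection over the `netiq_edirectory_audit` table.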