This article explains how to ingest your ADAudit Plus data to Hunters.
ADAudit Plus helps keep your Windows Server ecosystem secure and compliant by providing full visibility into all activities. ADAP does so by collecting event log data from most of your environment’s licensed components, creating Alerts and Reports above it.

Hunters ingest both ADAP Alerts and Reports, and populate to the Portal ADAP Alerts, connecting them to other detected activities from other products in your Environment.

In order to integrate your ADAudit Plus logs into Hunters, the logs should be collected to a Storage Service (e.g. to an S3 bucket or Azure Blob Storage) which should be shared with Hunters.

Supported data types

Hunters currently support all ADAudit Plus log types. While doing so, these are separated into two distinct logic datatypes (based on the category field):

  • ADAudit Plus Alerts: based on ADAPAlerts category only - Alerts created by ADAudit Plus.

  • ADAudit Plus Reports: based on all the other categories, containing ADAudit Reports about actions that occurred in your environment.

Expected Log Format

The logs should be exported from the console. There, it is possible to define separators between the different fields and between the key and the value using the Syslog/SIEM Export in the ADAP SIEM Integration.

Find below two examples of rows in a key-value format Hunters expect to receive the data, with explicit field separator (here ;) and key-value separator (here = ) :

  • The first one is an Alert row:

Category = ADAPAlerts;UNIQUE_ID = 14613552;ALERT_PROFILE = Group Membership Changes;REPORT_PROFILE = Security Group Membership Changes,SEVERITY = 2;TIME_GENERATED = 1638482054;FORMAT_MESSAGE = Member 'CN=User Name,OU=Users,DC=corp,DC=com' was removed from Global Security Group 'SecurityGroup' by 'DOMAIN\admin'.;SOURCE = computer.domain.com,DOMAIN = domain.com
  • The second one is a Report row:

    Category = LocalLogonLogoffReports;REPORT_PROFILE = Local Logon Success for Computers;USER