1. Which logs/alerts does Threat Defense for Active Directory (SETDAD) send to Syslog/QRadar?
2. Does TDAD send Dark Corner alarm logs as syslog messages?
Release: 3.6.x
1. A syslog message is sent every time an event occurs and is in the standard syslog format.
For example:
Syslog message: USER.INFO: Dec 04 18:41:13 <TDAD Core server> SymETDAD: domain:example.com, hostName:<Hostname>.example.com, alarmType:NetComputer, accounts:, destination:<Domain Controller>.example.com objectName:<Fake Computer Object>$,Deployment Manager:localhost, timeStamp:1512405658
Explanation:
• '<TDAD Core server>' is the Threat Defense for AD server.
• 'domain:example.com' is the domain that Threat Defense for AD protects.
• 'hostName:<Hostname>.example.com' is the source of the attack.
• 'alarmType:NetComputer' is the alarm type (in this case 'Computer Information Gathering').
• 'destination:<Domain Controller>.example.com' is the domain controller that generated the alarm.
• 'objectName:<Fake Computer Object>$' is the item of the mask that was interacted with.
Below are the Alert Types that you will see on Syslog:
• NETUSER – User Information Gathering
• ExternalNetUser – Brute Force Attempt
• NetComputer – Computer Information Gathering
• CredOTH – Credential Theft using Over-Pass-the-Hash
• CredPTH – Credential Theft using Pass-the-Hash
• CredPTT – Credential Theft using Pass-the-Ticket
• DCSync – Malicious DCSync Replication Attack
• PLDAP – Untrusted LDAP Binding
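Added example, not code from the article or from the product: a small Python parser for the message layout shown above. It splits the SymETDAD payload into fields (the sample uses both ", " and a bare space as separators, so the parser splits only in front of a known key), labels the alarmType from the list above, and converts the epoch timeStamp to UTC. The hostnames and object name in the sample line are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Alarm types as they appear in the alarmType field, with the article's descriptions.
ALARM_TYPES = {
    "NETUSER": "User Information Gathering",
    "ExternalNetUser": "Brute Force Attempt",
    "NetComputer": "Computer Information Gathering",
    "CredOTH": "Credential Theft using Over-Pass-the-Hash",
    "CredPTH": "Credential Theft using Pass-the-Hash",
    "CredPTT": "Credential Theft using Pass-the-Ticket",
    "DCSync": "Malicious DCSync Replication Attack",
    "PLDAP": "Untrusted LDAP Binding",
}

# Keys seen in the payload; "Deployment Manager" contains a space, so splitting on
# whitespace alone would break it. Splitting only in front of a known key is safer.
KEYS = ("domain", "hostName", "alarmType", "accounts", "destination",
        "objectName", "Deployment Manager", "timeStamp")
FIELD = re.compile(r"[,\s]+(?=(?:%s):)" % "|".join(re.escape(k) for k in KEYS))
# Optional facility.severity prefix, syslog timestamp, TDAD core server, then the payload.
HEADER = re.compile(r"^(?:\S+:\s+)?(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) SymETDAD: (.*)$")

# Constructed sample mirroring the article's layout (including the bare space before
# objectName and the missing space after "$,"); hostnames are placeholders.
SAMPLE_LINE = ("USER.INFO: Dec 04 18:41:13 tdad-core.example.com SymETDAD: domain:example.com, "
               "hostName:ws01.example.com, alarmType:NetComputer, accounts:, "
               "destination:dc01.example.com objectName:FAKEPC01$,"
               "Deployment Manager:localhost, timeStamp:1512405658")

def parse_tdad_syslog(line):
    """Return a dict of fields for a SymETDAD syslog line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    syslog_time, core_server, payload = m.groups()
    event = {"core_server": core_server, "syslog_time": syslog_time}
    for field in FIELD.split(payload):
        key, _, value = field.partition(":")
        event[key.strip()] = value.strip()      # "accounts:" yields an empty value
    event["alarm_description"] = ALARM_TYPES.get(event.get("alarmType"), "Unknown alarm type")
    # The syslog header time is the sender's local clock; timeStamp is epoch seconds (UTC).
    ts = event.get("timeStamp", "")
    event["event_time_utc"] = (datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
                               if ts.isdigit() else None)
    return event

if __name__ == "__main__":
    for k, v in parse_tdad_syslog(SAMPLE_LINE).items():
        print(f"{k}: {v}")
```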
2. Dark Corners are not part of the syslog forwarder; it is not designed for that.
Dark Corners (endpoint, domain, domain controllers) are a proactive review of weaknesses and recommendations, exposing the customer's critical misconfigurations and vulnerabilities.
There is no element of real-time or immediate urgency in the recommendations, and therefore no such integration is required for the SOC.
Note: If the TDAD server is integrated with a Symantec Endpoint Protection Manager (SEPM) we recommend collecting syslog events from the SEPM instead.