Threat defense for AD sends limited messages to syslog.


Article ID: 229874



Endpoint Threat Defense for Active Directory


1. Which logs/alerts does Threat Defense for Active Directory (SETDAD) send to Syslog/QRadar?
2. Does TDAD send Dark Corner alarm logs as syslog messages?


Release : 3.6.x



1. A syslog message is sent every time an alarm is raised. The message uses the standard syslog format; the fields specific to Threat Defense for AD are carried in the message body as key:value pairs.

For example:
Syslog message: USER.INFO: Dec 04 18:41:13 <TDAD Core server> SymETDAD:<Domain>, hostName:<Hostname>, alarmType:NetComputer, accounts:, destination:<Domain Controller> objectName:<Fake Computer Object>$,Deployment Manager:localhost, timeStamp:1512405658

• '<TDAD Core server>' is the Threat Defense for AD server that sent the message.
• 'SymETDAD:<Domain>' is the domain that Threat Defense for AD protects.
• 'hostName:<Hostname>' is the endpoint the attack came from.
• 'alarmType:NetComputer' is the alarm type (in this case 'Computer Information Gathering'; the full list is below).
• 'accounts:' lists the account(s) involved in the alarm, if any (empty in this example).
• 'destination:<Domain Controller>' is the domain controller that generated the alarm.
• 'objectName:<Fake Computer Object>$' is the element of the mask (the deceptive objects) that the attacker interacted with; the trailing '$' is the standard suffix of an AD computer account name.
• 'timeStamp:1512405658' is the time of the event as a Unix epoch value (seconds since 1970-01-01 UTC).

Below are the alarm types (the alarmType values) that you will see in syslog:
• NETUSER – User Information Gathering
• ExternalNetUser – Brute Force Attempt
• NetComputer – Computer Information Gathering
• CredOTH – Credential Theft using Over-Pass-the-Hash
• CredPTH – Credential Theft using Pass-the-Hash
• CredPTT – Credential Theft using Pass-the-Ticket
• DCSync – Malicious DCSync Replication Attack
• PLDAP – Untrusted LDAP Binding
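As an added example (not code from the article or from Symantec), the following Python parses messages in the format above into flat records that a SIEM such as QRadar can index, and maps each alarmType to its description. It splits the body on the documented field names rather than on commas, because the sample shows 'destination' and 'objectName' separated only by a space and 'Deployment Manager' contains a space. The host, domain, account and object names in the sample lines are constructed placeholders, and the SIEM field names the record uses are this example's own choice.

```python
"""Parse Threat Defense for AD (TDAD) syslog alarms into SIEM-friendly records."""
import re
from datetime import datetime, timezone

# Alarm types listed in the article, mapped to their human-readable meaning.
ALARM_TYPES = {
    "NETUSER": "User Information Gathering",
    "ExternalNetUser": "Brute Force Attempt",
    "NetComputer": "Computer Information Gathering",
    "CredOTH": "Credential Theft using Over-Pass-the-Hash",
    "CredPTH": "Credential Theft using Pass-the-Hash",
    "CredPTT": "Credential Theft using Pass-the-Ticket",
    "DCSync": "Malicious DCSync Replication Attack",
    "PLDAP": "Untrusted LDAP Binding",
}

# Body field names in the order the article's sample shows them. The body is not
# a clean comma-separated list: destination and objectName are separated by a
# space and "Deployment Manager" itself contains a space, so each value is taken
# as the text between its key and the next known key, not by splitting on commas.
FIELD_KEYS = ("SymETDAD", "hostName", "alarmType", "accounts", "destination",
              "objectName", "Deployment Manager", "timeStamp")

# Header: "<facility>.<severity>: <Mon DD HH:MM:SS> <core server> <body>"
HEADER_RE = re.compile(
    r"^(?P<facility>[A-Z0-9]+)\.(?P<severity>[A-Z]+):\s+"
    r"(?P<syslog_time>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<core_server>\S+)\s+(?P<body>.*)$"
)
KEY_RE = re.compile("(" + "|".join(re.escape(k) for k in FIELD_KEYS) + "):")


def parse_tdad_syslog(line: str) -> dict:
    """Return the header fields and the raw body key/value pairs of one line."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a syslog line in the documented TDAD format")
    fields = {k: m.group(k) for k in ("facility", "severity", "syslog_time", "core_server")}
    body = m.group("body")
    keys = list(KEY_RE.finditer(body))
    if not keys or keys[0].group(1) != "SymETDAD":
        raise ValueError("message body does not start with the SymETDAD: marker")
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        # Trim the separator that follows the value (", ", " " or ",").
        fields[km.group(1)] = body[km.end():end].strip().strip(",").strip()
    for k in FIELD_KEYS:
        fields.setdefault(k, "")
    return fields


def is_tdad_line(line: str) -> bool:
    """True when the line parses as a TDAD alarm (cheap pre-filter in a collector)."""
    try:
        parse_tdad_syslog(line)
        return True
    except ValueError:
        return False


def normalize_alarm(line: str) -> dict:
    """Flatten one raw line into stable field names for a SIEM such as QRadar."""
    raw = parse_tdad_syslog(line)
    alarm_type = raw["alarmType"]
    epoch = int(raw["timeStamp"])  # timeStamp is Unix time in seconds
    return {
        "core_server": raw["core_server"],
        "protected_domain": raw["SymETDAD"],
        "source_host": raw["hostName"],
        "alarm_type": alarm_type,
        "alarm_description": ALARM_TYPES.get(alarm_type, "Unknown alarm type"),
        "accounts": raw["accounts"],
        "domain_controller": raw["destination"],
        "object_name": raw["objectName"],
        # A trailing "$" is the standard suffix of an AD computer account name.
        "object_is_computer": raw["objectName"].endswith("$"),
        "deployment_manager": raw["Deployment Manager"],
        "event_time_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
    }


def alarms_by_type(lines, wanted) -> list:
    """Normalized records whose alarm type is in `wanted` (e.g. a SOC watch list)."""
    return [rec for rec in map(normalize_alarm, lines) if rec["alarm_type"] in wanted]


# Constructed sample lines in the documented layout (not real captures); host,
# domain and account names are placeholders.
SAMPLE_LINES = [
    "USER.INFO: Dec 04 18:41:13 tdad-core SymETDAD:corp.example, hostName:WS-0042, "
    "alarmType:NetComputer, accounts:, destination:DC01 objectName:FAKE-SRV01$,"
    "Deployment Manager:localhost, timeStamp:1512405658",
    "USER.INFO: Dec 04 18:42:07 tdad-core SymETDAD:corp.example, hostName:WS-0042, "
    "alarmType:DCSync, accounts:CORP\\jdoe, destination:DC01 objectName:,"
    "Deployment Manager:localhost, timeStamp:1512405712",
]

if __name__ == "__main__":
    for rec in alarms_by_type(SAMPLE_LINES, ALARM_TYPES):
        print(f"{rec['event_time_utc']} {rec['alarm_type']:<16} "
              f"{rec['source_host']} -> {rec['domain_controller']} {rec['object_name']}")
```

Unknown alarmType values are kept and labelled "Unknown alarm type" rather than dropped, so a new alarm type introduced by a later release still reaches the SIEM; the syslog header time is left as a string because it carries no year or time zone, while timeStamp gives an unambiguous UTC event time.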

2. No. Dark Corners are not part of the syslog forwarder, and the forwarder is not designed to carry them.
Dark Corners (endpoint, domain, and domain controller) are a proactive review of weaknesses and recommendations that exposes critical misconfigurations and vulnerabilities in the customer's environment.
The recommendations carry no real-time or immediate urgency, so no such integration with the SOC is required.

Note: If the TDAD server is integrated with a Symantec Endpoint Protection Manager (SEPM), we recommend collecting syslog events from the SEPM instead.