1. What logs/alerts does Threat Defense for Active Directory (SETDAD) send to syslog/QRadar?
2. Does TDAD send Dark Corner alarm logs as syslog messages?
Release : 3.6.x
1. A syslog message is sent every time an alarm event occurs. The message uses the standard syslog header followed by a SymETDAD-specific body of key:value fields.
Syslog message: USER.INFO: Dec 04 18:41:13 WIN2016-Core SymETDAD: domain:acme.com, hostName:wintest.acme.com, alarmType:NetComputer, accounts:, destination: DC1.acme.com objectName:win-fakeobject$,Deployment Manager:localhost, timeStamp:1512405658
• 'WIN2016-Core' is the Core server that emits the message; 'SymETDAD' is the program tag.
• 'domain:acme.com' is the domain that Threat Defense for AD protects.
• 'hostName:wintest.acme.com' is the source of the attack (the endpoint that interacted with the deceptive object).
• 'alarmType:NetComputer' is the alarm type (in this case 'Computer Information Gathering').
• 'accounts:' lists the account(s) involved in the alarm; it is empty in this example.
• 'destination: DC1.acme.com' is the domain controller that generated the alarm.
• 'objectName:win-fakeobject$' is the item of the deceptive mask that was interacted with.
• 'Deployment Manager:localhost' identifies the Deployment Manager host.
• 'timeStamp:1512405658' is the event time in Unix epoch seconds (here 2017-12-04 16:40:58 UTC).
Below are the alarm types (alarmType values) that you will see in syslog:
• NETUSER – User Information Gathering
• ExternalNetUser – Brute Force Attempt
• NetComputer – Computer Information Gathering
• CredOTH – Credential Theft using Over-Pass-the-Hash
• CredPTH – Credential Theft using Pass-the-Hash
• CredPTT – Credential Theft using Pass-the-Ticket
• DCSync – Malicious DCSync Replication Attack
• PLDAP – Untrusted LDAP Binding
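The following parser is an added example written for this article; it is not part of Threat Defense for AD or QRadar. It turns a SymETDAD syslog line such as the sample above into a structured record, using the alarm types listed above for the description. It deliberately splits the body on the known field names rather than on commas, because the sample shows 'destination: DC1.acme.com objectName:...' with no comma between the two fields, and it converts the epoch 'timeStamp' to UTC. The grouping of the Cred*/DCSync types as credential attacks and the second (DCSync) sample line are the editor's constructions, not output captured from a product.

```python
"""Parse Threat Defense for AD (SymETDAD) syslog alarms into structured records.

Added example for this KB article; not vendor code.
"""
import re
from datetime import datetime, timezone

# Alarm types as listed in the article, mapped to their descriptions.
ALARM_TYPES = {
    "NETUSER": "User Information Gathering",
    "ExternalNetUser": "Brute Force Attempt",
    "NetComputer": "Computer Information Gathering",
    "CredOTH": "Credential Theft using Over-Pass-the-Hash",
    "CredPTH": "Credential Theft using Pass-the-Hash",
    "CredPTT": "Credential Theft using Pass-the-Ticket",
    "DCSync": "Malicious DCSync Replication Attack",
    "PLDAP": "Untrusted LDAP Binding",
}

# Editor's grouping (assumption): the types that indicate credential abuse.
CREDENTIAL_ATTACK_TYPES = {"CredOTH", "CredPTH", "CredPTT", "DCSync"}

# Header layout seen in the sample:
#   "<facility.severity>: <Mon dd HH:MM:SS> <core server> SymETDAD: <body>"
HEADER_RE = re.compile(
    r"^(?P<pri>[A-Z]+\.[A-Z]+): "
    r"(?P<stamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<core>\S+) SymETDAD: (?P<body>.*)$"
)

# Body fields seen in the sample. They are usually comma separated, but the
# sample has "destination: DC1.acme.com objectName:..." with no comma, so a
# value runs until the next known key (optionally preceded by a comma) or EOL.
FIELD_KEYS = ("domain", "hostName", "alarmType", "accounts", "destination",
              "objectName", "Deployment Manager", "timeStamp")
_KEYS_ALT = "|".join(re.escape(k) for k in FIELD_KEYS)
FIELD_RE = re.compile(
    r"(?P<key>" + _KEYS_ALT + r"):\s*"
    r"(?P<val>.*?)(?=,?\s*(?:" + _KEYS_ALT + r"):|$)"
)


def parse_alarm(line: str) -> dict:
    """Return a dict of the alarm fields; raise ValueError for non-TDAD lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a SymETDAD syslog line")
    fields = {f.group("key"): f.group("val").strip()
              for f in FIELD_RE.finditer(m.group("body"))}
    alarm_type = fields.get("alarmType", "")
    ts = fields.get("timeStamp", "")
    return {
        "core_server": m.group("core"),
        "syslog_time": m.group("stamp"),
        "domain": fields.get("domain"),
        "source_host": fields.get("hostName"),
        "alarm_type": alarm_type,
        "description": ALARM_TYPES.get(alarm_type, "Unknown alarm type"),
        "accounts": fields.get("accounts", ""),   # raw; empty in the sample
        "domain_controller": fields.get("destination"),
        "decoy_object": fields.get("objectName"),
        "deployment_manager": fields.get("Deployment Manager"),
        "event_time_utc": (datetime.fromtimestamp(int(ts), tz=timezone.utc)
                           .isoformat() if ts.isdigit() else None),
    }


def is_credential_attack(rec: dict) -> bool:
    """True for the Cred*/DCSync alarm types (editor's grouping)."""
    return rec["alarm_type"] in CREDENTIAL_ATTACK_TYPES


# Sample line from the article, plus a constructed DCSync line of the same shape.
SAMPLE = ("USER.INFO: Dec 04 18:41:13 WIN2016-Core SymETDAD: domain:acme.com, "
          "hostName:wintest.acme.com, alarmType:NetComputer, accounts:, "
          "destination: DC1.acme.com objectName:win-fakeobject$,"
          "Deployment Manager:localhost, timeStamp:1512405658")
CONSTRUCTED_DCSYNC = ("USER.INFO: Dec 04 18:45:02 WIN2016-Core SymETDAD: domain:acme.com, "
                      "hostName:wintest.acme.com, alarmType:DCSync, accounts:, "
                      "destination: DC1.acme.com objectName:,"
                      "Deployment Manager:localhost, timeStamp:1512405902")

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED_DCSYNC):
        rec = parse_alarm(line)
        print(rec["alarm_type"], rec["description"], rec["event_time_utc"],
              "credential attack" if is_credential_attack(rec) else "recon")
```

In a QRadar custom DSM or a log-source extension, the same field-name-driven split is what you want, since a comma-based split silently merges 'destination' and 'objectName' on the sample line.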
2. No. Dark Corners are not part of the syslog forwarder, and the forwarder is not designed to carry them.
Dark Corners (endpoint, domain, domain controller) are a proactive review of weaknesses and recommendations that exposes the customer's critical misconfigurations and vulnerabilities.
The recommendations carry no real-time or immediate urgency, so no such integration with the SOC is required.
Note: If the TDAD server is integrated with a Symantec Endpoint Protection Manager (SEPM), we recommend collecting syslog events from the SEPM instead.