
Threat defense for AD sends limited messages to syslog.


Article ID: 229874


Products

Endpoint Threat Defense for Active Directory

Issue/Introduction

1. Which logs and alerts does Threat Defense for Active Directory (SETDAD) send to syslog/QRadar?
2. Does TDAD send Dark Corner alarm logs to syslog?

Environment

Release : 3.6.x


Resolution

1. A syslog message is sent every time an event (alarm) occurs, in standard syslog format.

For example:
Syslog message: USER.INFO: Dec 04 18:41:13 WIN2016-Core SymETDAD: domain:acme.com, hostName:wintest.acme.com, alarmType:NetComputer, accounts:, destination: DC1.acme.com objectName:win-fakeobject$,Deployment Manager:localhost, timeStamp:1512405658

Explanation (using the values from the example above):
• The host name after the timestamp ('WIN2016-Core') is the Core server.
• 'domain:acme.com' is the domain that Threat Defense for AD protects.
• 'hostName:wintest.acme.com' is the source of the attack.
• 'alarmType:NetComputer' is the alarm type (in this case 'Computer Information Gathering').
• 'destination:DC1.acme.com' is the domain controller that generated the alarm.
• 'objectName:win-fakeobject$' is the item of the mask that was interacted with.

Below are the alarm types that appear in syslog:
• NETUSER – User Information Gathering
• ExternalNetUser – Brute Force Attempt
• NetComputer – Computer Information Gathering
• CredOTH – Credential Theft using Over-Pass-the-Hash
• CredPTH – Credential Theft using Pass-the-Hash
• CredPTT – Credential Theft using Pass-the-Ticket
• DCSync – Malicious DCSync Replication Attack
• PLDAP – Untrusted LDAP Binding
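As an added example (not code from this article or from the product), the following Python parser turns SymETDAD syslog lines of the format shown above into normalized event records that a SIEM such as QRadar could index, and tags each record with the alarm description from the list above. It assumes the field names exactly as they appear in the article's example message (including the missing comma before objectName and the space in "Deployment Manager"), assumes timeStamp is Unix epoch seconds, and uses one constructed DCSync line alongside the article's own example as sample input.

```python
import re
from datetime import datetime, timezone

# Alarm types documented in the article, mapped to their descriptions.
ALARM_TYPES = {
    "NETUSER": "User Information Gathering",
    "ExternalNetUser": "Brute Force Attempt",
    "NetComputer": "Computer Information Gathering",
    "CredOTH": "Credential Theft using Over-Pass-the-Hash",
    "CredPTH": "Credential Theft using Pass-the-Hash",
    "CredPTT": "Credential Theft using Pass-the-Ticket",
    "DCSync": "Malicious DCSync Replication Attack",
    "PLDAP": "Untrusted LDAP Binding",
}

# Keys seen in the sample message body (assumption: these are the only keys).
# Locating the known key names instead of splitting on commas copes with two
# quirks of the sample: no comma before "objectName" and a space inside the
# "Deployment Manager" key.
BODY_KEYS = ["domain", "hostName", "alarmType", "accounts", "destination",
             "objectName", "Deployment Manager", "timeStamp"]

# Header: "<facility.severity>: <Mon DD HH:MM:SS> <core server> SymETDAD: <body>"
HEADER_RE = re.compile(
    r"^(?P<priority>[A-Z]+\.[A-Z]+):\s+"
    r"(?P<syslog_time>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<core_server>\S+)\s+SymETDAD:\s*(?P<body>.*)$"
)
KEY_RE = re.compile(
    r"(?:^|[,\s])(" + "|".join(re.escape(k) for k in BODY_KEYS) + r")\s*:"
)


def parse_body(body):
    """Split the key:value body into a dict; a value runs until the next known key."""
    hits = list(KEY_RE.finditer(body))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[hit.group(1)] = body[hit.end():end].strip().rstrip(",").strip()
    return fields


def parse_tdad_syslog(line):
    """Parse one SymETDAD syslog line into a normalized event dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a SymETDAD syslog line: %r" % line)
    f = parse_body(m.group("body"))
    alarm = f.get("alarmType", "")
    ts = f.get("timeStamp", "")
    return {
        "core_server": m.group("core_server"),
        "domain": f.get("domain", ""),
        "source_host": f.get("hostName", ""),            # where the activity came from
        "alarm_type": alarm,
        # Unknown types are labelled rather than dropped so a SIEM rule can flag them.
        "alarm_description": ALARM_TYPES.get(alarm, "Unknown alarm type"),
        "accounts": f.get("accounts", ""),
        "domain_controller": f.get("destination", ""),   # DC that raised the alarm
        "object_name": f.get("objectName", ""),          # mask object that was touched
        "deployment_manager": f.get("Deployment Manager", ""),
        # Assumption: timeStamp is Unix epoch seconds; render as ISO-8601 UTC.
        "timestamp_utc": datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
        if ts.isdigit() else None,
    }


def summarize(lines):
    """Count alarms by type over a batch of lines, skipping non-TDAD lines."""
    counts = {}
    for line in lines:
        try:
            ev = parse_tdad_syslog(line)
        except ValueError:
            continue
        counts[ev["alarm_type"]] = counts.get(ev["alarm_type"], 0) + 1
    return counts


# Constructed sample input: the first line is the article's example, the
# second is a made-up DCSync alarm in the same format.
SAMPLE_LINES = [
    "USER.INFO: Dec 04 18:41:13 WIN2016-Core SymETDAD: domain:acme.com, "
    "hostName:wintest.acme.com, alarmType:NetComputer, accounts:, "
    "destination: DC1.acme.com objectName:win-fakeobject$,"
    "Deployment Manager:localhost, timeStamp:1512405658",
    "USER.INFO: Dec 04 18:42:01 WIN2016-Core SymETDAD: domain:acme.com, "
    "hostName:wintest.acme.com, alarmType:DCSync, accounts:svc-backup, "
    "destination: DC1.acme.com objectName:,Deployment Manager:localhost, "
    "timeStamp:1512405721",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_tdad_syslog(line)
        print(ev["timestamp_utc"], ev["alarm_type"], "-", ev["alarm_description"],
              "from", ev["source_host"], "on", ev["domain_controller"])
    print(summarize(SAMPLE_LINES))
```

Matching on known key names rather than splitting on commas is deliberate: the article's own example shows that the body is not strictly comma-delimited, so a naive split would merge destination and objectName into one field. An alarmType that is not in the documented list is kept and labelled "Unknown alarm type" so that a SIEM rule can surface it for review rather than silently discarding it.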


2. Dark Corners are not part of the syslog forwarder; it is not designed to send them.
Dark Corners (endpoint, domain, domain controllers) are a proactive review of weaknesses and recommendations, exposing the customer's critical misconfigurations and vulnerabilities.
The recommendations carry no real-time or immediate urgency, so no such integration is required for the SOC.

Note: If the TDAD server is integrated with a Symantec Endpoint Protection Manager (SEPM) we recommend collecting syslog events from the SEPM instead.