From 6aa1a379dc18b1e302ffe6ff5067cef45318b586 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 16 Oct 2023 17:55:58 +0200 Subject: [PATCH 1/2] feat(ManageEngine): add AuditAD Plus documentation --- .../application/manageengine_auditadplus.md | 59 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 60 insertions(+) create mode 100644 docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md diff --git a/docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md b/docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md new file mode 100644 index 0000000000..c041621fe6 --- /dev/null +++ b/docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md 
@@ -0,0 +1,59 @@ +uuid: 890207d2-4878-440d-9079-3dd25d472e0a +name: ManageEngine AuditAD Plus +type: intake + + +## Overview + +ManageEngine AuditAd Plus is a robust Active Directory auditing and compliance solution, empowering organizations to track and monitor changes, detect security threats, and ensure regulatory compliance within their Active Directory environment. + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + +## Supported events + +This integration supports the following events from AuditAD Plus: + +- Alerts (`ADAPAlerts`) +- Group managements reports (`GroupMgmtReports`) +- User managements reports (`UserMgmtReports`) +- Logon reports (`LogonReports`) +- Audit reports (`DNSAuditReports` and `ADObjectsAuditReports`) + + +## Configure + +### Prerequisites + +An internal log concentrator is required to collect and forward events to Sekoia.io. + +### Enable Syslog forwarding + +In the ADAudit Plus console: + +1. Click on 'Admin' Tab → 'SIEM Integration'. +2. Check the 'Enable forwarding of ADAudit Plus Data' checkbox +3. Choose the 'ArcSight (CEF)' radio button. +4. Enter the log concentrator server name. +5. Enter the log concentrator port number and protocol. +6. Save the configuration +7. After saving this configuration, Choose the categories to forward. + + +## Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `ManageEngine AuditADPlus`. + +## Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. 
+ + +{!_shared_content/operations_center/detection/generated/suggested_rules_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md!} + +## Futher Readings + +- [SIEM Integration](https://www.manageengine.com/products/active-directory-audit/help/admin-settings/siem-integration.html) +- [Collected logs in CEF format](https://pitstop.manageengine.com/portal/en/community/topic/collected-syslog-files-in-cef-format) diff --git a/mkdocs.yml b/mkdocs.yml index 8b5a488ae6..1a9f84733c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -79,6 +79,7 @@ nav: - FreeRADIUS: xdr/features/collect/integrations/application/freeradius.md - HAProxy: xdr/features/collect/integrations/application/haproxy.md - ISC DHCP: xdr/features/collect/integrations/application/dhcpd.md + - ManageEngine AuditAD Plus: xdr/features/collect/integrations/application/manageengine_auditadplus.md - Nginx: xdr/features/collect/integrations/application/nginx.md - OpenLDAP: xdr/features/collect/integrations/application/openldap.md - OpenSSH: xdr/features/collect/integrations/application/openssh.md From b971f321924a5700581db341e40f561ff608f5c5 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 23 Oct 2023 14:44:43 +0200 Subject: [PATCH 2/2] fix(ManageEngine): fix name --- ...eengine_auditadplus.md => manageengine_adauditplus.md} | 8 ++++---- mkdocs.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) rename docs/xdr/features/collect/integrations/application/{manageengine_auditadplus.md => manageengine_adauditplus.md} (89%) 
diff --git a/docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md b/docs/xdr/features/collect/integrations/application/manageengine_adauditplus.md similarity index 89% rename from docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md rename to docs/xdr/features/collect/integrations/application/manageengine_adauditplus.md index c041621fe6..31356dd5cd 100644 --- a/docs/xdr/features/collect/integrations/application/manageengine_auditadplus.md +++ b/docs/xdr/features/collect/integrations/application/manageengine_adauditplus.md @@ -1,18 +1,18 @@ uuid: 890207d2-4878-440d-9079-3dd25d472e0a -name: ManageEngine AuditAD Plus +name: ManageEngine ADAudit Plus type: intake ## Overview -ManageEngine AuditAd Plus is a robust Active Directory auditing and compliance solution, empowering organizations to track and monitor changes, detect security threats, and ensure regulatory compliance within their Active Directory environment. +ManageEngine ADAudit Plus is a robust Active Directory auditing and compliance solution, empowering organizations to track and monitor changes, detect security threats, and ensure regulatory compliance within their Active Directory environment. !!! warning Important note - This format is currently in beta. We highly value your feedback to improve its performance. ## Supported events -This integration supports the following events from AuditAD Plus: +This integration supports the following events from ADAudit Plus: - Alerts (`ADAPAlerts`) - Group managements reports (`GroupMgmtReports`) @@ -42,7 +42,7 @@ In the ADAudit Plus console: ## Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `ManageEngine AuditADPlus`. +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `ManageEngine ADAuditPlus`. ## Forward logs to Sekoia.io 
diff --git a/mkdocs.yml b/mkdocs.yml index 1a9f84733c..bd4e0ea7ee 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -79,7 +79,7 @@ nav: - FreeRADIUS: xdr/features/collect/integrations/application/freeradius.md - HAProxy: xdr/features/collect/integrations/application/haproxy.md - ISC DHCP: xdr/features/collect/integrations/application/dhcpd.md - - ManageEngine AuditAD Plus: xdr/features/collect/integrations/application/manageengine_auditadplus.md + - ManageEngine ADAudit Plus: xdr/features/collect/integrations/application/manageengine_adauditplus.md - Nginx: xdr/features/collect/integrations/application/nginx.md - OpenLDAP: xdr/features/collect/integrations/application/openldap.md - OpenSSH: xdr/features/collect/integrations/application/openssh.md
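Review bot: in the new manageengine_auditadplus.md hunk, the 'Supported events' list has a grammar slip repeated in two items, 'Group managements reports' and 'User managements reports', which should read 'Group management reports' and 'User management reports'; the same hunk spells the product three different ways ('AuditAD Plus' in the front-matter name and the 'Supported events' sentence, 'AuditAd Plus' in the overview, 'ADAudit Plus' in the 'Enable Syslog forwarding' steps), and the heading '## Futher Readings' should be '## Further Readings'. The numbered steps also mix styles: steps 2 and 6 lack a trailing full stop and step 7 capitalises mid-sentence ('After saving this configuration, Choose the categories to forward.' should be '..., choose the categories to forward.'). Since step 5 asks the reader to enter a port number and protocol, the 'Prerequisites' section should state which transport the log concentrator is expected to accept for this CEF feed, so the reader does not have to guess.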
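Review bot: the rename hunk at '@@ -1,18 +1,18 @@' corrects the product name to 'ADAudit Plus' but leaves '- Group managements reports (`GroupMgmtReports`)', visible in this hunk's trailing context, untouched; since the file is being edited anyway, fold the 'management' fix (and the matching 'User managements' line just below this context) into the same commit instead of leaving it for a third follow-up.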
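Review bot: in the hunk at '@@ -42,7 +42,7 @@', the intake format is given as `ManageEngine ADAuditPlus` with no space before 'Plus', while the front-matter 'name:' line changed in the same file reads 'ManageEngine ADAudit Plus'; please confirm the exact display name of the format in the intake catalogue, because readers copy this string verbatim when creating the intake, and align the two spellings if they are meant to be the same.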
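Review bot: this mkdocs.yml hunk only renames the nav label and path that PATCH 1/2 of the same series introduced a week earlier; squashing the two commits before merge would avoid landing `manageengine_auditadplus.md` in history solely to rename it to `manageengine_adauditplus.md`, and would keep the documentation and nav entry consistent in a single change.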