How to ingest ADAudit data

[kspringer-maf]

Version

2.4.120

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

many

RAM

much

Storage for /

lots

Storage for /nsm

lots

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello, we have a system called AD Audit Plus. It has a section that allows it to send it's data to a SIEM. I was wondering if anyone out there has AD Audit Plus and has connected it to their Security Onion SIEM, and was hoping for some instructions. What do I need to do on the SO side to ingest the data, and what do I define on the ADAudit side to send the data. Here's a screenshot of the ADAudit screen.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[gustavoberman]

Hello there,
I do not know that software, but it looks like you can send syslog messages. So if you put your securityonion IP in that field and allows the adaudit IP in securityonion firewall you will see adaudit data in kibana. You can read the syslog part in documentation https://docs.securityonion.net/en/2.4/syslog.html

[kspringer-maf]

It was super easy to accomplish this. I allowed the source IP into Administration>Configuration>firewall>hostgroups>syslog
Then I simply enabled the service on the AD Audit server, and I can see the logs coming into Security Onion. Very smooth!

[kspringer-maf]

Here's some additional details for context.
#14310