TDAD Log Messages

https://knowledge.broadcom.com/external/article/229874/threat-defense-for-ad-sends-limited-mess.html

TDAD Log Messages

Base Rule

General Active Directory Information

Information

NETUSER Alert Messages

Sub Rule

Vuln Medium Severity : Information Gathering

Vulnerability

ExternalNetUser Alert Messages

Sub Rule

Brute Force Activity

Attack

NetComputer Alert Messages

Sub Rule

General Information Log Message

Information

CredOTH Alert Messages

Sub Rule

General Security Alert

Warning

CredPTH Alert Messages

Sub Rule

General Security Alert

Warning

CredPTT Alert Messages

Sub Rule

General Security Alert

Warning

DCSync Alert Messages

Sub Rule

Replication Warning

Warning

PLDAP Alert Messages

Sub Rule

General LDAP Message

Information

Header: Severity

<severity>

Text/String

N/A

N/A

N/A

N/A

Threat Defense for AD server.

N/A

<vendorinfo>

Text/String

SymETDAD

domain

<domainorigin>

Text/String

Domain that Threat Defense for AD protects.

hostName

<sname>

Text/String

Source of the attack.

alarmType

<objecttype>
<tag1>

Text/String

Alarm type (in this case ‘Computer Information Gathering’).
Below are the Alert Types that you will see on Syslog:

• NETUSER – User Information Gathering

• ExternalNetUser – Brute Force Attempt

• NetComputer – Computer Information Gathering

• CredOTH – Credential Theft using Over-Pass-the-Hash

• CredPTH – Credential Theft using Pass-the-Hash

• CredPTT– Credential Theft using Pass-the-Ticket

• DCSync – Malicious DCSync Replication Attack

• PLDAP – Untrusted LDAP Binding

accounts

N/A

N/A

N/A

destination

<dname>

Text/String

Domain controller that generated the alarm.

objectName

<objectname>

Text/String

Item of the mask that was interacted with.

dm:localhost

N/A

N/A

N/A

AlertId

<vmid>

Text/String/Number

N/A

timeStamp

N/A

N/A

N/A