
TDAD Log Messages


| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| TDAD Log Messages | Base Rule | General Active Directory Information | Information |
| NETUSER Alert Messages | Sub Rule | Vuln Medium Severity : Information Gathering | Vulnerability |
| ExternalNetUser Alert Messages | Sub Rule | Brute Force Activity | Attack |
| NetComputer Alert Messages | Sub Rule | General Information Log Message | Information |
| CredOTH Alert Messages | Sub Rule | General Security Alert | Warning |
| CredPTH Alert Messages | Sub Rule | General Security Alert | Warning |
| CredPTT Alert Messages | Sub Rule | General Security Alert | Warning |
| DCSync Alert Messages | Sub Rule | Replication Warning | Warning |
| PLDAP Alert Messages | Sub Rule | General LDAP Message | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header: Severity | <severity> | Text/String | N/A |
| N/A | N/A | N/A | Threat Defense for AD server. |
| N/A | <vendorinfo> | Text/String | SymETDAD |
| domain | <domainorigin> | Text/String | Domain that Threat Defense for AD protects. |
| hostName | <sname> | Text/String | Source of the attack. |
| alarmType | <objecttype>, <tag1> | Text/String | Alarm type (in this case 'Computer Information Gathering'). The alert types that appear in Syslog are listed below the table. |
| accounts | N/A | N/A | N/A |
| destination | <dname> | Text/String | Domain controller that generated the alarm. |
| objectName | <objectname> | Text/String | Item of the mask that was interacted with. |
| dm:localhost | N/A | N/A | N/A |
| AlertId | <vmid> | Text/String/Number | N/A |
| timeStamp | N/A | N/A | N/A |

Alert types (alarmType values) that you will see on Syslog:

  • NETUSER – User Information Gathering

  • ExternalNetUser – Brute Force Attempt

  • NetComputer – Computer Information Gathering

  • CredOTH – Credential Theft using Over-Pass-the-Hash

  • CredPTH – Credential Theft using Pass-the-Hash

  • CredPTT – Credential Theft using Pass-the-Ticket

  • DCSync – Malicious DCSync Replication Attack

  • PLDAP – Untrusted LDAP Binding
