4 Replies Latest reply on Jul 21, 2014 4:10 PM by rth67

    Adding Domain Controllers into ESM

      I am new to ESM, and I have got a list of 16 domain controllers in the environment, a mixture of Windows 2003 and 2012.

      Does anyone know the best way to add them into ESM, and do I really need to add all of them?

      Thanks in advance.



        • 1. Re: Adding Domain Controllers into ESM

          Your best bet is to create a system profile for Windows Logs...

          Then you can just choose that profile for each of your DCs. Makes setting them up a lot faster.

          • 2. Re: Adding Domain Controllers into ESM

            Actually, especially since you have 16 DCs, the Best Practice approach would be to use a DC profile. Create a System Profile for your DCs, using the method above as described by @mperrin. Then you could actually do an autolearn and automatically add them via a create rule, based on their system name or IPs, presuming you have naming standards in place for server roles.

            • 3. Re: Adding Domain Controllers into ESM

              To answer the question "do all DCs need to be added as data sources?" In my experience, yes. Mainly because of security group changes. Events for changes to a security group remain on the DC the change was made on. They do not get transferred to the PDC. We alert on changes to high-access groups such as Domain Admins, Enterprise Admins, etc. Those events can come from anywhere. You'll also want to be able to see all authentications on all of your DCs.

              In addition, I have set up correlations and alerts to notify the SOC that a DC has been promoted or demoted. These two Signatures, 43-263051370 and 43-263051410, show that a server object is added to or removed from AD Sites and Services (where the server object sets up connections to other DCs for AD replication). My two correlations, "server added" and "server removed", each look for that Signature ID along with "CommandID (In) [server]". I then alert on that correlation signature ID when it is triggered, and it gets emailed to the SOC. Works great. Sometimes the domain admins forget to tell us when they make changes to domain controllers.



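The "server added" / "server removed" correlation described in the reply above, re-implemented as a small stand-alone script so the logic can be checked against sample data. This is an added example, not code from the thread or from the ESM product: the two Signature IDs come from the post, but the event field names (`sig_id`, `command`, `host`), the event layout and the sample events are assumptions constructed for the demonstration.

```python
# Added example: replay the DC promotion/demotion correlation from the post
# over constructed sample events. Only the two Signature IDs are from the
# thread; field names and sample data are assumptions.
from dataclasses import dataclass

# Signature IDs quoted in the reply: server object added to / removed from
# AD Sites and Services.
SIG_SERVER_OBJECT_ADDED = "43-263051370"
SIG_SERVER_OBJECT_REMOVED = "43-263051410"


@dataclass
class Event:
    sig_id: str   # ESM signature ID (assumed field name)
    command: str  # value of the "CommandID" field (assumed field name)
    host: str     # DC that logged the event (assumed field name)
    message: str  # free-text description (constructed)


def correlate(events):
    """Return (alert_name, host) tuples for events matching the correlation.

    Both correlations require the Signature ID AND a CommandID containing
    "server", mirroring the "CommandID (In) [server]" condition in the post.
    """
    alerts = []
    for ev in events:
        if "server" not in ev.command.lower():
            continue  # CommandID condition not met; not a server object change
        if ev.sig_id == SIG_SERVER_OBJECT_ADDED:
            alerts.append(("server added", ev.host))
        elif ev.sig_id == SIG_SERVER_OBJECT_REMOVED:
            alerts.append(("server removed", ev.host))
    return alerts


# Constructed sample events: one promotion, one demotion, one matching
# signature with a non-server CommandID (should not fire), and noise.
SAMPLE_EVENTS = [
    Event(SIG_SERVER_OBJECT_ADDED, "server", "DC17",
          "Server object created under CN=Servers,CN=Default-First-Site-Name"),
    Event(SIG_SERVER_OBJECT_ADDED, "subnet", "DC02",
          "Subnet object created"),
    Event("43-000000001", "server", "DC05",
          "Unrelated signature mentioning server"),
    Event(SIG_SERVER_OBJECT_REMOVED, "server", "DC03",
          "Server object deleted from AD Sites and Services"),
]


def main():
    for name, host in correlate(SAMPLE_EVENTS):
        print(f"ALERT {name}: reported by {host}")  # would be emailed to the SOC


if __name__ == "__main__":
    main()
```

The third sample event shows why the post pairs the Signature ID with the CommandID condition: the signature alone would fire on other object types in AD Sites and Services, while the CommandID filter restricts it to server objects.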
              • 4. Re: Adding Domain Controllers into ESM

                You can either create the Data Sources manually using the instructions provided, or you can import them from a CSV file to mass import the systems. The easiest way to do this is to create one, then export from the Receiver's Data Source tab, then add the new devices to that CSV and import it back in. The two things to remember when importing are that column "A" is for "add, remove, or change" and column "B" is for the Receiver's "Device ID" - make sure to change the field to "Text", then copy and paste from the "Name and Description" page of the Receiver Properties.

                Yes, you should have all of your DCs in the SIEM.

                If you really want to be secure / be able to meet your compliance requirements (SOX, PCI, COBIT, ISO 27001/27002, GLBA, etc.), you will have logs from all of your servers in the SIEM: DCs, member servers, workgroup servers, Linux/Unix/AIX servers, etc...
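The export-edit-import workflow from the reply above, scripted so the remaining DCs can be appended to an exported data-source CSV without hand-editing it in a spreadsheet. This is an added example, not code from the thread or from ESM: the post only states that column A holds the action (add/remove/change) and column B the Receiver's Device ID; every other column name, the header row, the Device ID value and the host list below are constructed assumptions, so check them against your own export before using the approach.

```python
# Added example: build an ESM data-source import CSV from one exported row.
# Column A (Action) and column B (DeviceID) follow the thread; all other
# columns, the sample Device ID and the host list are constructed.
import csv
import io

# Constructed sample export containing the one DC that was created by hand.
# The long numeric Device ID is a placeholder, not a real receiver ID.
EXPORTED_CSV = """Action,DeviceID,Name,IPAddress,Profile
change,144115188075855872,DC01,10.0.0.11,Windows DC Profile
"""

# Constructed list of the remaining domain controllers to add.
NEW_DCS = [
    ("DC02", "10.0.0.12"),
    ("DC03", "10.0.0.13"),
    ("DC01", "10.0.0.11"),  # already exported; must not be added twice
]


def build_import_csv(exported_text, new_hosts):
    """Return CSV text with one 'add' row per new host.

    The first exported row is used as a template so the profile and any other
    receiver-specific columns are copied unchanged; only Action, Name and
    IPAddress are set per host, and DeviceID is reused from the template.
    """
    reader = csv.DictReader(io.StringIO(exported_text))
    existing = list(reader)
    if not existing:
        raise ValueError("export must contain at least one data-source row")
    template = existing[0]
    device_id = template["DeviceID"]
    known_names = {r["Name"].upper() for r in existing}

    rows = []
    for name, ip in new_hosts:
        if name.upper() in known_names:
            continue  # skip DCs already present in the export
        known_names.add(name.upper())
        row = dict(template)
        row["Action"] = "add"       # column A per the post
        row["DeviceID"] = device_id  # column B per the post
        row["Name"] = name
        row["IPAddress"] = ip
        rows.append(row)

    out = io.StringIO()
    # QUOTE_ALL keeps the Device ID quoted, so a spreadsheet opened on the
    # result is less likely to reformat it as a number (the "Text" caveat).
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def parse_rows(csv_text):
    """Helper for inspection: parse CSV text back into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print(build_import_csv(EXPORTED_CSV, NEW_DCS), end="")
```

Writing the file from a script rather than editing it in a spreadsheet sidesteps the Device ID being silently converted to a floating-point number, which is the reason the post tells you to switch the column to "Text".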