Are you aware of SIEM platforms that integrate both Active Directory auditing and security monitoring tools?
Hi, community!
Usually, when professionals administer the network, they use an Active Directory tool and a cybersecurity solution (e.g., EPP, anti-virus, or SIEM) separately.
Are you aware of SIEM platforms that integrate these tools?
Senior Network Engineer at a government with 5,001-10,000 employees
Real User
Jan 19, 2022
I agree with the users who mentioned Splunk. Splunk is a log message management platform, and they have an application called Splunk Enterprise Security. It can ingest AD, anti virus, door control systems, VPN gateways, etc, etc via the log messages they generate, and has logic to correlate events (ie log messages). I am sure there are other products but Splunk is what I am familiar with.
Search for a product comparison in Security Information and Event Management (SIEM)
With the rise in insider threats, the idea of UEBA is becoming a must-have component in SOC.
This makes it necessary to have AD users or users from any other source to be available for monitoring in SIEM platforms. RSA NWP does this and definitely many other platforms.
Also, it depends on what you want to achieve;
-You can integrate many SIEM platforms with AD so that users can authenticate into SIEM using credentials from AD (external source).
-To monitor the behavior of AD users in order to identify malicious activity.
I agree with Shibu Splunk it's probably the best fit (or single point of truth) you can get at the market. With Splunk as a platform, it's natural to push forward to SOC and SOAR.
Don't forget to use the ingested data for several additional use cases in ITOps and other purposes to better up the ROI of the investment in Splunk.
Recently, we combined Tanium and Splunk as the best suite approach, it's very promising for bigger companies or if you go for an MSSP.
At one customer we connected several Point of Sales systems in an ITOps Usecase and several additional use cases for sales and marketing dropped out.
Chief Marketing Officer at Lepide Software Pvt. Ltd.
Real User
Oct 3, 2022
It is worth checking out Lepide. It is not a SIEM, but Lepide brings together AD auditing and security monitoring, and also integrates with most SIEM solutions.
Practice Lead- Network & Info Security at Inknowtech
User
Top 5
Jan 20, 2022
SIEM platform is one of the intelligent platforms which collects all the events from a given source. But generally admins only integrate security events with SIEM tools.
All the infra tools and equipment can integrate with the SIEM platform. The most important bit is that when the events get captured, the logger should be capable of translating these events to the human-readable format.
Here are some of the SIEM platforms:
ArcSight, Splunk, IBM QRadar, LogRhythm, ELK, etc.
I have been looking into the same thing. I am taking a very close look at Sentinel. It really comes down to what you are running. Azure AD with Azure Cloud and if you were running Defender for the enterprise. The integrations within Sentinel would be unmatched.
There are many tools that can integrate with SIEM platforms. With our SIEM team, we have integrated AD and security monitoring tools with Splunk & Securonix.
To get further information, can you share which security monitoring tools are you using and plan to integrate?
SIEM integrates real-time monitoring with advanced analysis of security events. It consolidates functions to provide comprehensive threat detection and response, enhancing organizational security measures.SIEM solutions offer extensive threat intelligence, enabling security teams to detect anomalies and incidents effectively. They provide a centralized view of an organization's security posture, combining various data sources and offering sophisticated correlation and monitoring tools....
I agree with the users who mentioned Splunk. Splunk is a log message management platform, and they have an application called Splunk Enterprise Security. It can ingest AD, anti virus, door control systems, VPN gateways, etc, etc via the log messages they generate, and has logic to correlate events (ie log messages). I am sure there are other products but Splunk is what I am familiar with.
Hi @Giusel,
With the rise in insider threats, the idea of UEBA is becoming a must-have component in SOC.
This makes it necessary to have AD users or users from any other source to be available for monitoring in SIEM platforms. RSA NWP does this and definitely many other platforms.
Also, it depends on what you want to achieve;
-You can integrate many SIEM platforms with AD so that users can authenticate into SIEM using credentials from AD (external source).
-To monitor the behavior of AD users in order to identify malicious activity.
Thanks
Hi @Giusel,
I agree with Shibu Splunk it's probably the best fit (or single point of truth) you can get at the market. With Splunk as a platform, it's natural to push forward to SOC and SOAR.
Don't forget to use the ingested data for several additional use cases in ITOps and other purposes to better up the ROI of the investment in Splunk.
Recently, we combined Tanium and Splunk as the best suite approach, it's very promising for bigger companies or if you go for an MSSP.
At one customer we connected several Point of Sales systems in an ITOps Usecase and several additional use cases for sales and marketing dropped out.
Hope this helps a little.
Best Regards,
Norman
It is worth checking out Lepide. It is not a SIEM, but Lepide brings together AD auditing and security monitoring, and also integrates with most SIEM solutions.
SIEM platform is one of the intelligent platforms which collects all the events from a given source. But generally admins only integrate security events with SIEM tools.
All the infra tools and equipment can integrate with the SIEM platform. The most important bit is that when the events get captured, the logger should be capable of translating these events to the human-readable format.
Here are some of the SIEM platforms:
ArcSight, Splunk, IBM QRadar, LogRhythm, ELK, etc.
Hi @Giusel
I have been looking into the same thing. I am taking a very close look at Sentinel. It really comes down to what you are running. Azure AD with Azure Cloud and if you were running Defender for the enterprise. The integrations within Sentinel would be unmatched.
Hi @Giusel,
There are many tools that can integrate with SIEM platforms. With our SIEM team, we have integrated AD and security monitoring tools with Splunk & Securonix.
To get further information, can you share which security monitoring tools are you using and plan to integrate?