ManageEngine ADAudit Plus integration overview

You can integrate ManageEngine ADAudit Plus with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Product overview

ManageEngine's ADAudit Plus is a comprehensive Active Directory (AD) audit solution that offers real-time monitoring, user and entity behavior analytics, and change auditing. It provides detailed reports on changes to AD objects, user logon activities, and Group Policy settings, supporting compliance, security, and forensic readiness.

Sophos documents

Integrate ManageEngine ADAudit Plus

What we ingest

Sample alerts seen by Sophos include the following:

  • Logon Failures for Admin Users
  • Group Membership Changes
  • Privilege Escalation - First time Utilizing a Privilege
  • Folder Permission Changes
  • Users Created
  • Password Never Expire Enabled
  • Unusual Activity - User Management Activity
  • Deleted Users
  • Recently Detected Replay Attack report was viewed for the domain DOMAIN
  • Special Groups have been assigned to a New Logon. report was viewed for the domain DOMAIN
  • Certificate Request Status
  • Failed to update the domain values for the domain DOMAIN, Domain Already Exists, Please check with Admin Privileges
  • Power BI Group Membership Modified
  • Problem while modifying the Servers, Error : Error while updating server(s), Changed Computers :
  • Successfully updated the Alert Profile, Alert Profile Name : Modified Admin Groups
  • System Shutdown report was viewed for the domain DOMAIN
  • Unusual Activity - Logon Time on Host

Filtering

We filter alerts as follows:

  • ALLOW valid CEF.
  • DROP various reviewed, non-security-related messages and logs.

Sample threat mappings

{"alertType": "LAPS Password read - DOMAIN report was viewed for the domain DOMAIN", "threatId": "TA0006", "threatName": "Credential Access"}
{"alertType": "Successfully scheduled the event collection from selected computer(s) Domain : DOMAIN", "threatId": "T1070", "threatName": "Indicator Removal on Host"}
{"alertType": "Domain DOMAIN deletion process started", "threatId": "TA0040", "threatName": "Impact"}
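The filter stage (ALLOW valid CEF, DROP reviewed non-security messages) and the alert-name-to-threat mapping above, as an added example that is not Sophos or ManageEngine code. It assumes ADAudit Plus forwards alerts as CEF over syslog and that the alert name lands in the CEF Name header field; the sample lines, the vendor/product/version/signature values and the DROP_PREFIXES list are constructed placeholders, while THREAT_MAP holds the three mappings shown on this page.

```python
import re

# Threat mappings taken from the page: alertType -> (threatId, threatName).
THREAT_MAP = {
    "LAPS Password read - DOMAIN report was viewed for the domain DOMAIN": ("TA0006", "Credential Access"),
    "Successfully scheduled the event collection from selected computer(s) Domain : DOMAIN": ("T1070", "Indicator Removal on Host"),
    "Domain DOMAIN deletion process started": ("TA0040", "Impact"),
}

# Hypothetical stand-in for the "reviewed and non-security related" drop list (constructed).
DROP_PREFIXES = ("Report export completed",)

CEF_HEADER_RE = re.compile(r"^CEF:\d+\|")

def split_cef_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring the CEF header
    escapes (\\| and \\\\). Returns (fields, extension) or None if not valid CEF."""
    if not CEF_HEADER_RE.match(line):
        return None
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe or backslash
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < 7:                        # header truncated -> not valid CEF
        return None
    return fields, line[i:]                    # remainder is the key=value extension

def triage(line):
    """Apply the page's filter and then the threat mapping.
    Returns a dict for accepted alerts, or None when the line is dropped."""
    parsed = split_cef_header(line)
    if parsed is None:
        return None                            # ALLOW valid CEF only
    fields, ext = parsed
    name = fields[5]                           # assumption: alert name is the CEF Name field
    if name.startswith(DROP_PREFIXES):
        return None                            # DROP reviewed non-security noise
    threat_id, threat_name = THREAT_MAP.get(name, (None, None))
    return {"alertType": name, "severity": fields[6], "threatId": threat_id,
            "threatName": threat_name, "extension": ext}

# Constructed sample syslog payloads; values are placeholders, not real ADAudit Plus output.
SAMPLE_LINES = [
    "CEF:0|ManageEngine|ADAudit Plus|0.0|1001|LAPS Password read - DOMAIN report was viewed for the domain DOMAIN|5|suser=jdoe shost=dc01",
    "CEF:0|ManageEngine|ADAudit Plus|0.0|1002|Report export completed|1|suser=jdoe",
    "<134>Jan 01 00:00:00 dc01 free-text line that is not CEF",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```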

Vendor documentation

SIEM Integration: Forwarding ADAudit Plus data to a Syslog Server