Cisco Firepower Management Center 4000
FireSIGHT User Agent Configuration Guide
Chapter 1 Introduction
Understanding User Agents
Understanding User Agent Functionality
The FireSIGHT System can obtain both user identity and user activity information from your
organization’s LDAP servers. User Agents allow you to monitor users when they authenticate with
Active Directory credentials against Microsoft Active Directory servers.
You can install an agent on any Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8,
Microsoft Windows Server 2003, Microsoft Windows Server 2008, or Microsoft Windows Server 2012
computer with TCP/IP access to the Microsoft Active Directory servers you want to monitor. You can
also install the agent directly on an Active Directory server running one of the supported operating systems.
Each agent can monitor logins using encrypted traffic, either through regularly scheduled polling or
real-time monitoring. Logins are generated by the Active Directory server when a user logs into a
computer, whether at the workstation or through a Remote Desktop login.
Agents can also monitor and report user logoffs. Logoffs are generated by the agent itself when it detects
that a user has logged out of a host IP address. Logoffs are also generated when the agent detects that the user
logged into a host has changed, before the Active Directory server reports that the user has changed.
Combining logoff data with login data gives a more complete view of the users logged into the
network.
Polling an Active Directory server allows an agent to retrieve batches of user activity data at the defined
polling interval. Real-time monitoring transmits user activity data to the agent as soon as the Active
Directory server receives the data.
You can configure the agent to exclude reporting any logins or logoffs associated with a specific
username or IP address. This can be useful, for example, to exclude repeated logins to shared servers,
such as file shares and print servers, as well as exclude users logging into machines for troubleshooting
purposes.
You can configure each agent to monitor up to five servers and send that encrypted data on to as many
as five Defense Centers.
The agents send records of all detected logins and logoffs that do not contain an excluded username or
IP address to Defense Centers, which log and report them as user activity. The agents detect the Defense
Center version and send the login records in the appropriate data format. This supplements any user
activity detected directly by managed devices. If you are using Version 5.x of the FireSIGHT System to
perform access control, the logins reported by User Agents associate users with IP addresses, which in
turn allows access control rules with user conditions to trigger.
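The following model, added here as an illustration and not Cisco's User Agent code, replays constructed Active Directory login and logoff events the way this chapter describes: the agent keeps a host-IP-to-user map, synthesises a logoff for the previous user when a different user appears on a host, and drops any record whose username or IP address is on the exclusion lists before it would be sent to a Defense Center. Class and field names are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Record:
    kind: str       # "login" or "logoff"
    username: str
    host_ip: str
    source: str     # "ad" = reported by the AD server, "agent" = generated by the agent


class UserAgent:
    """Hypothetical model of the User Agent's login/logoff reporting (example, not Cisco code)."""

    def __init__(self, excluded_users=(), excluded_ips=()):
        # Exclusions: usernames compare case-insensitively, IPs as parsed addresses.
        self.excluded_users = {u.lower() for u in excluded_users}
        self.excluded_ips = {ip_address(ip) for ip in excluded_ips}
        self.current = {}   # host_ip -> username the agent believes is logged in

    def _excluded(self, rec):
        return (rec.username.lower() in self.excluded_users
                or ip_address(rec.host_ip) in self.excluded_ips)

    def process(self, events):
        """Consume (kind, username, host_ip) events; return records for the Defense Center."""
        out = []
        for kind, username, host_ip in events:
            if kind == "login":
                prev = self.current.get(host_ip)
                if prev is not None and prev.lower() != username.lower():
                    # A different user appeared on the host: the agent reports the
                    # previous user's logoff before the AD server would.
                    out.append(Record("logoff", prev, host_ip, "agent"))
                self.current[host_ip] = username
                out.append(Record("login", username, host_ip, "ad"))
            elif kind == "logoff":
                # The agent itself detected the user leaving the host.
                self.current.pop(host_ip, None)
                out.append(Record("logoff", username, host_ip, "agent"))
        # Records involving an excluded username or IP address are never sent.
        return [r for r in out if not self._excluded(r)]


# Constructed sample events: a shared host changes user, a service account and an
# excluded print-server address generate noise that the exclusions filter out.
SAMPLE_EVENTS = [
    ("login", "alice", "10.0.0.7"),
    ("login", "bob", "10.0.0.7"),
    ("login", "svc_backup", "10.0.0.9"),
    ("login", "carol", "10.0.0.50"),
    ("logoff", "bob", "10.0.0.7"),
]
```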
User Agents monitor users as they log into the network or when accounts authenticate against Active
Directory credentials for other reasons. Version 2.2 of the User Agent detects interactive user logins to
a host, Remote Desktop logins, file-share authentication, and computer account logins, as well as user
logoffs and Remote Desktop sessions where the user has logged off.