Cisco Firepower Management Center 2000
FireSIGHT User Agent Configuration Guide
Chapter 1 Introduction
Understanding User Agents
Understanding the User Activity Database
License: FireSIGHT
The user activity database contains records of user activity on your network, either from a connection to
an Active Directory LDAP server that is also monitored by a User Agent, or through network discovery.
The system logs events in the following circumstances:
• when it detects individual logins or logoffs
• when it detects a new user
• when you manually delete a user
• when the system detects a user that is not in the database, but cannot add the user because you have
reached your FireSIGHT licensed limit
You can view the user activity detected by the system using the Defense Center web interface. For
information on viewing, searching for, and deleting user activity, see the FireSIGHT System User Guide.
If you plan to use Version 2.2 of the FireSIGHT System User Agent to send LDAP login data to your
Version 5.x Defense Centers, you must configure a connection for each agent on each Defense Center
where you want the agent to connect. That connection allows the agent to establish a secure connection
with the Defense Center, over which it can send login data. If the agent is configured to exclude specific
user names, login data for those user names are not reported to the Defense Center.
In addition, if you are planning to implement user access control, you must set up a connection to each
Microsoft Active Directory server where you plan to collect data, with user awareness parameters
configured.
Understanding the Access-Controlled Users Database
License: Control
The access-controlled users database contains the users and groups that you can use in access control
rules, so that you can perform user control with the FireSIGHT System. These users can be one of two
types:
• An access-controlled user is a user that you can add to access control rules to perform user control.
You specify the groups that access-controlled users must belong to when you configure the Defense
Center-LDAP server connection.
• A non-access-controlled user is any other detected user.
The total number of access-controlled users the Defense Center can store depends on your FireSIGHT
license.
You specify the groups that access-controlled users must belong to when you configure the Defense
Center-LDAP server connection, as described in the FireSIGHT System User Guide.
If you plan to use Version 2.2 of the FireSIGHT System User Agent to send LDAP login and logoff data
to your Version 5.x Defense Centers, you must configure a connection for each agent on each Defense
Center where you want the agent to connect. That connection allows the agent to establish a secure
connection with the Defense Center, over which it can send the user activity data.
If the agent is configured to exclude specific user names, user activity data for those user names are not
reported to the Defense Center. These excluded user names remain in the database, but are not associated
with IP addresses.