Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
• the IP address involved in the login, which can be the IP address of the user’s host (for LDAP, POP3, IMAP, and AIM logins), the server (for SMTP and Oracle logins), or the session originator (for SIP logins)
• the user’s email address (for POP3, IMAP, and SMTP logins)
• the name of the device that detected the login
If the user was previously detected, the Defense Center updates that user’s login history. Note that the
Defense Center can use the email addresses in POP3 and IMAP logins to correlate with LDAP users.
This means that, for example, if the Defense Center detects a new IMAP login, and the email address in
the IMAP login matches that for an existing LDAP user, the IMAP login does not create a new user,
rather, it updates the LDAP user’s history.
If the user has never been detected before, the Defense Center adds the user to the users database. Unique
AIM, SIP, and Oracle logins always create new user records, because there is no data in those login
events that the Defense Center can correlate with other login types.
The Defense Center does not log user activity or user identities in the following cases:
• if you configured the network discovery policy to ignore that login type, as described in
• if a managed device detects an SMTP login, but the users database does not contain a previously detected LDAP, POP3, or IMAP user with a matching email address
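The correlation rules above (update an existing user's history, create a new record, or drop the event) can be read as a small decision procedure. The following is an illustration added to this page, not Cisco's implementation: the class and function names (UsersDatabase, process_login, run_demo) and the sample events are constructed for the example, and it assumes that an LDAP login event carries the user's email address and that a second LDAP login for the same user name updates the earlier LDAP user.

```python
"""Constructed model of the user-login correlation rules in this section.

Illustration code added to this page, not Cisco's implementation. The names
UsersDatabase, process_login and run_demo are assumed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

EMAIL_TYPES = {"POP3", "IMAP", "SMTP"}       # logins that carry an email address
ALWAYS_NEW_TYPES = {"AIM", "SIP", "Oracle"}  # nothing in these events correlates with other types
CORRELATABLE = {"LDAP", "POP3", "IMAP"}      # SMTP logins may only attach to users seen via these


@dataclass
class LoginEvent:
    login_type: str
    username: str
    ip: str           # host, server or session originator, depending on the login type
    device: str       # managed device that detected the login
    email: Optional[str] = None


@dataclass
class UserRecord:
    username: str
    email: Optional[str]
    sources: set = field(default_factory=set)   # login types seen for this user so far
    history: list = field(default_factory=list)  # (login_type, ip, device) per detected login


class UsersDatabase:
    """Applies the rules from the text: update history, create a record, or drop the event."""

    def __init__(self, ignored_types=()):
        self.ignored_types = set(ignored_types)  # login types the discovery policy ignores
        self.records = []
        self.discarded = []                      # (event, reason) for events that were not logged

    def _find_by_email(self, email):
        for rec in self.records:
            if email and rec.email == email and rec.sources & CORRELATABLE:
                return rec
        return None

    def _find_by_username(self, username):
        # Assumption for this example: an LDAP login matches an earlier LDAP user by user name.
        return next((r for r in self.records if r.username == username and "LDAP" in r.sources), None)

    def _update(self, rec, ev):
        rec.sources.add(ev.login_type)
        rec.history.append((ev.login_type, ev.ip, ev.device))

    def _create(self, ev):
        rec = UserRecord(ev.username, ev.email)
        self._update(rec, ev)
        self.records.append(rec)
        return rec

    def process_login(self, ev):
        if ev.login_type in self.ignored_types:
            self.discarded.append((ev, "login type ignored by network discovery policy"))
            return None
        if ev.login_type in ALWAYS_NEW_TYPES:
            return self._create(ev)            # unique AIM, SIP and Oracle logins are always new users
        match = self._find_by_email(ev.email) if ev.login_type in EMAIL_TYPES else None
        if match is None and ev.login_type == "LDAP":
            match = self._find_by_username(ev.username)
        if match is None and ev.login_type == "SMTP":
            self.discarded.append((ev, "SMTP login with no matching LDAP/POP3/IMAP user"))
            return None
        if match is not None:
            self._update(match, ev)            # previously detected: update the login history only
            return match
        return self._create(ev)


def run_demo():
    """Replays a constructed event sequence and returns the database for inspection."""
    db = UsersDatabase(ignored_types={"AIM"})
    events = [
        LoginEvent("LDAP", "jdoe", "10.0.0.5", "sensor-1", email="jdoe@example.com"),
        LoginEvent("IMAP", "jdoe", "10.0.0.5", "sensor-1", email="jdoe@example.com"),    # same user
        LoginEvent("SMTP", "unknown", "10.0.0.25", "sensor-1", email="nobody@example.com"),  # dropped
        LoginEvent("SIP", "jdoe", "10.0.0.5", "sensor-2"),                                # new record
        LoginEvent("AIM", "jdoe", "10.0.0.5", "sensor-2"),                                # ignored
    ]
    for ev in events:
        db.process_login(ev)
    return db


if __name__ == "__main__":
    demo = run_demo()
    for rec in demo.records:
        print(rec.username, sorted(rec.sources), len(rec.history))
    for ev, reason in demo.discarded:
        print("discarded", ev.login_type, reason)
```

Running the demo leaves two user records: one LDAP user whose history gained the IMAP login because the email addresses matched, and a separate SIP user for the same person, since SIP events carry nothing the database can correlate. The SMTP login with an unknown email and the policy-ignored AIM login are discarded with their reasons, which is what you would expect to see reflected when reviewing user activity on the Defense Center.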
User Agents
License: FireSIGHT
If your organization uses Microsoft Active Directory LDAP servers, Cisco recommends that you install
User Agents to monitor user activity via your Active Directory servers. If you want to perform user
control, you must install and use User Agents; the agents associate users with IP addresses, which in
turn allows access control rules with user conditions to trigger. You can use one agent to monitor user
activity on up to five Active Directory servers.
To use an agent, you must configure a connection between each Defense Center connected to the agent and the monitored LDAP servers. This connection not only allows you to retrieve metadata for the users whose logins and logoffs were detected by User Agents, but also is used to specify the users and groups you want to use in access control rules. For more information on configuring LDAP servers for user discovery, see .
Each agent can monitor logins using encrypted traffic, either through regularly scheduled polling or
real-time monitoring. Logins are generated by the Active Directory server when a user logs into a
computer, whether at the workstation or through a Remote Desktop login.
Agents can also monitor and report user logoffs. Logoffs are generated by the agent itself when it detects
a user logged out of a host IP address. Logoffs are also generated when the agent detects that the user
logged into a host has changed, before the Active Directory server reports that the user has changed.
Combining logoff data with login data develops a more complete view of the users logged into the
network.
Polling an Active Directory server allows an agent to retrieve batches of user activity data at the defined
polling interval. Real-time monitoring transmits user activity data to the agent as soon as the Active
Directory server receives the data.
You can configure the agent to exclude reporting any logins or logoffs associated with a specific user
name or IP address. This can be useful, for example, to exclude repeated logins to shared servers, such
as file shares and print servers, as well as exclude users logging into machines for troubleshooting
purposes.
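The agent behaviour described in the last four paragraphs (logins taken from the Active Directory server, logoffs generated by the agent when it sees a user leave a host or when the user on a host changes, and user-name or IP exclusions applied before anything is reported) can be modelled as a small state machine keyed on host IP. The following is an illustration added to this page, not Cisco's User Agent code: the names (Observation, AgentState, report_events, demo_reports) and the sample observations are constructed for the example, and sorting by timestamp stands in for the batching that polling introduces.

```python
"""Constructed model of how a User Agent turns Active Directory login observations and
its own logoff detection into reports, honouring user-name and IP exclusions.

Illustration code added to this page, not Cisco's User Agent. The names Observation,
AgentState, report_events and demo_reports are assumed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Observation:
    kind: str   # "ad_login": reported by the AD server; "host_logout": seen by the agent itself
    user: str
    ip: str     # host the user logged into
    ts: int     # constructed timestamp, used to order polled batches


@dataclass
class AgentState:
    excluded_users: set = field(default_factory=set)
    excluded_ips: set = field(default_factory=set)
    current: dict = field(default_factory=dict)   # host IP -> user currently logged in
    reports: list = field(default_factory=list)   # (kind, user, ip, ts) sent to the Defense Center

    def _report(self, kind, user, ip, ts):
        # Exclusions apply to reporting only, e.g. shared file/print servers or troubleshooting accounts
        if user in self.excluded_users or ip in self.excluded_ips:
            return
        self.reports.append((kind, user, ip, ts))

    def handle(self, obs):
        previous = self.current.get(obs.ip)
        if obs.kind == "ad_login":
            if previous is not None and previous != obs.user:
                # The user on this host changed: the agent generates the logoff itself,
                # before the Active Directory server reports the change.
                self._report("logoff", previous, obs.ip, obs.ts)
            self.current[obs.ip] = obs.user
            self._report("login", obs.user, obs.ip, obs.ts)
        elif obs.kind == "host_logout":
            # Only a logout of the user currently tracked on that host produces a logoff
            if previous == obs.user:
                del self.current[obs.ip]
                self._report("logoff", obs.user, obs.ip, obs.ts)


def report_events(observations, excluded_users=(), excluded_ips=()):
    """Processes observations in time order and returns the reports the agent would send."""
    agent = AgentState(set(excluded_users), set(excluded_ips))
    for obs in sorted(observations, key=lambda o: o.ts):   # polled batches arrive out of order
        agent.handle(obs)
    return agent.reports


# Constructed sample: a shared workstation, a service account and a print server
SAMPLE_OBSERVATIONS = [
    Observation("ad_login", "alice", "10.1.1.10", 1),
    Observation("ad_login", "bob", "10.1.1.10", 3),         # alice replaced by bob on the same host
    Observation("ad_login", "svc_backup", "10.1.1.20", 2),  # excluded user name
    Observation("ad_login", "carol", "10.1.1.100", 4),      # excluded IP (print server)
    Observation("host_logout", "bob", "10.1.1.10", 5),
    Observation("host_logout", "alice", "10.1.1.10", 6),    # stale: alice is no longer on that host
]


def demo_reports():
    return report_events(SAMPLE_OBSERVATIONS,
                         excluded_users={"svc_backup"}, excluded_ips={"10.1.1.100"})


if __name__ == "__main__":
    for report in demo_reports():
        print(*report)
```

The demo yields four reports: alice's login, the agent-generated logoff for alice at the moment bob's login is seen on the same host, bob's login, and bob's logoff. The service-account and print-server logins are tracked but never reported, and the stale logout for alice is ignored because she is no longer the user recorded for that host.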