Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 38 Working with Discovery Events
Working with Users
Department
The user’s department, as obtained from the optional Defense Center-LDAP server connections. If
there is no department explicitly associated with the user on your LDAP servers, the department is
listed as whatever default group the server assigns. For example, on Active Directory, this is
Users (ad). This field is blank if:
  – you have not configured a Defense Center-LDAP server connection
  – the Defense Center cannot correlate the user in the Defense Center database with an LDAP
    record (for example, for users added to the database via an AIM, Oracle, or SIP login)
Phone
The user’s telephone number, as obtained from the optional Defense Center-LDAP server
connections. This field is blank if:
  – you have not configured a Defense Center-LDAP server connection
  – the Defense Center cannot correlate the user in the Defense Center database with an LDAP
    record (for example, for users added to the database via an AIM, Oracle, or SIP login)
  – there is no telephone number associated with the user on your LDAP servers
User Type
The protocol used to detect the user. For example, for users added to the database when a
POP3 login is detected, the user type is pop3.
Count
The number of users that match the information that appears in each row. Note that the Count field 
appears only after you apply a constraint that creates two or more identical rows.
Understanding User Details and Host History
License: FireSIGHT
From any event view that associates user identity data with other kinds of events, as well as from a table 
view of users, you can display the User Identity pop-up window to learn more about a specific user. User 
information also appears in the terminating page for users workflows.
The user data you see is the same as you would see in the table view of users; for more information, see 
.
The host history provides a graphic representation of the last twenty-four hours of the user’s activity. It
lists the IP addresses of the hosts that the user logged into and logged off of, with bar graphs that
approximate login and logout times. A typical user might log on to and off of multiple hosts in the course
of a day. For example, periodic automated logins to a mail server would display as multiple short sessions,
while longer logins (such as during working hours) display as longer sessions.
Note that when a non-authoritative user login to a host is detected, that login is recorded in the user and 
host history. If no authoritative user is associated with the host, a non-authoritative user can be the 
current user for the host. However, after an authoritative user login is detected for that host, only another 
authoritative user login changes the current user. In addition, when a non-authoritative user is the current 
user on a host, that user still cannot be used for user control. If you configure capture of failed logins in 
the network discovery policy, the host history also includes hosts where the user failed to log in.
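
The current-user rules in the preceding paragraph can be replayed over a sequence of logins. The following Python model is an added example, not code from the FireSIGHT System. It assumes each login is already classified as authoritative or not, that a later non-authoritative login replaces an earlier non-authoritative current user, and that failed logins never change the current user; all names and the sample events are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Login(NamedTuple):          # hypothetical record, not a product schema
    host: str                     # IP address of the host logged into
    user: str
    authoritative: bool           # assumed to be classified by the detector
    failed: bool = False


def replay(events, capture_failed=False):
    """Return (current user per host, host history per user) after all events."""
    current = {}                  # host -> (user, is_authoritative)
    history = defaultdict(list)   # user -> [(host, outcome), ...]
    for ev in events:
        if ev.failed:
            # Failed logins reach the history only when capture is configured.
            if capture_failed:
                history[ev.user].append((ev.host, "failed"))
            continue
        # Every detected login is recorded, authoritative or not.
        history[ev.user].append((ev.host, "login"))
        holder = current.get(ev.host)
        # Once an authoritative user holds the host, only another
        # authoritative login changes the current user.
        if ev.authoritative or holder is None or not holder[1]:
            current[ev.host] = (ev.user, ev.authoritative)
    return current, dict(history)


def usable_for_user_control(current, host):
    """A non-authoritative current user cannot be used for user control."""
    holder = current.get(host)
    return holder is not None and holder[1]


# Constructed sample events (documentation address range).
EVENTS = [
    Login("192.0.2.5", "sip_guest", authoritative=False),
    Login("192.0.2.5", "alice", authoritative=True),
    Login("192.0.2.5", "aim_buddy", authoritative=False),  # recorded, not current
    Login("192.0.2.9", "aim_buddy", authoritative=False),  # current, no user control
    Login("192.0.2.9", "bob", authoritative=True, failed=True),
]

if __name__ == "__main__":
    current, history = replay(EVENTS, capture_failed=True)
    for host, (user, auth) in current.items():
        print(host, user, "authoritative" if auth else "non-authoritative")
```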