FireSIGHT System User Guide
Chapter 35      Introduction to Network Discovery
Understanding Discovery Data Collection
The agents send records of all detected logins and logoffs that do not contain an excluded user name or 
IP address to Defense Centers, which log and report them as user activity. The agents detect the Defense 
Center version and send the login records in the appropriate data format. This supplements any user 
activity detected directly by managed devices. The logins reported by User Agents associate users with 
IP addresses, which in turn allows access control rules with user conditions to trigger.
User Agents monitor users as they log into the network or when accounts authenticate against Active 
Directory credentials for other reasons. Version 2.1 of the User Agent detects interactive user logins to 
a host, Remote Desktop logins, file-share authentication, and computer account logins, as well as user 
logoffs and Remote Desktop sessions where the user has logged off.
The type of login detected determines how the agent reports the login and how the login appears in the 
host profile. An authoritative user login for a host causes the current user mapped to the host IP address 
to change to the user from the new login. Other logins either do not change the current user or only 
change the current user for the host if the existing user on the host did not have an authoritative user 
login to the host. In these cases, if the expected user is no longer logged in, the agent generates a logoff 
for that user. User logins detected by network discovery only change the current user for the host if the 
existing user on the host did not have an authoritative user login to the host. Agent-detected logins have 
the following effect on the network map:
  • When the agent detects an interactive login to a host by a user or a Remote Desktop login, the agent reports an authoritative user login for the host and changes the current user for the host to the new user.
  • If the agent detects a login for file-share authentication, the agent reports a user login for the host, but does not change the current user on the host.
  • If the agent detects a computer account login to a host, the agent generates a NetBIOS Name Change discovery event and the host profile reflects any change to the NetBIOS name.
  • If the agent detects a login from an excluded user name, the agent does not report a login to the Defense Center.
When a login or other authentication occurs, the agent sends the following information to the Defense 
Center:
  • the user’s LDAP user name
  • the time of the login or other authentication
  • the IP address of the user’s host, and the link-local address if the agent reports an IPv6 address for a computer account login
The Defense Center records login and logoff information as user activity. When a User Agent reports 
user data from a user login or logoff, the reported user is checked against the list of users. If the reported 
user matches an existing user reported by an agent, the reported data is assigned to the user. Reported 
users that do not match existing users cause a new user to be created. 
Even though the user activity associated with an excluded user name is not reported, related user activity 
may still be reported. If the agent detects a user login to a machine, then the agent detects a second user 
login, and you have excluded the user name associated with the second user login from reporting, the 
agent reports a logoff for the original user. However, no login for the second user is reported. As a result, 
no user is mapped to the IP address, even though the excluded user is logged into the host.
Note the following limitations on user names detected by the agent:
  • User names ending with a dollar sign character ($) reported to a Version 5.0.2+ Defense Center update the network map, but do not appear as user logins. Agents do not report user names ending with a dollar sign character ($) to any other versions of Defense Centers.
  • Defense Center display of user names containing Unicode characters may have limitations.
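The rules above (authoritative versus non-authoritative logins, the excluded-user logoff edge case, and the dollar-sign handling that depends on the Defense Center version) are easier to follow as a small state model. The following Python is an added illustration written for this page, not Cisco code or any part of the User Agent: the event names, record shapes, exclusion list, version tuple and the choice to treat only interactive and Remote Desktop logins as displacing the original user in the excluded-user case are assumptions made for the example.

```python
"""Constructed model of the User Agent login-handling rules described above.

Added illustration, not Cisco code: the event names, the record shapes, the
exclusion list and the Defense Center version tuple are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Login types the text treats as authoritative for the host's current user.
AUTHORITATIVE = {"interactive", "remote_desktop"}


@dataclass
class HostState:
    current_user: Optional[str] = None
    authoritative: bool = False  # True if current_user came from an authoritative login


@dataclass
class AgentModel:
    excluded_users: set = field(default_factory=set)
    dc_version: tuple = (5, 0, 2)                 # assumed Defense Center version
    hosts: dict = field(default_factory=dict)     # ip -> HostState (the "network map")
    reported: list = field(default_factory=list)  # records the agent sent to the DC

    def _host(self, ip):
        return self.hosts.setdefault(ip, HostState())

    def _report(self, event, ip, user, **extra):
        record = {"event": event, "ip": ip, "user": user, **extra}
        self.reported.append(record)
        return record

    def current_user(self, ip):
        return self._host(ip).current_user

    def login(self, ip, user, kind, source="agent"):
        """Apply one detected login; returns the record sent to the DC, or None.

        `source` is "agent" (User Agent) or "discovery" (network discovery).
        """
        host = self._host(ip)

        # Excluded user names are never reported. The edge case from the text:
        # when an excluded user logs in after another user, the agent reports a
        # logoff for the original user but no login, leaving the IP unmapped.
        # Assumption: only an authoritative login type displaces the original user.
        if user in self.excluded_users:
            if source == "agent" and kind in AUTHORITATIVE and host.current_user:
                record = self._report("logoff", ip, host.current_user)
                self.hosts[ip] = HostState()
                return record
            return None

        # A computer account login surfaces as a NetBIOS Name Change event and
        # does not touch the current user.
        if kind == "computer_account":
            return self._report("netbios_name_change", ip, user)

        # Names ending in "$": a 5.0.2+ Defense Center updates the network map
        # but shows no user login; earlier versions receive nothing at all.
        if user.endswith("$"):
            if self.dc_version >= (5, 0, 2):
                return self._report("network_map_update", ip, user)
            return None

        agent_authoritative = source == "agent" and kind in AUTHORITATIVE
        record = self._report("login", ip, user, authoritative=agent_authoritative)

        if agent_authoritative:
            # Interactive and Remote Desktop logins always replace the current user.
            host.current_user, host.authoritative = user, True
        elif source == "discovery" and not host.authoritative:
            # Network-discovery logins only win when no authoritative user holds the host.
            host.current_user = user
        # File-share logins (and discovery logins against an authoritative user)
        # are reported but leave the mapping unchanged.
        return record

    def logoff(self, ip, user):
        """Apply a detected logoff; clears the mapping only if that user held it."""
        host = self._host(ip)
        if host.current_user == user:
            self.hosts[ip] = HostState()
        return self._report("logoff", ip, user)


if __name__ == "__main__":
    # Constructed walkthrough of the excluded-user edge case.
    m = AgentModel(excluded_users={"svc_backup"})
    m.login("10.0.0.5", "alice", "interactive")
    m.login("10.0.0.5", "bob", "file_share")          # reported; alice stays current
    m.login("10.0.0.5", "svc_backup", "interactive")  # logoff for alice, no login
    for r in m.reported:
        print(r)
    print("current user for 10.0.0.5:", m.current_user("10.0.0.5"))
```

The walkthrough in the `__main__` block reproduces the case the text warns about: after the excluded account logs in, the Defense Center has a logoff for the original user and no login for the new one, so user-conditioned access control rules for that IP no longer match even though a user is logged in. When reviewing an exclusion list, that is the behaviour to keep in mind.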