Cisco Firepower Management Center 4000
35-6
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
The agents send records of all detected logins and logoffs that do not contain an excluded user name or
IP address to Defense Centers, which log and report them as user activity. The agents detect the Defense
Center version and send the login records in the appropriate data format. This supplements any user
activity detected directly by managed devices. The logins reported by User Agents associate users with
IP addresses, which in turn allows access control rules with user conditions to trigger.
User Agents monitor users as they log into the network or when accounts authenticate against Active
Directory credentials for other reasons. Version 2.1 of the User Agent detects interactive user logins to
a host, Remote Desktop logins, file-share authentication, and computer account logins, as well as user
logoffs and Remote Desktop sessions where the user has logged off.
The type of login detected determines how the agent reports the login and how the login appears in the
host profile. An authoritative user login for a host causes the current user mapped to the host IP address
to change to the user from the new login. Other logins either do not change the current user or only
change the current user for the host if the existing user on the host did not have an authoritative user
login to the host. In these cases, if the expected user is no longer logged in, the agent generates a logoff
for that user. User logins detected by network discovery only change the current user for the host if the
existing user on the host did not have an authoritative user login to the host. Agent-detected logins have
the following effect on the network map:
• When the agent detects an interactive login to a host by a user or a Remote Desktop login, the agent
reports an authoritative user login for the host and changes the current user for the host to the new
user.
• If the agent detects a login for file-share authentication, the agent reports a user login for the host,
but does not change the current user on the host.
• If the agent detects a computer account login to a host, the agent generates a NetBIOS Name Change
discovery event and the host profile reflects any change to the NetBIOS name.
• If the agent detects a login from an excluded user name, the agent does not report a login to the
Defense Center.
When a login or other authentication occurs, the agent sends the following information to the Defense
Center:
• the user’s LDAP user name
• the time of the login or other authentication
• the IP address of the user’s host, and the link-local address if the agent reports an IPv6 address for
a computer account login
The Defense Center records login and logoff information as user activity. When a User Agent reports
user data from a user login or logoff, the reported user is checked against the list of users. If the reported
user matches an existing user reported by an agent, the reported data is assigned to the user. Reported
users that do not match existing users cause a new user to be created.
Even though the user activity associated with an excluded user name is not reported, related user activity
may still be reported. If the agent detects a user login to a machine, then the agent detects a second user
login, and you have excluded the user name associated with the second user login from reporting, the
agent reports a logoff for the original user. However, no login for the second user is reported. As a result,
no user is mapped to the IP address, even though the excluded user is logged into the host.
Note the following limitations on user names detected by the agent:
• User names ending with a dollar sign character ($) reported to a Version 5.0.2+ Defense Center
update the network map, but do not appear as user logins. Agents do not report user names ending
with a dollar sign character ($) to any other versions of Defense Centers.
• Defense Center display of user names containing Unicode characters may have limitations.
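The login-handling rules above (authoritative versus non-authoritative logins, file-share and computer account logins, excluded user names, the logoff side effect when an excluded user logs in after another user, and the dollar-sign rule tied to the Defense Center version) can be followed more easily as a small state model. The following Python is an added example written for this page; it is not Cisco User Agent or Defense Center code. The class names, the login kind labels (interactive, remote_desktop, file_share, computer_account), the returned status strings and the sample user names and IP addresses are all constructed for illustration, and treating a "$" computer account login as updating the NetBIOS name in the network map is an assumption about what "update the network map" means.

```python
"""Toy model of the User Agent login rules described in the text above.
Added example, not Cisco code; names, kind labels and return values are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Login kinds the agent reports as an authoritative user login (assumed labels).
AUTHORITATIVE = {"interactive", "remote_desktop"}


@dataclass
class Host:
    ip: str
    current_user: Optional[str] = None
    authoritative: bool = False          # True if current_user came from an authoritative login
    netbios_name: Optional[str] = None


@dataclass
class DefenseCenter:
    version: tuple = (5, 0, 2)
    hosts: dict = field(default_factory=dict)
    users: set = field(default_factory=set)              # users known to the Defense Center
    user_activity: list = field(default_factory=list)    # (kind, user, ip) records
    discovery_events: list = field(default_factory=list)

    def host(self, ip: str) -> Host:
        return self.hosts.setdefault(ip, Host(ip))

    def record(self, kind: str, user: str, ip: str) -> None:
        # A reported user that matches no existing user causes a new user to be created.
        self.users.add(user)
        self.user_activity.append((kind, user, ip))

    def netbios_change(self, ip: str, name: Optional[str]) -> None:
        host = self.host(ip)
        if name and name != host.netbios_name:
            host.netbios_name = name
            self.discovery_events.append(("NetBIOS Name Change", ip, name))

    def discovery_login(self, user: str, ip: str) -> None:
        """Login seen by network discovery on a managed device (not by an agent):
        it changes the current user only if the existing user was not authoritative."""
        host = self.host(ip)
        if not host.authoritative:
            host.current_user = user
        self.record("login", user, ip)


class UserAgent:
    def __init__(self, dc: DefenseCenter, excluded_users=(), excluded_ips=()):
        self.dc = dc
        self.excluded_users = {u.lower() for u in excluded_users}
        self.excluded_ips = set(excluded_ips)

    def login(self, user: str, ip: str, kind: str, netbios_name: Optional[str] = None) -> str:
        if ip in self.excluded_ips:
            return "not_sent"
        host = self.dc.host(ip)
        if user.lower() in self.excluded_users:
            # No login is reported, but the previously mapped user is no longer the expected
            # user, so a logoff for that user is reported. Net effect: no user is mapped to
            # the IP even though the excluded user is logged in.
            if host.current_user is not None:
                self.logoff(host.current_user, ip)
            return "excluded"
        if user.endswith("$") and self.dc.version < (5, 0, 2):
            return "not_sent"                  # "$" names go only to 5.0.2+ Defense Centers
        if kind in AUTHORITATIVE:
            host.current_user, host.authoritative = user, True
        elif kind == "computer_account":
            self.dc.netbios_change(ip, netbios_name)   # host profile reflects the new name
        # "file_share": reported below, but the current user on the host is untouched.
        if user.endswith("$"):
            return "map_only"                  # updates the map, never shown as a user login
        self.dc.record("login", user, ip)
        return "login"

    def logoff(self, user: str, ip: str) -> str:
        if ip in self.excluded_ips or user.lower() in self.excluded_users:
            return "not_sent"
        host = self.dc.host(ip)
        if host.current_user == user:
            host.current_user, host.authoritative = None, False
        self.dc.record("logoff", user, ip)
        return "logoff"


def demo():
    """Constructed scenario; returns the Defense Center and the per-step host state."""
    dc = DefenseCenter(version=(5, 0, 2))
    agent = UserAgent(dc, excluded_users=["svc-scan"])          # constructed excluded name
    steps = [
        lambda: agent.login("alice", "10.0.0.5", "interactive"),      # authoritative
        lambda: agent.login("bob", "10.0.0.5", "file_share"),         # reported, no change
        lambda: dc.discovery_login("carol", "10.0.0.5"),              # blocked: alice authoritative
        lambda: agent.login("svc-scan", "10.0.0.5", "interactive"),   # excluded: alice logged off
        lambda: agent.login("WS01$", "10.0.0.7", "computer_account", netbios_name="WS01"),
    ]
    trace = []
    for step in steps:
        step()
        trace.append((dc.host("10.0.0.5").current_user, dc.host("10.0.0.7").netbios_name))
    return dc, trace


if __name__ == "__main__":
    center, history = demo()
    for state in history:
        print(state)
    print(center.user_activity, center.discovery_events)
```

In the constructed scenario the current user for 10.0.0.5 stays alice through the file-share and discovery logins, drops to no user once the excluded account logs in (only alice's logoff is recorded), and the computer account login for 10.0.0.7 produces a NetBIOS Name Change event without any user login record. Switching the Defense Center version to anything below 5.0.2 makes the agent drop the "$" login entirely.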