Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery 
  Understanding Discovery Data Collection
You can view the contents of the users database with the Defense Center web interface. For information 
on viewing, searching for, and deleting detected users, see 
User Activity Database
License: FireSIGHT
The user activity database contains records of user activity on your network, either from a connection to 
an Active Directory LDAP server that is also monitored by a User Agent, or through network discovery. 
The system logs events in the following circumstances: 
  • when it detects individual logins or logoffs
  • when it detects a new user
  • when you manually delete a user
  • when the system detects a user that is not in the database, but cannot add the user because you have
    reached your FireSIGHT licensed limit
You can view the user activity detected by the system using the Defense Center web interface. For 
information on viewing, searching for, and deleting user activity, see 
. If you plan to use Version 2.1 of the FireSIGHT System User Agent to send LDAP login 
data to your Defense Centers, you must configure a connection for each agent on each Defense Center 
where you want the agent to connect. That connection allows the agent to establish a secure connection 
with the Defense Center, over which it can send login data. If the agent is configured to exclude specific 
user names, login data for those user names are not reported to the Defense Center.
In addition, if you are planning to implement user access control, you must set up a connection to each 
Microsoft Active Directory server where you plan to collect data, with user awareness parameters 
configured.
Whenever possible the FireSIGHT System correlates user activity with other types of events. For 
example, intrusion events can tell you the users who were logged into the source and destination hosts 
at the time of the event.
The system also uses user activity to generate host histories, which track the hosts that each user has 
logged into, and user histories, which track the users that have logged into each individual host. The 
system provides a graphical representation of the last twenty-four hours of each user’s activity and the 
last twenty-four hours of the logins to each host. For more information, see 
 and 
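The correlation and the host and user histories described above, sketched as an added example (not Cisco's implementation and not code from this guide). The record layout, function names and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample user-activity records: (epoch seconds, user, host IP, action)
ACTIVITY = [
    (1000, "alice", "10.0.0.5", "login"),
    (1200, "bob",   "10.0.0.9", "login"),
    (1500, "alice", "10.0.0.5", "logoff"),
    (1600, "carol", "10.0.0.5", "login"),
    (1700, "alice", "10.0.0.9", "login"),
]

def build_sessions(activity):
    """Pair login/logoff records into per-host sessions [start, end, user]; end=None means still logged in."""
    open_sessions = {}               # (host, user) -> session currently open
    sessions = defaultdict(list)     # host -> list of sessions
    for ts, user, host, action in sorted(activity):
        key = (host, user)
        if action == "login" and key not in open_sessions:
            session = [ts, None, user]
            open_sessions[key] = session
            sessions[host].append(session)
        elif action == "logoff" and key in open_sessions:
            open_sessions.pop(key)[1] = ts   # close the matching session
    return sessions

def users_on_host(sessions, host, when):
    """Users with a session on `host` covering time `when`."""
    return sorted({user for start, end, user in sessions.get(host, [])
                   if start <= when and (end is None or when < end)})

def correlate(sessions, event):
    """Attach the logged-in users to an event's source and destination hosts."""
    return {
        "source_users": users_on_host(sessions, event["src"], event["ts"]),
        "destination_users": users_on_host(sessions, event["dst"], event["ts"]),
    }

def histories(sessions):
    """Host history: hosts each user logged into. User history: users that logged into each host."""
    host_history, user_history = defaultdict(set), defaultdict(set)
    for host, host_sessions in sessions.items():
        for _start, _end, user in host_sessions:
            host_history[user].add(host)
            user_history[host].add(user)
    return host_history, user_history
```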
Access-Controlled Users Database
License: Control
The access-controlled users database contains the users and groups that you can use in access control 
rules, so that you can perform user control with the FireSIGHT System. These users can be one of two 
types:
  • An access-controlled user is a user that you can add to access control rules to perform user control.
    You specify the groups that access-controlled users must belong to when you configure the Defense
    Center-LDAP server connection.
  • A non-access-controlled user is any other detected user.
You specify the groups that access-controlled users must belong to when you configure the Defense 
Center-LDAP server connection, as described in