Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 35      Introduction to Network Discovery
  Creating a Network Discovery Policy
Restricting User Logging
License: FireSIGHT
When you apply a network discovery policy whose rules discover users, the system detects users in traffic that uses the AIM, IMAP, LDAP, Oracle, POP3, and SIP protocols and adds them to the users table, which you can view through the Analysis menu. You can restrict the protocols on which user activity is discovered to reduce the total number of detected users, so that the users table concentrates on the users likely to provide the most complete user information.
The total number of detected users the Defense Center can store depends on your FireSIGHT license. 
After you reach the licensed limit, in most cases the system stops adding new users to the database. To 
add new users, you must either manually delete old or inactive users from the database, or purge all users 
from the database. Restricting protocol detection helps minimize user name clutter and preserve 
FireSIGHT user licenses. 
For example, obtaining user names through protocols such as AIM, POP3, and IMAP may introduce user 
names not relevant to your organization due to network access from contractors, visitors, and other 
guests.
As another example, AIM, Oracle, and SIP logins may create extraneous user records. These login types are not associated with any of the user metadata that the system obtains from an LDAP server, nor with the information contained in the other types of login that your managed devices detect, so the Defense Center cannot correlate these users with users discovered through other protocols.
Keep in mind that only managed devices can detect non-LDAP user logins, because they must observe the login in the traffic passing through them. If you are using only User Agents installed on Microsoft Active Directory servers to detect user activity, restricting non-LDAP logins has no effect. Also, you cannot restrict SMTP logging. Users are never added to the database based on SMTP logins; although the system detects SMTP logins, it records them only when a user with a matching email address already exists in the database.
You can also choose whether to record failed login attempts detected in LDAP, POP3, or IMAP traffic. A failed login attempt never adds a new user to the users table. Note that the User Agent does not report failed login activity. The user activity type for a detected failed login is Failed User Login.
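The rules above determine which detected logins consume a FireSIGHT user license. The following is an added illustration, not Cisco code: a small model that applies those rules (restricted protocols are ignored, failed logins never add a user, SMTP logins are recorded only for an existing user with a matching email address, and nothing is added once the licensed limit is reached) to a constructed batch of login events, and compares the resulting users table with all protocols enabled against one with only LDAP enabled. The class, the event format, and all user names and addresses are hypothetical.

```python
from collections import Counter

# Protocols whose login detection can be restricted in Policies > Network Discovery > User.
RESTRICTABLE = ("AIM", "IMAP", "LDAP", "Oracle", "POP3", "SIP")
# Failed logins are detected only in these protocols.
FAILED_LOGIN_PROTOCOLS = ("LDAP", "POP3", "IMAP")


class UserTable:
    """Constructed model of the Defense Center users table (hypothetical, not Cisco code)."""

    def __init__(self, license_limit, enabled=RESTRICTABLE, log_failed=True):
        self.license_limit = license_limit   # users the FireSIGHT license allows
        self.enabled = set(enabled)          # protocols checked on the User page
        self.log_failed = log_failed         # whether failed logins are recorded as activity
        self.users = {}                      # username -> {"email": str|None, "protocols": set}
        self.activity = []                   # (activity type, user, protocol)
        self.dropped = Counter()             # reason -> number of events not adding a user

    def ingest(self, event):
        proto, user, ok = event["protocol"], event["user"], event.get("success", True)

        if proto == "SMTP":
            # SMTP logging cannot be restricted and an SMTP login never adds a user:
            # it is recorded only if a user with a matching e-mail address already exists.
            owner = next((u for u, rec in self.users.items() if rec["email"] == user), None)
            if owner is None:
                self.dropped["smtp: no user with matching e-mail"] += 1
                return
            self.activity.append(("User Login", owner, proto))
            return

        if proto not in self.enabled:
            self.dropped[f"{proto}: restricted in discovery policy"] += 1
            return

        if not ok:
            # A failed login attempt is activity at most; it never adds a new user.
            if proto in FAILED_LOGIN_PROTOCOLS and self.log_failed:
                self.activity.append(("Failed User Login", user, proto))
            else:
                self.dropped[f"{proto}: failed login not logged"] += 1
            return

        if user not in self.users:
            if len(self.users) >= self.license_limit:
                # Licensed limit reached: the system stops adding new users.
                self.dropped["license limit reached"] += 1
                return
            self.users[user] = {"email": event.get("email"), "protocols": set()}
        self.users[user]["protocols"].add(proto)
        self.activity.append(("User Login", user, proto))

    def ingest_all(self, events):
        for event in events:
            self.ingest(event)
        return self


# Constructed sample of detected logins (hypothetical users); not real discovery data.
SAMPLE_EVENTS = [
    {"protocol": "LDAP", "user": "jsmith", "email": "jsmith@example.com"},
    {"protocol": "LDAP", "user": "akumar", "email": "akumar@example.com"},
    {"protocol": "LDAP", "user": "jsmith", "success": False},
    {"protocol": "POP3", "user": "guest17"},
    {"protocol": "IMAP", "user": "contractor.bob"},
    {"protocol": "AIM",  "user": "xXgamerXx"},
    {"protocol": "SIP",  "user": "1001"},
    {"protocol": "SMTP", "user": "jsmith@example.com"},
    {"protocol": "SMTP", "user": "nobody@example.org"},
    {"protocol": "LDAP", "user": "mlee", "email": "mlee@example.com"},
]


def compare_policies(events, license_limit):
    """Return (table with all protocols enabled, table with only LDAP enabled)."""
    unrestricted = UserTable(license_limit).ingest_all(events)
    ldap_only = UserTable(license_limit, enabled=("LDAP",)).ingest_all(events)
    return unrestricted, ldap_only


if __name__ == "__main__":
    full, ldap = compare_policies(SAMPLE_EVENTS, license_limit=6)
    print("all protocols:", sorted(full.users), dict(full.dropped))
    print("LDAP only:    ", sorted(ldap.users), dict(ldap.dropped))
```

With a six-user license, the unrestricted table fills up with the guest, contractor, AIM and SIP names and then refuses the last LDAP user (mlee); restricting detection to LDAP keeps only the three directory users, still records the SMTP activity for jsmith, and still logs the failed LDAP login without creating a user.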
To restrict the protocols where user logins are detected:
Access: Admin/Discovery Admin
Step 1  Select Policies > Network Discovery.
The Network Discovery Policy page appears.
Step 2  Click User.
The User page appears.
Step 3  Select the check boxes for the protocols where you want to detect logins, and clear the check boxes for the protocols where you do not want to detect logins.
Step 4  Click Save to save the network discovery policy.
Note  You must apply the network discovery policy for your changes to take effect. For more information, see .