Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 38: Working with Discovery Events
  Working with Users
Your search results appear in the default third-party vulnerabilities workflow. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see
  • Click Save if you are modifying an existing search and want to save your changes.
  • Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private), so that you can run it at a later time.

Working with Users
License: FireSIGHT

When either an Active Directory Agent or a managed device detects a user login for a user who is not already in the database, the user is added to the database, unless you have specifically restricted that login type (see

Note: Although the system detects SMTP logins, the system does not record them unless there is already a user with a matching email address in the database; users are not added to the database based on SMTP logins.

The type of login that the system detected determines what information is stored about the new user, as described in the following table.

If you configured Defense Center-LDAP server connections, the Defense Center queries the LDAP servers every five minutes and obtains metadata for the new users in the user database. At the same time, the Defense Center also queries the LDAP servers for updated information on users whose records in the Defense Center database are more than 12 hours old. It may take five to ten minutes for the Defense Center database to update with user metadata after the system detects a new user login. From the LDAP servers, the Defense Center obtains the following information and metadata about each user:
  • LDAP username
  • first and last names
  • email address
  • department

Table 38-13: Login Types and User Data Stored

Login Type                User Data Stored
------------------------  ----------------------------------------------
LDAP, AIM, Oracle, SIP    • username
                          • current IP address
                          • login type (aim, ldap, oracle, or sip)

POP3, IMAP                • username
                          • current IP address
                          • email address
                          • login type (pop3 or imap)