FireSIGHT System User Guide (Cisco Firepower Management Center 4000)
Chapter 38: Working with Discovery Events, page 38-61
Working with User Activity
- SMTP logins are not recorded unless there is already a user with a matching email address in the database.
- Failed logins are only for LDAP, IMAP, and POP3, and only when detected in traffic. Users are not added to the detected users database as a result of a failed login, but the activity is optionally recorded in the user activity database, based on the user logging configuration in the network discovery policy.
- A user login is not recorded if you have specifically restricted its login type; see .
Note that when a non-authoritative user logs into a host, that login is recorded in the user and host 
history. If no authoritative user is associated with the host, a non-authoritative user can be the current 
user for the host. However, after an authoritative user logs into the host, only a login by another 
authoritative user changes the current user. In addition, when a non-authoritative user is the current 
user on a host, that user still cannot be used for user control.
Delete User Identity
This event is generated when you manually delete a user from the database.
User Identity Dropped: User Limit Reached
This event is generated when the system detects a user that is not in the database, but cannot add the 
user because you have reached the maximum number of users in the database as determined by your 
FireSIGHT license.
The total number of detected users the Defense Center can store depends on your FireSIGHT 
license. After you reach the licensed limit, in most cases the system stops adding new users to the 
database. To add new users, you must either manually delete old or inactive users from the database, 
or purge all users from the database.
However, the system favors authoritative users. If you have reached the limit and the system detects 
a login for a previously undetected authoritative user, the system deletes the non-authoritative user 
who has remained inactive for the longest time, and replaces it with the new authoritative user.
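The current-user rule for hosts (a non-authoritative user holds the slot only until an authoritative user logs in) and the licensed user limit with its preference for authoritative users are easier to reason about as a small model. The following Python is an added illustration written for this page; it is not Cisco code and does not reflect the product's internal data structures. The class and method names, the `protocol` argument, the numeric `user_limit` standing in for the FireSIGHT license, and the host IP and user names in `run_demo()` are all constructed for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    authoritative: bool
    last_seen: int          # sequence number of the last activity seen for this user


@dataclass
class Host:
    ip: str
    current_user: Optional[str] = None
    current_is_authoritative: bool = False
    history: List[str] = field(default_factory=list)   # every recorded login, in order


class DetectedUserDB:
    """Toy model of the detected-users database and its licensed user limit (assumption, not product code)."""

    def __init__(self, user_limit: int):
        self.user_limit = user_limit       # stands in for the FireSIGHT licensed limit
        self.users: Dict[str, User] = {}
        self.hosts: Dict[str, Host] = {}
        self.events: List[str] = []        # activity messages the model generates
        self.clock = 0

    def _record_user(self, name: str, authoritative: bool) -> bool:
        """Add or refresh a user; apply the limit and the authoritative-user preference."""
        if name in self.users:
            self.users[name].last_seen = self.clock
            return True
        if len(self.users) < self.user_limit:
            self.users[name] = User(name, authoritative, self.clock)
            return True
        # Limit reached. Only a new authoritative user may displace the
        # non-authoritative user that has been inactive the longest.
        if authoritative:
            inactive = [u for u in self.users.values() if not u.authoritative]
            if inactive:
                victim = min(inactive, key=lambda u: u.last_seen)
                del self.users[victim.name]
                self.events.append(f"evicted non-authoritative user {victim.name} for {name}")
                self.users[name] = User(name, authoritative, self.clock)
                return True
        self.events.append(f"User Identity Dropped: User Limit Reached ({name})")
        return False

    def login(self, ip: str, name: str, authoritative: bool, protocol: str = "ldap") -> bool:
        """Process one detected login; returns True if it was recorded."""
        self.clock += 1
        # SMTP logins are recorded only for users already in the database.
        if protocol == "smtp" and name not in self.users:
            self.events.append(f"ignored SMTP login by unknown user {name}")
            return False
        if not self._record_user(name, authoritative):
            return False
        host = self.hosts.setdefault(ip, Host(ip))
        host.history.append(name)
        # Current-user rule: an authoritative login always takes over; a
        # non-authoritative login only does so while no authoritative user
        # has logged into the host.
        if authoritative or not host.current_is_authoritative:
            host.current_user = name
            host.current_is_authoritative = authoritative
        return True

    def user_control_allowed(self, ip: str) -> bool:
        """User control needs an authoritative current user on the host."""
        host = self.hosts.get(ip)
        return bool(host and host.current_is_authoritative)


def run_demo() -> DetectedUserDB:
    """Walk a two-user database through the cases the text describes (constructed data)."""
    db = DetectedUserDB(user_limit=2)
    db.login("10.0.0.5", "alice", authoritative=False)   # non-auth becomes current
    db.login("10.0.0.5", "bob", authoritative=False)     # another non-auth takes over
    db.login("10.0.0.5", "carol", authoritative=False)   # limit reached: dropped
    db.login("10.0.0.5", "dave", authoritative=True)     # evicts alice (longest inactive)
    db.login("10.0.0.5", "bob", authoritative=False)     # recorded, but dave stays current
    db.login("10.0.0.5", "erin", authoritative=False, protocol="smtp")  # unknown SMTP user: ignored
    return db


if __name__ == "__main__":
    demo = run_demo()
    print(sorted(demo.users))
    print(demo.hosts["10.0.0.5"])
    print("\n".join(demo.events))
```

Running the demo leaves `bob` and `dave` in the database, `dave` as the host's current user even though `bob` logged in afterwards, and `carol` dropped with a limit-reached message; the model treats "inactive the longest" as the smallest last-seen sequence number, which is an assumption about how the product measures inactivity.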
When the system detects user activity, it is logged to the database. You can view, search, and delete user 
activity; you can also purge all user activity from the database.
Whenever possible the FireSIGHT System correlates user activity with other types of events. For 
example, intrusion events can tell you the users who were logged into the source and destination hosts 
at the time of the event. This can tell you who owns the host that was targeted by an attack, or who 
initiated an internal attack or portscan. 
You can also use user activity in correlation rules. Based on the type of user activity as well as other 
criteria that you specify, you can build correlation rules that, when used in a correlation policy, launch 
remediations and alert responses when network traffic meets your criteria. For more information on user 
activity, see 
For more information, see the following sections:
  •
  •
  •
Viewing User Activity Events
License: FireSIGHT