Cisco FirePOWER Appliance 8250
38-61
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with User Activity
– SMTP logins are not recorded unless there is already a user with a matching email address in the database.
– Failed logins are recorded only for LDAP, IMAP, and POP3, and only when detected in traffic. Users are not added to the detected users database as a result of a failed login, but the activity is optionally recorded in the user activity database, depending on the user logging configuration in the network discovery policy.
– A user login is not recorded if you have specifically restricted its login type; see .
Note that when a non-authoritative user logs into a host, that login is recorded in the user and host history. If no authoritative user is associated with the host, a non-authoritative user can be the current user for the host. However, after an authoritative user logs into the host, only a login by another authoritative user changes the current user. In addition, when a non-authoritative user is the current user on a host, that user still cannot be used for user control.
Delete User Identity
This event is generated when you manually delete a user from the database.
User Identity Dropped: User Limit Reached
This event is generated when the system detects a user that is not in the database, but cannot add the user because you have reached the maximum number of users in the database as determined by your FireSIGHT license.
The total number of detected users the Defense Center can store depends on your FireSIGHT license. After you reach the licensed limit, in most cases the system stops adding new users to the database. To add new users, you must either manually delete old or inactive users from the database, or purge all users from the database.
However, the system favors authoritative users. If you have reached the limit and the system detects a login for a previously undetected authoritative user, the system deletes the non-authoritative user who has remained inactive for the longest time, and replaces it with the new authoritative user.
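The login-recording rules, the current-user rule for a host, and the license-limit behaviour described above, as an added example written for this page (not Cisco code and not the FireSIGHT implementation). It is a small Python model of the documented behaviour so that the interaction of the rules can be traced on a constructed sequence of logins. The `IdentityDB` class, the `limit` value, treating `ldap` as the only authoritative login type, the `evicted` marker in the event list, and a host losing its current user when that user is deleted are assumptions of the model; the guide names no event for the eviction and does not state those details.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption of this model: which login types yield an authoritative user.
AUTHORITATIVE_TYPES = {"ldap"}
# Failed logins are only detected in traffic for these protocols (per the guide).
FAILED_LOGIN_TYPES = {"ldap", "imap", "pop3"}


@dataclass
class User:
    name: str
    email: Optional[str]
    authoritative: bool
    last_seen: int  # time of last login; the longest-idle non-authoritative user is evicted


@dataclass
class IdentityDB:
    limit: int                                   # licensed maximum number of detected users
    log_failed_logins: bool = True               # network discovery policy: log failed logins?
    users: dict = field(default_factory=dict)    # detected users database: name -> User
    current: dict = field(default_factory=dict)  # host -> name of the host's current user
    events: list = field(default_factory=list)   # discovery events, in order
    activity: list = field(default_factory=list) # user activity database

    def _remove(self, name: str) -> None:
        del self.users[name]
        # Assumption: a host whose current user is deleted has no current user afterwards.
        for host in [h for h, u in self.current.items() if u == name]:
            del self.current[host]

    def delete_user(self, name: str) -> None:
        """Manual deletion of a user from the database (Delete User Identity event)."""
        self._remove(name)
        self.events.append(("Delete User Identity", name))

    def _add_user(self, name, email, authoritative, t) -> Optional[User]:
        if len(self.users) >= self.limit:
            idle = [u for u in self.users.values() if not u.authoritative]
            # Limit reached: only a new authoritative user may displace an idle
            # non-authoritative one; anything else is dropped.
            if not authoritative or not idle:
                self.events.append(("User Identity Dropped: User Limit Reached", name))
                return None
            victim = min(idle, key=lambda u: u.last_seen)
            self._remove(victim.name)
            self.events.append(("evicted", victim.name))  # model marker; the guide names no event
        user = User(name, email, authoritative, t)
        self.users[name] = user
        return user

    def _set_current(self, host: str, user: User) -> None:
        cur = self.users.get(self.current.get(host))
        # A non-authoritative user is current only while no authoritative user has
        # logged in; afterwards only another authoritative login changes it.
        if cur is None or not cur.authoritative or user.authoritative:
            self.current[host] = user.name

    def login(self, host, name, login_type, t, success=True, email=None) -> str:
        """Apply the recording rules to one detected login; return what happened."""
        if not success:
            if login_type not in FAILED_LOGIN_TYPES:
                return "ignored"                      # not detectable in traffic
            if self.log_failed_logins:
                self.activity.append(("failed login", host, name, t))
            return "failed login"                     # never creates a user
        if login_type == "smtp":
            # SMTP logins count only when a user with that e-mail already exists.
            user = next((u for u in self.users.values() if u.email == email), None)
            if user is None:
                return "ignored"
        else:
            user = self.users.get(name)
            if user is None:
                user = self._add_user(name, email, login_type in AUTHORITATIVE_TYPES, t)
                if user is None:
                    return "dropped"
        user.last_seen = t
        self.activity.append(("login", host, user.name, t))
        self._set_current(host, user)
        return "recorded"


def demo() -> dict:
    """Constructed login sequence against a database licensed for two users."""
    db = IdentityDB(limit=2)
    h1, h2 = "10.0.0.5", "10.0.0.9"
    r = [
        db.login(h1, "alice", "http", 1, email="alice@example.com"),  # current: alice
        db.login(h1, "bob", "ldap", 2),          # authoritative -> current: bob
        db.login(h1, "alice", "http", 3),        # recorded, but bob stays current
    ]
    current_after_alice = db.current[h1]
    r += [
        db.login(h1, "carol", "http", 4),                            # limit reached -> dropped
        db.login(h1, "x", "smtp", 5, email="nobody@example.com"),    # no matching user -> ignored
        db.login(h1, "x", "smtp", 6, email="alice@example.com"),     # recorded as alice
        db.login(h1, "mallory", "imap", 7, success=False),           # logged, no user created
        db.login(h1, "mallory", "ssh", 8, success=False),            # not a detectable failure
        db.login(h2, "dave", "ldap", 9),                             # evicts idle alice, adds dave
    ]
    db.delete_user("bob")
    return {"db": db, "results": r, "current_after_alice": current_after_alice}
```

Running `demo()` shows that carol is dropped while dave is admitted at the same limit, because dave is authoritative and alice is the longest-idle non-authoritative user; it also shows that alice's later login on the host does not displace bob as the current user.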
When the system detects user activity, it is logged to the database. You can view, search, and delete user activity; you can also purge all user activity from the database.
Whenever possible the FireSIGHT System correlates user activity with other types of events. For example, intrusion events can tell you the users who were logged into the source and destination hosts at the time of the event. This can tell you who owns the host that was targeted by an attack, or who initiated an internal attack or portscan.
You can also use user activity in correlation rules. Based on the type of user activity as well as other criteria that you specify, you can build correlation rules that, when used in a correlation policy, launch remediations and alert responses when network traffic meets your criteria. For more information on user activity, see
For more information, see the following sections:
•
•
•
Viewing User Activity Events
License:
FireSIGHT