Cisco Firepower Management Center 2000
FireSIGHT User Agent Configuration Guide
Chapter 1 Introduction
Understanding User Agents
The type of login detected determines how the agent reports the login and how the login appears in the
host profile. An authoritative user login for a host causes the current user mapped to the host IP address
to change to the user from the new login. Other logins either do not change the current user or only
change the current user for the host if the existing user on the host did not have an authoritative user
login to the host. In these cases, if the expected user is no longer logged in, this generates a logoff for
that user. User logins detected by network discovery only change the current user for the host if the
existing user on the host did not have an authoritative user login to the host. Agent-detected logins have
the following effect on the network map:
• When the agent detects an interactive login to a host by a user or a remote desktop login, the agent
  reports an authoritative user login for the host and changes the current user for the host to the new
  user.
• If the agent detects a login for file-share authentication, the agent reports a user login for the host,
  but does not change the current user on the host.
• If the agent detects a computer account login to a host, the agent generates a NetBIOS Name Change
  discovery event and the host profile reflects any change to the NetBIOS name.
• If the agent detects a login from an excluded user name, the agent does not report a login to the
  Defense Center.
When a login or other authentication occurs, the agent sends the following information to the Defense
Center:
• the user’s LDAP user name
• the time of the login or other authentication
• the IP address of the user’s host, and the link-local address if the agent reports an IPv6 address for
  a computer account login
Note
If a user uses a Linux computer to log in via Remote Desktop to a Windows computer, once the agent
detects the login, it reports the Windows computer IP address, not the Linux computer IP address, to the
Defense Center.
The Defense Center records login and logoff information as user activity. When a User Agent reports
user data from a user login or logoff, the reported user is checked against the list of users. If the reported
user matches an existing user reported by an agent, the reported data is assigned to the user. Reported
users that do not match existing users cause a new user to be created.
Even though the user activity associated with an excluded user name is not reported, related user activity
may still be reported. If the agent detects a user login to a machine, then the agent detects a second user
login, and you have excluded the user name associated with the second user login from reporting, the
agent reports a logoff for the original user. However, no login for the second user is reported. As a result,
no user is mapped to the IP address, even though the excluded user is logged into the host.
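The mapping rules and the excluded-user case described above can be replayed in a small model. This is an added example, not Cisco code: the login type labels, class and function names, addresses and user names are all constructed, and it assumes an excluded login logs off the original user only when it is of an authoritative type.

```python
from dataclasses import dataclass, field
AUTHORITATIVE = {"interactive", "remote_desktop"}  # hypothetical type labels

@dataclass
class NetworkMap:
    excluded: set = field(default_factory=set)    # excluded user names, lowercase
    current: dict = field(default_factory=dict)   # ip -> (user, is_authoritative)
    activity: list = field(default_factory=list)  # reported logins, logoffs, events

    def login(self, ip, user, kind):
        prev = self.current.get(ip)
        if kind == "computer_account":
            # Computer account: NetBIOS name change event, no user login.
            self.activity.append(("netbios_name_change", user, ip))
        elif user.lower() in self.excluded:
            # Not reported; assumed here to log off the original user only
            # when the excluded login is of an authoritative type.
            if prev and kind in AUTHORITATIVE:
                self.activity.append(("logoff", prev[0], ip))
                del self.current[ip]
        elif kind in AUTHORITATIVE:
            # Interactive or remote desktop login replaces the current user.
            self.activity.append(("login", user, ip))
            self.current[ip] = (user, True)
        elif kind == "file_share":
            # File-share authentication is reported but never remaps the host.
            self.activity.append(("login", user, ip))
        elif kind == "network_discovery":
            # Remaps only when the existing user has no authoritative login.
            self.activity.append(("login", user, ip))
            if prev is None or not prev[1]:
                self.current[ip] = (user, False)

def replay(events, excluded=()):
    # Apply (ip, user, kind) events in order and return the resulting map.
    nmap = NetworkMap(excluded={u.lower() for u in excluded})
    for ip, user, kind in events:
        nmap.login(ip, user, kind)
    return nmap

# Constructed sample events (documentation addresses, invented names).
SAMPLE = [
    ("192.0.2.10", "alice", "interactive"),
    ("192.0.2.10", "bob", "file_share"),
    ("192.0.2.10", "carol", "network_discovery"),
    ("192.0.2.20", "dave", "interactive"),
    ("192.0.2.20", "svc_backup", "remote_desktop"),
    ("192.0.2.30", "WKSTN30$", "computer_account"),
]
print(replay(SAMPLE, excluded=["svc_backup"]).current)
```

After the replay, 192.0.2.20 has no mapped user even though the excluded account is logged in there, so user-based rules and reports have nothing to match for that host.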
Note the following limitations on user names detected by the agent:
• User names ending with a dollar sign character ($) reported to a Version 5.0.2+ Defense Center
  update the network map, but do not appear as user logins. Agents do not report user names ending
  with a dollar sign character ($) to any other versions of Defense Centers.
• Defense Center display of user names containing Unicode characters may have limitations.
The total number of detected users the Defense Center can store depends on your RNA or FireSIGHT
license. After you reach the licensed user limit, in most cases the system stops adding new users to the
database. To add new users, you must either manually delete old or inactive users from the database, or
purge all users from the database.