Cisco FirePOWER Appliance 7020
38-55
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Users
Your search results appear in the default third-party vulnerabilities workflow. To use a different
workflow, including a custom workflow, click (switch workflow). For information on specifying a
different default workflow, see
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your
user account if you selected Save As Private), so that you can run it at a later time.
Working with Users
License: FireSIGHT
When either an Active Directory Agent or a managed device detects a user login for a user who is not
already in the database, the user is added to the database, unless you have specifically restricted that
login type (see
Note: Although the system detects SMTP logins, the system does not record them unless there is already a user
with a matching email address in the database; users are not added to the database based on SMTP
logins.
The type of login that the system detected determines what information is stored about the new user, as
described in the following table.
If you configured Defense Center-LDAP server connections, the Defense Center queries the LDAP
servers every five minutes and obtains metadata for the new users in the user database. At the same time,
the Defense Center also queries the LDAP servers for updated information on users whose records in the
Defense Center database are more than 12 hours old. It may take five to ten minutes for the Defense
Center database to update with user metadata after the system detects a new user login. From the LDAP
servers, the Defense Center obtains the following information and metadata about each user:
• LDAP username
• first and last names
• email address
• department
Table 38-13 Login Types and User Data Stored

Login Type: LDAP, AIM, Oracle, SIP
User Data Stored:
• username
• current IP address
• login type (aim, ldap, oracle, or sip)

Login Type: POP3, IMAP
User Data Stored:
• username
• current IP address
• email address
• login type (pop3 or imap)
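The rules above interact in a way that matters when attributing activity to a user: an SMTP login is recorded only after some other login type has stored a matching email address. The Python model below is an added example, not Cisco code or part of the guide. The class, method and field names are hypothetical, and it assumes that login events carry an email address where relevant, that recorded logins are kept in a simple list, and that a record's age is measured from its last LDAP sync.

```python
from datetime import datetime, timedelta

# Fields stored for a new user, per Table 38-13 (key names are hypothetical).
FIELDS_BY_LOGIN_TYPE = {
    **dict.fromkeys(("ldap", "aim", "oracle", "sip"), ("username", "ip")),
    **dict.fromkeys(("pop3", "imap"), ("username", "ip", "email")),
}
LDAP_STALE_AFTER = timedelta(hours=12)  # refresh threshold stated in the text


class UserDatabase:
    """Hypothetical model of the documented rules, not the product's code."""

    def __init__(self, restricted=()):
        self.restricted = set(restricted)  # login types the admin restricted
        self.users = {}                    # username -> stored record
        self.recorded = []                 # (login_type, username), assumed layout

    def observe(self, login_type, ip, username=None, email=None):
        """Apply one detected login; return True if it was recorded."""
        if login_type in self.restricted:
            return False
        if login_type == "smtp":
            # SMTP never creates a user; it is recorded only on an email match.
            match = next((u for u, r in self.users.items()
                          if email and r.get("email") == email), None)
            if match is None:
                return False
            self.recorded.append(("smtp", match))
            return True
        if username not in self.users:
            event = {"username": username, "ip": ip, "email": email}
            record = {f: event[f] for f in FIELDS_BY_LOGIN_TYPE[login_type]}
            record.update(login_type=login_type, ldap_synced=None)
            self.users[username] = record
        self.recorded.append((login_type, username))
        return True

    def ldap_refresh_candidates(self, now):
        """Users the next LDAP poll would query: new, or older than 12 hours."""
        return sorted(u for u, r in self.users.items()
                      if r["ldap_synced"] is None
                      or now - r["ldap_synced"] > LDAP_STALE_AFTER)
```

In this model a user first seen through AIM has no stored email address, so SMTP logins for that person are not recorded until a POP3 or IMAP login (or, in the real system, LDAP metadata) supplies one.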