2017-12-18 09:03 AM
A question for the community...
Who is using the Identity Feed to pull in AD context for log or packet events?
Active Directory Source/destination Username/workstation/domain
Curious how many people know about it, have it configured and use it in different implementations for logs or packets
2017-12-19 10:04 AM
We are using it. It seems to work well, but it can confuse newer analysts who take it as the gold standard of who was actually using the system, because sometimes it does not get it right.
2017-12-19 10:19 AM
Can you define the times when it doesn't get it right? Digging into it more and want to understand the places where it gets it wrong and what we can do to make it better.
Do you get anon users in the feed? Some missing workstation names? Or other items? If you can tag it to a specific event ID that we miss or need to adjust, please let me know. If you want to DM, then you can do that to protect the innocent.
2017-12-20 03:47 AM
It only ever handles logon events and not logoff events unfortunately. We raised a call which went to a Jira which said it was not possible to incorporate the logoff events.
2018-01-03 02:42 PM
Explain the use case for adding log off events to the feed? Remove events from the feed based on log off events, or also as a source of meta for the last logged-in user on a system?
2018-01-04 03:55 AM
Hi Eric,
If you don't track log off events then users are associated with a particular IP address indefinitely. This then gives the false impression that this user is associated with this IP address. When you then use this meta, you have to ask yourself if it is true at this moment in time, or was it just true historically.
When analysts use meta they want to know that it is true at this moment in time, not that it may have been true last week.
2018-01-04 04:45 AM
Hi Eric,
I am using it. As long as the analysts are aware of the limitations and how it works, then it's good to have; however, it is not accurate, so all the info we get from it would be purely for indication until we have cross-checked with other systems. So it's better than nothing but cannot be trusted.
I agree with David, unless the logoff events can be leveraged, this will only ever be an indicator and nothing else.
For office users that use desktop machines this would be much more accurate than on users that take the laptop around the building for meetings etc, hence constantly changing IPs. VPN users too.
Many thanks
Marinos
2018-01-04 04:50 AM
I have developed my own version of this feed, which I think is more accurate.
I look at the web proxy logs, and these contain an IP address and the username. As users are frequently browsing the web, I have a pretty up-to-date list of users and IP addresses. With Windows logon events these might not happen that frequently.
I run a report that outputs this as a CSV file and then use this as a feed.
2018-01-08 02:34 PM
"users are associated with a particular IP address indefinitely" - this shouldn't be the case unless something is broken.
The default rollover_interval setting is 3 days, which will expire entries from the cache if they have not been changed or updated within that time.
The lowest possible value would be 1, which would give you a smaller window for the feed data to populate against IPs.
And I think incorporating the logoff events to delete entries from the feed would certainly also help to keep it current and accurate.