
User Identity Enrichment

User Identity Mapping is one of NFO’s most critical enrichment capabilities. It bridges the gap between anonymous network addresses and human accountability by correlating flow records with authentication events in real time.

By integrating with your Identity Providers (IdP), NFO moves your analysis from identifying an IP address (e.g., 10.0.1.5) to identifying the actual person (e.g., jdoe@example.com) responsible for the traffic.


The Identity Lifecycle

NFO uses the External Data Feeder (EDFN) as the bridge between your identity infrastructure and the flow processing engine.

  1. Event Monitoring: The EDFN Identity Agent monitors logon and logoff events from your configured IdP.
  2. Mapping Table: EDFN builds a high-speed, in-memory table of IP Address ↔ Username.
  3. Real-Time Enrichment: As flows enter the NFO engine, they are cross-referenced against this table. The sourceUserName and destinationUserName fields are then appended to the flow records.
  4. Continuous Updates: As users move between offices, change IPs via DHCP, or disconnect from VPNs, NFO updates the mapping instantly to maintain forensic accuracy.
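The lifecycle above, worked through as an added Python example. This is not NFO or EDFN code; it is a standalone model of an IP ↔ username table that consumes logon/logoff events, keeps the interval history needed to answer "who held this IP when the flow was seen", and fills the sourceUserName / destinationUserName fields. Event shapes, timestamps, addresses and user names are all constructed for the example; the one edge case it handles explicitly is a DHCP lease being reassigned to a second user, followed by a stale logoff from the first user, which must not unmap the second.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdentityEvent:
    """Logon/logoff event in the shape an identity agent might emit (constructed)."""
    ts: datetime
    kind: str        # "logon" or "logoff"
    ip: str
    user: str


@dataclass
class FlowRecord:
    """Minimal flow record; the *UserName fields start empty and are filled by enrichment."""
    ts: datetime
    src_ip: str
    dst_ip: str
    sourceUserName: Optional[str] = None
    destinationUserName: Optional[str] = None


class IdentityTable:
    """In-memory IP -> user table plus per-IP interval history for forensic lookups."""

    def __init__(self) -> None:
        self.current: Dict[str, Tuple[str, datetime]] = {}                       # ip -> (user, since)
        self.history: Dict[str, List[Tuple[datetime, Optional[datetime], str]]] = {}  # ip -> [(start, end, user)]

    def apply(self, ev: IdentityEvent) -> None:
        if ev.kind == "logon":
            # A logon on an IP that is already mapped closes the previous interval:
            # this is the DHCP-reuse / VPN-reconnect case.
            self._close(ev.ip, ev.ts)
            self.current[ev.ip] = (ev.user, ev.ts)
            self.history.setdefault(ev.ip, []).append((ev.ts, None, ev.user))
        elif ev.kind == "logoff":
            cur = self.current.get(ev.ip)
            # Only the user currently holding the IP may release it; a stale logoff
            # from a previous holder is ignored rather than unmapping the new user.
            if cur and cur[0] == ev.user:
                self._close(ev.ip, ev.ts)
                del self.current[ev.ip]
        else:
            raise ValueError(f"unknown event kind: {ev.kind}")

    def _close(self, ip: str, ts: datetime) -> None:
        intervals = self.history.get(ip)
        if intervals and intervals[-1][1] is None:
            start, _, user = intervals[-1]
            intervals[-1] = (start, ts, user)

    def lookup(self, ip: str, at: Optional[datetime] = None) -> Optional[str]:
        """Current holder when `at` is None, otherwise the holder at that instant."""
        if at is None:
            cur = self.current.get(ip)
            return cur[0] if cur else None
        for start, end, user in self.history.get(ip, []):
            if start <= at and (end is None or at < end):
                return user
        return None

    def enrich(self, flow: FlowRecord) -> FlowRecord:
        """Append user names to a flow using the mapping valid at the flow's timestamp."""
        flow.sourceUserName = self.lookup(flow.src_ip, flow.ts)
        flow.destinationUserName = self.lookup(flow.dst_ip, flow.ts)
        return flow


def _t(hhmm: str) -> datetime:
    """Build a UTC timestamp on a fixed, constructed day."""
    return datetime.strptime(f"2024-01-15 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def demo() -> List[Tuple[Optional[str], Optional[str]]]:
    """Constructed events and flows; returns (sourceUserName, destinationUserName) per flow."""
    table = IdentityTable()
    events = [
        IdentityEvent(_t("09:00"), "logon", "10.0.1.5", "jdoe@example.com"),
        IdentityEvent(_t("09:05"), "logon", "10.0.2.20", "svc-files@example.com"),
        IdentityEvent(_t("12:00"), "logoff", "10.0.1.5", "jdoe@example.com"),
        IdentityEvent(_t("12:30"), "logon", "10.0.1.5", "asmith@example.com"),   # DHCP reuses the lease
        IdentityEvent(_t("12:45"), "logoff", "10.0.1.5", "jdoe@example.com"),    # stale logoff, ignored
    ]
    # Events can arrive out of order; sort by timestamp so intervals are built correctly.
    for ev in sorted(events, key=lambda e: e.ts):
        table.apply(ev)
    flows = [
        FlowRecord(_t("10:00"), "10.0.1.5", "10.0.2.20"),   # during jdoe's session
        FlowRecord(_t("12:10"), "10.0.1.5", "10.0.2.20"),   # gap: nobody holds 10.0.1.5
        FlowRecord(_t("13:00"), "10.0.1.5", "10.0.2.20"),   # after the lease moved to asmith
    ]
    return [(f.sourceUserName, f.destinationUserName) for f in (table.enrich(x) for x in flows)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The interval history is what makes the table useful beyond the "current" view: a flow that is processed a few seconds after a logoff, or replayed later in an investigation, is attributed to the user who actually held the address at that moment, not to whoever holds it now.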

Supported Identity Systems

Configuration varies based on your authentication source. Choose the guide below that matches your environment:

Microsoft Active Directory

Environment: On-premises Windows domains. Uses WMI or WinRM to poll security event logs directly from your Domain Controllers.

Microsoft Entra ID

Environment: Cloud or Hybrid Azure environments. Uses the Microsoft Graph API to ingest sign-in logs from your Azure tenant.

Okta

Environment: SaaS-based Single Sign-On. Uses API tokens to pull authentication events from the Okta System Log.

Identity via Syslog

Environment: VPNs, RADIUS, or non-standard LDAP. Allows you to define custom regex patterns to parse identity data from any source that exports logs via Syslog.
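As an added illustration of the Syslog path, the following Python shows what "custom regex patterns" for identity extraction amount to in practice: each pattern carries named groups for the user and IP, a fixed or derived event kind, and the parsed IP is validated before anything reaches the mapping table. This is example code, not EDFN's configuration syntax (which this page does not describe); the log sources, message formats and sample lines are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Pattern, Tuple

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# (name, event kind, compiled regex). A kind of None means the kind is derived from
# a "status" group, as with RADIUS accounting Start/Stop. Formats are hypothetical.
IDENTITY_PATTERNS: List[Tuple[str, Optional[str], Pattern[str]]] = [
    ("vpn-start", "logon",
     re.compile(r"vpn-gw: session start user=(?P<user>\S+) assigned-ip=" + IPV4)),
    ("vpn-end", "logoff",
     re.compile(r"vpn-gw: session end user=(?P<user>\S+) assigned-ip=" + IPV4)),
    ("radius-acct", None,
     re.compile(r"Acct-Status-Type=(?P<status>Start|Stop).*?User-Name=(?P<user>\S+)"
                r".*?Framed-IP-Address=" + IPV4)),
]
RADIUS_STATUS = {"Start": "logon", "Stop": "logoff"}


def parse_identity_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, user, ip) for an identity-bearing syslog line, else None.

    re.search is used because a syslog header (PRI, timestamp, host, tag) precedes
    the message body. Lines matching no pattern, or carrying an invalid address, are
    dropped rather than guessed at.
    """
    for _name, kind, rx in IDENTITY_PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        if kind is None:
            kind = RADIUS_STATUS[m.group("status")]
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))   # rejects e.g. 999.0.3.7
        except ValueError:
            return None
        user = m.group("user").strip('"').lower()           # normalise case for table keys
        return (kind, user, ip)
    return None


def parse_batch(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], int]:
    """Parse a batch of lines; returns (events, number_of_lines_skipped)."""
    events: List[Tuple[str, str, str]] = []
    skipped = 0
    for line in lines:
        ev = parse_identity_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


# Constructed sample syslog lines; none of these come from a real device.
SAMPLE_SYSLOG = [
    "<86>Jan 15 09:00:01 vpn01 vpn-gw: session start user=JDoe assigned-ip=10.0.1.5",
    "<86>Jan 15 09:00:02 radius01 radiusd: Acct-Status-Type=Start User-Name=asmith "
    "Framed-IP-Address=10.0.3.7 NAS-IP-Address=10.0.0.2",
    "<86>Jan 15 09:00:03 vpn01 vpn-gw: keepalive user=JDoe",            # no identity change
    "<86>Jan 15 12:00:00 vpn01 vpn-gw: session end user=JDoe assigned-ip=10.0.1.5",
    "<86>Jan 15 12:00:05 radius01 radiusd: Acct-Status-Type=Stop User-Name=asmith "
    "Framed-IP-Address=999.0.3.7",                                        # malformed IP
]


if __name__ == "__main__":
    parsed, dropped = parse_batch(SAMPLE_SYSLOG)
    for ev in parsed:
        print(ev)
    print(f"skipped {dropped} line(s)")
```

Two things to watch when writing real patterns: anchor on the message tag so an unrelated line that happens to contain "user=" is not parsed, and validate the captured address, since a permissive regex will happily return octets above 255 and pollute the mapping table with keys no flow will ever match.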


Next Steps

Identify your primary Identity Provider above to begin the technical configuration. If you use multiple providers (e.g., AD for on-prem and Okta for SaaS), you can configure multiple Identity Agents within EDFN.