Version: Next

Configuring User Identity Enrichment

Integrating user identity data into flow data enriches the information available for analysis, expediting incident investigations and enhancing overall security measures. By enriching flow data with user identity details, such as username, organizations can swiftly identify suspicious activities, detect unauthorized access, and respond promptly to security incidents. This enrichment enables security teams to gain deeper insights into network behavior and user interactions, ultimately reducing the time required for incident response and bolstering the overall security posture of the network environment.

User identity is provided by the EDFN agent User identity monitor, which builds two lookup lists:

  • IPv4, idp, username
  • IPv6, idp, username

where

  • idp is the identity provider that reported the IP address and username
  • IPv4 (or IPv6) is the IP address from which the user logged on
  • username is the user name or account name reported by the identity provider

In this release the agent supports the following methods:

  • Integration with Active Directory Domain Controller
  • Integration with Microsoft Entra ID
  • Integration with Okta
  • Integration with any identity management system reporting login/logout events via syslog

Configuration Steps

note

To configure integration with a User Identity system, on the left navigation bar select Modules, open the Network Conversations Monitor set by clicking on ..., and click on Module configuration 10062: Network Conversations Monitor. Scroll down to EDFN Agent User identity monitor and click on it.

You will be presented with the following configuration screen.

Set the common parameters, then select the appropriate tab to configure the integration with your identity systems.

note

Select the Excluded IP addresses tab to specify IP addresses that should not be included in user identity enrichment, for example the IP address of a Terminal Server from which multiple users are signing in.
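The following is an added illustration of the mechanism the page describes (the IP-keyed lookup lists and the Excluded IP addresses rule); it is example code written for this page, not the EDFN agent's own implementation. The event tuples, the identity provider names (ad-dc01, okta, entra), the IP addresses and the flow record layout are all constructed for the example. It shows why a shared address such as a Terminal Server is excluded: without exclusion, the last user to log on from that address would be attributed to every other user's flows from it.

```python
"""Illustration of IP-to-user lookup enrichment (added example, not EDFN code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, Optional, Tuple

# Constructed sample login/logout events, in the shape an identity provider
# might report them via syslog. Hypothetical field order: event, idp, ip, username.
SAMPLE_EVENTS = [
    ("login",  "ad-dc01", "10.0.1.25",    "alice"),
    ("login",  "okta",    "2001:db8::42", "bob"),
    ("login",  "ad-dc01", "10.0.9.9",     "carol"),  # Terminal Server, shared IP
    ("login",  "ad-dc01", "10.0.9.9",     "dave"),   # second user on the same IP
    ("logout", "ad-dc01", "10.0.1.25",    "alice"),
    ("login",  "entra",   "10.0.1.25",    "erin"),   # address reused by a new user
]


@dataclass
class UserIdentityLookup:
    """Two lookup lists keyed by IP (IPv4 and IPv6), each mapping to (idp, username)."""
    excluded: set = field(default_factory=set)          # IPs never enriched
    ipv4: Dict[IPv4Address, Tuple[str, str]] = field(default_factory=dict)
    ipv6: Dict[IPv6Address, Tuple[str, str]] = field(default_factory=dict)

    def _table(self, ip):
        return self.ipv4 if isinstance(ip, IPv4Address) else self.ipv6

    def apply(self, event: str, idp: str, ip_str: str, username: str) -> None:
        """Update the lookup list from one login/logout event."""
        ip = ip_address(ip_str)
        if ip in self.excluded:
            return                                      # shared address: keep no mapping
        table = self._table(ip)
        if event == "login":
            table[ip] = (idp, username)                 # most recent logon wins
        elif event == "logout" and table.get(ip) == (idp, username):
            del table[ip]                               # only the current owner can log out

    def lookup(self, ip_str: str) -> Optional[Tuple[str, str]]:
        ip = ip_address(ip_str)
        return self._table(ip).get(ip)


def build_lookup(events, excluded_ips=()) -> UserIdentityLookup:
    """Replay events into a fresh lookup, honouring the excluded-address list."""
    lookup = UserIdentityLookup(excluded={ip_address(x) for x in excluded_ips})
    for ev in events:
        lookup.apply(*ev)
    return lookup


def enrich_flow(flow: dict, lookup: UserIdentityLookup) -> dict:
    """Attach idp/user fields for both endpoints of a flow record (constructed layout)."""
    out = dict(flow)
    for side in ("src", "dst"):
        hit = lookup.lookup(flow[f"{side}_ip"])
        out[f"{side}_idp"], out[f"{side}_user"] = hit if hit else (None, None)
    return out


if __name__ == "__main__":
    lk = build_lookup(SAMPLE_EVENTS, excluded_ips=["10.0.9.9"])
    print(enrich_flow({"src_ip": "10.0.1.25", "dst_ip": "10.0.9.9", "dst_port": 443}, lk))
```

With 10.0.9.9 excluded, flows to or from the Terminal Server carry no user, while 10.0.1.25 resolves to erin (alice's logout cleared the earlier mapping). Without the exclusion the same address would resolve to dave, the last user to log on there, and carol's traffic would be misattributed.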

Don't forget!

Make sure that the user identity fields are included in the Module output.

For details, visit Network Conversations Output configuration