https://live.paloaltonetworks.com/t5/next-generation-firewall/the-mechanism-of-agentless-user-id-between-firewall-and/m-p/540515#M1188 <P>Hello,</P> <P>I will do my best to answer your questions:</P> <P lang="zh-CN"><STRONG>1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.</STRONG></P> <UL> <LI lang="zh-CN">The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable):&nbsp; <UL> <LI lang="zh-CN"><SPAN>The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).&nbsp;</SPAN></LI> </UL> </LI> </UL> <P lang="zh-CN"><STRONG>2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).</STRONG></P> <UL> <LI lang="zh-CN">This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.</LI> </UL> <P>Also here is an article with a bunch of links just for user-id:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC</A></P> <P>Regards,</P> Fri, 28 Apr 2023 21:00:50 GMT OtakarKlier 2023-04-28T21:00:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/the-mechanism-of-agentless-user-id-between-firewall-and/m-p/540417#M1186 <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN">The customer wants to know the query mechanism of agentless user-id. I can see the following description from the documentation.&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN">With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN"><STRONG>However, the customer asked two questions. I did not find the answers.&nbsp;Can you help answer.</STRONG></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN"><STRONG>1) When querying, does PA first pull the security event log of AD to PA's local location and then check again. </STRONG></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN"><STRONG>2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).</STRONG></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="zh-CN"><STRONG><LI-PRODUCT title="User-ID" id="User-ID"></LI-PRODUCT>&nbsp;</STRONG></P> Fri, 28 Apr 2023 04:10:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/the-mechanism-of-agentless-user-id-between-firewall-and/m-p/540417#M1186 wxiao 2023-04-28T04:10:23Z https://live.paloaltonetworks.com/t5/next-generation-firewall/the-mechanism-of-agentless-user-id-between-firewall-and/m-p/540515#M1188 <P>Hello,</P> <P>I will do my best to answer your questions:</P> <P lang="zh-CN"><STRONG>1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.</STRONG></P> <UL> <LI lang="zh-CN">The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable):&nbsp; <UL> <LI lang="zh-CN"><SPAN>The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).&nbsp;</SPAN></LI> </UL> </LI> </UL> <P lang="zh-CN"><STRONG>2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).</STRONG></P> <UL> <LI lang="zh-CN">This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.</LI> </UL> <P>Also here is an article with a bunch of links just for user-id:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC</A></P> <P>Regards,</P> Fri, 28 Apr 2023 21:00:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/the-mechanism-of-agentless-user-id-between-firewall-and/m-p/540515#M1188 OtakarKlier 2023-04-28T21:00:50Z