topic Re: User-ID Agent in General Topics

User-ID Agent

aveva_palo — Fri, 11 Feb 2011 17:03:20 GMT

Is it possible to use the User-ID Agent to scan the logs from a machine configured as an Event Collector. I have an event log called "Forwarded Events" which holds centralised logon/logoff events for another tool. It would be good to leverage that information for Palo too.

Regards

Gary

Re: User-ID Agent

gswcowboy — Fri, 11 Feb 2011 18:05:28 GMT

Hi Gary,

That sounds like an enhancement request for your local SE as here's what the agent is intended to do:

Pan-agent is a Windows application/service doing the following tasks:

Get Groups/Users from the configured domain controller and send to Pan Device
Get the IP-Username mapping for the configured domain and send to Pan Device

Ø Read security logs from the configured domain controllers to analyze the domain user logon event

Ø If enabled, probe the user IP detected from the security log reading to see if the user is sill logged on that IP

Ø Enumerate the net sessions from the configured domain controllers to get the IP-Username mappings for the net session

Forward the NTLM message received from Pan Device to the domain controllers and vice versa to support NTLM authentication

Thanks,

Renato

Re: User-ID Agent

James — Fri, 11 Feb 2011 18:21:44 GMT

Hi Gary,

You may be able to script something and use our XML API into the user-ID agent.

Thanks

James

Re: User-ID Agent

kimalat — Thu, 26 Apr 2012 01:14:13 GMT

how would i do that, any help would be apperciated