Can alternate usernames be used for Credential Detection?

marroz — Fri, 17 May 2019 03:48:32 GMT

We are using Multiple Username Formats under Group Mapping and E-mail address as one of the alternate usernames. Output for CLI command show user user-attributes user all displays e-mail address as Alt Username.
We have also User Credential Detection enabled and using Group Mapping mode.

The problem is when a user enters credentials in some website, Credential detection works only if primary username is used. If an e-mail address (in our case alternate username) is used as a username, Credential Detection does not detect it at all.

So the question is: should Credential Detection be able to use alternate usernames and I am missing something or there is no such feature (yet)?

Re: Can alternate usernames be used for Credential Detection?

BPry — Thu, 16 May 2019 20:55:19 GMT

What method are you actually using to check for submissions?

Re: Can alternate usernames be used for Credential Detection?

marroz — Fri, 17 May 2019 03:55:37 GMT

I'm not sure I fully understand Your question.

User Credential Detection is enabled under URL Filtering Profile and Group Mapping mode is used to check for valid corporate usernames - if that is what You are asking.

Re: Can alternate usernames be used for Credential Detection?

Retired Member — Fri, 18 Oct 2019 13:22:57 GMT

@marroz

Answer is - no. Multiple Username Formats cannot be used with Credential Phishing Prevention because Data Plane is only made aware of the Primary Username. Can be called a limitation of the current design.

Information confirmed by PANW SE.

I have written Custom Vulnerability Object to detect transfer of e-mail address in HTTP. Should be used with Packet Capture feature of Vulnerability Protection profile.

<vulnerability-threat version="8.1.0"> <entry name="43999"> <signature> <standard> <entry name="E-Mail_in_HTTP_Headers"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> <entry name="req-hdr-type"> <value>AUTHORIZATION</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-headers</context> <negate>no</negate> </pattern-match> </operator> </entry> <entry name="Or Condition 2"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>POST</value> </entry> <entry name="req-hdr-type"> <value>AUTHORIZATION</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-headers</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>protocol-data-unit</scope> </entry> <entry name="E-Mail_in_HTTP_Body"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-message-body</context> <negate>no</negate> </pattern-match> </operator> </entry> <entry name="Or Condition 2"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>POST</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-message-body</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>protocol-data-unit</scope> </entry> <entry name="E-Mail_in_HTTP_MIME"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-mime-form-data</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>protocol-data-unit</scope> </entry> <entry name="E-Mail_in_HTTP_Params"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-params</context> <negate>no</negate> </pattern-match> </operator> </entry> <entry name="Or Condition 2"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>POST</value> </entry> </qualifier> <pattern>(([A-Za-z]+|[A-Za-z]+\.[A-Za-z]+)(@EXAMPLE\.ORG|@example\.org))</pattern> <context>http-req-params</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>protocol-data-unit</scope> </entry> </standard> </signature> <default-action> <alert/> </default-action> <threatname>E-Mail_in_HTTP</threatname> <severity>high</severity> <direction>client2server</direction> <vendor> <member>Asseco Poland S.A.</member> </vendor> <comment>Identification of the business email address transfer in HTTP</comment> <affected-host> <client>yes</client> </affected-host> </entry> </vulnerability-threat>

Re: Can alternate usernames be used for Credential Detection?

marroz — Fri, 18 Oct 2019 13:42:20 GMT

Thank you @Retired Member!

I will check the workaround with your Custom Vulnerability.

topic Can alternate usernames be used for Credential Detection? in General Topics

Can alternate usernames be used for Credential Detection?

Re: Can alternate usernames be used for Credential Detection?

Re: Can alternate usernames be used for Credential Detection?

Re: Can alternate usernames be used for Credential Detection?

Re: Can alternate usernames be used for Credential Detection?