I'm noticing that when a user connects to a server using RDP with a different username, the PAN-Agent is reading that username and associating it with the user's computer.
For instance, a programmer named 'jdoe' connects to a web server from his PC using IP address 172.16.3.3 using the username 'webadmin'. The traffic logs now read that 'webadmin' is logged on to 172.16.3.3.
Is anyone else having this problem?
According to some docs, the following event IDs are being monitored by the PAN agent:
So I find it interesting that your event ID 4624 would have something to do with this... Has the PAN agent been updated to cover even the 4624 events for some odd reason?
I'm seeing the same problem. User1 logs into PC1, then RDPs to SERVER1 as User2. The PA then shows User2 mapped to the address of PC1.
Are you saying that if you wait long enough the WMI probing will resolve the mappings and the PA will see User2->SERVER1 and User1->PC1?
Can anyone from Palo Alto comment on whether this behavior was by design? Any plans or suggestions on how to address this?