User-ID Agent Ignore a group of users

L2 Linker

Hello everyone,

Is it possible to ignore a group of users with the User-ID Agent, and also on the firewall without the agent?

I tried to add a group (example\Ignore User-ID) to the ignore_user_list.txt for the agent, but it did not seem to work.

I also tried:

example\Ignore User-ID

Ignore User-ID

"example\Ignore User-ID"

"Ignore User-ID"

'example\Ignore User-ID'

'Ignore User-ID'

 

Maybe it is only possible for single user accounts and not for groups? But I think this would be a really good feature.

It would be nice if anyone could give me a hint on this.

Best Regards

Marco

1 accepted solution

Accepted Solutions

Cyber Elite

You can't ignore a user group

The User-ID agent records user IDs as they come in through events and then simply matches the user ID against the ignore list to see if it needs to be ignored; there is no group membership lookup.

There is a feature request, however, so you can reach out to your local sales team and have them add your vote to FR ID: 1172.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


L7 Applicator

I can't see how this would be possible, as user-to-IP mappings are per user, not per group.

I can't see why you would want to ignore a group of users... if it's for a security policy then just use the group information in the policy and deny it...


Thank you very much for your reply.

I want to ignore a group of users to prevent the "normal" accounts of the administrators from being overwritten by the administrative account of that user.

For example, there is a rule for Internet traffic with User-ID. Traffic is allowed for all normal users, not for administrative accounts.

I'm working on my computer with my normal account "marco". Then I connect to a server via RDP using my administrative account "marco-admin". Sometimes User-ID then thinks my computer is assigned to "marco-admin" and I cannot access the Internet.

Hi @Clermont

This is very unfortunate!

Do you have a lot of admins? You can use wildcards in usernames in the ignore list, but only as the last character.

So if you could change your usernames, you would be able to ignore all admin-*.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
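
Added example (my own illustration, not code from this thread or from Palo Alto Networks, whose agent implementation is not public) modelling the ignore-list behaviour Tom describes: an entry is compared with the username carried by the logon event, '*' only works as the last character, and a group name is never expanded. The domain name, the group members, the case-insensitive comparison and the one-entry-per-line file layout are assumptions. The last function is the practical workaround for the missing group support: enumerate the group's members out of band and write them to the file as explicit domain\user entries, the form recommended later in this thread.

```python
"""Model of the ignore_user_list.txt matching described in this thread.

Added example for illustration; not Palo Alto Networks code. Assumptions:
  * one entry per line, compared against the username found in the logon
    event (case-insensitively here),
  * '*' is a wildcard only as the last character; anywhere else it is a
    literal, so '*adm' cannot catch 'marco-adm',
  * entries are written as domain\\user.
"""
from __future__ import annotations


def parse_ignore_list(text: str) -> list[str]:
    """Return the non-blank entries of an ignore list file, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def entry_matches(entry: str, username: str) -> bool:
    """Match one list entry against the username carried by a logon event.

    There is no group lookup: the entry is compared with the username string
    itself, so a group name such as 'example\\Ignore User-ID' only matches an
    account literally called that.
    """
    e, u = entry.lower(), username.lower()
    if e.endswith("*"):                 # trailing wildcard: prefix match
        return u.startswith(e[:-1])
    return e == u                       # otherwise exact match


def is_ignored(entries: list[str], username: str) -> bool:
    """True if any entry of the list matches the event's username."""
    return any(entry_matches(e, username) for e in entries)


def build_ignore_list(domain: str, members: list[str]) -> str:
    """Expand a group's member list into explicit domain\\user entries.

    Workaround for the missing group support: enumerate the group's members
    out of band (AD tooling, a directory export) and write each one to the
    file. Re-run it whenever the group changes.
    """
    return "".join(f"{domain}\\{m}\n" for m in sorted(members, key=str.lower))


# Constructed sample data: members of a hypothetical 'Ignore User-ID' group.
ADMIN_GROUP_MEMBERS = ["marco-adm", "anna-adm", "svc-backup"]


def demo() -> dict[str, bool]:
    """Show which event usernames the generated list would ignore."""
    entries = parse_ignore_list(build_ignore_list("example", ADMIN_GROUP_MEMBERS))
    seen_in_events = [
        "example\\marco-adm",   # explicit entry, ignored
        "example\\marco",       # normal account, still mapped
        "example\\MARCO-ADM",   # case differences do not matter in this model
    ]
    return {u: is_ignored(entries, u) for u in seen_in_events}


if __name__ == "__main__":
    print(build_ignore_list("example", ADMIN_GROUP_MEMBERS), end="")
    for user, ignored in demo().items():
        print(f"{user:<22} ignored={ignored}")
    # A group name in the list never matches, and a leading '*' is not a wildcard:
    print(is_ignored(["example\\Ignore User-ID"], "example\\marco-adm"))  # False
    print(is_ignored(["example\\*adm"], "example\\marco-adm"))            # False
    print(is_ignored(["example\\admin-*"], "example\\admin-marco"))       # True
```

Running it prints the three generated entries and then shows that the group name and the "*adm" entry from this thread never match a real event username, while a trailing wildcard like admin-* does.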

Wow... how odd... I can understand the "server IP" mapping to marco-admin but was not aware that the "client device IP" could also be associated with the username used to log on to the server...

Is this because of some network-level authentication?

I'll need to watch out for that.....

Cheers for the info.

OK, just RDP'd with my test account and the client IP mapping also changed to the test account.

I can now see how this could be useful...

Thanks again for the info/explanation.

Thanks for your fast reply.

Unfortunately, our admin accounts end with "*adm" 😕

I have about 30 accounts. I think I will add them manually.

Just to make sure: do I have to add them with the domain prefix "domain\marco-admin" or is the username "marco-admin" enough?

Have a nice weekend

Is this a bug or a feature? We are just getting started with User-ID, and I can see this being an issue for us working in the IT dept. We use RDP a lot.

Maybe something of both, because the RDP logon on a server is linked to your local machine in User-ID. So we decided to ignore the administrative accounts for User-ID, which would be much easier with a group.

@TerjeLundbo, not sure if I would class this as a bug, more of a feature with some annoying aspects.

I have used User-ID for some time now and have never had this issue, but only because my user logon also has server admin rights.

I have only become aware of this via this post, love this site....

If you use a different account for RDP, then it will/could be an issue.

@Clermont I'd recommend adding the domain while you're at it (not sure if mandatory, but I have always done it that way).

@TerjeLundbo which part are you referring to exactly? 🙂 The RDP anomaly is kinda how Microsoft handles authentications (it passes along your source IP with the auth, so the User-ID agent gets the log and sees your admin PC's IP even though you're logging in remotely).

The ignore user list is there to help prevent this issue, and also in case there are automated scripts running on a workstation that could trigger after a user has logged on and cause a new authentication log for the workstation's IP with a service account.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

If we want to have User-ID based rules for admin accounts too, to grant access to management systems etc., that of course won't work if we filter out those accounts in the User-ID agents.

That's correct, depending on the scenario:

When RDPing into a remote system, the IP mapping of the source (to which the admin is already logged in) will be affected.

If the admin then starts performing local tasks "as administrator", there'll be a secondary authentication that affects the remote system.

You can also enable probes (NetBIOS or WMI), which will periodically poll workstations for their actual 'logged in' user, so if the IP is hijacked by an admin or service account, the probe will correct that mapping as well.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
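
Added example (an illustration of my own, not code from this thread or from Palo Alto Networks) replaying the RDP case and the service-account case above as a small IP-to-user mapping table: a logon event that carries the workstation's source IP overwrites the mapping for that IP, an ignore-list entry makes the agent drop the event instead, and a probe result restores the interactively logged-on user. All names, addresses, host names and the event/probe shapes are assumptions; the real agent's log parsing and probe logic are not modelled.

```python
"""Timeline model of the IP-to-user mapping behaviour discussed above.

Added example for illustration; not Palo Alto Networks code. The event and
probe shapes are simplified stand-ins for the agent's security-log reader and
its NetBIOS/WMI probe, and every name, IP and host below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class LogonEvent:
    username: str     # account that authenticated, e.g. 'example\\marco-adm'
    source_ip: str    # workstation address carried in the event
    log_host: str     # host whose security log produced the event


@dataclass
class MappingTable:
    ignored: set[str] = field(default_factory=set)    # lower-case exact entries
    ip_to_user: dict[str, str] = field(default_factory=dict)
    dropped: list[LogonEvent] = field(default_factory=list)

    def on_logon(self, ev: LogonEvent) -> None:
        """Security-log path: the newest event for an IP wins, unless the
        account is on the ignore list, in which case the event is dropped."""
        if ev.username.lower() in self.ignored:
            self.dropped.append(ev)
            return
        self.ip_to_user[ev.source_ip] = ev.username

    def on_probe(self, ip: str, interactive_user: str | None) -> None:
        """Probe path: the workstation reports who is really logged on.
        A failed probe (None) leaves the existing mapping untouched here."""
        if interactive_user is not None:
            self.ip_to_user[ip] = interactive_user


CLIENT, SERVER = "10.1.1.5", "10.1.2.50"   # constructed addresses


def rdp_scenario(use_ignore_list: bool, run_probe: bool) -> dict[str, str]:
    """Replay Marco's scenario and return the resulting IP-to-user table."""
    table = MappingTable(ignored={"example\\marco-adm"} if use_ignore_list else set())
    # 1. Marco logs on to his workstation with the normal account.
    table.on_logon(LogonEvent("example\\marco", CLIENT, "dc01"))
    # 2. He opens RDP to the server with the admin account. The authentication
    #    event carries the workstation's address as its source, so without the
    #    ignore list the *client* IP is re-mapped to the admin account.
    table.on_logon(LogonEvent("example\\marco-adm", CLIENT, SERVER))
    # 3. Optionally a NetBIOS/WMI probe asks the workstation who is logged on
    #    interactively, which puts the normal account back.
    if run_probe:
        table.on_probe(CLIENT, "example\\marco")
    return dict(table.ip_to_user)


def service_account_scenario() -> dict[str, str]:
    """Tom's second case: a scheduled script on the workstation authenticates
    as a service account after the user has logged on; the ignore list keeps
    the workstation mapped to the interactive user."""
    table = MappingTable(ignored={"example\\svc-backup"})
    table.on_logon(LogonEvent("example\\marco", CLIENT, "dc01"))
    table.on_logon(LogonEvent("example\\svc-backup", CLIENT, "dc01"))
    return dict(table.ip_to_user)


if __name__ == "__main__":
    print("no ignore list, no probe:", rdp_scenario(False, False))
    print("ignore list:             ", rdp_scenario(True, False))
    print("probe only:              ", rdp_scenario(False, True))
    print("service account ignored: ", service_account_scenario())
```

The first line of output shows the hijack (10.1.1.5 mapped to marco-adm); the other three show the two fixes discussed in the thread, the ignore list dropping the admin event and the probe correcting the mapping afterwards. Both can be enabled together, since the probe only helps after the fact and does nothing for accounts the agent should never map at all.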

Hello,

So I ran into a similar situation and found that using Exchange logs instead of a domain controller's security logs refreshed faster, since Outlook is constantly authenticating to Exchange. Not sure if that will work in your environment.

Regards,

  • 1 accepted solution
  • 5996 Views
  • 14 replies
  • 0 Likes