This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

The mechanism of agentless user-id between firewall and monitored server.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

The mechanism of agentless user-id between firewall and monitored server.

Go to solution
wxiao
L2 Linker

‎04-27-2023 09:10 PM

The customer wants to know the query mechanism of agentless user-id. I can see the following description from the documentation. 

 

With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.

 

However, the customer asked two questions. I did not find the answers. Can you help answer.

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

 

User-ID 

User-ID
Thumbnail of User-ID
Palo Alto Networks
User-ID
Network Security
View on Product Page
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-28-2023 02:00 PM

Hello,

I will do my best to answer your questions:

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

  • The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable): 
    • The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success). 

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

  • This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.

Also here is an article with a bunch of links just for user-id: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Regards,

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-28-2023 02:00 PM

Hello,

I will do my best to answer your questions:

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

  • The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable): 
    • The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success). 

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

  • This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.

Also here is an article with a bunch of links just for user-id: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Regards,

0 Likes Likes
  • 1 accepted solution
  • 1332 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks