The mechanism of agentless user-id between firewall and monitored server.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

The mechanism of agentless user-id between firewall and monitored server.

L2 Linker

The customer wants to know the query mechanism of agentless user-id. I can see the following description from the documentation. 

 

With server monitoring a User-ID agent—either a Windows-based agent running on a domain server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.

 

However, the customer asked two questions. I did not find the answers. Can you help answer.

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

 

User-ID 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

I will do my best to answer your questions:

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

  • The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable): 
    • The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success). 

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

  • This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.

Also here is an article with a bunch of links just for user-id: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Regards,

View solution in original post

1 REPLY 1

Cyber Elite
Cyber Elite

Hello,

I will do my best to answer your questions:

1) When querying, does PA first pull the security event log of AD to PA's local location and then check again.

  • The palo alto searches the logs for the events and then creates a mapping of user-id to IP address, it thes uses the mapping for current and future lookups until they timeout (configurable): 
    • The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success). 

2) If it is an action to pull AD logs to the local location, how much log volume does pa pull at a time (defined by the number of log entries or time period).

  • This one I dont know but think it will look past the configured 'timeout', ie if its set to 1 hour, its not going to look at logs older than 1 hour. But the agent check every hour by default and can be changed. Mine is set to 5 minutes.

Also here is an article with a bunch of links just for user-id: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Regards,

  • 1 accepted solution
  • 1819 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!