User attribution is one of the things I’m asked for most frequently by customers who are looking at network traffic analytics. The use case is quite simple. In a DHCP environment it can be really cumbersome to see who was actually logged in to a machine when an incident occurred. Beyond that, once you capture authentication data, a system can use it in a machine learning algorithm that tracks abnormal behavior.
All sounds good, right? The only problem is that the most varieties of network metadata do not include username inside the flow records. Luckily, there are vendors out there that do provide this information. It’s just a matter of accessing it.
Scrutinizer has a database table that is specifically used for IP Address to Username correlation. We have worked with customers to integrate identity services such as Active Directory, Cisco ISE, Palo Alto, and now CounterACT with our incident response platform.
Integration with ForeScout CounterACT
The first step is to ensure that you have the proper licensing from ForeScout. They require the ForeScout Open Integration Module License – luckily you can request a 90-day trial if you don’t have it now.
The next step is to set up the connection to Scrutinizer’s database. The DB Name is plixer, the username is scrutremote, the port is 5432, and the password is whatever you set it to during the installation process.
Once you have confirmed connectivity to the Scrutinizer database, you will need to build the query statement to insert user information into the database. Select ‘Add’ from the General pane of the Add Query Statement wizard.
Here is an example query you can use to populate this database table within Scrutinizer.
INSERT INTO plixer.summary_authentication_ip( ipaddress, username, domain, datasource, first_seen, last_login, last_logoff) VALUES (inet_a2b('{ip}'),'{user}','{nbtdomain}','counteract',UNIX_TIMESTAMP(NOW()),UNIX_TIMESTAMP(NOW()),UNIX_TIMESTAMP(NOW() + '86400 seconds')) ON CONFLICT (ipaddress,username,machine_name) DO UPDATE SET last_login = UNIX_TIMESTAMP(NOW());
Accessing the Data:
Once this integration is complete, new reports and data will become available automatically. One of the more useful reports, User name by IP, will become available under the ‘Source’ or ‘Destination’ categories held within our report menu.
Usernames will also automatically be added to the Alarms tab as an attribution point when any of the Network Traffic Analytics Policies are violated within the system.
Scrutinizer also provides the ability to query your entire data set with a search by user name. Customer find that asking the system to show them everything ‘Bob’ did over the course of a week is a lot more useful then asking what IP address x.x.x.x did.
Lastly, the next release of Scrutinizer will include an algorithm that baselines normal user behavior and alerts if credentials may have been stolen or compromised. In today’s incident response world, user attribution is a must-have. Please contact support if setting up the integration with CounterACT is something you would like help with!
