User to IP Address Mapping Through Active Directory

We have added support for extracting successful user logins through MS Active Directory for Silver and Gold subscriptions. You can now install a MetaFlows agent (nsm_logc) on your Active Directory servers to export Windows logs to your sensor(s). The agent will also export other critical Windows events to the sensor so that you can record that information and perhaps correlate it with other security events. Although we recommend installing the MetaFlows agent nsm_logc, this mechanism will also work if you install Snare (commercial) or eventlog-to-syslog (open source) instead of nsm_logc. One advantage of nsm_logc is that the logs are exported through an encrypted channel rather than being sent in clear text.

In any case, the end result will be that any time a user logs in from a specific IP Address, (1) a real-time service discovery alert is generated and logged, and (2) his/her identity is associated with any alert which involves that IP Address. The user identity is appended to the alert messages and is therefore searchable as any other string. Information on how to install the AD agents and some screen shots are here.

As always, do not hesitate to contact us if you have any questions or if you encounter any problems implementing this exciting new feature.

Happy Hunting!

The MetaFlows Team

One thought on “User to IP Address Mapping Through Active Directory”

Comments are closed.