However, having the user identity directly in flow monitoring system is not that difficult. All you need is a reliable source of user identities providing IP address, user identity and time stamp. This general concept enables to integrate information about users in flow data from various sources like Active Directory, Cisco Identity Services Engine, Checkpoint firewall, VPN or using simple DHCP server (having as user identity name of PC). All you have to do is send these logs to Flowmon Collector using syslog protocol and adjust the parsing rule to understand the log and retrieve information about IP, user identity and time. And you have to do it online so Flowmon can create a map of user identities related to active IPs and store this information as part of flow data as they reach to Collector. Adding user identities retrospectively in GUI when needed is not an approach that can work.
Figure 1: General concept of user identity awareness in Flowmon.
Each flow record than contains items “source IP user ID” and “destination IP user ID” which enables you to look for particular traffic related to concrete user. When investigating security incident that happened one week ago you still have accurate information about users hidden behind involved hosts. New top N statistics based on user identities are available which means that you can use this attribute in online analysis as well as long term reporting.
Figure 2: Top N destination user identities based on amount of transferred data. First one (blue) is my laptop and second one (red) is my cell phone.
Moreover, this attribute can be used for filtering using keyword “uid” or “src uid” or “dst uid” to show only traffic related to particular users. Information about user identity is part of each flow record.
Figure 3: Flow listing showing user identity for each flow.
This feature is available since Flowmon 7.02.00 as part of Flowmon Collector without the need of any additional licenses. Using Flowmon Configuration Center you can configure external syslog sources as well as parsing rules for individual log formats. Looking into third party systems for user identities while analyzing flow data is no longer needed therefore troubleshooting and investigation of security incidents is more efficient and less time consuming.