This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ED
Advisor
‎2019-01-10 02:27 AM
Jump to solution

Application log shows different usernames

Hi,

This is a screenshot from an Application log which shows me two different usernames.

Marked with orange and number 1 have the same username. Marked with blue is a different username. Why is destination user name different from the User field?

0 Kudos
1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor
‎2019-01-10 03:19 AM
In response to ED
Jump to solution

Because user b logged in to the database server (on the windows system) and the IP of the server was associated with this user.

A session from user a only shows this information as this information was not deleted (has not timed out).

View solution in original post

8 Replies
Norbert_Bohusch
Advisor
‎2019-01-10 02:46 AM
Jump to solution

Destination Username is the one associated to destination IP.

0 Kudos
ED
Advisor
‎2019-01-10 03:05 AM
In response to Norbert_Bohusch
Jump to solution

Associated in which way? Can you explain more please. 

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-10 03:07 AM
Jump to solution

By identity awareness depending on your configuration. I assume ADquery or IDC.

0 Kudos
ED
Advisor
‎2019-01-10 03:14 AM
In response to Norbert_Bohusch
Jump to solution

I understand that. But if user a access a MS-SQL database, why is a different user b shown on destination username?

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-10 03:19 AM
In response to ED
Jump to solution

Because user b logged in to the database server (on the windows system) and the IP of the server was associated with this user.

A session from user a only shows this information as this information was not deleted (has not timed out).

ED
Advisor
‎2019-01-10 03:31 AM
In response to Norbert_Bohusch
Jump to solution

Thanks for explaining. Since this was a correlated log showing user a accessing a database I don't see the point in this log of having the information about user b that is associated with that server. Do you?

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-10 03:33 AM
In response to ED
Jump to solution

I wouldn't need this information, but better have an information I don't need, than omitting it 🙂

Btw. if you don't need identity awareness on your servers (as source), you could exclude the server networks generally from IDC or ADquery.

0 Kudos
Sean_OConnor
Explorer
‎2022-02-01 02:57 PM
In response to Norbert_Bohusch
Jump to solution

While I usually see omitting data as a bad thing, in this case I was misled by the wording "Destination User Name". In my experience, some logs look like user a is a compromised account that's trying to access the system at the IP that user b is associated to. I'll be updating my team and any others that ask about that feature. Maybe a name change on those fields can be considered? Also "Dst User Dn"

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top