GMS 9.2 Threats : Fails to Identify Users & Hosts
Halon5 Enthusiast ✭✭
in Water Cooler
Fundamental information is simply not reported.
Terminal Services and AD Integration is employed but IMPERATIVE INFORMATION REQUIRED to resolve potential threat targets is simply "MISSING IN ACTION".
*** USER NAMES ***
*** HOST NAMES ***
Hey ! Here all a bunch of threats(maybe). "Good Luck" ??? ARGGHHH !!
Category: Water Cooler
Hey! You will be signed out in 60 seconds due to inactivity. Click here to continue using the site.
Can you show us screenshots of what you mean? Are you using GMS IPFIX or Syslog?
Yes, My Master,
NO LOGGED ON USERNAMES (Terminal Services Users) nor HOSTNAMES are Present. IP's are useless since in the case of desktops and laptops they may be dynamic. We need to be able to focus on the constants ...
WHY ???? So we can FIND THE DEVICE AND USER. Then we can do something. e.g Kill the user or the device.
While we are at it the ZONE name would also be useful. Then we would know if its "IMPORTANT". e.g Guests might not be important. Internal LAN would be important.
While there are lots of fields that can be added the CRITICAL ONES can not be found.
BTW we have setup 9.2 as FLOW , so IPFIX.
The current iteration of CSC supports user based analytics and GMS is using the same engine for reporting at the moment. It should get this capability added in the somewhat near future.
Well its pretty hopeless not being able to identify USERNAMES and HOSTNAMES that (supposedly) have viruses.
A MAJOR and a SERIOUS issue. Don't you think?
What's the point of a security product that cant identify the threat target?
I agree that having User info along with these blocked events would be helpful. As mentioned it should be something added in the future. If this level of filtering is needed now, I recommend trying a syslog based deployment of GMS 9.2 where you can filter by user name on the reports.
Hey @Brian ,
I hear they are bringing the syslog and flow data together in 9.3 ?
Today, the data presented just seems to kind of stop just before you get to the detail you need. Quite frustrating.
We also really need to be able to understand what we need to exclude out of the UTM Security and that is so difficult to identify.
e.g a terminal user is regularly opening PDF's and getting stopped by capture. Those PDF's are generated from a bona fide organisation.
We only want to challenge stuff from unknown sources so we need to be able to "see" the regular stuff getting stopped so we can "whitelist".
This also includes apps we use for backup, RMM, AV tools and so on.
Should be made easy. It ain't.