Identity and Location Dashboard

In many situations, you would like to know which user is using an IP address and where the user connected from. The Identity and Location Dashboard provides an audit trail of this information by linking:

  • Network Identity - IP address, or MAC address
  • User identity - user name, host name, or domain
  • Location - a wired switch port, a wireless LAN controller, or VPN gateway

The following sections provide more information about the Identity and Location Dashboard:

Data Source

This association is built over time by combining information from the following events:

  • Active Directory logon events – such as Win-Security-540 and Win-Security-4624 that provide IP Address, User, and Domain information
  • DHCP events – these provide IP, MAC address, and sometimes host name information. Events include:
    • WIN-DHCP-IP-LEASE-RENEW
    • WIN-DHCP-IP-ASSIGN
    • FortiGate-event-DHCP-response-Request
    • FortiGate-event-DHCP-response-Ack
    • AO-WUA-DHCP-IP-LEASE-RENEW
    • AO-WUA-DHCP-IP-ASSIGN
    • Linux_DHCPACK
    • Generic_DHCPACK
    • Cradlepoint-dhcp-updated
  • VPN logon events – these provide IP and user information. Events include:
    • ASA-713228
    • Juniper-SecureAccess-Session-Start
    • Cisco-VPN3K-IKE/25
    • ASA-722022
    • ASA-713049-Client-VPN-Logon-success
    • FortiGate-ssl-vpn-session-tunnel-up
    • ASA-113019
  • WLAN logon events – these provide IP and user information. Events include:
    • Aruba-1014-wlsxNUserEntryCreated
    • FortiGate-Wireless-Client-IP-Assigned
    • Cisco-WLC-53-bsnDot11StationAssociate
  • Cloud Service logon events – these provide IP and user information. Events include:
    • AWS-CloudTrail-SIGNIN-ConsoleLogin-Success
    • Google_Apps_login_login_success
    • Salesforce_Login_Success
    • OKTA-USER-AUTH-LOGIN-SUCCESS
    • MS_OFFICE365_UserLoggedIn_Succeeded
  • AAA Authentication events - these provide IP and user information. Events include:
    • Win-IAS-PassedAuth
    • CisACS_01_PassedAuth
  • FortiSIEM Discovery events – these provide IP, user, and location information. Events include:
    • PH_DISCOV_HOST_LOCATION
    • PH_DISCOV_CISCO_WLAN_HOST_LOCATION
    • PH_DISCOV_ARUBA_WLAN_HOST_LOCATION
    • PH_DISCOV_GEN_WLAN_HOST_LOCATION

Adding to the Data Source

You can modify the file /opt/phoenix/config/identityDef.xml to add new events. Remember to restart the phIdentityMaster and phIdentityWorker modules on all nodes after making the changes.

Viewing Identity and Location Dashboard

The Identity and Location Dashboard is a spreadsheet-style tabular dashboard that displays the following information:

  • IP Address - IP address of the host whose identity and location are recorded in this entry. You can view IP addresses with country flags on a map by clicking Locations.
  • MAC Address - MAC address of the host.
  • User Name - User associated with this IP address. Obtained from one of the event types listed in the Data Source section.
  • Host Name - Host name from which the IP address was used. Obtained from one of the event types listed in the Data Source section.
  • Domain - Provides context for the User. The information displayed here depends on the logon event type it was obtained from:
    • Windows Domain Logon: Domain name
    • VPN Logon: reporting IP address of the VPN gateway
    • WLAN Logon: reporting IP address of the WLAN controller
    • AAA Logon: reporting IP address of the AAA server
  • VLAN ID - For hosts directly attached to a switch, this is the VLAN ID of the switch port.
  • Connected to - For hosts attached to a switch port, this is the switch name, reporting IP address, and interface name.
  • First Seen - The time at which this entry was first created in the AccelOps Identity and Location database.
  • Last Seen - The time at which some attribute of this entry was last updated. If there is a conflict, for example, a host acquiring a new IP address because of DHCP, then the original entry is closed and a new entry is created. A closed entry will never be updated.
  • Organization - Displays the Organization to which the IP address belongs for Service Provider installations in a Super/Global View.
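To make the Data Source and First Seen/Last Seen rules concrete, here is an added example (illustration only, not FortiSIEM's or AccelOps' own code) that builds an identity-and-location table from a constructed event stream using the event type names listed above. The attribute keys of the events, the timestamps, the sample users, hosts, MACs and IPs, and the mapping from event type to contributed attributes are all assumptions. The example applies the rules the page describes: attributes for the same IP are merged over time, a conflict such as a host acquiring a new IP through DHCP closes the old entry and opens a new one, and a closed entry is never updated again. It also answers the audit question the page opens with: which user had a given IP address at a given time.

```python
"""Identity/location correlation, added illustration (not FortiSIEM code).

Merge and close rules follow the page: same-IP attributes merge over time,
a conflict (e.g. a MAC taking a new DHCP lease on another IP) closes the old
entry and opens a new one, and a closed entry is never updated again.
Event type names come from the page; attribute keys, timestamps and sample
values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping: which identity attributes each event type contributes.
# For VPN, WLAN and AAA logons the page says "Domain" holds the reporting IP
# of the gateway/controller/server, so the "reporter" key lands in `domain`.
EVENT_FIELDS = {
    "Win-Security-4624": {"user": "user", "domain": "domain"},
    "WIN-DHCP-IP-ASSIGN": {"mac": "mac", "host": "host"},
    "Linux_DHCPACK": {"mac": "mac", "host": "host"},
    "FortiGate-ssl-vpn-session-tunnel-up": {"user": "user", "reporter": "domain"},
    "Cisco-WLC-53-bsnDot11StationAssociate": {"user": "user", "reporter": "domain"},
    "Win-IAS-PassedAuth": {"user": "user", "reporter": "domain"},
}
# A change in one of these means a different host or user now owns the IP.
CONFLICT_FIELDS = ("mac", "user", "host")


@dataclass
class Entry:
    ip: str
    first_seen: int
    last_seen: int
    mac: Optional[str] = None
    user: Optional[str] = None
    host: Optional[str] = None
    domain: Optional[str] = None
    closed: bool = False


class IdentityTable:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def _open_for(self, **match) -> Optional[Entry]:
        """Return the open (not closed) entry matching all given attributes."""
        for e in self.entries:
            if not e.closed and all(getattr(e, k) == v for k, v in match.items()):
                return e
        return None

    def process(self, ev: dict) -> None:
        fields = EVENT_FIELDS.get(ev["type"])
        if fields is None:  # not an identity event; ignore it
            return
        attrs = {dst: ev[src] for src, dst in fields.items() if src in ev}
        ip, t = ev["ip"], ev["time"]

        # Rule 1: a MAC appearing on a different IP (new DHCP lease) closes
        # the entry it previously held; that entry is never touched again.
        if "mac" in attrs:
            old = self._open_for(mac=attrs["mac"])
            if old is not None and old.ip != ip:
                old.closed = True

        # Rule 2: a conflicting attribute on the same IP closes that entry.
        entry = self._open_for(ip=ip)
        if entry is not None and any(
            getattr(entry, k) is not None and getattr(entry, k) != attrs[k]
            for k in CONFLICT_FIELDS if k in attrs
        ):
            entry.closed = True
            entry = None

        # Rule 3: merge into the open entry, or create one (sets First Seen).
        if entry is None:
            entry = Entry(ip=ip, first_seen=t, last_seen=t)
            self.entries.append(entry)
        for k, v in attrs.items():
            setattr(entry, k, v)
        entry.last_seen = t  # Last Seen = last attribute update

    def who_had(self, ip: str, at: int) -> Optional[Entry]:
        """Audit question: which entry described `ip` at time `at`?
        Picks the most recently opened entry for that IP created no later than `at`."""
        candidates = [e for e in self.entries if e.ip == ip and e.first_seen <= at]
        return max(candidates, key=lambda e: e.first_seen, default=None)


# Constructed sample event stream (not real log data).
SAMPLE_EVENTS = [
    {"type": "WIN-DHCP-IP-ASSIGN", "time": 100, "ip": "10.0.0.5",
     "mac": "aa:bb:cc:00:00:01", "host": "LAPTOP1"},
    {"type": "Win-Security-4624", "time": 110, "ip": "10.0.0.5",
     "user": "alice", "domain": "CORP"},
    {"type": "WIN-DHCP-IP-ASSIGN", "time": 300, "ip": "10.0.0.7",
     "mac": "aa:bb:cc:00:00:01", "host": "LAPTOP1"},  # LAPTOP1 gets a new lease
    {"type": "Win-Security-4624", "time": 310, "ip": "10.0.0.5",
     "user": "bob", "domain": "CORP"},  # 10.0.0.5 is reused by another user
    {"type": "FortiGate-ssl-vpn-session-tunnel-up", "time": 320,
     "ip": "172.16.1.20", "user": "carol", "reporter": "192.0.2.1"},
]


def build_table(events=SAMPLE_EVENTS) -> IdentityTable:
    table = IdentityTable()
    for ev in sorted(events, key=lambda e: e["time"]):
        table.process(ev)
    return table


if __name__ == "__main__":
    for e in build_table().entries:
        print(e)
```

Running it yields four entries: the first 10.0.0.5 entry (alice, LAPTOP1) is closed when the laptop's MAC shows up on 10.0.0.7, its Last Seen stays at 110 because closing is not an attribute update, and bob's later logon on 10.0.0.5 opens a fresh entry rather than modifying the closed one. `who_had` then gives alice for 10.0.0.5 at time 105 and bob at time 315, which is exactly the audit trail the dashboard is meant to provide.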

Searching for Specific Information

You can search in two ways:

  • Search single field - use the search box.
    • For Time Range, choose the time ranges in the time range field on the top right
    • For other fields, select the fields in the Search area and enter the value to be searched
  • Search multiple fields at the same time – use the Filter area
    • Select the field, enter the value to search for, and click OK. The condition will display at the top.
    • Select another field and so on.
    • You can clear a condition by clicking the x button.