You can easily create an Identity feed and populate it to selected Decoders and Log Decoders. After completing this procedure, you will have created an Identity feed.
In order to create an identity feed, you need to have:
- A Log Collector service with an Identity Feed Event Processor
- A Log Collector service with Windows Collection configured and enabled.
Create an Identity Feed
In the Security Analytics menu, select Live > Feeds.
The Feeds grid is displayed.
The Setup Feed dialog is displayed, with Identity Feed selected by default.
Select Identity Feed and click Next.
The Configure Identity Feed panel opens with the Define Feed tab displayed.
(Conditional) You can create an on-demand or recurring feed.
- To define an on-demand Identity feed task that executes once, select Adhoc in the Feed Task Type field, type the feed Name, and browse for and open the feed.
To define a recurring Identity Feed task that executes on a recurring basis, select Recurring in the Feed Task Type field.
The Define Feed form includes the fields for a recurring feed.
Note: Security Analytics verifies the location where the file is stored, so that Security Analytics can check for the latest file automatically before each recurrence.
In the URL field, enter the URL where the feed data file is located. For example:
http://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600
- (Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated. Security Analytics provides your user name and password for authentication to the URL.
To define the interval for recurrence, do one of the following:
- Specify the number of minutes, hours, or days between recurrences of the feed.
- To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time.
- Click Verify to verify your identity feed configuration before you proceed to the Select Services form.
The Select Services form is displayed.
- To identify services on which to deploy the feed, select one or more Decoders and Log Decoders and click Next.
Click the Groups tab, select a group, and click Next.
The Review form is displayed.
Note: If a group of devices with Decoders and Log Decoders is used to create recurring or custom feeds and this group is deleted, you can edit the feed and add a new group to the feed.
Anytime before you click Finish, you can:
- Click Cancel to close the wizard without saving your feed definition.
- Click Reset to clear the data in the wizard.
- Click Next to display the next form (if not viewing the last form).
- Click Prev to display the previous form (if not viewing the first form).
- Review the feed information, and if correct, click Finish.
Upon successful creation of the feed definition file, the Create Feed wizard closes, and the feed and corresponding token file are listed in the Feed grid and progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.
Investigate an Identity Feed
An identity feed tracks interactive log on events from the Windows operating system. Identity feeds do not track interactive log off events.
In order for an identity feed to process events and tag them, the events need to be collected using a Windows Log Collection module where an Active Domain Controller/non-Domain Controller is configured. Note that identity feeds can only be processed via an Identity Feed Event Processor.
Note: An identity feed only tracks one log in at a time. If two users log in to a system at the same time, the second user will overwrite the first user's data in the identity feed.
Once you have created an identity feed, you can view the results by investigating on the feed.
To investigate a configured identity feed:
- Go to the Security Analytics menu.
Select Investigate > Navigate.
The Investigation screen is displayed.
- Select Conc (Concentrator) and select Navigate.
- Select Load Values to retrieve Meta Keys.
In the lower panel, scroll down to find the Meta Keys shown in the following illustration.
The identity feed provides information to "selected" Decoders and Log Decoders. It associates the Host IP data from the Windows operating system to the user logging in to that Host in order to tag all logs associated with that IP and investigate.