RSA Admin

Tracking users across workstations

Discussion created by RSA Admin Employee on May 31, 2012
Hello, We have a situation where we need to collect logs of laptops being used by users in the field. They will have VPN connectivity so the collector should be able to reach them when needed. However, they will be assigned an IP address from a pool managed by the VPN gateway. And it can be a different IP each time they connect. Since enVision tracks sources by IP there is concern about traceability back to a user for any particular event. Seems to me this ought to be a clear case of a correlation rule, by user ID and Computer name over time. Has anyone worked with such a case, collecting logs from workstations that get IP address from DHCP?

Outcomes