We are running a Citrix terminal server with multiple users connected to it.
We collect DNS logs at the Windows DC with debugging.
In the DNS queries I only see the terminal server's IP and not the username of the user who performed the request.
Has anyone found a solution for this?
Thanks for a great community
We attribute users to assets based on the frequency of logins combined with the number of unique users logging in to a single asset. If an asset has 4 or more users logging in to it, we will consider it a shared asset and we will not attribute a primary user to that asset. Is this what you are seeing with these terminal servers?
If there are 2 or 3 users logging in we have an algorithm to decide who is the primary user of that asset. I will say that this current logic has caused issues in the past with machines with 4 or more users logging in frequently and we have an outstanding enhancement request to be able to selectively ignore certain users, such as service accounts, from adding to the overall count of unique users.
DNS is an unauthenticated protocol, so there is nothing in the logs that identifies which user has performed the query.
The only possible indicator of the user is the IP of the client that has performed the query, but that relies on the logic of IDR (or any other SIEM) correctly associating the IP address with a user. That’s pretty easy when it’s a dedicated asset like a laptop/desktop, but very difficult when the asset is shared among many users like a Citrix server is.
What are you trying to detect? Malicious web activity? If it is malicious web activity, then your web proxy logs will be more useful because your web proxy should be authenticating users and those logs are inherently associated with a user account, unlike DNS which is unauthenticated.
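The two replies above make the same point from different angles: the DNS debug log carries only the client IP, so any username comes from a separate IP-to-user attribution step, and that step deliberately gives up on hosts with 4 or more distinct users. The script below is an added example written for this thread; it is not code from the original posts, from InsightIDR, or from any Rapid7 product. It parses a few constructed lines that approximate the Windows DNS Server debug log format, builds an IP-to-user map from a constructed list of logon observations using the 4-user shared-asset rule described above, and shows how excluding service accounts (the enhancement request mentioned in the first reply) changes the outcome. The "most frequent logon wins" tie-break for 2-3 user hosts is an assumption; the thread does not say how the real primary-user algorithm decides.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines approximating the Windows DNS Server debug log
# layout (date, time, thread, context, packet id, proto, Snd/Rcv, remote IP,
# XID, Q/R, flags, qtype, name as length-prefixed labels). Not real log data.
DNS_DEBUG_LOG = """\
3/10/2020 10:07:10 AM 0B1C PACKET  000001F8D1F2A3B0 UDP Rcv 10.0.0.15     0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/10/2020 10:07:11 AM 0B1C PACKET  000001F8D1F2A3B1 UDP Rcv 10.0.0.42     0003   Q [0001   D   NOERROR] A      (6)update(7)example(3)com(0)
3/10/2020 10:07:12 AM 0B1C PACKET  000001F8D1F2A3B2 UDP Rcv 10.0.0.77     0004   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
3/10/2020 10:07:13 AM 0B1C PACKET  000001F8D1F2A3B3 UDP Rcv 10.0.0.99     0005   Q [0001   D   NOERROR] A      (3)cdn(7)example(3)com(0)
"""

# Constructed logon observations as (client IP, username). In a SIEM these
# would come from logon events over some lookback window; none of this is real.
LOGONS = (
    [("10.0.0.15", "alice")] * 5                                   # dedicated laptop
    + [("10.0.0.42", u) for u in ("alice", "bob", "carol", "dave")] * 2
    + [("10.0.0.42", "svc_backup")]                                # Citrix host
    + [("10.0.0.77", "bob")] * 3 + [("10.0.0.77", "erin")]         # small shared box
    + [("10.0.0.77", "svc_backup")] * 2 + [("10.0.0.77", "svc_monitor")]
)
SERVICE_ACCOUNTS = frozenset({"svc_backup", "svc_monitor"})  # hypothetical names

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+\S+\s+(?P<qr>[QR]) \[[^\]]*\] "
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def decode_labels(qname):
    """Turn the debug log's '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", qname) if lbl]
    return ".".join(labels)


def parse_dns_log(lines):
    """Yield inbound client queries (Rcv + Q); responses and unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue
        yield {"ts": m["ts"], "ip": m["ip"], "qtype": m["qtype"],
               "qname": decode_labels(m["qname"])}


def attribute_users(logons, shared_threshold=4, ignore=frozenset()):
    """Map IP -> primary user, or None when the host counts as shared.

    Follows the rule stated in the thread: 4 or more distinct users means a
    shared asset with no primary user. Accounts in `ignore` (e.g. service
    accounts) are left out of the distinct-user count.
    """
    per_ip = defaultdict(Counter)
    for ip, user in logons:
        if user in ignore:
            continue
        per_ip[ip][user] += 1
    primary = {}
    for ip, counts in per_ip.items():
        if len(counts) >= shared_threshold:
            primary[ip] = None
        else:
            # Assumption: most frequent logon wins, ties broken alphabetically.
            primary[ip] = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
    return primary


def enrich(log_lines, logons, shared_threshold=4, ignore=frozenset()):
    """Attach a user (or the reason none could be attached) to each DNS query."""
    primary = attribute_users(logons, shared_threshold, ignore)
    out = []
    for q in parse_dns_log(log_lines):
        if q["ip"] not in primary:
            user, reason = None, "no logons observed"
        elif primary[q["ip"]] is None:
            user, reason = None, "shared asset"
        else:
            user, reason = primary[q["ip"]], "primary user"
        out.append({**q, "user": user, "reason": reason})
    return out


if __name__ == "__main__":
    for rec in enrich(DNS_DEBUG_LOG.splitlines(), LOGONS, ignore=SERVICE_ACCOUNTS):
        print(f"{rec['ts']}  {rec['ip']:<11} {rec['qtype']:<5} {rec['qname']:<22} "
              f"user={rec['user']!s:<6} ({rec['reason']})")
```

Running it shows the behaviour the replies describe: the laptop's query is attributed to alice, the Citrix host (10.0.0.42) stays a shared asset with no user even after service accounts are excluded, and 10.0.0.77 only gets a primary user once `svc_backup` and `svc_monitor` are dropped from the count. The Citrix case is the one the original question is about, and no amount of tuning this map recovers it, which is why the second reply points at an authenticated source such as proxy logs instead.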