I will preface this by saying I think we have things set up correctly…
In InsightVM, when I review an asset under the “Rapid7 Insight Agents” group/site, I can see a list of Users/Groups that are on the machine. On some machines, I can see the actual users' accounts, as opposed to the usual service accounts etc. that appear on machines. However, as an example, on my own machine, it doesn't list me as a user.
This is the same across multiple other assets.
If I look at my user account in InsightIDR, it does not have an “Assets” menu item down the left-hand side. Some users do; however, most don't.
Are there any explanations for this lack of attribution between hostnames and usernames?
I can't see any issues with the Domain Controller logs etc. We are still getting IDR alerts that rely on logon/logoff events, so I can't imagine it's that.
Agents are all running 3.1+.
Hi @ross_palmer, IDR's attribution engine is driven by Host to IP Observations and Asset Authentication.
Initially we need to observe an IP->Hostname mapping for an asset; we can see this from DHCP, a VPN logon, or an agent running on Windows that has access to a collector (Windows agents send their own host-to-IP event if they are able to reach a collector).
Once a host-to-IP observation is made, you should be able to see an asset in IDR, either by searching via the top search box or via Host to IP Observations.
Next up is user attribution: we rely on logon events, which are populated in Asset Authentication, to attribute users to machines. If there is a particular user in mind who has no asset listed on their user page, I'd advise that you search for this user in Asset Authentication and see what activity is shown. It's possible that we do see the user's logon activity, but the asset is unknown due to a lack of host-to-IP observations.
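To make the two stages concrete, here is an added example (not Rapid7's code, and not the IDR engine's actual implementation) that models the attribution logic described above in PowerShell: host-to-IP observations are joined to logon events by source IP, a logon whose IP has no observation comes out as an unknown asset, and, consistent with the resolution later in this thread, only a successful logon (4624) counts as an attribution. Every observation and event record is constructed sample data; the hostnames, IPs and usernames are hypothetical.

```powershell
# Added example, not Rapid7 code: a PowerShell model of IDR's two-stage attribution.
# Stage 1: host-to-IP observations (DHCP lease, VPN logon, Windows agent host-to-IP event).
# Stage 2: logon events from Asset Authentication, joined to stage 1 by source IP.
# All records below are constructed sample data; names, IPs and hosts are hypothetical.

$hostToIpObservations = @(
    [pscustomobject]@{ Source = 'DHCP';  Ip = '10.10.20.15'; Hostname = 'LAPTOP-RP01' }
    [pscustomobject]@{ Source = 'Agent'; Ip = '10.10.20.16'; Hostname = 'LAPTOP-JD02' }
    [pscustomobject]@{ Source = 'VPN';   Ip = '10.10.40.7';  Hostname = 'LAPTOP-AK03' }
)

$logonEvents = @(
    # Successful logon on a host with an observation: should attribute.
    [pscustomobject]@{ User = 'ross.palmer'; SourceIp = '10.10.20.15'; EventId = 4624 }
    # Failed logon (mistyped password): visible in Authentication Activity, but not an attribution.
    [pscustomobject]@{ User = 'jane.doe';    SourceIp = '10.10.20.16'; EventId = 4625 }
    # Successful logon from an IP with no host-to-IP observation: asset unknown.
    [pscustomobject]@{ User = 'sam.smith';   SourceIp = '10.10.30.99'; EventId = 4624 }
)

function Get-UserAssetAttribution {
    param(
        [Parameter(Mandatory)] [object[]] $Observations,
        [Parameter(Mandatory)] [object[]] $Events
    )

    # Stage 1: build the IP -> hostname map (a later observation for the same IP overwrites an earlier one).
    $ipToHost = @{}
    foreach ($obs in $Observations) { $ipToHost[$obs.Ip] = $obs.Hostname }

    # Stage 2: resolve each logon event against the map.
    foreach ($evt in $Events) {
        $known = $ipToHost.ContainsKey($evt.SourceIp)
        $asset = if ($known) { $ipToHost[$evt.SourceIp] } else { '(unknown: no host-to-IP observation)' }

        [pscustomobject]@{
            User       = $evt.User
            SourceIp   = $evt.SourceIp
            Asset      = $asset
            EventId    = $evt.EventId
            # Assumption, matching this thread's resolution: only a 4624 on a known asset attributes the user.
            Attributed = $known -and ($evt.EventId -eq 4624)
        }
    }
}

$result = Get-UserAssetAttribution -Observations $hostToIpObservations -Events $logonEvents
$result | Format-Table User, SourceIp, Asset, EventId, Attributed -AutoSize

# The troubleshooting view suggested above: users with logon activity but no attributed asset.
$result | Where-Object { -not $_.Attributed } | ForEach-Object {
    '{0}: seen from {1} (event {2}) but not attributed -> {3}' -f $_.User, $_.SourceIp, $_.EventId, $_.Asset
}
```

In the sample data, ross.palmer is attributed to LAPTOP-RP01, jane.doe is not (failed logon only) and sam.smith is not (no host-to-IP observation for 10.10.30.99), which are the two cases to check first when a user page has no Assets entry.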
We have the Insight Agent deployed, so in theory this should be able to do this IP->User mapping, correct?
If we take my laptop again as an example, I have the agent installed and running, but searching for my user account doesn't show any Assets in the left-hand menu. Searching for my hostname doesn't show my username attributed to it.
There are no Endpoint → Collector issues that I can see.
We have Windows DC events feeding in, as well as DHCP logs etc.
All the data should be there to be able to do the attribution, although the Insight Agent alone should accomplish this without anything else.
Funnily enough though, when searching for my username in IDR, under Authentication Activity (Last 24 Hours), it outlines a failed login event to my endpoint from this morning (mistyped password). So it knows I tried to log in to the correct endpoint, but doesn't generally associate me with this endpoint.
Not really sure of the best way to troubleshoot this…?
Our end goal is to be able to do an API query for an asset and determine the logged-in user. When I was testing, I found these discrepancies.
I'd be happy to take a closer look at this over a call; please raise a support case and we can take a closer look.
Thanks David, appreciate it.
I'll go over all the log sources etc. again to double-check I'm not missing anything obvious, then I'll raise a case.
Just to close the loop here: as we discussed privately, the issue was that the audit policy on some machines was not logging the relevant event codes for successful logons (4624 events). Therefore, IDR was not associating your user with your asset. Once the audit policy was corrected, we were able to see the asset details on the user page.
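A practitioner-side check for the root cause in that last post, as an added example rather than anything from Rapid7 or this thread: the script below, run in an elevated PowerShell session on an endpoint that IDR fails to attribute, reads the local Logon/Logoff > Logon audit subcategory with auditpol, enables success (and failure) auditing if it is off, then pulls recent 4624 events and lists the interactive logon types that identify the logged-in user. The function names, the 24-hour window and the logon-type filter are this example's own choices, not IDR's.

```powershell
# Added example, not Rapid7's tooling. Run in an elevated session on the affected endpoint.
# Verifies that successful logons (event ID 4624) are audited, enables the subcategory
# if they are not, and confirms that 4624 events are actually being written.

function Get-LogonAuditSetting {
    # 'auditpol /r' emits CSV; the "Inclusion Setting" column holds values such as
    # "Success and Failure", "Success", "Failure" or "No Auditing" (column names are locale dependent).
    $row = auditpol /get /subcategory:"Logon" /r |
        Where-Object { $_ -match ',' } |      # drop blank lines before parsing
        ConvertFrom-Csv | Select-Object -First 1
    [pscustomobject]@{
        Subcategory    = $row.Subcategory
        Setting        = $row.'Inclusion Setting'
        SuccessAudited = $row.'Inclusion Setting' -match 'Success'
    }
}

function Enable-LogonAuditing {
    # Turns on success and failure auditing for Logon/Logoff > Logon on this machine.
    # Caveat: if Advanced Audit Policy is delivered by GPO, this local change is overwritten
    # at the next policy refresh; make the same change in the GPO instead.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

function Get-Recent4624 {
    param([int] $Hours = 24, [int] $MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when no events match.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = [int] $data['LogonType']
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
}

$setting = Get-LogonAuditSetting
"Logon subcategory: $($setting.Setting)"

if (-not $setting.SuccessAudited) {
    "Successful logons are NOT audited; no 4624 events exist for IDR to attribute."
    Enable-LogonAuditing
    "Enabled. Setting is now: $((Get-LogonAuditSetting).Setting)"
}

# Interactive-style logons (2 = console, 7 = unlock, 10 = RDP, 11 = cached credentials)
# identify the person at the keyboard; type 3 (network) and 5 (service) are noise here.
$interactive = Get-Recent4624 | Where-Object { $_.LogonType -in 2, 7, 10, 11 }

if (-not $interactive) {
    "No interactive 4624 events in the last 24 hours; log off and back on, then re-run."
} else {
    $interactive | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

If the subcategory already reads "Success and Failure" but the user page still shows no asset, the missing piece is more likely the host-to-IP observation than the logon event, which is the other half of the check described earlier in the thread.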
Thanks @ross_palmer for getting to the bottom of it. That was an interesting one.