User tab

The User tab consists of a number of widgets that are used to view the user login events from a configured Active Directory Domain Controller.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select either Host IP or Username from the pull-down menu.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) button next to its entry. Delete all the selected filters by clicking the cancel/close icon; this also collapses the Filters widget.

Click the Apply (reload) icon to apply the selected filters.

Host IP

Restrict displayed events to a specific source IP address, IP address range, or CIDR block.

Username

Restrict displayed events to a specific Username. The full username must be provided.

Active Directory login events

The Active Directory login events widget provides additional information about the users that were logged in during, or in the 12 hours before, an event. This can be useful to pinpoint specific login times and to extract the Windows UUID information of relevant users.

Click the refresh (redo) icon to manually refresh the list. Click the code (source) icon to view the data in XML/JSON format.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The list is sorted by first seen (most recent at the top) and includes the following fields:

First seen

The first time the user was seen in the time window (from 12 hours before the event/incident up to the event/incident time).

The user may have logged in multiple times; first seen is the earliest time they were observed within this time window.

Last seen

The last time the user was seen in this time window. This does not necessarily mean the user logged out at this time; it means only that the user was not present on the machine when the domain controller was next polled.

Click the sort icon in the list header to sort the list by last seen.

IP address

IP address of the host the user was logged into.

Click the sort icon in the list header to sort the list by IP address.

Username

The username that the user logged in with on the Active Directory network.

Click the sort icon in the list header to sort the list by username.

Log type

The type of login on the Active Directory network.

Click the sort icon in the list header to sort the list by log type.

User UUID

Windows user UUID that is provided by the domain controller.

Click the sort icon in the list header to sort the list by user UUID.
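The following is an added example, not code from the product or its documentation, that reproduces the semantics described above for the Filters widget and the Active Directory login events list: a 12-hour look-back window ending at the event time, Host IP filtering by single address, start-end range or CIDR block, exact-match Username filtering, and first seen / last seen derived from periodic domain-controller polls, sorted most-recent-first. The poll records, field names and the `Poll` dataclass are constructed for illustration and make no claim about how the product stores or polls this data. It also shows why "last seen" is not a logout time: a user simply stops appearing in later polls.

```python
"""Constructed example: reproduce the User tab's window and filter semantics."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(hours=12)  # the page's "12 hours before the event" look-back


@dataclass(frozen=True)
class Poll:
    """One observation of a logged-in user from a domain-controller poll (constructed shape)."""
    seen_at: datetime
    host_ip: str
    username: str
    log_type: str
    user_uuid: str


def host_ip_matches(spec: str, ip: str) -> bool:
    """Match an IP against a single address, a CIDR block ('10.0.0.0/24')
    or an inclusive 'start-end' range, as the Host IP filter allows."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


def login_events(polls, event_time, host_ip=None, username=None):
    """Build the Active Directory login events rows for one event.

    Keeps polls inside [event_time - 12h, event_time], applies the optional
    filters, then collapses repeated sightings of the same user/host/type/UUID
    into one row with first seen (earliest poll) and last seen (latest poll).
    Rows are returned sorted by first seen, most recent at the top.
    """
    start = event_time - WINDOW
    rows = {}
    for p in polls:
        if not (start <= p.seen_at <= event_time):
            continue
        if host_ip and not host_ip_matches(host_ip, p.host_ip):
            continue
        if username and p.username != username:  # full username required, exact match
            continue
        key = (p.host_ip, p.username, p.log_type, p.user_uuid)
        first, last = rows.get(key, (p.seen_at, p.seen_at))
        rows[key] = (min(first, p.seen_at), max(last, p.seen_at))
    out = [
        {"first_seen": f, "last_seen": l, "ip": k[0], "username": k[1],
         "log_type": k[2], "user_uuid": k[3]}
        for k, (f, l) in rows.items()
    ]
    out.sort(key=lambda r: r["first_seen"], reverse=True)
    return out


# Constructed sample: hourly polls around an incident at 14:00. Logon type names
# and UUID values are placeholders, not real data.
EVENT_TIME = datetime(2024, 5, 1, 14, 0)
SAMPLE_POLLS = [
    Poll(datetime(2024, 5, 1, 1, 30), "10.0.0.5", "alice", "Interactive", "uuid-alice"),  # before window
    Poll(datetime(2024, 5, 1, 3, 0), "10.0.0.5", "alice", "Interactive", "uuid-alice"),
    Poll(datetime(2024, 5, 1, 5, 0), "10.0.0.5", "alice", "Interactive", "uuid-alice"),
    # alice is absent from every later poll: last seen 05:00, but no logout event exists
    Poll(datetime(2024, 5, 1, 9, 0), "10.0.0.7", "bob", "RemoteInteractive", "uuid-bob"),
    Poll(datetime(2024, 5, 1, 10, 0), "10.0.0.7", "bob", "RemoteInteractive", "uuid-bob"),
    Poll(datetime(2024, 5, 1, 13, 0), "192.168.1.20", "carol", "Network", "uuid-carol"),
    Poll(datetime(2024, 5, 1, 15, 0), "10.0.0.5", "alice", "Interactive", "uuid-alice"),  # after event
]

if __name__ == "__main__":
    for row in login_events(SAMPLE_POLLS, EVENT_TIME, host_ip="10.0.0.0/24"):
        print(row["first_seen"], row["last_seen"], row["ip"], row["username"], row["log_type"])
```

Running the module filters to the 10.0.0.0/24 block and prints bob (first seen 09:00, last seen 10:00) above alice (first seen 03:00, last seen 05:00); the 01:30 and 15:00 sightings of alice fall outside the window and are ignored, which is the same effect the widget's fixed 12-hour look-back has on a long-lived session.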