9 Replies Latest reply on Mar 7, 2014 9:32 AM by stayready40

    How can I search for specific user activity in Nitro

    stayready40

      I am trying to look for specific users and see what network activity or threats they have from within Nitro. We just got the SIEM but we haven't been given much training, so I'm just diving in and trying not to drown; any help will be greatly appreciated.

        • 1. Re: How can I search for specific user activity in Nitro
          pauliet

          The filters pane on the right of the SIEM is definitely your friend here.

           

          • So, select "Physical Display" under devices on the left.
          • Select the appropriate dashboard view on the middle window
          • Finally, locate the "source user" filter on the right, enter the username and click on the "Run Query" icon, second from the right

           

          You can fine tune your search to match a date series, and many other cool things too.

           

          That may help to start with, assuming your user data is being mapped to the "Source User" filter.

          • 2. Re: How can I search for specific user activity in Nitro
            stayready40

            Thank you, that was exactly what I needed. I do need to search by a specific date range but do not see a field for that, unless there is a different name for dates that I don't recognize.

            • 3. Re: How can I search for specific user activity in Nitro
              pauliet

              I must get used to popping in screenshots....

               

              OK, to the right of the dashboard selector drop-down menu, you'll see a date selection drop-down menu. Loads of options to choose from, including a from and to date/time option.

              • 4. Re: How can I search for specific user activity in Nitro
                stayready40

                OK, thanks man, it was so small and with nothing displaying what it was that I completely missed it! Thanks man, I really appreciate this.

                • 5. Re: How can I search for specific user activity in Nitro
                  pauliet

                  Pleasure.

                   

                  After using this system now for over 8 months, I thought it was about time I shared out the easy bits.

                  • 6. Re: How can I search for specific user activity in Nitro
                    acommons

                    Two more tips:

                     

                    (1) Select 'Aa' for the user filter to make it case-insensitive. This can make a significant difference.

                    (2) Look at String Normalisation to cater for the various adornments that different devices may apply to the base username.

                     

                    cheers,

                    Andrew

                    • 7. Re: How can I search for specific user activity in Nitro
                      rth67

                      Some additional tips:

                       

                      Depending on the activity, you may see the user as "USERID" and other times you may see it as "USERID@DOMAIN.COM", so you may want to search both as follows:

                      USERID,USERID@DOMAIN.COM (with the Aa selected for Case Insensitive)

                      You can also add the same to the "Destination User" field, then click the "or" buttons on both Source & Destination User.

                       

                      I would suggest editing your Search list and putting common items together / near the top (red arrow pointing to the Search List modification option).

                       

                      Also, if you have not tweaked your Policies you may not see all of the events for this user if they were aggregated together with other users. We analyzed most Windows Authentication Events and changed from the default of "Source IP / Destination IP" to what actually made sense, like "Source IP / Source User" or "Source IP / Destination User"; that way we can still aggregate events knowing they are for the correct user. The other thing you can do is to disable aggregation for certain events, but that puts more overhead on your system.


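The aggregation point in the reply above, worked as an added example (this is not code from the thread or from the SIEM vendor). Aggregation is modelled as collapsing events that share a key tuple into one record carrying a count; the assumption that the collapsed record keeps the first event's non-key field values, and the Windows logon events themselves, are constructed for illustration. With the default "Source IP / Destination IP" key, a filter on one user either misses that user entirely or is credited with other users' events; keying on "Source IP / Source User" keeps the per-user split while still reducing record volume.

```python
"""Why the aggregation key matters when filtering a SIEM for one user.

Added example, not the thread's or the product's own code. The aggregation
rule (group on key fields, keep the first event's field values plus a count)
is an assumption chosen to illustrate the post; events are constructed.
"""
from collections import defaultdict

# Constructed sample logon events from one workstation to one domain controller.
EVENTS = [
    {"src_ip": "10.2.0.10", "dst_ip": "10.2.0.1", "src_user": "jsmith", "event_id": 4624},
    {"src_ip": "10.2.0.10", "dst_ip": "10.2.0.1", "src_user": "adoe", "event_id": 4624},
    {"src_ip": "10.2.0.10", "dst_ip": "10.2.0.1", "src_user": "svc_backup", "event_id": 4624},
    {"src_ip": "10.2.0.10", "dst_ip": "10.2.0.1", "src_user": "jsmith", "event_id": 4624},
]

DEFAULT_KEY = ("src_ip", "dst_ip")        # the default the post describes
USER_KEY = ("src_ip", "src_user")         # the key the post switched to


def aggregate(events, key_fields):
    """Collapse events sharing the same key_fields into one record with a count.

    Returns {key_tuple: {"count": n, "first": first_event}}. Keeping only the
    first event's fields is the modelled (assumed) behaviour of aggregation.
    """
    buckets = defaultdict(lambda: {"count": 0, "first": None})
    for e in events:
        key = tuple(e[f] for f in key_fields)
        bucket = buckets[key]
        if bucket["count"] == 0:
            bucket["first"] = e
        bucket["count"] += 1
    return dict(buckets)


def visible_to_user_filter(events, key_fields, user):
    """Total count a 'Source User = user' filter sees after aggregation."""
    return sum(
        b["count"]
        for b in aggregate(events, key_fields).values()
        if b["first"]["src_user"] == user
    )


if __name__ == "__main__":
    for key in (DEFAULT_KEY, USER_KEY):
        records = len(aggregate(EVENTS, key))
        print(key, "records:", records,
              "adoe:", visible_to_user_filter(EVENTS, key, "adoe"),
              "jsmith:", visible_to_user_filter(EVENTS, key, "jsmith"))
```

Under the default key the four events collapse into one record attributed to jsmith with a count of 4, so adoe's logon cannot be found and jsmith's count is inflated; under the user key there are three records and each user's count is exact. Disabling aggregation altogether would give four records, which is the overhead trade-off the post mentions.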
                      • 8. Re: How can I search for specific user activity in Nitro
                        acommons

                        rth67 wrote:

                         

                        Depending on the activity, you may see the user as "USERID" and other times you may see it as "USERID@DOMAIN.COM", so you may want to search both as follows:

                        USERID,USERID@DOMAIN.COM (with the Aa selected for Case Insensitive)

                        You can also add the same to the "Destination User" field, then click the "or" buttons on both Source & Destination User.

                         


                        This is essentially the problem that string normalisation is aimed at solving. The advantage of string normalisation is that you can use watchlists as well as explicit usernames (as in this example) and have all the variants returned. The downsides are:

                         

                        • You have to set up all the aliases (click the little 'head and shoulders' at the top of the filter panel from memory - probably the last place you would look for this) on a per 'key value' basis. But you can import the tables.
                        • The results returned in views are not rolled up to the 'key value' so if you are using a watchlist you still have to manually aggregate results for a single entity.

                         

                        But it's better than nothing.

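The username-variant problem raised in the two replies above (USERID, USERID@DOMAIN.COM, the 'Aa' case-insensitive switch, and string normalisation with a per-key alias table), worked as an added example that is not code from the thread or from the SIEM. The sample events, the alias table and the normalisation rules are constructed; real devices may emit further forms that would need their own alias entries. The `rollup` function does by hand what the reply notes the views do not do: count results per key value.

```python
"""Normalise the username variants different log sources emit before filtering.

Added example, not part of the original thread or of the SIEM's own code.
Sample events and the alias table are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample events: one person (jsmith) appears in four spellings.
EVENTS = [
    {"src_ip": "10.1.1.5", "src_user": "jsmith", "msg": "Logon"},
    {"src_ip": "10.1.1.5", "src_user": "JSMITH@CORP.EXAMPLE.COM", "msg": "Kerberos TGT"},
    {"src_ip": "10.1.1.5", "src_user": "CORP\\JSmith", "msg": "File share access"},
    {"src_ip": "10.1.1.9", "src_user": "jsmith@corp.example.com", "msg": "VPN connect"},
    {"src_ip": "10.1.1.7", "src_user": "adoe", "msg": "Logon"},
    {"src_ip": "10.1.1.7", "src_user": "CORP\\ADoe", "msg": "Logon"},
]

# Explicit alias table keyed per base username (constructed), for forms that
# cannot be derived by stripping a domain, e.g. a mail-style id from a proxy.
ALIASES = {"j.smith": "jsmith"}


def normalise_user(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain and case differences to one key value."""
    user = raw.strip()
    if "\\" in user:                      # DOMAIN\user form
        user = user.rsplit("\\", 1)[1]
    user = user.split("@", 1)[0]          # user@domain form
    user = user.lower()                   # the 'Aa' case-insensitive switch
    return ALIASES.get(user, user)        # explicit alias table lookup


def naive_filter(users, events=EVENTS):
    """What an exact, case-sensitive match on the raw field returns."""
    wanted = set(users)
    return [e for e in events if e["src_user"] in wanted]


def events_for(users, events=EVENTS):
    """Events whose normalised source user is in the watchlist of users."""
    wanted = {normalise_user(u) for u in users}
    return [e for e in events if normalise_user(e["src_user"]) in wanted]


def rollup(events=EVENTS):
    """Count events per key value; the manual aggregation the reply mentions."""
    counts = defaultdict(int)
    for e in events:
        counts[normalise_user(e["src_user"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("exact match on 'jsmith':", len(naive_filter(["jsmith"])))
    print("normalised match on 'JSMITH':", len(events_for(["JSMITH"])))
    print("per-user rollup:", rollup())
```

An exact filter on `jsmith` returns one of the four events for that person; the normalised filter returns all four regardless of how the watchlist entry was cased, and the rollup shows two key values (jsmith: 4, adoe: 2) where the raw field shows six distinct strings.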
                        • 9. Re: How can I search for specific user activity in Nitro
                          stayready40

                          Thanks guys for all of your help; I tried all of your suggestions and it helped tremendously and saved me time!