Security Endpoint associated user to computers

ggadaleta
Level 1

hi there,

I've enrolled some computers in AMP and now want to "link" computers to users. I've checked the documentation and I haven't found any possible solution.

When I go into Insights in SecureX and look at the device, I see a field "Associated user" which is empty. So it seems there must be a way to "associate" the computer with a user.

thanks in advance

rgds

Giovanni

7 Replies

Perez69
Level 1

Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats.

prepaidgiftbalance.com

What sources do you have available in Insights? If I remember correctly, user comes from Orbital, so if you don't have Secure Endpoint Advantage, you won't have this data.

You can also add a custom feed in Insights to tie users to machines.

I'm not sure about the MDM feeds (Intune, Jamf, etc.)

I do have Secure Endpoint Advantage.


Would you please give some more hints on how to get this info from Orbital?


txs

ciao

Giovanni

In Insights, in the column on the left, click on Sources
At the top right, click on "Add More Sources"
Find Orbital in the list of Integrations, and click the "+Add" button
Make sure the Integration with Device Insights button is checked, click Save.


johnosn
Level 1

Hello @ggadaleta 

I do have Device Insights enabled with the sources from Cisco Secure Endpoint and Cisco Orbital enabled. 

What I am seeing is that the Associated User field is populated from the deduplicated results of the following two Orbital queries:

 

SELECT username as localUsername FROM users where type == "local";
SELECT user as loggedInUser FROM logged_in_users where user != "";

The Associated User field is not carried over into the Cisco Secure Endpoint console and there is not a quick link between Device Trajectory page and the Device Insights page. There is neither a pivot menu option nor Ribbon option to move to the Device Insights information for that hostname or IP address.

Assuming that the host is online, it would be easier to just hit the "Orbital Query" button from the Device Trajectory page and enter a query for gathering user information, or to use Orbital in the Ribbon (clicking "Get Endpoints" and selecting a query for user information), than to jump out to SecureX, select "Insights" and then search for the hostname.
Hopefully a future release of the Cisco Secure Endpoint console will include some better options for utilizing the Device Insights information.

 

Here is the current list of Orbital queries that Device Insights uses for reference.

-- users
SELECT username AS localUsername 
FROM users 
WHERE type == "local";

-- logged_in_users
SELECT user AS loggedInUser 
FROM logged_in_users 
WHERE user != "";

-- time
SELECT 
	timezone, 
	local_timezone 
FROM time;

-- certificates
SELECT 
	common_name, 
	subject, 
	issuer, 
	ca 
FROM certificates;

-- registry
SELECT 
	firewall AS "firewall", 
	autoupdate AS "autoupdate", 
	antivirus AS "antivirus", 
	antispyware AS "antispyware", 
	internet_settings AS "internet_settings", 
	windows_security_center_service AS "windows_security_center_service", 
	(SELECT 
		CASE 
			WHEN DATA = 1 THEN "Good" ELSE "Poor" 
		END AS user_account_control
		FROM registry
		WHERE PATH = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" 
	) AS "user_account_control" 
FROM windows_security_center;

-- windows_security_products
SELECT * 
FROM windows_security_products;

-- bitlocker_info
SELECT * 
FROM bitlocker_info;

-- Win32_DeviceGuard
SELECT 
	AvailableSecurityProperties, 
	CodeIntegrityPolicyEnforcementStatus, 
	RequiredSecurityProperties, 
	SecurityServicesConfigured, 
	SecurityServicesRunning, 
	UsermodeCodeIntegrityPolicyEnforcementStatus, 
	VirtualizationBasedSecurityStatus 
FROM Win32_DeviceGuard;

-- drivers
SELECT 
	device_id, 
	device_name, 
	description, 
	provider, 
	signed 
FROM drivers;

-- registry
SELECT 
	key AS reg_key, 
	path, 
	name, 
	data, 
	DATETIME(mtime, "unixepoch", "UTC") 
FROM registry 
WHERE (
	key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sharedaccess\parameters\firewallpolicy\%profile" OR 
	key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sharedaccess\parameters\firewallpolicy\%profile" OR 
	key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\%profile" OR 
	key LIKE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\%profile"
	) AND 
	name LIKE "EnableFirewall";

-- system_info
SELECT 
	uuid, 
	hostname, 
	hardware_vendor, 
	hardware_model, 
	hardware_version, 
	hardware_serial, 
	computer_name, 
	local_hostname 
FROM system_info;

-- registry
SELECT 
	name, 
	key, 
	data 
FROM registry 
WHERE 
	key LIKE "HKEY_CLASSES_ROOT\Installer\Products\%%" AND 
	(
		data LIKE "%%DUO%%" OR 
		data LIKE "%%AMP%%" OR 
		data LIKE "%%AnyConnect%%"
	);

-- registry
SELECT SUBSTR(data, -24, 24) AS sid 
FROM registry 
WHERE 
	key = "HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account" AND 
	name == "V";
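As an added example (not part of this thread and not Cisco's Device Insights code), the script below shows what the "deduplicated results of the two user queries" look like when you reproduce them yourself: it loads constructed sample rows into an in-memory SQLite database shaped like osquery's users and logged_in_users tables, runs the two queries quoted above (rewritten with single-quoted string literals, since stock SQLite does not always accept osquery's double-quoted strings), and merges the two result sets case-insensitively, the way a Device Insights consumer would before filling an Associated User field. The sample accounts, the BUILTIN_ACCOUNTS list and the interesting_users helper are my assumptions for illustration, not anything Device Insights documents.

```python
import sqlite3

# Constructed sample rows standing in for the osquery `users` table: (username, type)
USERS = [
    ("Administrator", "local"),
    ("jdoe", "local"),
    ("Guest", "local"),
    ("svc_backup", "roaming"),   # non-local account; excluded by the type == 'local' test
]

# Constructed sample rows standing in for `logged_in_users`: (user, type, host)
LOGGED_IN_USERS = [
    ("jdoe", "user", ""),        # same person as the local account, so it must dedupe
    ("", "system", ""),          # empty user rows are excluded by the user != '' test
    ("CORP\\asmith", "user", ""),
]

# The two queries from the post, with single-quoted literals for portability to plain SQLite.
LOCAL_USERS_SQL = "SELECT username AS localUsername FROM users WHERE type == 'local';"
LOGGED_IN_SQL = "SELECT user AS loggedInUser FROM logged_in_users WHERE user != '';"

# Well-known Windows built-in accounts (assumption: you rarely want these as the "associated user").
BUILTIN_ACCOUNTS = {"administrator", "guest", "defaultaccount", "wdagutilityaccount"}


def build_sample_db():
    """Create an in-memory database with the two osquery-shaped tables filled from the samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, type TEXT)")
    conn.execute("CREATE TABLE logged_in_users (user TEXT, type TEXT, host TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO logged_in_users VALUES (?, ?, ?)", LOGGED_IN_USERS)
    return conn


def run_query(conn, sql):
    """Run a single-column query and return its values as a list of strings."""
    return [row[0] for row in conn.execute(sql)]


def associated_users(local, logged_in):
    """Merge both result sets, dropping duplicates and keeping first-seen order.
    Windows account names are case-insensitive, so the comparison key is casefolded."""
    seen = set()
    merged = []
    for name in list(local) + list(logged_in):
        key = name.casefold()
        if key in seen:
            continue
        seen.add(key)
        merged.append(name)
    return merged


def interesting_users(names):
    """Drop built-in accounts; 'CORP\\asmith' is compared on the part after the domain prefix."""
    return [n for n in names if n.split("\\")[-1].casefold() not in BUILTIN_ACCOUNTS]


def collect(conn=None):
    """Run both queries against the (sample) database and return the merged user list."""
    conn = conn or build_sample_db()
    return associated_users(run_query(conn, LOCAL_USERS_SQL), run_query(conn, LOGGED_IN_SQL))


if __name__ == "__main__":
    users = collect()
    print("associated users:", users)
    print("without built-ins:", interesting_users(users))
```

The merge is order-preserving on purpose: local accounts come first (as in the post's ordering of the two queries), then any logged-in users not already present, so a domain user who is only in logged_in_users still appears, and a local user who is also logged in appears once.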


I was in the Device Insights Design Program and Beta, and asked for this... so they know it's a thing people want.
I was also using it before Orbital was included as a source, so I used a custom import from our asset tracker app to associate user and machine.
NOW... if you're using Cisco Threat Response, DI data does show up there.