When you view the user activities extracted from the log files in Audit, they are associated with the user IDs instead of the original IP addresses. If you have enabled the CloudSOC anonymization feature, the Audit app displays machine-generated IDs in place of the actual user IDs. If necessary, you can reveal the actual user IDs with approval from a Data Protection Officer (DPO). You can create the mapping file manually, or you can configure your DHCP server or another network device to produce the file. For a sample mapping file, on the Identity Mappings tab of the SpanVA web interface, then click Show Sample File Info . Detailed information about creating the mapping file is beyond the scope of this Tech Note.
Note: This feature is only directly supported for Blue Coat Proxy SG and Cisco ASA-series firewalls. However, it is also supported for the Flex universal log processor, which processes logs for virtually any firewall or proxy.
To configure the mapping file retrieval settings:
- In SpanVA, click the Identity Mappings tab.
- Use the tools in the upper half of the page to configure the file transfer via SCP, SFTP, or FTP. SpanVA uses these parameters to login to your server and fetch the mapping file from the specified file location.
- If you want to use the SSH key for authentication when using SCP or SFTP, mark the Use SSH Key checkbox and then click Renew SSH Key . SpanVA displays the public SSH key corresponding to RSA key that it uses to connect to your server. Configure your server to authenticate the provisioned username using the SSH key shown.
- Use the tools in the File Format area to configure SpanVA so that it correctly parses the mapping file that it retrieves from the server that allocates your network IP addresses.
- If the mapping file starts with a header row that identifies the contents of each comma-separated column, mark the Mapping file has header checkbox. Then enter the headers that correspond to the user ID and IP address columns.
- If the mapping file does not start with a header row, clear the checkbox. Then enter the numbers of the comma-separated columns (starting from 0 at the leftmost) that contain the user ID and the IP addresses. In the examples below, the user ID is in the fourth column from the left, and the IP address is in the third column from the left.
- In the Fetch Interval area, click the button that matches the the interval at which you want SpanVA to fetch the mapping file. Your choices are 30 minutes, one hour, two hours, or six hours.We recommend that you set a fetch interval so that it is the same interval at which the server updates the file.
- In the Expire After area, type the number of days for which the mappings remain valid. This value applies to user IDs mappings that are not updated by subsequent fetches. Forexample, if a mapping file matches 192.168.0.1 with user_1, that mapping remains valid until a new mapping for 192.168.0.1 appears in a subsequent mapping file, or until the Expire After time elapses.
- Click Save to save the identity mapping settings.