Supported firewall without delivering usernames?

Hi there,

currently I'm struggling with the first tests in MCAS. I'm executing the tests in my DEV tenant or in a customer tenant. In both I have no possibility to use Defender for Endpoint. So I'm relying on the firewall logs.

So I already tested the continuous log file upload via the log collector. But the results are never sufficient. I already found the troubleshooting guide for log parsing errors, but it is not helpful for an "internal error".

But I wondered: why are so many firewalls supported by MCAS without the usernames being present in the Syslog?
Supported firewalls and proxies

Shouldn't the username be one of the main criteria for visualizing senseful data in MCAS?
If you are able to successfully upload firewall data without usernames, what do the results look like?

Kind regards,
woelki
1 Reply
Well, the fact is that many firewalls (whether by design or by implementation) do not support identifying the identity of the user. Guess what?!? Neither does MDE integration. MDE is device-centric, as is the approach of using source IP when no user id is available.

Regarding the perspective on visualizing senseful data, the problem is the fidelity of the original data. It is just flow data about http/s connections. That's it. There is no info about what is actually happening or even whether that was a place the user navigated to in a browser or was hit via a drive-by ad or something embedded in a page, like Facebook and Twitter login.
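To make the reply's point concrete, here is an added Python example (not code from the thread or from MCAS) that parses constructed firewall syslog lines in a generic key=value layout and groups the flows by whichever identity is present: the username when the log carries one, otherwise only the source IP. The log format, host names and byte counts are all assumptions made up for the example.

```python
import re

# Constructed sample lines in a generic key=value syslog style (an assumption,
# not any vendor's real format); only the last line carries a user= field.
SAMPLE_LOGS = """\
<14>Jan 10 08:01:02 fw01 action=allow src=10.0.0.5 dhost=outlook.office365.com dport=443 sent=1200 rcvd=8400
<14>Jan 10 08:01:05 fw01 action=allow src=10.0.0.5 dhost=example-cdn.net dport=443 sent=300 rcvd=52000
<14>Jan 10 08:02:10 fw01 action=allow src=10.0.0.7 dhost=outlook.office365.com dport=443 sent=900 rcvd=4100
<14>Jan 10 08:02:11 fw01 action=allow src=10.0.0.7 dhost=example-cdn.net dport=80 sent=100 rcvd=7000 user=alice
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("src", "dhost", "sent", "rcvd")

def parse_line(line):
    """Return the key=value fields of one line, or None if the flow basics are missing."""
    fields = dict(KV.findall(line))
    if not all(k in fields for k in REQUIRED):
        return None
    fields["bytes"] = int(fields["sent"]) + int(fields["rcvd"])
    return fields

def attribute_flows(log_text):
    """Group flows by the best identity available: user name if present, else source IP.

    This mirrors the device-centric fallback described in the reply: with no user
    field, the only entity a discovery report can show is the source address."""
    report = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entity = f.get("user") or f["src"]
        entity_type = "user" if "user" in f else "ip"
        entry = report.setdefault(entity, {"entity_type": entity_type, "apps": {}})
        app = entry["apps"].setdefault(f["dhost"], {"flows": 0, "bytes": 0})
        app["flows"] += 1
        app["bytes"] += f["bytes"]
    return report

def missing_user_fraction(log_text):
    """Fraction of parsable flows without a user field: a quick check of whether
    an upload can ever yield per-user results rather than per-IP ones."""
    parsed = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    if not parsed:
        return 0.0
    return sum("user" not in p for p in parsed) / len(parsed)

if __name__ == "__main__":
    for entity, entry in attribute_flows(SAMPLE_LOGS).items():
        print(entity, entry["entity_type"], entry["apps"])
    print(f"flows without user: {missing_user_fraction(SAMPLE_LOGS):.0%}")
```

Running `missing_user_fraction` over a real export before uploading shows how much of the data will only ever be attributed to an IP address.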