User identity mapping

Tracking user activity is an integral part of identifying security anomalies in an organization. Often, a user is logging activity from different devices and platforms in the network. It is important to map all these activities to the same user, otherwise you may mistake all these activities as being carried out by different users, which can be problematic for effective user behavior monitoring.

What is user identity mapping, and how does it work?

In an organization, users may be using different devices and platforms to organize and carry out their routine tasks. All these different platforms might use different user IDs for tracking a user's behavior.

User identity mapping links a user's IDs from different domains to the user ID of the back-end system. By applying user identity mapping, the user and entity behavior analytics (UEBA) system can ascertain the activity of a single user across multiple domains and correlate these activities to identify anomalies.

How is user identity mapping implemented in an organization?

Suppose an employee named John logs in to his organization's network using his Windows device. Using data from Active Directory, the UEBA system can determine that the logon activity was performed by John. However, suppose John updated some permissions in his organization's firewall. The firewall might require a different set of credentials from John.

Without a UEBA solution, these activities will be logged as two activities from two different users. This is where UEBA comes into play; it maps the user ID of John in Active Directory to the user ID of John in the firewall. As a result, the activities on both platforms will be attributed to John and logged as two actions carried out by a single user.