INFO: ID Matching accuracy and coverage

This article applies to:

  • DLP Monitor 9.X

Question:

  • What is the best setting for "Age Limit for Identity Match entries (in days)"?
  • How does this "Age Limit" setting affect account accuracy and the percentage of events that are associated with accounts?

Information:

The ID Match process receives logon events from domain controllers and tracks DHCP changes by reading DHCP logs from a share. This information is held in a database table on the Collectors for the number of days defined in "Age Limit for Identity Match entries (in days)", which is entered on the ID Match tab in the Collector User Interface. Entries older than this limit are removed nightly by a cleanup process that runs at 2:15 AM.

Unlocking a workstation does not normally generate a logon event (unless the domain controllers are configured to audit it). A logon event is normally generated only by a network logon, which is usually required only after a shutdown or reboot, depending on the configuration.

When a captured raw session becomes an Event, the table is queried with the IP address and the date/time of the Event. Of the entries held for that IP address, the one with the most recent logon date/time prior to the Event date/time is used.

Keeping data in the ID Match table longer produces more Events with Account ID information. However, keeping this data longer has an accuracy trade-off. The data in the table is only accurate if every domain controller sends all logon data to the Collector and all DHCP changes are also tracked and sent. If any logon data is missing, an Event can be associated with the Account ID of the previous person to use the IP address.

For example, user JohnD logs in to his laptop and receives IP 10.1.1.2, which is used for a few days until JohnD shuts down for the weekend. The DHCP lease on the IP expires, and JohnD logs in on Monday and receives a different IP. SamH logs in some days later and receives IP 10.1.1.2, but due to a network issue the Collector does not receive the SamH logon data. If the original JohnD logon data has been retained, any Event created by SamH on the 10.1.1.2 IP address will be attributed to the JohnD account.

Generally, the longer the data is retained in the ID Match table, the less accurate it becomes. The shorter the retention period, the lower the percentage of Events with Account IDs.
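The lookup and the trade-off above, as an added worked example that is not part of the original article and not Trustwave's own code: a simplified Python model of the ID Match table with the nightly 2:15 AM purge and the "most recent logon before the Event" lookup rule, run against constructed rows that reproduce the JohnD / SamH scenario. The table layout, the function names, the sample dates and the Events with their ground-truth accounts are all assumptions made for the illustration; DHCP changes are folded into the same rows for simplicity.

```python
"""Simplified model of the DLP Monitor ID Match lookup described in the article.

Added illustration, not Trustwave's implementation. Assumes one table of
(ip, account, logon_time) rows, a nightly purge at 02:15, and the
"most recent logon at or before the Event" lookup rule. All rows, Events
and dates below are constructed to reproduce the JohnD / SamH example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LogonEntry:
    ip: str
    account: str
    logon_time: datetime


def last_purge_before(when: datetime) -> datetime:
    """The nightly 02:15 cleanup run that most recently preceded `when`."""
    purge = when.replace(hour=2, minute=15, second=0, microsecond=0)
    if purge > when:
        purge -= timedelta(days=1)
    return purge


def purge_old_entries(table: List[LogonEntry], now: datetime,
                      age_limit_days: int) -> List[LogonEntry]:
    """Drop rows older than 'Age Limit for Identity Match entries (in days)'."""
    cutoff = now - timedelta(days=age_limit_days)
    return [e for e in table if e.logon_time >= cutoff]


def match_account(table: List[LogonEntry], ip: str,
                  event_time: datetime) -> Optional[str]:
    """Most recent logon on `ip` at or before `event_time`, or None if none is held."""
    candidates = [e for e in table if e.ip == ip and e.logon_time <= event_time]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.logon_time).account


def attribute(table: List[LogonEntry], ip: str, event_time: datetime,
              age_limit_days: int) -> Optional[str]:
    """Resolve an Event's Account ID as the Collector would at that moment:
    apply the most recent nightly purge, then look up the IP."""
    live = purge_old_entries(table, last_purge_before(event_time), age_limit_days)
    return match_account(live, ip, event_time)


# Constructed ID Match rows. SamH's logon on 10.1.1.2 is deliberately absent:
# this is the article's "network issue" case where the Collector never got it.
ID_MATCH_TABLE = [
    LogonEntry("10.1.1.2", "JohnD", datetime(2024, 1, 1, 8, 0)),   # JohnD's laptop
    LogonEntry("10.1.1.7", "JohnD", datetime(2024, 1, 8, 8, 5)),   # new lease after the weekend
]

# Constructed Events: (ip, time, account that really produced the Event).
EVENTS: List[Tuple[str, datetime, str]] = [
    ("10.1.1.2", datetime(2024, 1, 3, 10, 0), "JohnD"),
    ("10.1.1.7", datetime(2024, 1, 9, 11, 0), "JohnD"),
    ("10.1.1.2", datetime(2024, 1, 12, 10, 0), "SamH"),  # SamH now holds 10.1.1.2
]


def samh_event_account(age_limit_days: int, logon_received: bool = False) -> Optional[str]:
    """Account attributed to SamH's Event, with or without SamH's logon having arrived."""
    table = list(ID_MATCH_TABLE)
    if logon_received:
        table.append(LogonEntry("10.1.1.2", "SamH", datetime(2024, 1, 11, 9, 0)))
    ip, when, _ = EVENTS[2]
    return attribute(table, ip, when, age_limit_days)


def evaluate(age_limit_days: int) -> Tuple[int, int, int]:
    """Return (events_with_account, correct_attributions, total_events) for one Age Limit.

    Coverage is the first number over the third; accuracy is the second over the first.
    """
    attributed = correct = 0
    for ip, when, truth in EVENTS:
        account = attribute(ID_MATCH_TABLE, ip, when, age_limit_days)
        if account is not None:
            attributed += 1
            if account == truth:
                correct += 1
    return attributed, correct, len(EVENTS)


if __name__ == "__main__":
    for days in (7, 30):
        got, ok, total = evaluate(days)
        print(f"Age Limit {days:2d} days: {got}/{total} Events carry an Account ID, "
              f"{ok}/{got} of those are correct")
```

With a 30-day limit the stale JohnD row survives the purge and SamH's Event is attributed to JohnD (full coverage, one wrong attribution); with a 7-day limit the row has been purged and the Event carries no Account ID (lower coverage, no wrong attribution). When SamH's logon does reach the Collector, the most-recent-logon rule picks SamH under either limit, which is the point of the article: the Age Limit only decides how a missing logon fails.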

Conclusion:

When setting the "Age Limit for Identity Match entries (in days)" in the Collector UI, consider which matters more: accuracy, or associating an Account ID with as many Events as possible.

  • For accuracy, set a shorter limit.
  • To ensure that more events have associated IDs, set a longer limit.
  • Review the results and fine-tune the setting as required.
