INFO: ID Matching accuracy and coverage

This article applies to:

  • DLP Monitor 9.X

Question:

  • What is the best setting for "Age Limit for Identity Match entries (in days)"?
  • How does this "Age Limit" setting affect account accuracy and the percentage of events that are associated with accounts?

Information:

The ID Match process receives logon events from domain controllers and tracks DHCP changes by reading DHCP logs from a share. This information is held in a database table on the Collectors. Entries are kept in the table for the number of days defined in "Age Limit for Identity Match entries (in days)", which is entered on the ID Match tab in the Collector user interface. Old entries are removed nightly by a process that runs at 2:15 AM.

A logon event is not generated when a workstation is unlocked (unless the domain controllers are configured to generate one). The event is normally generated only on a network logon, which is usually required only after a shutdown or reboot, depending on the configuration.

When a captured raw session becomes an Event, the database table is queried using the IP address and the time of the Event. Of the entries for that IP address, the one used is the entry with the most recent logon date/time prior to the Event date/time.

Keeping data in the ID Match table longer will create more Events with Account ID information. However, keeping this data longer has an accuracy trade-off. The data in the table is only accurate if all domain controllers send all logon data to the Collector and all DHCP changes are also tracked and sent. If any logon data is missing, an Event could be associated with the Account ID of the previous person to use the IP address.

For example, user JohnD logs in to his laptop and receives the IP 10.1.1.2, which is used for a few days until JohnD shuts down for the weekend. The DHCP lease on the IP expires and JohnD logs in on Monday getting a different IP. SamH logs in some days later and receives the 10.1.1.2 IP, but due to a network issue the Collector does not receive the SamH logon data. If the original JohnD logon data has been retained, any Event created by SamH on the 10.1.1.2 IP address will be attributed to the JohnD account.

Generally, the longer the data is retained in the ID Match table, the less accurate it becomes. The shorter the retention period, the lower the percentage of Events with Account IDs.
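The lookup and the trade-off described above can be reproduced with a small model. The following is an added example, not DLP Monitor code: the table layout, the function names and the sample logons and Events are assumptions constructed to mirror the article's JohnD/SamH scenario. It approximates the nightly cleanup by ignoring any entry older than the Age Limit at the time of the Event, and shows how a missed logon turns a long Age Limit into a misattribution and a short one into an Event with no Account ID.

```python
"""Toy model of the ID Match lookup: most recent logon for an IP before the Event time,
subject to the "Age Limit for Identity Match entries (in days)" retention.

Added example; names, schema and sample data are assumptions, not product code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LogonEntry:
    """One row of the (assumed) ID Match table on the Collector."""
    ip: str
    account: str
    logon_time: datetime


def match_account(table: List[LogonEntry], ip: str, event_time: datetime,
                  age_limit_days: int) -> Optional[str]:
    """Return the Account ID for an Event seen from `ip` at `event_time`.

    Only entries for the same IP whose logon precedes the Event count, and entries
    older than the Age Limit are treated as already removed by the nightly cleanup
    (approximation: the real job runs once a day at 2:15 AM, so the cutoff is coarser).
    """
    cutoff = event_time - timedelta(days=age_limit_days)
    candidates = [e for e in table
                  if e.ip == ip and cutoff <= e.logon_time <= event_time]
    if not candidates:
        return None  # Event is created without an Account ID
    return max(candidates, key=lambda e: e.logon_time).account


def attribute_events(table: List[LogonEntry], events: List[Tuple[str, datetime]],
                     age_limit_days: int) -> List[Optional[str]]:
    """Attribute a list of (ip, event_time) pairs under a given Age Limit."""
    return [match_account(table, ip, t, age_limit_days) for ip, t in events]


# Constructed scenario following the article:
#  - day 0:  JohnD logs on and receives 10.1.1.2
#  - day 7:  JohnD logs on after the weekend and receives 10.1.1.7
#  - day 10: SamH receives 10.1.1.2, but his logon never reaches the Collector
DAY0 = datetime(2024, 1, 1, 8, 0)
TABLE = [
    LogonEntry("10.1.1.2", "JohnD", DAY0),
    LogonEntry("10.1.1.7", "JohnD", DAY0 + timedelta(days=7)),
    # SamH's logon on 10.1.1.2 at DAY0 + 10 days is deliberately absent
]
EVENTS = [
    ("10.1.1.2", DAY0 + timedelta(days=2, hours=3)),  # JohnD's own traffic
    ("10.1.1.7", DAY0 + timedelta(days=8)),           # JohnD on the new lease
    ("10.1.1.2", DAY0 + timedelta(days=11)),          # really SamH, no logon record
]


def demo(age_limit_days: int) -> List[Optional[str]]:
    """Attribution of the three sample Events under the given Age Limit."""
    return attribute_events(TABLE, EVENTS, age_limit_days)


if __name__ == "__main__":
    # Long limit: every Event gets an account, but the third is wrongly JohnD.
    print("Age Limit 30:", demo(30))
    # Short limit: the third Event has no account, but nothing is misattributed.
    print("Age Limit 7: ", demo(7))
```

With an Age Limit of 30 days the stale JohnD entry is still present and SamH's traffic is attributed to JohnD; with an Age Limit of 7 days that entry has aged out, so the Event carries no Account ID but is not mislabelled. Tuning the setting is a choice between those two outcomes for whatever fraction of logons the Collector actually misses.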

Conclusion:

When setting the "Age Limit for Identity Match entries (in days)" in the Collector UI, consider which is more important: accuracy, or associating an Account ID with every Event.

  • For accuracy, set a shorter limit.
  • To ensure that more events have associated IDs, set a longer limit.
  • Review the results and fine-tune the setting as required.
