The Umbrella Virtual Appliance (VA) only sees the source IP address from which a DNS query arrives. To attribute a query to a user, the VA relies on the Connector to build a user-to-IP mapping: the Connector reads events with specific event IDs from the Security event log on your domain controllers, parses the username and source IP address out of each event, and sends that pair to the VA, which then maps the source IP to the user.
If your domain controllers are not auditing these events, the VA's mapping will be incomplete or wrong, and DNS queries from affected hosts will be attributed to the IP address only. This article lists exactly which event IDs the Connector watches for by default.
Event 4624 is logged for every successful logon to the local computer, regardless of logon type, where the user logs on from, or the type of account. On a domain controller, the network logons that clients perform when they authenticate carry the client's address in the event's IpAddress field, which is what the mapping is built from; the "Logon" subcategory under Logon/Logoff must be audited for Success for these events to exist.
Event 528 is logged whenever an account logs on to the local computer, except for network logons. It is logged whether the account used is a local SAM account or a domain account. (528 and 540 are the pre-Windows Server 2008 equivalents of 4624; a current domain controller logs 4624 instead.)
Event 540 is logged when a user elsewhere on the network connects to a resource (for example a shared folder) provided by the Server service on this computer.
This event is logged on domain controllers only and both success and failure instances of this event are logged.
Windows uses this event ID for both successful and failed service ticket requests.
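The following PowerShell is an added example, not Umbrella's Connector code: it reproduces the user-to-IP mapping described above from event 4624 on a domain controller, first checking that the relevant audit subcategory is enabled. It assumes it is run on the DC (or with remote Security log access as a member of Event Log Readers); the one-hour window, the filtering of machine accounts and loopback addresses, and the "newest logon per IP wins" rule are the example's own choices, not Connector behaviour documented on this page.

```powershell
# Added example (not the Umbrella Connector's code): derive a user-to-IP mapping from
# Security event 4624 on a domain controller, the way the article describes.
# Assumes: run on a DC, or remotely with Event Log Readers rights.

# 1. Confirm the audit subcategory that produces 4624 is enabled for Success.
auditpol.exe /get /subcategory:"Logon"

# 2. Pull recent 4624 events. 528/540 are the pre-2008 IDs and will not appear on a
#    modern DC, so only 4624 is queried here. The one-hour window is an assumption.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Parse the EventData fields the mapping needs (names are the Windows event schema names).
$mappings = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # Skip computer accounts and local/loopback logons: they do not put a user behind an IP.
    if ($d.TargetUserName -like '*$') { continue }
    if ([string]::IsNullOrEmpty($d.IpAddress) -or $d.IpAddress -in @('-', '::1', '127.0.0.1')) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        IP        = $d.IpAddress
        LogonType = [int]$d.LogonType   # 3 = network logon, the common case on a DC
    }
}

# 4. Keep the newest logon per source IP. Any source-IP based mapping has to make this
#    "last writer wins" choice, so two users behind one NAT or a shared terminal server
#    collapse to a single entry; that is the limitation to keep in mind when reading reports.
$mappings | Sort-Object Time -Descending | Group-Object IP | ForEach-Object { $_.Group[0] } |
    Format-Table Time, IP, User, LogonType -AutoSize
```

If step 1 shows "No Auditing" for Success, the Connector has nothing to read and the table in step 4 will be empty; enable Success auditing for the Logon subcategory via Group Policy (Advanced Audit Policy Configuration) and re-run.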
If your Connector is unable to read events directly from the Security event log of the domain controller, you can raise a support ticket with Umbrella asking for it to be switched to a WMI subscription. With a WMI subscription the Connector subscribes to all of the events listed above and, in addition, to the logoff events with the event IDs below. Note that by default the Connector does not read these logoff events from the Security event log.
Event 538 is logged whenever a user logs off, whether from a network connection, an interactive logon, or another logon type (see event 528 for a chart of logon types).
This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event also signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.