Introduction
The Activity Search Report is a nearly live report of all the DNS queries your users are making. If you have set up our Active Directory Integration, you might expect to see your AD Users populating the Identity Column in your Activity Search; however, there are situations where this does not happen. First, we need to talk about how the Identity is picked for the Activity Search.
Where does the Activity Search get the "Identity"?
When a DNS query comes into Umbrella, assuming your AD Integration is working as expected, the following information is passed along in the query:
- Internal IP address
- AD Identity hash (user, host, or both)
- Egress IP
- Domain being queried

Note:
The AD Identity hash is added to the query by the Virtual Appliance, which receives that information, along with the corresponding internal IP address for the logon event, from the AD Connector.
Umbrella then uses this information to find the organization and to determine which policy to apply. If you have no policies specifically applied to your AD Users, but do have one for your Networks or Sites, then Umbrella will apply the policy using that Identity. This means that when the query, identity and response are reported in the Activity Search, it is the Identity that triggered the policy that will be reported. The other information is still tagged in the request, so you can still search for an AD User and get activity that reports a network as the Identity. Additionally, if you export the Activity Search data to a .CSV file, it will show you all the identity information that is associated with the query.
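The following script is an added example, not Cisco's code, for checking an exported Activity Search .CSV against a list of AD users you expect to see. It separates users who were tagged on a query but reported under another identity from users who never appear at all. The column names `Identity` and `Identities`, the comma-separated layout of the second column, and the sample rows are assumptions; adjust them to your export's header row.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed column names; change them to match your export's header row.
REPORTED_COL = "Identity"    # identity shown in the Identity column
ALL_COL = "Identities"       # every identity tagged on the query

# Constructed sample export (not real data).
SAMPLE = '''Timestamp,Identity,Identities,Internal IP,Domain
2024-01-01 10:00:00,HQ Network,"HQ Network,alice@example.test",10.0.0.5,example.com
2024-01-01 10:00:02,alice@example.test,"HQ Network,alice@example.test",10.0.0.5,example.org
2024-01-01 10:00:05,HQ Network,"HQ Network,bob@example.test",10.0.0.6,example.net
2024-01-01 10:00:09,HQ Network,"HQ Network",10.0.0.7,example.com
'''

def _rows(csv_text):
    """Yield (reported identity, set of lower-cased tagged identities) per row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        reported = (row.get(REPORTED_COL) or "").strip()
        tagged = {i.strip().lower() for i in (row.get(ALL_COL) or "").split(",")}
        tagged.discard("")
        yield reported, tagged

def masked_ad_users(csv_text, ad_users):
    """Map each AD user to {reported identity: count} for queries where the
    user was tagged but a different identity was reported."""
    masked = defaultdict(Counter)
    for reported, tagged in _rows(csv_text):
        for user in ad_users:
            if user.lower() in tagged and user.lower() != reported.lower():
                masked[user][reported] += 1
    return {user: dict(counts) for user, counts in masked.items()}

def untagged_ad_users(csv_text, ad_users):
    """AD users that appear in no row at all, reported or tagged."""
    seen = set()
    for reported, tagged in _rows(csv_text):
        seen |= tagged | {reported.lower()}
    return sorted(u for u in ad_users if u.lower() not in seen)

if __name__ == "__main__":
    users = ["alice@example.test", "bob@example.test", "carol@example.test"]
    print("masked by another identity:", masked_ad_users(SAMPLE, users))
    print("never tagged:", untagged_ad_users(SAMPLE, users))
```

Users in the first result were tagged on the query but another identity triggered the policy; users in the second result were not logged with any query in the export.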
What should I check to make sure it's working as expected?
If you think you should be seeing AD Users directly in the Identity column in the Activity Search, but aren't seeing them, or are seeing a few but not as many as you expected, here are a few things to check:
- Sites and Active Directory
  - Check all your AD Components to make sure that there are no reported errors or issues. If you see any grey, orange, or red status indicators on any of the components, grab the following details and open a support ticket (umbrella-support@cisco.com):
    - Diagnostic Test from an affected user (i.e., someone not showing up in the Activity Search);
    - Screenshot of the VA Console, with any error messages expanded;
    - AD Connector Audit Logs.
- Logging Settings
  - In the Advanced Settings of every policy, there's a section at the bottom that concerns how much to log. You can have it set to Log All Requests, Log Only Security Events, or Don't Log Any Requests. If your policy is currently set to "Log Only Security Events", that can explain why you are not seeing as many queries as you expect, or no results at all from some users.
- Correct Policy Precedence
  - If you have a policy applying to a Network Identity that is higher in the list of policies than your AD User policy, the Network Identity policy is likely going to apply. This in turn means that on the Activity Search, you're going to see the Network as the reported Identity. Please check our documentation on Best Practices and Policy Precedence as well.
It's still not showing any AD Users, what should I do?
If you are still not seeing any AD Users, please reach out to Support (umbrella-support@cisco.com), with a diagnostic test result, and any AD Connector Audit Logs that are relevant.