Issue
The Activity Search Report in Cisco Umbrella is a nearly live report of all the DNS queries your users are making. If you have set up the Cisco Umbrella Active Directory (AD) integration, you might expect to see your AD users populating the Identity column in your Activity Search. However, there are situations where the users are missing from the Identity column.
Resolution
If you think you should be seeing AD users directly in the Identity column in the Activity Search, but aren't seeing them, or are seeing a few, but not as many as you expected, here are a few things to check:
- Sites and Active Directory
  - Check all of your AD Components to make sure that there are no reported errors or issues. If you see any grey, orange, or red status indicators on any of the components, grab the following details and open a support ticket (umbrella-support@cisco.com):
    - Diagnostic Test from an affected user (a user that is not showing up in the Activity Search);
    - Screenshot of the Virtual Appliance (VA) Console, with any error messages expanded;
    - AD Connector Audit Logs.
- Logging settings
  - In the Advanced Settings of every policy, there's a section at the bottom that concerns how much to log. You can set it to:
    - Log All Requests
    - Log Only Security Events
    - Don't Log Any Requests
  - If your policy is currently set to "Log Only Security Events", that can explain why you are not seeing as many queries as you expect, or no results at all from some users.
- Correct policy precedence
- If you have a policy applying to a Network Identity that is higher in the list of policies than your AD user policy, the Network Identity policy is likely going to apply. This in turn means that on the Activity Search, you're going to see the Network as the reported Identity. Please check the Cisco Umbrella documentation on Best Practices and Policy Precedence as well.
Cause
Where does the Activity Search get the "Identity"?
When a DNS query comes into Umbrella, assuming your AD Integration is working as expected, the following information is passed along in the query:
- Internal IP address
- AD Identity hash (user, host, or both)
- Egress IP
- Domain being queried
Note: The AD Identity hash is added to the query by the Virtual Appliance (VA). The AD Connector passes the VA that identity hash together with the corresponding internal IP address for each logon event.
Cisco Umbrella then uses this information to find the organization and to determine which policy to apply. If you have no policies specifically applied to your AD users, but do have one for your Networks or Sites, then Cisco Umbrella will apply the policy using that Identity. This means that when the query, identity, and response are reported in the Activity Search, the Identity that triggered the policy is the one that is reported. The other information is still tagged on the request, so you can still search for an AD user and get the activity that reports a network as the Identity. Additionally, if you export the Activity Search data to a CSV file, it will show you all the identity information that is associated with the query.
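To make the precedence and logging behaviour described above concrete, here is a small model of a first-match policy engine, added as an illustration for this article; it is not Cisco's code, and the policy names, identity tags, IP addresses and domain below are constructed. It shows why a Network policy listed above an AD-user policy causes the Network to be the reported Identity, why "Log Only Security Events" hides ordinary queries, and why an AD-user search and the CSV export still surface the AD identity that was tagged on the query.

```python
from dataclasses import dataclass
from typing import Optional

# Logging settings as they appear in a policy's Advanced Settings.
LOG_ALL = "Log All Requests"
LOG_SECURITY_ONLY = "Log Only Security Events"
LOG_NONE = "Don't Log Any Requests"


@dataclass
class Policy:
    name: str
    identities: set       # identity tags this policy is assigned to
    logging: str = LOG_ALL


@dataclass
class Query:
    domain: str
    internal_ip: str
    ad_identity: Optional[str]   # tag added by the VA; None if no AD mapping exists
    egress_ip: str
    security_event: bool = False


def query_identities(q):
    """Every identity tag carried on the query, most specific first."""
    tags = []
    if q.ad_identity:
        tags.append(q.ad_identity)
    tags.append("net:" + q.egress_ip)
    return tags


def match_policy(policies, q):
    """First match wins: walk policies in precedence order and return
    (policy, identity tag that matched), or (None, None)."""
    tags = query_identities(q)
    for p in policies:
        for t in tags:
            if t in p.identities:
                return p, t
    return None, None


def activity_search_row(policies, q):
    """What the Activity Search shows for one query: the identity that
    triggered the policy, or None if the policy's logging setting drops it."""
    p, ident = match_policy(policies, q)
    if p is None:
        return None
    if p.logging == LOG_NONE:
        return None
    if p.logging == LOG_SECURITY_ONLY and not q.security_event:
        return None
    return {"domain": q.domain, "identity": ident, "policy": p.name}


def search_by_identity(policies, queries, ident):
    """Activity Search filtered on an identity: matches any tag on the
    query, even when a different identity is the one reported."""
    rows = []
    for q in queries:
        if ident in query_identities(q):
            row = activity_search_row(policies, q)
            if row:
                rows.append(row)
    return rows


def csv_export_row(policies, q):
    """The CSV export carries every identity tagged on the query."""
    p, _ = match_policy(policies, q)
    return {"domain": q.domain,
            "identities": query_identities(q),
            "policy": p.name if p else None}


# Constructed sample: a Network policy sits above the AD-user policy.
POLICIES_NETWORK_FIRST = [
    Policy("Office Network", {"net:203.0.113.5"}),
    Policy("AD Users", {"ad:user:alice"}),
]
POLICIES_AD_FIRST = list(reversed(POLICIES_NETWORK_FIRST))
SAMPLE = Query("example.com", "10.0.0.42", "ad:user:alice", "203.0.113.5")


def demo():
    """Reported identity under each ordering of the same two policies."""
    return (activity_search_row(POLICIES_NETWORK_FIRST, SAMPLE)["identity"],
            activity_search_row(POLICIES_AD_FIRST, SAMPLE)["identity"])


if __name__ == "__main__":
    print(demo())
    print(search_by_identity(POLICIES_NETWORK_FIRST, [SAMPLE], "ad:user:alice"))
    print(csv_export_row(POLICIES_NETWORK_FIRST, SAMPLE))
```

Running it shows the same query reported as `net:203.0.113.5` when the Network policy is listed first and as `ad:user:alice` when the AD Users policy is moved above it, which is the reordering the Resolution section recommends checking.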
Additional information
If you are still not seeing any AD users, please reach out to Support (umbrella-support@cisco.com), with a diagnostic test result, and any AD Connector Audit Logs that are relevant.