Why does a user account in Cloud Insights Workload Security Activity Forensics show up as ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX?
Applies to
- Cloud Insights (CI)
- Insights Workload Security
Answer
Even when a User Directory Collector is configured correctly to resolve users for a given domain, User Profile or Activity Forensics entries in Cloud Insights Workload Security may still fail to resolve a user. Such entries appear with a name or username of the form ldap:domain.com:s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX.
This is because the application fetches domain users based on the following query:
"(&(objectCategory=person)(objectClass=user))"
If the objectCategory of the LDAP entity does not equal "person", the application does not fetch it, and the SID is therefore never resolved. To check the objectCategory value for an entry, SSH into the agent host and query the LDAP server for the user.
Example:
ldapsearch -o ldif-wrap=no -LLL -x -b "DC=domain,DC=com" -h ldap.domain.com -p 389 -D "CN=bindAccount,OU=Accounts,DC=domain,DC=com" -W "ObjectSID=s-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX"
This prompts for the bind account password and then returns the entity data for the specified ObjectSID. Look for the objectCategory value and check whether it is "person". If it is not, the User Directory Collector will not fetch the entry.
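The following script is an added example and is not NetApp code. It applies the same test as the collector's filter to entries returned by ldapsearch: it unfolds LDIF continuation lines (which ldapsearch emits unless -o ldif-wrap=no is given), decodes the base64 objectSid that ldapsearch returns for the binary attribute into the familiar S-1-5-... form so it can be matched against the SID shown in Activity Forensics, and reads the class name from the objectCategory DN (Active Directory stores objectCategory as a DN such as CN=Person,CN=Schema,CN=Configuration,..., and the filter value "person" matches its first component). The two directory entries and their SIDs are constructed sample data, not real output.

```python
"""Check whether AD entries from ldapsearch satisfy the Workload Security user query.
Added example (not NetApp code); all SIDs and entries below are constructed."""
import base64
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary objectSid layout Active Directory stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes big-endian),
    # then each sub-authority as a 32-bit little-endian integer
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid (base64 in LDIF output) back to S-1-... form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines and decodes 'attr::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():                     # blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # 'attr:: <base64>' carries a binary value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def category_short_name(object_category: str) -> str:
    """objectCategory is a DN (CN=Person,CN=Schema,...); the filter matches its first RDN value."""
    first_rdn = object_category.split(",", 1)[0]
    return first_rdn.split("=", 1)[-1].strip().lower()


def matches_user_query(entry: dict) -> bool:
    """Same test as the collector filter (&(objectCategory=person)(objectClass=user))."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    cats = entry.get("objectcategory", [])
    return "user" in classes and any(category_short_name(c) == "person" for c in cats)


def check_entries(ldif_text: str) -> dict:
    """Map each entry's string SID to (objectCategory short name, resolves?)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        raw_sid = entry.get("objectsid", [b""])[0]
        sid = bytes_to_sid(raw_sid) if raw_sid else "<no objectSid>"
        cats = entry.get("objectcategory", [""])
        category = category_short_name(cats[0]) if cats[0] else ""
        report[sid] = (category, matches_user_query(entry))
    return report


# Constructed sample data: one regular user and one computer account in the same domain.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1210"


def _b64(sid: str) -> str:
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


# The computer's objectCategory line is folded, as ldapsearch prints it without -o ldif-wrap=no.
SAMPLE_LDIF = f"""dn: CN=jdoe,OU=Accounts,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: jdoe
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
objectSid:: {_b64(USER_SID)}

dn: CN=FILESRV01,CN=Computers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
sAMAccountName: FILESRV01$
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,
 DC=com
objectSid:: {_b64(COMPUTER_SID)}
"""

if __name__ == "__main__":
    for sid, (category, resolves) in check_entries(SAMPLE_LDIF).items():
        print(f"{sid}: objectCategory={category!r} -> {'resolves' if resolves else 'will NOT resolve'}")
```

Feed the script the LDIF saved from the ldapsearch command above to confirm which SIDs the collector will pick up. Note that the computer account carries objectClass user (computer derives from user in the AD schema), so it is the objectCategory test, not the objectClass test, that excludes it. If a newer OpenLDAP client rejects the deprecated -h/-p options, use -H ldap://ldap.domain.com:389 instead.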
Additional Information
For computer and service accounts the objectCategory of the LDAP entity does not equal "person", so these SIDs will not resolve.