Active Session Count
|
The number of active sessions associated with the user.
|
No
|
Yes
|
No
|
Authentication Type
|
The type of authentication: No Authentication, Passive Authentication, Active Authentication, Guest Authentication, Failed Authentication, or VPN Authentication.
For more information about the supported identity sources for each Authentication Type, see About User Identity Sources.
|
Yes
|
No
|
Yes
|
Available for Policy
|
A value of Yes means the user was retrieved from the user store (for example, Active Directory).
A value of No means the FMC received a report of a login for that user but the user is not in the user store. One way this can happen is
if a user in an excluded group logs in to the user store. You can exclude groups from being downloaded when you configure
a realm.
Users not available for policy are recorded in the FMC but are not sent to managed devices.
|
No
|
Yes
|
No
|
Count
|
Note
|
The Count field is displayed only after you apply a constraint that creates two or more identical rows.
|
Depending on the table, the number of sessions, users, or activity events that match the information that appears in a particular
row.
|
Yes
|
Yes
|
Yes
|
Current IP
|
The IP address associated with the host that the user is logged into.
This field is blank in the Users table if there are no active sessions for a user.
|
Yes
|
Yes
|
No
|
Department
|
The user’s department, as obtained by a realm. If there is no department explicitly associated with the user on your servers,
the department is listed as whatever default group the server assigns. For example, on Active Directory, this is Users (ad). This field is blank if:
- You have not configured a realm.
- The Firepower Management Center cannot correlate the user in the FMC database with an LDAP record (for example, for users added to the database via an AIM, Oracle, or SIP login).
|
Yes
|
Yes
|
No
|
Description
|
More information, if available, about the session, user, or user activity.
|
No
|
No
|
Yes
|
Device
|
For user activity detected by traffic-based detection or an active authentication identity source, the name of the device
that identified the user.
For other types of user activity, the managing Firepower Management Center.
Note
|
If you have configured your VPN in a high-availability deployment, the device name displayed against active VPN sessions can
be the primary or secondary device that identified the user session.
|
|
Yes
|
No
|
Yes
|
Discovery Application
|
The application or protocol used to detect the user.
- For user activity detected by traffic-based detection, one of the following: ldap, pop3, imap, oracle, sip, http, ftp, mdns, or aim.
Note
|
Users are not added to the database based on SMTP logins.
|
- For all other user activity: ldap.
|
Yes
|
Yes
|
Yes
|
Current IP Domain/Domain
|
In the Active Sessions table, the multitenancy domain where the user activity was detected.
In the Users table, the multitenancy domain associated with the user's realm.
In the User Activity table, the multitenancy domain where the user activity was detected.
This field is only present if you have ever configured the Firepower Management Center for multitenancy.
|
Yes
|
Yes
|
Yes
|
E-Mail
|
The user’s email address. This field is blank if:
|
Yes
|
Yes
|
No
|
End Port
|
If the user was reported by the TS Agent and their session is currently active, this field identifies the end value for the
port range assigned to the user. This field is blank if the user's TS Agent session is inactive or if the user was reported
by another identity source.
|
Yes
|
No
|
Yes
|
Endpoint Location
|
The IP address of the network device that used ISE to authenticate the user, as identified by ISE. If you do not configure
ISE, this field is blank.
|
No
|
No
|
Yes
|
Endpoint Profile
|
The user's endpoint device type, as identified by Cisco ISE. If you do not configure ISE, this field is blank.
|
No
|
No
|
Yes
|
Event
|
The user activity event type.
|
No
|
No
|
Yes
|
First Name
|
The user’s first name, as obtained by a realm. This field is blank if:
- You have not configured a realm.
- The Firepower Management Center cannot correlate the user in the FMC database with an LDAP record (for example, for users added to the database via an AIM, Oracle, or SIP login).
- There is no first name associated with the user on your servers.
|
Yes
|
Yes
|
No
|
IP Address
|
For User Login user activity, the IP address or internal IP address involved in the login:
- LDAP, POP3, IMAP, FTP, HTTP, MDNS, and AIM logins — the address of the user’s host
- SMTP and Oracle logins — the address of the server
- SIP logins — the address of the session originator
An associated IP address does not mean the user is the current user for that IP address; when a non-authoritative user logs
into a host, that login is recorded in the user and host history. If no authoritative user is associated with the host, a
non-authoritative user can be the current user for the host. However, after an authoritative user logs into the host, only
a login by another authoritative user changes the current user.
For other types of user activity, this field is blank.
|
No
|
No
|
Yes
|
Last Name
|
The user’s last name, as obtained by a realm. This field is blank if:
- You have not configured a realm.
- The Firepower Management Center cannot correlate the user in the FMC database with an LDAP record (for example, for users added to the database via an AIM, Oracle, or SIP login).
- There is no last name associated with the user on your servers.
|
Yes
|
Yes
|
No
|
Last Seen
|
The date and time that a session was last initiated (or user data was updated) for the user.
|
Yes
|
Yes
|
No
|
Login Time
|
The date and time that the session was initiated for the user.
|
Yes
|
No
|
No
|
Phone
|
The user’s telephone number, as obtained by a realm. This field is blank if:
- You have not configured a realm.
- The Firepower Management Center cannot correlate the user in the FMC database with an LDAP record (for example, for users added to the database via an AIM, Oracle, or SIP login).
- There is no telephone number associated with the user on your servers.
|
Yes
|
Yes
|
No
|
Realm
|
The identity realm associated with the user.
|
Yes
|
Yes
|
Yes
|
Security Group Tag
|
The Security Group Tag (SGT) attribute applied by Cisco TrustSec as the packet entered a trusted TrustSec network. If you
do not configure ISE, this field is blank.
|
No
|
No
|
Yes
|
Session Duration
|
The duration of the user session, calculated from the Login Time and the current time.
|
Yes
|
No
|
No
|
Start Port
|
If the user was reported by the TS Agent and their session is currently active, this field identifies the start value for
the port range assigned to the user. This field is blank if the user's TS Agent session is inactive or if the user was reported
by another identity source.
|
Yes
|
No
|
Yes
|
Time
|
The time that the system detected the user activity.
|
No
|
No
|
Yes
|
User
|
At minimum, this field displays the user's realm and username. For example, Lobby\jsmith, where Lobby is the realm and jsmith is the username.
If a realm downloads additional user data from an LDAP server and the system associates it with a user, this field also displays
the user's first name, last name, and type. For example, John Smith (Lobby\jsmith, LDAP), where John Smith is the user's name and LDAP is the type.
Note
|
Because traffic-based detection can record unsuccessful AIM logins, the Firepower Management Center may store invalid AIM users (for example, if a user misspelled his or her username).
|
|
Yes
|
Yes
|
No
|
Username
|
The username associated with the user.
|
Yes
|
Yes
|
Yes
|
VPN Bytes In
|
For Remote Access VPN-reported user activity, the total number of bytes received from the remote peer or client by the Firepower
Threat Defense.
Note
|
You can view the total number of bytes received once the user's VPN session is terminated. For ongoing VPN sessions, this
is not a dynamic counter.
|
For other types of user activity, this field is blank.
|
No
|
No
|
Yes
|
VPN Bytes Out
|
For Remote Access VPN-reported user activity, the total number of bytes transmitted to the remote peer or client by the Firepower
Threat Defense.
Note
|
You can view the total number of bytes transmitted once the user's VPN session is terminated. For ongoing VPN sessions, this
is not a dynamic counter.
|
For other types of user activity, this field is blank.
|
No
|
No
|
Yes
|
VPN Client Application
|
For Remote Access VPN-reported user activity, the remote user's AnyConnect VPN client application.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
VPN Client Country
|
For Remote Access VPN-reported user activity, the country name as reported by the AnyConnect VPN client.
For other types of user activity, this field is blank.
|
No
|
No
|
Yes
|
VPN Client OS
|
For Remote Access VPN-reported user activity, the remote user's endpoint operating system as reported by the AnyConnect VPN
client.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
VPN Client Public IP
|
For Remote Access VPN-reported user activity, the publicly routable IP address of the AnyConnect VPN client device.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
VPN Connection Duration
|
For Remote Access VPN-reported user activity, the total time (HH:MM:SS) that the session was active.
For other types of user activity, this field is blank.
|
No
|
No
|
Yes
|
VPN Connection Profile
|
For Remote Access VPN-reported user activity, the name of the connection profile (tunnel group) used by the VPN session. Connection
profiles are part of a Remote Access VPN Policy.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
VPN Group Policy
|
For Remote Access VPN-reported user activity, the name of the group policy assigned to the client when the VPN session is
established; either the statically-assigned group policy associated with the VPN Connection Profile, or the dynamically-assigned
group policy if RADIUS is used for authentication. If assigned by the RADIUS server, this group policy overrides the static
policy configured for the VPN Connection Profile. Group policies configure common attributes for groups of users in Remote
Access VPN policies.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
VPN Session Type
|
For Remote Access VPN-reported user activity, the type of session: LAN-to-LAN or Remote.
For other types of user activity, this field is blank.
|
Yes
|
No
|
Yes
|
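The current-user rule stated in the IP Address field description, modeled as an added example (not Cisco code and not part of the original page). The event tuples, the `authoritative` flag and all names are constructed for illustration, and the model assumes that the most recent login wins while no authoritative user is associated with the host.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample events: (host IP, user as realm\username, authoritative login?)
EVENTS = [
    ("192.0.2.5", "Lobby\\asmith", False),
    ("192.0.2.5", "Lobby\\jsmith", True),
    ("192.0.2.5", "Lobby\\bjones", False),  # recorded, but cannot displace jsmith
    ("192.0.2.9", "Lobby\\bjones", False),  # no authoritative user on this host
    ("192.0.2.5", "Lobby\\cdoe", True),     # another authoritative login replaces jsmith
]

@dataclass
class HostState:
    current_user: Optional[str] = None
    current_is_authoritative: bool = False
    history: List[Tuple[str, bool]] = field(default_factory=list)

def apply_login(host: HostState, user: str, authoritative: bool) -> None:
    # Every login lands in the host history, authoritative or not.
    host.history.append((user, authoritative))
    # Once an authoritative user is current, only another authoritative
    # login changes the current user.
    if authoritative or not host.current_is_authoritative:
        host.current_user = user
        host.current_is_authoritative = authoritative

def replay(events) -> Dict[str, HostState]:
    hosts: Dict[str, HostState] = {}
    for ip, user, authoritative in events:
        apply_login(hosts.setdefault(ip, HostState()), user, authoritative)
    return hosts

def associated_but_not_current(hosts: Dict[str, HostState], ip: str) -> List[str]:
    # Users with a recorded login on this IP who are not its current user:
    # the case where an associated IP address must not be read as attribution.
    host = hosts[ip]
    seen = {user for user, _ in host.history}
    return sorted(seen - {host.current_user})

if __name__ == "__main__":
    hosts = replay(EVENTS)
    for ip, state in hosts.items():
        print(ip, state.current_user, associated_but_not_current(hosts, ip))
```
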