User-ID Best Practices for Dynamic User Groups
Steps to help you plan, deploy, and maintain Dynamic
User Groups with User-ID.
Dynamic user groups allow
you to respond to changes in user behavior, business needs, or potential
threats without manual policy changes or creating and updating the
groups. Dynamic user groups help you create a security policy that
provides:
Time-bound resource access for users
Auto-remediation for anomalous user behavior and malicious activity
while maintaining user visibility
After you define
the group’s criteria using tags and commit the changes, the membership
of the dynamic user group is automatically updated based on the
user’s tags.
Plan User-ID Best Practices for Dynamic User Group Deployment
Based on factors
such as changes in business needs or user behavior, identify how
you want the firewall to control user access:
Do you want to allow or restrict
access through security policy?
Do you want to require MFA for users?
Do you want to decrypt the user’s traffic to gain more visibility
into user activity?
Determine the duration of the user’s membership in a specific
dynamic user group.
Should the
firewall automatically remove the user from the group based on time
(for example, the number of hours a contractor needs for temporary
resource access)?
Should the firewall require a specific event to associate or
disassociate users from the group (for example, malicious activity)?
Evaluate what events the firewall generates that can identify
a change in user behavior or business needs. You can assign tags
through the API,
auto-tagging, or manually
using the web interface.
Based
on your use cases, determine what tags you will use to group users
and how you will generate the tag.
For example, one use case is to classify users by risk level (such as
“high-risk,” “medium-risk,” and “low-risk”) based on analysis from Palo Alto Networks
firewalls and applications or from third-party devices, applications, and services,
and then automatically assign the corresponding tag to users when those events occur.
Identify the user information sources for the tags:
Firewall logs
For Authentication,
Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs,
create a
log forwarding profile and
use the Built-In Actions.
For User-ID, HIP Match, GlobalProtect, and IP-Tag logs, configure
the
log settings.
Cortex XSOAR
Security Information and Event Management (SIEM) systems, such
as Splunk
Combine tags from multiple sources to define the criteria for
dynamic user groups. For example, you may want to deny the user
access only if you receive alerts from multiple security applications
that the user’s credentials have been compromised, instead of just
a single application, based on confidence level.
Deploy Dynamic User Groups Using Best Practices for User-ID
If you have
a large number of users that you want to add to a dynamic user group
or if you want to add users based on events from other security
applications, use
APIs to add the users
instead of the web interface.
Use the API or the web interface to define the
Timeout
that determines when the firewall automatically removes the user from the
group (for example, on contract expiration).
Create security policy rules that use the dynamic user group
as the Source User to control user access, require MFA, or decrypt
the traffic for users who are members of the dynamic user group.
Configure sources to provide information for user tags:
If you use firewall logs, configure
auto-tagging to tag the
user.
Use
playbooks in Cortex XSOAR
or other Security Orchestration, Automation, and Response (SOAR)
platforms to apply tags to users based on specific events.
If you use custom scripts, modify the script to populate the
tags using the API.
Add users to the groups manually using the firewall’s web interface.
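The following script is an added example, not code from this guide or from Palo Alto Networks. It ties together the planning step above on combining tags from multiple sources (register a tag only when more than one source reports the same event), the deployment step on using the API and a timeout to add users, and the post-deployment step on unregistering users who do not belong in a group. It builds the User-ID XML API `uid-message` (`register-user` and `unregister-user` entries whose `<tag><member timeout="...">` elements carry the tag and its lifetime in seconds) and POSTs it to the firewall's `/api/` endpoint with `type=user-id`. The firewall hostname, API key, usernames, tag names, timeouts and the sample alerts are all constructed for the example.

```python
"""Register and unregister User-ID tags for dynamic user groups via the PAN-OS XML API.

Added example; not Palo Alto Networks' code. Hostname, API key, users, tags,
timeouts and alerts below are constructed. Standard library only.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample alerts as a SIEM/SOAR integration might deliver them.
# jdoe is reported by two independent sources, asmith by only one.
SAMPLE_ALERTS = [
    {"source": "splunk", "user": "acme\\jdoe", "event": "credential-compromise"},
    {"source": "xsoar", "user": "acme\\jdoe", "event": "credential-compromise"},
    {"source": "xsoar", "user": "acme\\asmith", "event": "credential-compromise"},
]


def correlate_alerts(alerts, event, min_sources=2):
    """Return users that at least `min_sources` distinct sources reported for `event`.

    This is the "deny only if multiple security applications agree" rule from the
    planning step: a single source is not enough to tag the user.
    """
    sources_by_user = defaultdict(set)
    for alert in alerts:
        if alert["event"] == event:
            sources_by_user[alert["user"]].add(alert["source"])
    return {user for user, srcs in sources_by_user.items() if len(srcs) >= min_sources}


def build_uid_message(register=None, unregister=None):
    """Build a <uid-message> that registers and/or unregisters user-to-tag mappings.

    register:   {user: [(tag, timeout_seconds), ...]}; timeout 0 means the tag never expires
    unregister: {user: [tag, ...]} removes only the listed tags from the user
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if register:
        reg = ET.SubElement(payload, "register-user")
        for user, tags in register.items():
            tag_el = ET.SubElement(ET.SubElement(reg, "entry", user=user), "tag")
            for tag, timeout in tags:
                ET.SubElement(tag_el, "member", timeout=str(int(timeout))).text = tag
    if unregister:
        unreg = ET.SubElement(payload, "unregister-user")
        for user, tags in unregister.items():
            tag_el = ET.SubElement(ET.SubElement(unreg, "entry", user=user), "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def summarize_uid_message(message):
    """Parse a uid-message back into plain tuples so it can be reviewed before sending."""
    root = ET.fromstring(message)
    reg = [(e.get("user"), m.text, int(m.get("timeout")))
           for e in root.findall("./payload/register-user/entry")
           for m in e.findall("./tag/member")]
    unreg = [(e.get("user"), m.text)
             for e in root.findall("./payload/unregister-user/entry")
             for m in e.findall("./tag/member")]
    return {"register": reg, "unregister": unreg}


def response_ok(body):
    """True when the XML API answered <response status="success">."""
    return ET.fromstring(body).get("status") == "success"


def send_uid_message(host, api_key, message, verify_tls=True):
    """POST the message to https://<host>/api/ with type=user-id; return the response body."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": message}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab firewall with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    compromised = correlate_alerts(SAMPLE_ALERTS, "credential-compromise", min_sources=2)
    register = {u: [("credentials-compromised", 8 * 3600)] for u in compromised}
    # A contractor gets 40 hours of access; the firewall drops the tag when it expires.
    register["acme\\contractor1"] = [("contractor-access", 40 * 3600)]
    # A permanent employee found in the contractor group is unregistered (post-deployment review).
    msg = build_uid_message(register=register, unregister={"acme\\fte1": ["contractor-access"]})
    print(summarize_uid_message(msg))
    # body = send_uid_message("fw.example.internal", "API-KEY-HERE", msg)  # constructed host/key
    # print(response_ok(body))
```

Run it once with the `send_uid_message` call commented out to review the generated mappings, then enable the call against a firewall whose API key has User-ID API permission. Tags registered this way appear in the dynamic user group on the next membership refresh without a commit; the `timeout` attribute is what implements the time-bound access described in the planning step, so set it explicitly rather than relying on a default.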
Use Dynamic User Group Post-Deployment Best Practices for
User-ID
Review your
group membership to ensure that only the users you want to include
are members of the group. If the group includes users who do not
belong in the group (for example, permanent employees in the “contractor-access”
group),
Unregister Users
to remove their
username-to-tag mappings and
Delete
them
from the group.
Review the User-ID logs to verify that the firewall correctly
generates tags for users.
Use the
CLI commands to learn more
about your dynamic user groups (for example, to see which users
are associated with each group).
Use the dynamic user group column on Traffic and Threat logs
to ensure that the firewall matches the groups to the expected security
policies.
Redistribute the user tags to other firewalls to ensure all
firewalls consistently apply the security policy. Keep in mind that
you can redistribute the user tags for only one hop.