Setting Up User Mapping

Map Users in SecurityCoach

In SecurityCoach, you can map users to identifiers such as hostnames or usernames. Mapping users helps link risky activity detected by your integrated vendors to specific users.

You can configure user mapping rules to automatically map users, upload a CSV file to manually map users, or use both of these methods. SecurityCoach also provides mapping recommendations for you to review.

For general information about SecurityCoach, see our SecurityCoach Product Manual.

Users are automatically mapped to their email addresses in KSAT. Depending on your integrated vendors, you may also need to map users to other identifiers, such as their hostname or username. To map your users, you can configure user mapping rules, upload a CSV file, or use both of these methods.

Tip: To ensure that all detected risky activity has been linked to users, you can review the Unmapped Events Report. For more information, see the Using the Unmapped Events Report subsection of this article.

To learn how to map users by configuring user mapping rules or uploading a CSV file, see the subsections below.

Configuring User Mapping Rules

User mapping rules automatically map your users based on data from your integrated vendors and KSAT console. We offer a variety of system rules that are enabled by default, but you can also create your own custom rules.

To create and manage your user mapping rules, follow the steps below:

  1. In your KSAT console, navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Then, select Configure User Mapping Rules.

The User Mapping Rules page includes the System Rules section and Custom Rules section. To learn more about each of these user mapping rules sections, see the subsections below.

Custom User Mapping Rules

In the Custom Rules section, you can view your custom user mapping rules and create new user mapping rules. To learn more about the Custom Rules section, see the screenshot and list below:

  1. Create Rule: You can click this button to open the Create New Rule pop-up window. Then, you can create a new user mapping rule by selecting your criteria and clicking Add Rule.
    Note: When selecting a vendor, you can select No Vendor if the rule should apply to all vendors.
  2. Toggle: You can use this toggle to either enable or disable an existing custom rule.
  3. Delete: You can click this icon to delete an existing custom rule.

System User Mapping Rules

In the System Rules section, you can view our built-in user mapping rules. You can use the toggles to enable or disable each rule.

Note: System rules cannot be deleted or edited.

Uploading a User Mapping CSV File

You also have the option to map your users by uploading a CSV file.

Tip: If you don’t want to create a brand new CSV file, you can use our example CSV file template. To use this template, navigate to SecurityCoach > Setup > User Mapping Setup > User Mapping CSV in your KSAT console. Then, click the Example CSV link.

To map your users with a CSV file, follow the steps below:

  1. Prepare a CSV file for import. For information about the required and optional CSV file fields, see the User Mapping CSV File Fields section of this article.
    Important: The email addresses in your CSV file must exist on the Users tab of your KSAT console. If you would like to include a user whose email address isn’t on the Users tab, you will need to add that user to your console before uploading a CSV file.
  2. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  3. From the menu on the left side of the page, select User Mapping Setup.
  4. Click User Mapping CSV.
  5. Click Browse and select your CSV file.
  6. Click Upload CSV.

User Mapping CSV File Fields

To map your users with a CSV file, you will need to fill out the file with information about your users. For more information about the available fields in the file, see the table below:

Important: To have a successful import, the header fields in your CSV file must match the information in the CSV File Field column below.

User Mapping CSV File Import Fields

| CSV File Field | Description |
| --- | --- |
| Email | In this field, enter the user’s work email address. This field is required. |
| Hostname | In this field, enter the user’s hostname. This field is optional, but both the Hostname and Username fields cannot be empty. |
| Username | In this field, enter the user’s username. This field is optional, but both the Hostname and Username fields cannot be empty. |
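
The rules above can be checked before upload. The following is an added example, not part of the original article and not KnowBe4 code: it checks the header names, the required Email field, the Hostname/Username rule, and whether each email is known. It assumes you supply the list of email addresses from your Users tab yourself; the function name, the sample data, and the case-insensitive email comparison are assumptions.

```python
import csv
import io

# Header names taken from the CSV File Field column above.
ALLOWED_HEADERS = ("Email", "Hostname", "Username")


def validate_mapping_csv(csv_text, known_emails):
    """Return a list of (line_number, problem); an empty list means no problems."""
    problems = []
    # Assumption: emails are compared case-insensitively.
    known = {e.strip().lower() for e in known_emails}
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []

    if "Email" not in headers:
        problems.append((1, "missing required header: Email"))
    for h in headers:
        if h not in ALLOWED_HEADERS:
            problems.append((1, f"unexpected header: {h!r}"))
    if problems:
        return problems  # rows cannot be read reliably with bad headers

    for row in reader:
        line = reader.line_num
        email = (row.get("Email") or "").strip()
        hostname = (row.get("Hostname") or "").strip()
        username = (row.get("Username") or "").strip()
        if not email:
            problems.append((line, "Email is required"))
        elif email.lower() not in known:
            problems.append((line, f"{email} is not on the Users tab"))
        if not hostname and not username:
            problems.append((line, "Hostname and Username cannot both be empty"))
    return problems


# Constructed sample data for illustration only.
SAMPLE_CSV = """Email,Hostname,Username
alice@example.com,LAPTOP-ALICE,alice
bob@example.com,,
carol@example.com,,carol
,HOST-4,dave
"""
SAMPLE_KNOWN = ["alice@example.com", "bob@example.com"]

if __name__ == "__main__":
    for line, problem in validate_mapping_csv(SAMPLE_CSV, SAMPLE_KNOWN):
        print(f"line {line}: {problem}")
```

Rows that fail these checks would otherwise leave vendor events unlinked to a user, so fixing them before upload reduces what later appears in the Unmapped Events Report.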

Using the Unmapped Events Report

The Unmapped Events Report lists events from your integrated vendors that are not currently mapped to a user in your KSAT console. You can use this information to map new users or update the mapping for existing users. Then, you can rerun user mapping to map the events to users.

Note: The Unmapped Events Report includes only the most recent 10,000 events.

To use the Unmapped Events Report, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Click Unmapped Events Report. For more information about the Unmapped Events Report, see below:
      1. Vendor: You can use this drop-down menu to select which vendor you want to view unmapped events for.
      2. Start Date: You can select the beginning of the date range that you want to view unmapped events for.
      3. End Date: You can select the end of the date range that you want to view unmapped events for.
      4. View Unmapped Events: You can click this button to generate data for your selected criteria.
      5. Generate CSV: You can click this button to generate a CSV file of the report.
      6. Rerun Event Mapping: You can click this button to rerun user mapping to map the events to users. For the best results, we recommend mapping additional users before clicking this button.
      7. This table displays the unmapped events for your selected criteria.
      8. All Event Mapping Reruns: You can click this button to view your history of user mapping reruns.

Mapping Recommendations

SecurityCoach recommends mappings of your KSAT users to various identifiers. To view your recommendations, you can use the Automatic Device Discovery feature, our User Mapping Recommendations, and the Discovered Users Report.

For more information about these recommendation options, see the subsections below.

Automatic Device Discovery

The Automatic Device Discovery feature automatically maps users to devices using the data from your integrated vendors. You can then review these mappings on the User Mapping View page.

To enable Automatic Device Discovery, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Use the toggle to enable Automatic Device Discovery.

User Mapping Recommendations

You can use our User Mapping Recommendations to help map your users to various identifiers. You can accept or reject these recommendations.

To review your user mapping recommendations, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Click User Mapping Recommendations. For more information about your user recommendations, see below:
      1. Search: You can use this search bar to filter the list by first name, last name, or email.
      2. + Filters: You can click this button to filter the list of recommended mappings by Active Users, Archived Users, or Confidence Score.
      3. Approve Selected: You can click this button to approve the selected mappings in the table.
      4. Reject Mapping: You can click this button to reject the selected mappings in the table.
      5. This table lists mapping recommendations by Confidence Score. The Confidence Score is a number between 0 and 100 with higher scores indicating a greater confidence that the match is correct. For each recommendation, you can see the email, first name, last name, status, and the Confidence Score of the email being recommended to be mapped to the alias. An alias may have more than one recommendation available.

Discovered Users Report

You can use the Discovered Users Report to discover users who may not have been created in your KSAT console based on data from your integrated vendors. This report is enabled by default.

To view the Discovered Users Report, follow the steps below:

  1. Log in to your KSAT console and navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Click Discovered Users.

Viewing Your Mapped Users

Once you have mapped your users, you can view your mappings at any time. To view your mapped users, follow the steps below:

  1. In your KSAT console, navigate to SecurityCoach > Setup.
  2. From the menu on the left side of the page, select User Mapping Setup.
  3. Click the Review Mapped Users button. Once you click this button, the Mapped Users page will display. For more information about the fields on this page, see below:
      1. Search: You can enter a keyword to search for a user in the table.
      2. Show/Hide Columns: You can click this icon to show or hide columns in the table.
      3. This table displays your current user mappings.
      4. Edit: You can click this button to open the Mapped User pop-up window. In this pop-up window, you can add or remove aliases for the user.
