Network Management



Can I gather forensic information

  • 1.  Can I gather forensic information

    Posted Mar 06, 2020 02:30 PM

    We saw a user download a large amount of information from an internal server on our wireless network.
    I have the bandwidth data, from Airwave.

    She disconnected from the network & went to lunch.
    She came back from lunch and is attached to the employee SSID.

    I want to see which hosts she visited this morning.
    The controller only shows remote hosts visited during the existing session.

    Are there any logs which keep forensic information about user activity from hours or even days earlier?

    Also, is there any way to get "timestamp" info from the "Clients/User Firewall State" menu?
    We can see what IP Addresses her mobile device connected to.

    I don't see what time she was at each host.



  • 2.  RE: Can I gather forensic information

    MVP
    Posted Mar 07, 2020 08:19 AM

    Hi,

     

    For this specific topic, Aruba has a superb solution called Aruba IntroSpect (UEBA). Please refer to
    https://www.arubanetworks.com/resource/ueba-use-case-compromised-users-and-host-detection-using-behavioral-analytics/

     

    Hope this helps.



  • 3.  RE: Can I gather forensic information

    MVP GURU
    Posted Mar 07, 2020 01:24 PM

    Yep, but that solution - like many similar others - can't act retroactively...eventually some collected data can be inferred by logging into systems already available (sysloggers, AirWave, AD, etc.)...systems that logged user activity already concluded, but it can't create a user profile based on data not collected yet (by means of supervised/unsupervised systems)...once implemented, that solution is potentially optimum...but if the OP needs to implement that solution today or tomorrow and the alleged data breach/suspicious activity happened just two days ago...that solution will not be useful enough for an event that happened in the past. Isn't it?



  • 4.  RE: Can I gather forensic information

    MVP
    Posted Mar 09, 2020 03:38 AM

    I agree, 

     

    If the solution was not in place when something happened, it will be a problem to gather information from such solution. Considering that there might be some memory for logs in place for a certain period of time, there might be chances to poll information into those platforms.

     

    If not, in such cases you need special applications/tools which deal with Cyber Security Forensics.

     



  • 5.  RE: Can I gather forensic information

    Posted Mar 09, 2020 01:30 PM

    Parnassus

     

    I believe that every time a user authenticates to the Wireless SSID, a log file is created, but which device holds the log files with the information needed?
    The Master Controller, or the local controller?
    What information is sent to AirWave from the controllers?
    AirWave has dozens of log files.
    Which log file on AirWave contains information about authenticated connections, amount of time connected, or sites visited while connected?

    We see all of this information in real time, but does AirWave store this information about end users in a log file someplace?



  • 6.  RE: Can I gather forensic information

    MVP GURU
    Posted Mar 09, 2020 03:58 PM

    Hi tomgilmore, I agree with you. Somewhere, spread out on various systems, many log files exist...but this doesn't necessarily mean you have the correct combination to unlock the "who-what-where-why-how" door.

     

    Points I see here are (OT?):

     

    1. Nobody will grant you that, even collecting, synchronizing, filtering and manually analyzing those logs, you will be able to infer enough to say a definitive word about the direct/indirect purposes, the outcomes and the strategies followed by a user performing a particular action on a particular device connected to a particular network (not necessarily speaking about a potential insider/outsider attempting to force enterprise systems and/or steal corporate data)...at best you can gather a lot of information fragments from many different systems and you can use this set like connecting single black dots on a blank paper sheet (logged actions, e.g. connection logging, authentication logging, etc.), obtaining a picture. But that's a part of the story. Is it enough? It depends.
    2. The lack of a system designed to collect (invasively?), aggregate, correlate and infer on huge amounts of network events means, on one hand, the lack of any predictive/trending capability and, on the other, also means the lack of a system able to help you decide quickly if something wrong really happened in the near/far past.
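The "connecting the dots" step described in the reply above (and the original poster's question about putting timestamps next to the hosts a user visited) comes down to joining two log sources that already exist on most networks: an authentication/association log that says who held which IP address and when, and a firewall or session log that says which IP address talked to which host and when. The example below is added here and is not code from the thread, from Aruba or from AirWave; the two log formats, user names, MAC and IP addresses are all constructed for the example and do not represent any real Aruba syslog format. It builds per-user lease windows from the auth log and then attributes each session record to the user who held the source IP at that moment, which also handles the case the thread does not mention: after a user disconnects (goes to lunch), her IP can be reassigned to someone else, so an IP alone is not an identity.

```python
"""Correlate a (constructed) auth/association log with a (constructed) session log
to produce a per-user timeline of hosts visited with timestamps.

Both log formats below are invented for this example. They are NOT Aruba
controller or AirWave formats; adapt parse_line() to your real exports.
"""
import re
from datetime import datetime

# Constructed sample: who authenticated with which MAC/IP, and when they left.
# Note that 10.1.5.23 is handed to a different user after jdoe's deauth.
AUTH_LOG = """\
2020-03-06T08:02:11 user=jdoe mac=aa:bb:cc:dd:ee:01 ip=10.1.5.23 event=auth_success ssid=Employee
2020-03-06T08:02:12 user=msmith mac=aa:bb:cc:dd:ee:02 ip=10.1.5.40 event=auth_success ssid=Employee
2020-03-06T12:01:03 user=jdoe mac=aa:bb:cc:dd:ee:01 ip=10.1.5.23 event=deauth ssid=Employee
2020-03-06T12:04:50 user=msmith mac=aa:bb:cc:dd:ee:02 ip=10.1.5.23 event=auth_success ssid=Employee
2020-03-06T13:05:30 user=jdoe mac=aa:bb:cc:dd:ee:01 ip=10.1.5.77 event=auth_success ssid=Employee
"""

# Constructed sample: firewall/session records keyed only by IP address.
SESSION_LOG = """\
2020-03-06T09:15:02 src=10.1.5.23 dst=10.1.20.5 dport=445 bytes=734003200
2020-03-06T09:40:10 src=10.1.5.23 dst=10.1.20.9 dport=443 bytes=120000
2020-03-06T11:58:00 src=10.1.5.40 dst=10.1.20.5 dport=445 bytes=5000
2020-03-06T12:30:00 src=10.1.5.23 dst=10.1.20.5 dport=445 bytes=1000
2020-03-06T13:20:00 src=10.1.5.77 dst=10.1.20.11 dport=22 bytes=2000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ISO timestamp> k=v k=v ...' into (datetime, dict)."""
    ts_str, _, rest = line.partition(" ")
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S"), dict(KV_RE.findall(rest))


def lease_windows(auth_log):
    """Return [(user, ip, start, end)] windows; end is None while still connected."""
    open_by_ip = {}  # ip -> (user, start)
    windows = []
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        ip = f["ip"]
        if f["event"] == "auth_success":
            # A new auth on an IP that is still "open" implicitly ends the old window
            # (missed deauth, roaming, lease reuse); close it at this timestamp.
            if ip in open_by_ip:
                prev_user, start = open_by_ip.pop(ip)
                windows.append((prev_user, ip, start, ts))
            open_by_ip[ip] = (f["user"], ts)
        elif f["event"] == "deauth" and ip in open_by_ip and open_by_ip[ip][0] == f["user"]:
            user, start = open_by_ip.pop(ip)
            windows.append((user, ip, start, ts))
    for ip, (user, start) in open_by_ip.items():
        windows.append((user, ip, start, None))
    return windows


def owner_at(windows, ip, ts):
    """Which user held `ip` at time `ts`, or None if no window covers it."""
    for user, wip, start, end in windows:
        if wip == ip and start <= ts and (end is None or ts < end):
            return user
    return None


def attribute_sessions(auth_log, session_log):
    """Tag every session record with the user who held its source IP at that time."""
    windows = lease_windows(auth_log)
    records = []
    for line in session_log.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        records.append({
            "time": ts,
            "user": owner_at(windows, f["src"], ts),
            "src": f["src"],
            "dst": f["dst"],
            "dport": int(f["dport"]),
            "bytes": int(f["bytes"]),
        })
    return records


def timeline_for(user, auth_log, session_log):
    """Chronological list of hosts a given user reached, with timestamps and byte counts."""
    return sorted(
        (r for r in attribute_sessions(auth_log, session_log) if r["user"] == user),
        key=lambda r: r["time"],
    )


if __name__ == "__main__":
    for r in timeline_for("jdoe", AUTH_LOG, SESSION_LOG):
        print(f'{r["time"]:%H:%M:%S} jdoe {r["src"]} -> {r["dst"]}:{r["dport"]} {r["bytes"]} bytes')
```

The 12:30 session from 10.1.5.23 is attributed to msmith, not jdoe, because jdoe's window on that address closed at her 12:01 deauth; without the auth log that record would wrongly land on the first user's timeline. Two practical caveats when doing this with real exports: the clocks of the controller, the syslog server and the firewall must be synchronized (NTP) or the windows will not line up, and the retention period of whichever system holds the session records bounds how far back such a timeline can reach, which is the point the earlier replies make about data that was never collected.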