About data stored by the user identity service

The user identity service is a group of stateless web applications, each of which runs in a separate Docker container. The procedure for managing the data of each of the components is described below.

The event gathering component (Collector) collects events from the Windows event log of the domain controller and then filters the events based on rules specified in the application configuration file. The component accumulates data in RAM, and then the filtered events are transmitted to the MapApp component over an encrypted link for further processing.

The event processing component (MapApp) processes the queue of messages from the Collector and maintains an up-to-date map of user sessions based on these events, which allows matching IP addresses of LAN hosts with domain accounts. The information is stored in external PostgreSQL storage. The component provides an API for other components of the Kaspersky NGFW solution that need information about the correspondence of IP addresses to user accounts to enforce policies when processing traffic or analyzing security events.
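An added example (not Kaspersky code) of the Collector-to-MapApp flow described above: filter domain controller logon events, then maintain an IP-to-account map. The event IDs, field names, filter rules and 8-hour expiry are assumptions for illustration, and the sample events are constructed.

```python
"""Added illustration: filter logon events, then keep an IP -> account session map."""
from datetime import datetime, timedelta

# Assumed filter rules (the page does not list the product's real rules).
ALLOWED_EVENT_IDS = {4624}          # Windows Security log: successful logon
SESSION_TTL = timedelta(hours=8)    # assumed expiry for a stale mapping

# Constructed sample events, shaped like fields of a Security log record.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-05-01T08:00:00", "user": "CORP\\alice", "ip": "10.0.0.15"},
    {"id": 4624, "time": "2024-05-01T08:01:00", "user": "CORP\\WS15$", "ip": "10.0.0.15"},
    {"id": 4625, "time": "2024-05-01T08:02:00", "user": "CORP\\mallory", "ip": "10.0.0.15"},
    {"id": 4624, "time": "2024-05-01T08:03:00", "user": "CORP\\bob", "ip": "-"},
    {"id": 4624, "time": "2024-05-01T09:00:00", "user": "CORP\\bob", "ip": "10.0.0.15"},
    {"id": 4624, "time": "2024-05-01T09:30:00", "user": "CORP\\carol", "ip": "10.0.0.22"},
]

def collector_filter(events):
    """Collector role: keep only events that can safely bind an account to an IP."""
    for ev in events:
        if ev["id"] not in ALLOWED_EVENT_IDS:
            continue                      # e.g. 4625 failed logon must not create a session
        if ev["user"].endswith("$"):
            continue                      # machine accounts are not user sessions
        if ev["ip"] in ("", "-", "127.0.0.1", "::1"):
            continue                      # no usable source address
        yield ev

class SessionMap:
    """MapApp role: latest logon wins per IP; entries expire after SESSION_TTL."""
    def __init__(self):
        self._by_ip = {}

    def apply(self, ev):
        seen = datetime.fromisoformat(ev["time"])
        current = self._by_ip.get(ev["ip"])
        if current is None or seen >= current[1]:   # ignore out-of-order older events
            self._by_ip[ev["ip"]] = (ev["user"], seen)

    def lookup(self, ip, now):
        entry = self._by_ip.get(ip)
        if entry is None or now - entry[1] > SESSION_TTL:
            return None                   # unknown or stale: caller must not assume identity
        return entry[0]

def build_map(events):
    smap = SessionMap()
    for ev in collector_filter(events):
        smap.apply(ev)
    return smap
```

A policy consumer that receives `None` from `lookup` should treat the traffic as unauthenticated rather than reuse the last known account for that address.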

The component for processing user groups (GroupApp) uses the LDAP/LDAPS protocols to collect and update information about members of user groups in the domain. The information is stored in external PostgreSQL storage. The component provides an API for other components of the Kaspersky NGFW solution that need information about groups to enforce security profile groups when processing traffic or analyzing security events.
