User-ID Credential Phishing Prevention With Group Mapping Does Not Block Alternative Username Attributes
Created On 08/12/22 13:31 PM - Last Modified 06/07/24 20:42 PM
Symptom
- User-ID Credential Phishing Prevention with Group Mapping does not block alternate username attributes retrieved from group mapping.
- The user attributes listed below are pulled from the Group Mapping settings.
- cred_test@dan.lab and dan\cred_test are blocked by the Domain Credential Filter.
- dan\creds and creds@differentdomain.com are not blocked.
Primary: cred_test@dan.lab Email: creds@differentdomain.com
Alt User Names:
1) creds@differentdomain.com
2) dan\cred_test
3) dan\creds
Environment
- User-ID Credential Phishing Agent
- User-ID Group Mapping
- All PAN-OS Releases
Cause
User-ID Credential Phishing Prevention in Group Mapping mode does not block usernames based on Group Mapping Alternative attributes.
Resolution
- The blocking is performed on the user prefix section of the Primary Username.
- In the example above, only the username "cred_test" is blocked, since it is the user prefix of the Primary Username.
Primary: cred_test@dan.lab Email: creds@differentdomain.com
Alt User Names:
1) creds@differentdomain.com
2) dan\cred_test
3) dan\creds
Additional Information
- A blocked username does not need to appear in the Primary or Alternative attributes.
- For the example user in this case, any username containing cred_test as a prefix is blocked. Even when this user only has cred_test@dan.lab and dan\cred_test as matching attributes, any of the below usernames will also be blocked.
cred_test@randomdomain.com
xyza\cred_test
cred_test@123
- The following are not blocked, because the user prefix must match exactly.
cred_test123
cred_test1@test.com
test\cred_test2
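
The matching rule described above, modelled as an added example (this is not PAN-OS code, only an illustration of the behavior this article describes). It can be used to check which alternate names from group mapping fall outside the filter. The function names are hypothetical, and treating a name with no domain part as its own prefix is an assumption.

```python
"""Model of the matching rule described in this article (not PAN-OS code)."""


def user_prefix(name: str) -> str:
    """Return the user part of 'user@domain' or 'domain\\user'.

    Assumption: a name with neither separator is treated as its own prefix.
    """
    if "\\" in name:
        name = name.split("\\", 1)[1]   # drop the leading domain and backslash
    return name.split("@", 1)[0]        # drop the '@domain' part


def is_blocked(submitted: str, primary: str) -> bool:
    """True when the submitted name's user prefix exactly equals the primary's."""
    return user_prefix(submitted) == user_prefix(primary)


def uncovered_alternates(primary: str, alternates: list[str]) -> list[str]:
    """Alternate names from group mapping that the filter would not match."""
    return [alt for alt in alternates if not is_blocked(alt, primary)]


# Values taken from the article's example user.
PRIMARY = "cred_test@dan.lab"
ALTERNATES = ["creds@differentdomain.com", "dan\\cred_test", "dan\\creds"]

# Usernames the article lists as blocked / not blocked for this user.
SAMPLES = [
    "cred_test@randomdomain.com", "xyza\\cred_test", "cred_test@123",
    "cred_test123", "cred_test1@test.com", "test\\cred_test2",
]

if __name__ == "__main__":
    print("Alternates not covered:", uncovered_alternates(PRIMARY, ALTERNATES))
    for name in SAMPLES:
        verdict = "blocked" if is_blocked(name, PRIMARY) else "not blocked"
        print(f"{name:30} {verdict}")
```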