- 11 May 2022
- 1 Minute to read
- Updated on 11 May 2022
- 1 Minute to read
User attribution is the process to identify a USER ID and the user role. Once Traceable identifies the USER ID and user role, it is easier to associate them with the user action. User attribution is also required to attribute the user requests across multiple user sessions. Correctly configured user attribution helps in identifying the threat actor activities. In the absence of user attribution, you would have to search through many sessions and IP addresses and stitch together the data to understand a user's activity. If not configured, only the IP address would be visible in the UI, not the user ID. In the absence of user attribution, Traceable detects session-based anomalies within a single session.
User attribution is also necessary because IP addresses could be shared, spoofed, or can frequently change. Correctly configured user attribution helps Traceable in visualizing user activity across devices and identify the user even in a shared network environment.
You can configure user attribution values from Traceable UI. Navigate to Administration () > User Attribution.
You can configure user attribution for the following:
- Basic Authentication - Configuration for detecting USER ID from the Basic authentication schema.
- JWT Authentication
- Header - Configuration for detecting USER ID and role from Bearer JWT authentication schema. See the next section for more information on configuring JWT authentication.
- Cookie - Configuration for detecting USER ID and role from JWT request cookie.
- Request Header - Configuration for detecting USER ID and role from the request headers.
JWT authentication configuration
When you select JWT authentication for configuring JWT attribution, you need to configure the location of JWT. You can follow these steps to identify the details to configure in the JWT section.
- Identify where the JWT is located in the HTTP request. The location of JWT can either be in the header or the cookie.
- You should have access to a JWT token that is not obfuscated.
- Decrypt the JWT token using decrypting service, for example, jwt.io.
- Locate the User ID and Role claims. If User ID and Role claims are top-level JSON keys, then copy and paste the key names in the corresponding fields. If they are nested, use the JSON path syntax to locate them.