Identify users behind tools and apps

Many BI tools, when connecting to a data repository to execute requests on behalf of their end users, do so using a single service user account. Consequently, from the data repository's perspective, all requests seem to originate from this service user. This can defeat the repository's role-based access controls since those controls apply only to the service user account, and not to the actual user of the BI tool.

In order to provide more visibility, BI tools use a technique called request annotation which involves passing in comments carrying additional information about the end user identity in the native language of the data repository. These comments are ignored by the data repository during request processing. However, they’re useful for activity monitoring and performance debugging, and they help with tracing requests back to the end users that generated them.

Cyral understands the syntax and grammar of annotations added by popular BI tools such as Looker. It uses this knowledge to extract the end user’s identity from the comments accompanying each request, and adds it to the data activity logs.

Below, we show how to set up Looker to connect to a database through the Cyral sidecar.

Add a new connection in Looker

Prerequisites

• Make sure you have permission to add connections to your Looker instance. Typically, this requires you to be part of the Admin role.
• Make sure Cyral is connected to your SIEM platform

Procedure

To add a new connection:

1. Log into your Looker console

2. In Looker, click Admin: Database: Connections

   

3. Click Add Connection

4. Fill in the connection details as shown in the figure below. You can click Test These Settings to verify connectivity to the sidecar.

5. Click Add Connection after verification has been successful.

Run SQL queries in Looker

1. Click on Develop: SQL Runner to open SQL Runner.

   

2. Type a query in the Query editor and click Run. The results are displayed in the Results window.

Viewing Data Activity Logs in a SIEM

For this tutorial, we will use Kibana as an example of a SIEM dashboard. Below is a screenshot of the relevant data activity log attributes that show Cyral monitoring the Looker activity. Notice the identity.endUser attribute which shows that it was Nancy Drew with the email nancy.drew@hhiu.us that ran the Looker queries. Also notice the repo user analyst. This is the service user that Looker used to log into the database.

You can drill down into the individual log events to view more detail:

In this manner, Cyral allows you to identify the end users behind your tools and apps.