Identity Awareness maps usernames to IP addresses by collecting Windows Security Events from Active Directory Domain Controllers. These events include Account Logon, Kerberos Ticket Requested, and Kerberos Ticket Renewed. These events indicate that a user has successfully authenticated to the domain and obtained a Kerberos ticket for accessing network resources. Identity Awareness can use these events to associate the username with the source IP address of the authentication request.

However, Kerberos Ticket Timed Out is not a Windows Security Event that Identity Awareness can use to map usernames to IP addresses. This event indicates that a user’s Kerberos ticket has expired and needs to be renewed. This event does not contain the source IP address of the user, only the username and the ticket information. Therefore, Identity Awareness cannot use this event to map a username to an IP address.

References:

1, Training & Certification | Check Point Software, section “Security Expert R81.20 (CCSE) Core Training”

2, Certified Security Expert (CCSE) R81.20 Course Overview, page 1

3, Check Point Certified Security Expert R81, page 5

5, Identity Awareness Administration Guide R81, section “How Identity Awareness Collects Identities”