dc users

Synopsis

netapi ise dc users [OPTIONS]

Description

Get top users by authentication count. Useful for capacity planning, identifying power users, and detecting anomalous authentication patterns (potential credential stuffing or compromised accounts).

Options

Option         Default   Description
--hours, -h    24        Hours to look back
--limit, -l    20        Maximum results to return

Usage

# Top 20 users (last 24h)
netapi ise dc users

# Last week
netapi ise dc users --hours 168

# Top 50 users
netapi ise dc users --limit 50

# JSON for processing
netapi ise dc --format json users

Sample Output

             Top Users (last 24h)
┏━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Username                ┃ Auth Count ┃ Passed ┃ Failed ┃ Unique MACs ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━┩
│ shahab@corp.local       │        847 │    845 │      2 │           3 │
│ admin@corp.local        │        234 │    234 │      0 │           1 │
│ svc_backup              │        156 │    156 │      0 │           1 │
│ guest_wifi              │         89 │     67 │     22 │          45 │
│ john.doe@corp.local     │         45 │     44 │      1 │           2 │
└─────────────────────────┴────────────┴────────┴────────┴─────────────┘

Use Cases

Capacity Planning

# Weekly usage report
netapi ise dc users --hours 168 --limit 100

# Total user auths this week
netapi ise dc --format json users --hours 168 | jq '
  [.[].auth_count] | add
'

Detect Anomalies

#!/bin/bash
# Alert on suspicious patterns

# Users with many unique MACs (credential sharing?)
netapi ise dc --format json users --hours 24 | jq '
  .[] | select(.unique_macs > 10) |
  "WARNING: \(.username) used \(.unique_macs) devices"
' -r

# Users with high failure rate (compromised account?)
netapi ise dc --format json users --hours 24 | jq '
  .[] | select(.auth_count > 10) |
  select((.failed / .auth_count) > 0.3) |
  "ALERT: \(.username) has \(.failed)/\(.auth_count) failures (\((.failed/.auth_count)*100 | floor)%)"
' -r

Service Account Monitoring

# Check service accounts are working
netapi ise dc --format json users --hours 24 | jq '
  .[] | select(.username | startswith("svc_")) |
  "\(.username): \(.passed) passed, \(.failed) failed"
' -r

User Activity Report

# Export to CSV
netapi ise dc --format json users --hours 168 --limit 100 | jq -r '
  ["Username","Auth Count","Passed","Failed","Unique MACs"],
  (.[] | [.username, .auth_count, .passed, .failed, .unique_macs]) | @csv
' > user_activity.csv

Compare Peak vs Off-Peak

# --hours counts back from now, so run this at 18:00 to cover 08:00-18:00
echo "=== Business Hours (8am-6pm) ==="
netapi ise dc users --hours 10 --limit 10

echo
echo "=== After Hours ==="
# Filtering by time of day requires a custom query.
# HH24 values '08' through '17' cover 08:00-17:59 (8am-6pm).
netapi ise dc query "
SELECT username, COUNT(*) as auth_count
FROM RADIUS_AUTHENTICATION
WHERE TIMESTAMP_TZ > SYSDATE - 1
  AND TO_CHAR(TIMESTAMP_TZ, 'HH24') NOT BETWEEN '08' AND '17'
GROUP BY username
ORDER BY auth_count DESC
FETCH FIRST 10 ROWS ONLY
"

Red Flags

Pattern                                Possible Issue
User with 50+ unique MACs              Credential sharing or compromised account
High failure rate (>30%)               Password expired, account locked, or brute force
Service account from unexpected MAC    Potential lateral movement
User auth at unusual hours             Account compromise (verify with user)
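
The device-count and failure-rate checks above can be combined into one triage pass over the JSON output. This is an added example, not part of netapi; it assumes the JSON is a top-level array with the fields used in the jq filters above. The shared-account allowlist, the one-MAC expectation for svc_ accounts, and the svc_print and new.hire rows are assumptions made for illustration.

```python
import json
import sys

# Thresholds mirror the page's jq filters; SVC_EXPECTED_MACS is an assumption.
MAX_MACS = 10          # more unique MACs than this is flagged
MAX_FAIL_RATE = 0.3    # failed / auth_count above this is flagged
MIN_AUTHS = 10         # skip the failure-rate check on tiny samples
SVC_PREFIX = "svc_"
SVC_EXPECTED_MACS = 1  # assumed: each service account runs on a single host

# Constructed sample: three rows from the sample output plus two invented rows.
SAMPLE = [
    {"username": "shahab@corp.local", "auth_count": 847, "passed": 845, "failed": 2, "unique_macs": 3},
    {"username": "svc_backup", "auth_count": 156, "passed": 156, "failed": 0, "unique_macs": 1},
    {"username": "guest_wifi", "auth_count": 89, "passed": 67, "failed": 22, "unique_macs": 45},
    {"username": "svc_print", "auth_count": 60, "passed": 30, "failed": 30, "unique_macs": 4},
    {"username": "new.hire@corp.local", "auth_count": 3, "passed": 0, "failed": 3, "unique_macs": 1},
]


def triage(rows, shared_accounts=frozenset()):
    """Return (username, [reasons]) for each row that matches a red flag."""
    findings = []
    for row in rows:
        user = row["username"]
        total = row.get("auth_count") or 0
        failed = row.get("failed") or 0
        macs = row.get("unique_macs") or 0
        reasons = []
        if user.startswith(SVC_PREFIX):
            # Service accounts get the stricter device check.
            if macs > SVC_EXPECTED_MACS:
                reasons.append(f"service account seen from {macs} MACs")
        elif macs > MAX_MACS and user not in shared_accounts:
            reasons.append(f"{macs} unique MACs")
        if total > MIN_AUTHS and failed / total > MAX_FAIL_RATE:
            reasons.append(f"{failed}/{total} failures ({failed * 100 // total}%)")
        if reasons:
            findings.append((user, reasons))
    # Accounts matching the most red flags come first.
    return sorted(findings, key=lambda f: -len(f[1]))


if __name__ == "__main__":
    rows = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for user, reasons in triage(rows, shared_accounts={"guest_wifi"}):
        print(f"{user}: " + "; ".join(reasons))
```

Pipe `netapi ise dc --format json users --hours 24` into the script to triage live data; without piped input it runs on the constructed sample.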
