Introduction
This document describes how you can use the services of the One Identity Safeguard for Privileged Sessions Add-on for Splunk (the Splunk Add-on) and the One Identity Safeguard for Privileged Sessions App for Splunk (the Splunk App) to process and visualize your events from One Identity Safeguard for Privileged Sessions (SPS).
One Identity Safeguard for Privileged Sessions:
One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
SPS and Splunk Add-on / Splunk App
If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.
The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.
The Splunk App creates useful dashboards to visualize your sessions audited with SPS.
Also, if you want to use your Microsoft Windows or Linux session logs for gap analysis and you have the Splunk Add-on for Microsoft Windows or the Splunk Add-on for Unix and Linux installed, the Splunk App allows you to spot potential audit gaps.
The Splunk Add-on
The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.
If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.
When using SPS together with the Splunk Add-on, the events originating from SPS are parsed, indexed and labeled with tags. These tags help standardize data coming from various data sources. As a result, custom-searching in Splunk will be more effective.
Prerequisites and restrictions
Installation and configuration
To install the Splunk Add-on and configure SPS to forward events to Splunk
- Use your favorite install method to install the app (either by searching for the One Identity Safeguard for Privileged Sessions Add-on for Splunk app on your Splunk web UI, or by navigating to the SplunkBase website and installing the app manually).
- Configure SPS to forward events to Splunk. For detailed instructions, see "Using the universal SIEM forwarder" in the Administration Guide.
Parsing and indexing with the Splunk Add-on
If you want to search for a specific event type in your SPS index (for example, because you want to have a chart on your own dashboard about the distribution of different event types), look at the "Event type name" column in Event types to filter for the different kinds. As an example, if you would like to count the number of "ServerConnect" events and visualize the results on a graph, you can do so with the following search expression:
search index=* | stats count(eval(eventtype=oneidentity_sps_server_connect)) AS count_server_connect BY eventtype
Event types
The table below lists the definitions of event types for your sessions originating from SPS and the definitions' descriptions.
oneidentity_sps_server_connect |
ServerConnect event coming from SPS SIEM forwarder |
oneidentity_sps_session_closed |
SessionClosed event coming from SPS SIEM forwarder |
oneidentity_sps_server_ authentication_success |
ServerAuthenticationSuccess event coming from SPS SIEM forwarder |
oneidentity_sps_server_ authentication_failure |
ServerAuthenticationFailure event coming from SPS SIEM forwarder |
oneidentity_sps_gateway_ authentication_failure |
GatewayAuthenticationFailure event coming from SPS SIEM forwarder |
oneidentity_sps_session_scored |
SessionScored event coming from SPS SIEM forwarder |
oneidentity_sps_command_channel_ event |
CommandChannelEvent event coming from SPS SIEM forwarder |
oneidentity_sps_window_title_channel_event |
WindowTitleChannelEvent event coming from SPS SIEM forwarder |
oneidentity_sps_rdp_embedded_in_tsg |
RdpEmbeddedInTsg event coming from SPS SIEM forwarder |
oneidentity_sps_file_transfer |
FileTransfer event coming from SPS SIEM forwarder |
The Splunk App
The One Identity Safeguard for Privileged Sessions App for Splunk creates useful dashboards to visualize your sessions audited with SPS. With this app, you can get an overview of your audited sessions and pinpoint interesting ones to be able to investigate them further. Also, if you have other sources of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) as well as those originating from SPS, you can compare the two sources of information and see if all the necessary sessions are audited without audit gaps.
When used together with the Splunk App, you can customize your search with the help of your defined events and visualize your sessions originating from SPS on customized dashboards.
Prerequisites and restrictions
NOTE: It is a prerequisite to have the Splunk Add-on installed for the Splunk App to work. When you install the Splunk App, it is presumed that SPS is already configured to forward events to Splunk and Splunk already receives these forwarded events. In such a setup, all events from SPS should arrive to a separate index in Splunk (if it's not the case, fix it before installing and setting up the Splunk App).
Installation and setup
To install and setup the Splunk App
-
Use your favorite install method to install the app (either by searching for the One Identity Safeguard for Privileged Sessions App for Splunk app on your Splunk web UI, or by navigating to the SplunkBase website and installing the the app manually).
-
On the setup page of the Splunk App, provide the name of the index into which the SPS events will be arriving.
-
(Optional) If such an index does not exist yet and you want to configure forwarding later, just specify an index name of your choice and the Splunk App will create the index for you. In this case, pay attention to forward the events into this index later, when configuring forwarding from SPS.
-
There is another index you can specify, which will be the origin of data coming from logs. You can use this app to spot "audit gaps" (that is, unaudited sessions), but for that to work, you need logs from the hosts directly.
-
(Optional) If you already have forwarders set up to forward logs from your hosts to Splunk, specify the name of the index for the app into which the logs are forwarded.