Chatee ahora con Soporte
Chat con el soporte

One Identity Safeguard for Privileged Sessions 7.4 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

CEF

CEF (Common Event Format): the mapping to CEF will be described in terms of mapping from the JSON format to CEF. In CEF all relevant keys are present, but the value may be empty if it is not known.

Header

Here <...> is substituted with the actual values.

CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|

Extensions

CEF extensions that are always present:

app: string, equal to Application protocol

cs1: string, equal to session_id

cs1Label: string, equal to literal "Session ID"

dst: string, equal to Destination address

duser: string, equal to Destination username

dvc: string, equal to Device address

src: equal to Source address

start: equal to timestamp

suser: equal to Source username

For details on the exact messages and the fields they contain, see CEF messages.

JSON

JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. Some keys are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.

Keys that are always present and filled:

base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".

client_address: string, the IP address of the client.

client_name: string, the client hostname or IP address if hostname is not known.

client_port: integer, the port number of the client.

connection_policy: string, the name of the Connection Policy related to the session.

event_type_id: integer, a unique number specifying the message type (primarily for CEF).

event_name: string, the name of the event type.

gateway_username: string, the authenticated gateway username if there was a successful gateway authentication.

protocol: string, the application-level protocol.

session_id: string, the unique identifier of the session.

severity: integer, 0-10, the score of the session divided by 10 at the time of the message was created. The value is 0 if the score is not available.

timestamp: string, milliseconds since Unix epoch.

For details on the exact messages and the fields they contain, see JSON messages.

JSON-CIM

In One Identity Safeguard for Privileged Sessions (SPS) version 5.11 and later versions of SPS, the JSON-CIM external message format is also supported. The JSON-CIM format is a JSON format following Splunk's CIM field names. As a result, Splunk applications can interpret the JSON-CIM format.

Keys that are always present and filled:

dvc: string, equal to Device FQDN

event_name: string, the name of the event

product: string, the short name of the product and its version number

session_id: The unique ID of the session

_time: Timestamp when the event occurred

vendor: Contains the OneIdentity string

For details on the exact messages and the fields they contain, see JSON_CIM messages.

CEF messages

SessionClosed due to content policy violation

Description of the message: Emitted when content policy with termination action enabled is violated

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-9S9nqpGqdns6GAJxULWjHp-my_connection-52 cs1Label=Session ID cs2=TERMINATED cs2Label=Verdict dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=45928 src=10.30.0.24 start=1568639938032 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: TERMINATED

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

ChannelAlert triggered

Description of the message: Emitted when channel alert triggered by content policy

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1244069864|ChannelAlert|0|app=SSH cs1=svc-fPr7beYhfY11DuFUXa2628-my_connection-17 cs1Label=Session ID cs2=Commands cs2Label=Event type cs3=sudo cs3Label=Matched regexp dst=10.170.255.206 duser=root dvc=10.30.24.20 reason=PatternMatcherRule src=10.30.0.24 start=1567600928995 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1244069864

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ChannelAlert

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

cs2

Event type

message

sometimes

Description: the type of the event triggering the alert e.g. Command, Full screen content

Example: Command

Field

Name

Scope

Present

cs2Label

Event type label

message

sometimes

Description: fixed to Event type

Example: Event type

Field

Name

Scope

Present

cs3

Matched regexp

message

sometimes

Description: the regexp matching the content that triggered the alert

Example: sudo

Field

Name

Scope

Present

cs3Label

Matched regexp label

message

sometimes

Description: fixed to Matched regexp

Example: Matched regexp

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

reason

Reason

message

sometimes

Description: the rule triggering alert

Example: PatternMatcherRule

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1865245228|ServerAuthenticationSuccess|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1865245228

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1262825953|ServerAuthenticationFailure|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1262825953

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1843867026|GatewayAuthenticationFailure|0|app=SSH cs1=svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-3 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=46296 src=10.30.0.24 start=1557912667169 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1843867026

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs2=ACCEPT cs2Label=Verdict cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: ACCEPT

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-25 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=54632 src=10.30.0.24 start=1557913042048 suser= cs2=AUTH_FAIL cs2Label=Verdict

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-27 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=55084 src=10.30.0.24 start=1557913066163 suser=gwtestauto cs2=AUTH_FAIL cs2Label=Verdict

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|998298775|RdpEmbeddedInTsg|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-1 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=51083 src=10.30.0.24 start=1558006199668 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 998298775

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1991765353|SessionScored|7|app=SSH cs1=svc-822TNSfws1M6qixvRjQX8b-my_connection-4 cs1Label=Session ID cs2=70 cs2Label=Aggregated session score cs3=keystroke cs3Label=Scorer algorithm name cs4=18 cs4Label=Score given by algorithm dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1558008998716 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1991765353

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

cs2Label

Aggregated score label

message

always

Description: fixed to Aggregated session score

Example: Aggregated session score

Field

Name

Scope

Present

cs3

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

cs3Label

Algorithm name label

message

always

Description: fixed to Scorer algorithm name

Example: Scorer algorithm name

Field

Name

Scope

Present

cs4

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

Field

Name

Scope

Present

cs4Label

Algorithm score label

message

always

Description: fixed to Score given by algorithm

Example: Score given by algorithm

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|127084214|CommandChannelEvent|0|app=SSH cs1=svc-sZZoAcZZz9CbtCzTKWXgao-my_connection-0 cs1Label=Session ID cs2=exit cs2Label=Command dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1556287687858 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 127084214

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Command

message

always

Description: the full command detected

Example: exit

Field

Name

Scope

Present

cs2Label

Command label

message

always

Description: fixed to Command

Example: Command

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|911383355|WindowTitleChannelEvent|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-4 cs1Label=Session ID cs2=Shortcut Tools Application Tools Administrative Tools cs2Label=Window title dst=10.170.255.206 duser=Administrator dvc=10.30.24.20 src=10.30.0.24 start=1558006237095 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 911383355

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

Field

Name

Scope

Present

cs2Label

Window title label

message

always

Description: fixed to Window title

Example: Window title

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1127618380|FileTransfer|0|act=UPLOAD app=SSH cs1=svc-2L83Phh9J6GKLWTc881awk-my_connection-308 cs1Label=Session ID dst=10.170.255.206 duser=root dvc=10.30.24.20 filePath=/cpuinfo fname=cpuinfo src=10.30.0.24 start=1558023621127 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1127618380

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

act

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

fname

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

filePath

Full file path

message

always

Description: the name of the file including its path on the server (in case of RDP protocol, this field is empty, in this case the full path of the file is in the filename field)

Example: /tmp/foobar.txt

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación