One Identity Safeguard for Privileged Analytics (SPA) integrates data from One Identity Safeguard for Privileged Sessions (SPS) to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates a user behavior profile for each individual privileged user. SPA compares actual user activity to these profiles in real time, and the profiles are continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

Prerequisites

Make sure that you have session data from network traffic that:

  • contains real, unique usernames linked to users other than root/administrator or a shared account

    To check this, navigate to Sessions and check whether the Username column contains data. This is important, because session data will be linked to users.

    If you do not have unique usernames in your session data, review your authentication settings and consult with the One Identity Professional Services team to learn about your options to tie accounts to users.

  • has commands extracted (using lightweight or full indexing, or in real-time through content policies)

    For instructions on how to configure indexing and include commands in the scope of indexing, see Indexing audit trails in the Administration Guide.

    For details on how to configure real-time command extraction using a content policy, see Creating a new content policy in the Administration Guide.

  • has keystrokes extracted (using lightweight or full indexing, or in real-time through content policies)

    The minimum required amount of data for reliable insight is 5 sessions with approximately 200 keystrokes each.

    For instructions on how to configure indexing and include typing biometrics in the scope of indexing, see Indexing audit trails in the Administration Guide.

    For details on how to configure real-time extraction of keystroke-related data using a content policy, see Creating a new content policy in the Administration Guide.

  • has pointing device (mouse) biometrics extracted (using lightweight or full indexing, or in real-time through content policies)

    For instructions on how to configure indexing and include pointing device biometrics in the scope of indexing, see Indexing audit trails in the Administration Guide.

    For details on how to configure real-time extraction of pointing device-related data using a content policy, see Creating a new content policy in the Administration Guide.

  • has window titles extracted (using lightweight or full indexing, or in real-time through content policies)

    For instructions on how to configure indexing and include window titles in the scope of indexing, see Indexing audit trails in the Administration Guide.

    For details on how to configure real-time window title extraction using a content policy, see Creating a new content policy in the Administration Guide.
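The following is an added example (not part of the One Identity documentation) that checks exported session metadata against the prerequisites above: a unique, non-shared username, extracted commands, keystrokes, pointing device biometrics and window titles, and the minimum of 5 sessions with about 200 keystrokes per user. The record layout, field names and the list of shared account names are assumptions, and the sample sessions are constructed.

```python
from collections import defaultdict

# Thresholds taken from the prerequisites above.
MIN_SESSIONS = 5
MIN_KEYSTROKES = 200
# Account names that do not identify an individual (assumed list).
SHARED_ACCOUNTS = {"", "root", "administrator"}
# Extraction flags a session record must carry (field names are assumed).
REQUIRED_FLAGS = ("commands", "pointing_device", "window_titles")

def make_session(sid, user, keystrokes, **flags):
    """Build one constructed session record; all extraction flags default to True."""
    rec = {"id": sid, "username": user, "keystrokes": keystrokes}
    for f in REQUIRED_FLAGS:
        rec[f] = flags.get(f, True)
    return rec

# Constructed sample data: alice has enough usable sessions, bob does not,
# one session ran under root and one has no window titles extracted.
SESSIONS = [make_session(f"a{i}", "alice", 210 + i) for i in range(5)]
SESSIONS += [make_session(f"b{i}", "bob", 250) for i in range(3)]
SESSIONS += [make_session("b3", "bob", 40),                       # too few keystrokes
             make_session("r0", "root", 300),                     # shared account
             make_session("c0", "carol", 300, window_titles=False)]

def session_problems(session):
    """Return the prerequisite violations for one session (empty list = usable)."""
    problems = []
    if session["username"].lower() in SHARED_ACCOUNTS:
        problems.append("no unique username")
    problems += [f"{f} not extracted" for f in REQUIRED_FLAGS if not session[f]]
    if session["keystrokes"] <= 0:
        problems.append("keystrokes not extracted")
    return problems

def readiness(sessions):
    """Return ({user: enough sessions for keystroke insight}, {session id: problems})."""
    flagged, usable = {}, defaultdict(int)
    for s in sessions:
        problems = session_problems(s)
        if problems:
            flagged[s["id"]] = problems
        elif s["keystrokes"] >= MIN_KEYSTROKES:
            usable[s["username"]] += 1
    ready = {user: count >= MIN_SESSIONS for user, count in usable.items()}
    return ready, flagged
```

Users absent from the readiness map had no usable session at all, which is the case to review first.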

The following describes how to analyze data using One Identity Safeguard for Privileged Analytics.

Limitations

SPS used in combination with SPA currently has the following limitations:

  • SPA requires at least 12GB RAM to operate. If you are interested in upgrading your appliance, contact our Support Team.

  • SPA requires a lot of computation, which can put pressure on SPS:

    • The keystroke algorithm is much more resource-hungry than the other algorithms; we therefore recommend that you start analyzing data with the algorithms that require fewer resources.

    • Before you start using SPA, make sure that at least half the capacity of SPS is available.

  • SPA only analyzes audit trails and SPS metadata; it does not analyze log data.

To start using SPA

  1. Start getting scores.

    Scoring for sessions

    Scoring happens in real-time, meaning that as soon as new data (even data from an ongoing session) is available, SPA immediately scores it.

    TIP: When data is not immediately available to you and you cannot wait until a sufficient amount of data comes in from production traffic, you can manually reindex historical sessions. For details, see Reindex historical sessions in the Safeguard for Privileged Analytics Configuration Guide.

    Scores are aggregated values. Session data is scored by multiple algorithms, each independent of the others, and the scores given by the individual algorithms are combined into a single score.

    For detailed instructions on how to configure SPA, see Safeguard for Privileged Analytics Configuration Guide.

    Scoring for users

    The goal of the algorithm is to create a score for the user that represents their recent activities. The algorithm does this by averaging recent event scores, giving extra weight to the 3 highest scores, and taking the elapsed time into consideration. The user score is calculated hourly and is biased toward more recent activities.

  2. Search for sessions with high scores.

    1. Go to Sessions.

      Sessions are displayed sorted by date. For ongoing sessions, the Search interface is updated in real-time to always show the most up-to-date information.

    2. In the Search query field, type analytics.score.aggregated: [80 TO 100], and click Search.

      A score between 80 and 100 indicates unusual user behavior.

      Figure 86: Searching for sessions with unusual user behavior using a search query

      Results that show sessions with high scores are displayed.

      Figure 87: Sessions with high scores — table view

      Figure 88: Sessions with high scores — card view

  3. Alternatively, search for scripted sessions.

    In the Search query field, type analytics.scripted:true, and click Search.

  4. View the details of a session.

    To view details of a session, click .

  5. View session analytics.

    Click the Analytics tab.

    The top of the page displays a summary of key insights about the session, such as:

    • The aggregated score (indicated by a gauge). The following color codes are used:

      • Scores between 80 and 100 indicate unusual behavior; their color code is red.

      • Scores between 70 and 79 indicate behavior that might require further analysis and attention; their color code is amber.

      • Scores between 0 and 69 indicate normal behavior; their color code is gray.

    • A one-sentence summary of each algorithm's verdict about the session and user behavior.

    The Anomalies found and Normal behavior sections of the page display detailed analyses provided by each of the configured algorithms. This includes short information on how a particular algorithm works and how to read the visualized insight, as well as scores given by the individual algorithms.

    Figure 89: Sessions — Viewing details on the Analytics tab: Anomalies found

    Figure 90: Sessions — Viewing details on the Analytics tab: Normal behavior
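The following is an added, illustrative model of the user score described in step 1 (a recency-weighted average of recent event scores with extra weight on the 3 highest) together with the color bands of the gauge described in step 5. It is example code, not SPA's actual algorithm: the 72-hour window, the 24-hour half-life, the double weight for the top 3 scores, the scoring time and the events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed parameters of the illustrative model (not SPA's real values).
WINDOW = timedelta(hours=72)   # only events this recent count as "recent"
HALF_LIFE_HOURS = 24.0         # an event's weight halves every 24 hours
TOP_N, TOP_WEIGHT = 3, 2.0     # the 3 highest scores count double

# Assumed scoring time and constructed (timestamp, session score) events.
NOW = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    (NOW, 80),
    (NOW - timedelta(hours=24), 40),
    (NOW - timedelta(hours=24), 20),
    (NOW - timedelta(hours=48), 60),
    (NOW - timedelta(hours=96), 99),   # outside the window: ignored
]

def recency_weight(ts, now):
    """Exponential decay with elapsed time: 1.0 now, 0.5 after one half-life."""
    age_hours = (now - ts).total_seconds() / 3600
    return 0.5 ** (age_hours / HALF_LIFE_HOURS)

def user_score(events, now=NOW):
    """Recency-weighted average of recent scores, with the top 3 counted double."""
    recent = [(ts, score) for ts, score in events if now - ts <= WINDOW]
    if not recent:
        return 0.0
    ranked = sorted(range(len(recent)), key=lambda i: recent[i][1], reverse=True)
    top = set(ranked[:TOP_N])
    total = weight_sum = 0.0
    for i, (ts, score) in enumerate(recent):
        w = recency_weight(ts, now) * (TOP_WEIGHT if i in top else 1.0)
        total += w * score
        weight_sum += w
    return total / weight_sum

def band(score):
    """Map a score to the color code used on the Analytics gauge."""
    if score >= 80:
        return "red"      # unusual behavior
    if score >= 70:
        return "amber"    # might require further analysis and attention
    return "gray"         # normal behavior
```

With the constructed events, the old score of 99 has no effect and the user lands at 60, in the gray band, even though one recent session scored 80.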