This document describes how you can use the services of the One Identity Safeguard for Privileged Sessions Add-on for Splunk (the Splunk Add-on) and the One Identity Safeguard for Privileged Sessions App for Splunk (the Splunk App) to process and visualize your events from One Identity Safeguard for Privileged Sessions (SPS).
One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.
The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.
The Splunk App creates useful dashboards to visualize your sessions audited with SPS.
Also, if you want to use your Microsoft Windows or Linux session logs for gap analysis and you have the Splunk Add-on for Microsoft Windows or the Splunk Add-on for Unix and Linux installed, the Splunk App allows you to spot potential audit gaps.
The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.
If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.
When using SPS together with the Splunk Add-on, the events originating from SPS are parsed, indexed and labeled with tags. These tags help standardize data coming from various data sources. As a result, custom-searching in Splunk will be more effective.
The Splunk Add-on is supported from SPS version 6.0.
To install the Splunk Add-on and configure SPS to forward events to Splunk
If you want to search for a specific event type in your SPS index (for example, because you want to have a chart on your own dashboard about the distribution of different event types), look at the "Event type name" column in the [List of definitions] to filter for the different kinds. As an example, if you would like to count the number of "ServerConnect" events and visualize the results on a graph, you can do so with the following search expression:
search index=* | stats count(eval(eventtype=oneidentity_sps_server_connect)) AS count_server_connect BY eventtype
The table below lists the definitions of event types for your sessions originating from SPS and the definitions' descriptions.
Description | |
---|---|
oneidentity_sps_server_connect |
ServerConnect event coming from SPS SIEM forwarder |
oneidentity_sps_session_closed |
SessionClosed event coming from SPS SIEM forwarder |
oneidentity_sps_server_ |
ServerAuthenticationSuccess event coming from SPS SIEM forwarder |
oneidentity_sps_server_ |
ServerAuthenticationFailure event coming from SPS SIEM forwarder |
oneidentity_sps_gateway_ |
GatewayAuthenticationFailure event coming from SPS SIEM forwarder |
oneidentity_sps_session_scored |
SessionScored event coming from SPS SIEM forwarder |
oneidentity_sps_command_channel_ |
CommandChannelEvent event coming from SPS SIEM forwarder |
oneidentity_sps_window_title_channel_event |
WindowTitleChannelEvent event coming from SPS SIEM forwarder |
oneidentity_sps_rdp_embedded_in_tsg |
RdpEmbeddedInTsg event coming from SPS SIEM forwarder |
oneidentity_sps_file_transfer |
FileTransfer event coming from SPS SIEM forwarder |
The One Identity Safeguard for Privileged Sessions App for Splunk creates useful dashboards to visualize your sessions audited with SPS. With this app, you can get an overview of your audited sessions and pinpoint interesting ones to be able to investigate them further. Also, if you have other sources of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) as well as those originating from SPS, you can compare the two sources of information and see if all the necessary sessions are audited without audit gaps.
When used together with the Splunk App, you can customize your search with the help of your defined events and visualize your sessions originating from SPS on customized dashboards.
|
NOTE:
It is a prerequisite to have the Splunk Add-on installed for the Splunk App to work. When you install the Splunk App, it is presumed that SPS is already configured to forward events to Splunk and Splunk already receives these forwarded events. In such a setup, all events from SPS should arrive to a separate index in Splunk (if it's not the case, fix it before installing and setting up the Splunk App). |
The Splunk App is supported from SPS version 6.0.
To install and setup the Splunk App
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center