지금 지원 담당자와 채팅
지원 담당자와 채팅

One Identity Safeguard for Privileged Sessions 6.0.1 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS) The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Forwarding data to third-party systems Joining to One Identity Starling
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a high availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) RPC API The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help LDAP user and group resolution in SPS Appendix: Deprecated features

JSON

JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. There are some keys that are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.

Keys that are always present and filled:

base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".

event_type_id: integer, a unique number specifying the message type (primarily for CEF).

event_name: string, the name of the event type.

session_id: string, the unique identifier of the session.

severity: integer, 0-10, the score of the session divided by 10 at the time of the message was created. The value is 0 if the score is not available.

timestamp: string, milliseconds since Unix epoch.

For details on the exact messages and the fields they contain, see JSON messages.

JSON-CIM

In One Identity Safeguard for Privileged Sessions (SPS) version 5.11 and later versions of SPS, the JSON-CIM external message format is also supported. The JSON-CIM format is a JSON format following Splunk's CIM field names. As a result, Splunk applications can interpret the JSON-CIM format.

For details on the exact messages and the fields they contain, see JSON_CIM messages.

CEF messages

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1865245228|ServerAuthenticationSuccess|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1865245228

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1262825953|ServerAuthenticationFailure|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1262825953

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1843867026|GatewayAuthenticationFailure|0|app=SSH cs1=svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-3 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=46296 src=10.30.0.24 start=1557912667169 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1843867026

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-25 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=54632 src=10.30.0.24 start=1557913042048 suser=

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-27 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=55084 src=10.30.0.24 start=1557913066163 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|998298775|RdpEmbeddedInTsg|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-1 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=51083 src=10.30.0.24 start=1558006199668 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 998298775

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1991765353|SessionScored|7|app=SSH cs1=svc-822TNSfws1M6qixvRjQX8b-my_connection-4 cs1Label=Session ID cs2=70 cs2Label=Aggregated session score cs3=keystroke cs3Label=Scorer algorithm name cs4=18 cs4Label=Score given by algorithm dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1558008998716 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1991765353

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

cs2Label

Aggregated score label

message

always

Description: fixed to Aggregated session score

Example: Aggregated session score

Field

Name

Scope

Present

cs3

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

cs3Label

Algorithm name label

message

always

Description: fixed to Scorer algorithm name

Example: Scorer algorithm name

Field

Name

Scope

Present

cs4

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

Field

Name

Scope

Present

cs4Label

Algorithm score label

message

always

Description: fixed to Score given by algorithm

Example: Score given by algorithm

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|127084214|CommandChannelEvent|0|app=SSH cs1=svc-sZZoAcZZz9CbtCzTKWXgao-my_connection-0 cs1Label=Session ID cs2=exit cs2Label=Command dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1556287687858 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 127084214

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Command

message

always

Description: the full command detected

Example: exit

Field

Name

Scope

Present

cs2Label

Command label

message

always

Description: fixed to Command

Example: Command

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|911383355|WindowTitleChannelEvent|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-4 cs1Label=Session ID cs2=Shortcut Tools Application Tools Administrative Tools cs2Label=Window title dst=10.170.255.206 duser=Administrator dvc=10.30.24.20 src=10.30.0.24 start=1558006237095 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 911383355

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

Field

Name

Scope

Present

cs2Label

Window title label

message

always

Description: fixed to Window title

Example: Window title

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1127618380|FileTransfer|0|act=UPLOAD app=SSH cs1=svc-2L83Phh9J6GKLWTc881awk-my_connection-308 cs1Label=Session ID dst=10.170.255.206 duser=root dvc=10.30.24.20 filePath=/cpuinfo fname=cpuinfo src=10.30.0.24 start=1558023621127 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1127618380

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

act

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

fname

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

filePath

Full file path

message

always

Description: the name of the file including its path on the server

Example: /tmp/foobar.txt

JSON messages

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","server_username":"root","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

{"timestamp":"1557913243423","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1865245228","event_name":"ServerAuthenticationSuccess","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1865245228

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

{"timestamp":"1557913134598","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-33","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1262825953","event_name":"ServerAuthenticationFailure","connection_policy":"my_connection","client_port":"56692","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1262825953

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the non authenticated server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

{"timestamp":"1557913110027","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-31","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1843867026","event_name":"GatewayAuthenticationFailure","connection_policy":"my_connection","client_port":"56020","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1843867026

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

gateway_username

Gateway user domain

session

sometimes

Description: the non authenticated gateway user domain if known

Example: acme.com

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

{"timestamp":"1557912701233","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","auth_method":"password"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

{"timestamp":"1557912725391","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-9","protocol":"SSH","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47444","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

{"timestamp":"1557912748990","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-11","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47840","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

{"timestamp":"1558007294417","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"998298775","event_name":"RdpEmbeddedInTsg","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 998298775

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

{"timestamp":"1558009822701","severity":"7","session_id":"svc-62a6XGcPzaFvLYDhVYDYXj-my_connection-0","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1991765353","event_name":"SessionScored","connection_policy":"my_connection","client_port":"35620","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"score","auth_method":"password","algorithm_score":"18","algorithm_name":"keystroke","aggregated_score":"70"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: score

Example: score

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1991765353

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

Field

Name

Scope

Present

aggregated_score

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

algorithm_name

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

algorithm_score

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"timestamp":"1557912701166","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"127084214","event_name":"CommandChannelEvent","connection_policy":"my_connection","command":"exit","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content","auth_method":"password"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 127084214

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

Field

Name

Scope

Present

command

Command

message

always

Description: the full command detected

Example: exit

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"window_title":"Shortcut Tools Application Tools Administrative Tools","timestamp":"1558007305516","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","server_username":"Administrator","server_port":"3389","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"911383355","event_name":"WindowTitleChannelEvent","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 911383355

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

window_title

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"timestamp":"1558023671115","severity":"0","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-316","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","filepath":"","filename":"cpuinfo","file_operation":"UPLOAD","event_type_id":"1127618380","event_name":"FileTransfer","connection_policy":"my_connection","client_port":"44292","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content","auth_method":"password"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1127618380

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

Field

Name

Scope

Present

file_operation

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

filename

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

filepath

File path

message

always

Description: the path to the file on the server

Example: /tmp

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택