For information about the setup process, see The Splunk App.
The One Identity Safeguard for Privileged Sessions dashboard visualizes data from SPS (including your events parsed and indexed by the Splunk Add-on and the metadata that the Splunk Add-on attaches to those events).
To access the One Identity Safeguard for Privileged Sessions dashboard
Figure 1: The One Identity Safeguard for Privileged Sessions dashboard
The top filters bar allows you to configure your filters, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of audited sessions.
Under Time filter, you can set the time interval in which you want to browse your data and configure the related settings. Under Refresh Rate, you can optionally set how often the dashboard refreshes. To hide or show the Time filter and Refresh Rate items, click Hide Filters/Show Filters.
Below the filters bar, you see the details of logged sessions (such as SPS Session Count, the number of Critical Severity Sessions, and the number of High Severity Sessions) in the given time range.
The listed elements below SPS Session details show the audited sessions.
The One Identity Gap Report dashboard lets you compare a second source of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) with the sessions recorded by SPS, so you can check that every session that should be audited actually is, and spot audit gaps where it is not.
To access the One Identity Gap Report dashboard
Figure 2: The One Identity Gap Report dashboard
The top filters bar allows you to configure your filters and whether you want to visualize your RDP or your SSH sessions, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of unaudited sessions.
Under Time filter, you can set the time interval in which you want to browse your data and configure the related settings. Under Refresh Rate, you can optionally set how often the dashboard refreshes. The Run Panels option switches the panels between RDP and SSH sessions. To hide or show the Time filter and Refresh Rate items, click Hide Filters/Show Filters.
Below the filters bar, you see the number of audited sessions (under SPS RDP Login Count) and the number of logged sessions (under Windows Interactive Logins) in the given time range.
Under Gaps in RDP Login Events, a bar chart shows the proportion between audited and logged sessions, by day.
Under RDP Audit Gap Details, you can see the specific data (such as Time (for the audit gap date), the number of Audited Events, the number of Logged Events and the number of unaudited sessions, under Audit Gap), grouped by day.
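The arithmetic behind the Gap Report is simple, but the day-level view above can hide gaps: a day with one surplus audited session on one host and one missing session on another still shows Audit Gap = 0. The example below is added here as an illustration and is not code from the Splunk App or from One Identity. It first reproduces the per-day Audited Events / Logged Events / Audit Gap figures, then pairs each Windows interactive logon with an SPS session on the same host and user within a short time window, which flags the logons the daily totals miss. All records, field names (`start`, `time`, `dest_ip`, `user`) and the five-minute pairing window are constructed assumptions for the example, not fields the macros are documented to return.

```python
"""Audit-gap computation in the spirit of the One Identity Gap Report.

Added example, not code from the Splunk App: it shows the per-day
audited-vs-logged arithmetic behind the Gaps in RDP Login Events chart and
then a stricter per-logon pairing that catches a gap the daily totals hide.
All records, field names and timestamps below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for what the SPS side (audited RDP sessions) would
# contribute: one record per session audited by SPS.
SPS_RDP_SESSIONS = [
    {"start": "2024-05-01T08:02:10", "dest_ip": "10.0.0.5", "user": "alice"},
    {"start": "2024-05-01T09:15:00", "dest_ip": "10.0.0.5", "user": "bob"},
    {"start": "2024-05-01T13:40:31", "dest_ip": "10.0.0.7", "user": "alice"},
    {"start": "2024-05-02T10:00:00", "dest_ip": "10.0.0.5", "user": "carol"},
    {"start": "2024-05-02T10:30:00", "dest_ip": "10.0.0.5", "user": "carol"},
]

# Constructed stand-in for the Windows side: interactive logons reported by
# the target hosts' own Windows logs.
WIN_RDP_LOGINS = [
    {"time": "2024-05-01T08:02:40", "dest_ip": "10.0.0.5", "user": "alice"},
    {"time": "2024-05-01T09:15:20", "dest_ip": "10.0.0.5", "user": "bob"},
    {"time": "2024-05-01T13:41:05", "dest_ip": "10.0.0.7", "user": "alice"},
    {"time": "2024-05-01T22:10:00", "dest_ip": "10.0.0.7", "user": "mallory"},  # no SPS session
    {"time": "2024-05-02T10:00:25", "dest_ip": "10.0.0.5", "user": "carol"},
    {"time": "2024-05-02T11:00:00", "dest_ip": "10.0.0.9", "user": "dave"},     # no SPS session
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def gap_by_day(audited, logged):
    """Per-day totals as the RDP Audit Gap Details panel presents them:
    Audited Events, Logged Events and Audit Gap = max(logged - audited, 0)."""
    audited_per_day = Counter(s["start"][:10] for s in audited)
    logged_per_day = Counter(e["time"][:10] for e in logged)
    days = sorted(set(audited_per_day) | set(logged_per_day))
    return {
        day: {
            "audited": audited_per_day[day],
            "logged": logged_per_day[day],
            "gap": max(logged_per_day[day] - audited_per_day[day], 0),
        }
        for day in days
    }


def unaudited_logins(audited, logged, window=timedelta(minutes=5)):
    """Pair every Windows logon with an SPS session on the same host and
    user that started at most `window` before the logon. Each audited session
    is consumed once, so a second logon cannot reuse it. Logons left unpaired
    are the real audit gaps, including those hidden by the daily totals."""
    pool = defaultdict(list)
    for s in audited:
        pool[(s["dest_ip"], s["user"])].append(_parse(s["start"]))
    for starts in pool.values():
        starts.sort()

    gaps = []
    for logon in sorted(logged, key=lambda e: e["time"]):
        t = _parse(logon["time"])
        candidates = pool[(logon["dest_ip"], logon["user"])]
        for i, start in enumerate(candidates):
            if timedelta(0) <= t - start <= window:
                del candidates[i]  # consumed: one SPS session explains one logon
                break
        else:
            gaps.append(logon)
    return gaps


if __name__ == "__main__":
    for day, row in gap_by_day(SPS_RDP_SESSIONS, WIN_RDP_LOGINS).items():
        print(day, row)
    for logon in unaudited_logins(SPS_RDP_SESSIONS, WIN_RDP_LOGINS):
        print("UNAUDITED:", logon["time"], logon["user"], "->", logon["dest_ip"])
```

On the constructed data, the per-day view reports a gap of 1 for 2024-05-01 and 0 for 2024-05-02, because carol's second SPS session on 10.0.0.5 cancels out dave's unaudited logon on 10.0.0.9. The per-logon pairing reports both mallory on 10.0.0.7 and dave on 10.0.0.9 as unaudited. When you build a custom gap search, match on host (and user) rather than on totals, and size the pairing window to cover the clock skew between SPS and the audited hosts.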
If you have the Splunk App installed on your Splunk instance but want to build your own custom dashboard, you can use the event types and macros defined by the app. The events originating from SPS are CIM-compliant (specifically, they map to the Network Sessions, Network Traffic and Intrusion Detection data models), so the field names will be familiar. For more information on writing searches, see the Splunk Search Tutorial.
The table below lists the macros defined by the Splunk App and their descriptions.

Macro name | Description
---|---
OI_SPS_events | Individual events coming from SPS
OI_SPS_sessions | Sessions audited by SPS (events correlated into full sessions)
OI_SPS_monitored_hosts | Hosts monitored by SPS
OI_SPS_scored_sessions | Sessions audited by SPS that have a score assigned by SPS analytics
OI_SSH_logins | All SSH sessions coming from SPS
OI_WIN_interactive_logins | All Windows interactive logins (the Windows-log side compared against SPS in the Gap Report)
The macros listed above can be used to narrow your search in Splunk to SPS-specific events. In SPL, a macro is invoked by wrapping its name in backticks. A few useful search expressions:

Check whether example_user was on server 1.2.3.4:
`OI_SPS_events` tag=authentication dest_ip=1.2.3.4 user=example_user

List the users who logged on to server 1.2.3.4:
`OI_SPS_events` tag=authentication dest_ip=1.2.3.4 | dedup user | table user

Get the IDs of all sessions in which the rm command was run:
`OI_SPS_events` eventtype=oneidentity_sps_command_channel_event command=rm | dedup session_id | table session_id

Get the IDs of sessions with a score higher than 70:
`OI_SPS_events` aggregated_score>70 | dedup session_id | table session_id

The searches use dedup rather than uniq: uniq only drops a result that exactly duplicates the result immediately before it, so on unsorted results the same user or session ID can still appear several times.
© 2024 One Identity LLC. All rights reserved.