Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Using the Splunk forwarder

Purpose:

SPS can forward session data to Splunk near real-time. Using the Balabit Privileged Access Management application you can integrate this data with your other sources, and access all your data related to privileged user activities from a single interface. To configure SPS to forward session data to Splunk, complete the following steps.

Prerequisites and restrictions:
  • SPS version 5 F5 or later

  • Splunk version 6.5 or later

  • SPS does not send historical data to Splunk, only data from the sessions started after you complete this procedure.

Steps:
  1. Install the Balabit Privileged Access Management application to your Splunk installation. This will automatically enable and configure the HTTP Event Collector (HEC) in your Splunk installation, and create an HTTP Event Collector authentication token ("HEC token") that SPS will use.

    To help identify the source of the received data, the following settings are configured automatically in the Balabit Privileged Access Management application:

  2. On your Splunk interface, navigate to Settings > Data inputs > HTTP Event Collector. Copy the Token Value from the Balabit_HEC field. This is the HTTP Event Collector authentication token and you will need it when configuring SPS.

  3. Log in to SPS and navigate to Basic Settings > Management > Splunk forwarder.

    Figure 61: Basic Settings > Management > Splunk forwarder — Sending session data to Splunk

  4. Enter the IPv4 address or hostname of your Splunk installation into the Splunk hostname or IP address field.

  5. Enter the port number where your Splunk HTTP Event Collector is accepting connections into the HEC port field. By default, Splunk uses port 8088.

  6. Copy the HTTP Event Collector authentication token you have generated for SPS into the HEC authentication token field.

    • If your Splunk HTTP Event Collector accepts unencrypted HTTP connections, select SSL > Disabled.

      Since the data forwarded to Splunk contains sensitive information, One Identity recommends to use HTTPS encryption between SPS and Splunk.

    • To use HTTPS encryption between SPS and Splunk, select SSL > Without certificate validation.

    • To use HTTPS encryption between SPS and Splunk and also verify the identity of the Splunk server, select SSL > With certificate validation, then click and upload the certificate of the Splunk server, or the certificate of the CA that issued the certificate of the Splunk server.

  7. Splunk will display the data received from SPS as it was received from the host set in the PAM hostname or IP address field. By default, this is the hostname and domain name of the SPS appliance as set on the Basic Settings > Network > Naming page. Adjust this field as needed for your environment.

  8. Click Commit. From now on, SPS will forward session data to Splunk. If the Splunk server becomes unaccessible, SPS will try to resend the data when the period set in Flush interval expires.

  9. Start a session that SPS will audit to test your configuration, and verify that the data of the session appears in Splunk.

    Figure 62: The Balabit Privileged Access Management application

Universal Siem Forwarder

Purpose:

The universal SIEM forwarder can automatically send file-based data to Splunk, ArcSight, or other third-party systems in JavaScript Object Notation (JSON) or Common Event Format (CEF) format. For information about the details of the messages that the universal SIEM forwarder sends to the external SIEM network elements, see Message formats towards SIEMs.

One of the main advantages of the universal SIEM forwarder is that it has a lower impact on network and performance.

Prerequisites and restrictions:
  • SPS version 5 F9 or later

  • Splunk version 6.5 or later

  • The CEF format is supported on all currently supported versions of ArcSight ESM.

  • SPS does not send historical data, only data from the sessions started after you complete this procedure.

Steps:
  1. Log in to SPS and navigate to Basic Settings > Management > Universal SIEM forwarder.

    Figure 63: Basic Settings > Management > Universal SIEM forwarder — Sending session data to SIEM

  2. Specify a prefix to make the data more readable.

    A prefix is a unique name identifying the object. For example, use sps_ as a prefix for Splunk, and in the forwarded JSON file, {"protocol": "ssh"} changes to {"sps_protocol": "ssh"}, which allows you to identify the forwarded data more easily.

  3. Enter the IPv4 address or hostname of your third-party system, for example, Splunk into the Address field.

  4. Enter the port number where your third-party system is accepting connections into the Port field. For example, if you use Splunk, use port 1999.

    • If your third-party system accepts unencrypted connections, select TLS > Disabled.

      Since the data forwarded to Splunk contains sensitive information, One Identity recommends to use TLS encryption between SPS and Splunk.

    • To use TLS encryption between SPS and your third-party system, select TLS > Without certificate validation.

    • To use TLS encryption between SPS and your third-party system and also verify the identity of your third-party system server, select TLS > With certificate validation, then click and upload the certificate of your third-party system server, or the certificate of the CA that issued the certificate of the server.

  5. Select the file format as follows:
    • JSON if using Splunk.
    • CEF if using ArcSight.
  6. Click Commit. From now on, SPS forwards session data to your third-party system.

SiemMessage

Currently the external message format can be JavaScript Object Notation (JSON), which is defined by One Identity or Common Event Format (CEF), which is defined based on the ArcSight CEF specification rev. 16, 22 July 2010.

JSON

JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. There are some keys that are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.

Keys that are always present and filled:

base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".

event_type_id: integer, a unique number specifying the message type (primarily for CEF).

event_name: string, the name of the event type.

session_id: string, the unique identifier of the session.

severity: integer, 0-10, the score of the session divided by 10 at the time of the message was created. The value is 0 if the score is not available.

timestamp: string, milliseconds since Unix epoch.

CEF

CEF (Common Event Format): the mapping to CEF will be described in terms of mapping from the JSON format to CEF. In CEF all relevant keys are present, but the value may be empty if it is not known.

Header

Here <...> is substituted with the actual values.

CEF:0|OneIdentity|PSM|5.8.0|<event_type_id>|<event_name>|<severity>|

Extensions

CEF extensions that are always present:

cs1: string, equal to session_id

cs1Label: string, equal to literal "Session ID"

start: equal to timestamp

ContentMessage

There are three major categories of messages: content, meta, and score.

Content message represents events when SPS detects interesting textual content in the session, such as a command execution or new window title.

Command Channel Event

Emitted when a command is detected in the session text.

JSON
{
  "base_type_name":"content",
  "event_type_id":127084214,
  "event_name":"CommandChannelEvent",
  "session_id":"svc-asdfasdf-test-11",
  "severity":0,
  "timestamp":"103000",
  "command":"[ root@blabla ~ ]$ ls -l"
}
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this will change if and when CEF format includes session id in its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

command: extension, cs2. The associated cs2Label is set to "Command".

Window Title Channel Event

Emitted when a window title is detected in a graphical session.

JSON
{
  "base_type_name":"content",
  "event_type_id":911383355,
  "event_name":"WindowTitleChannelEvent",
  "session_id":"svc-asdfasdf-test-11",
  "severity":0,
  "timestamp":"103000",
  "window_title":"Mozilla Firefox"
}
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this will change if and when CEF format includes session id in its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

window_title: extension, cs2. The associated cs2Label is set to "Window title".

Log Command Executed

Emitted when a command is parsed from logs.

JSON
{
  "base_type_name":"content",
  "event_type_id":1093308246,
  "event_name":"LogCommandExecuted",
  "session_id":"svc-asdfasdf-test-11",
  "severity":0,
  "timestamp":"420000",
  "command":"/usr/bin/bash"
}
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this will change if and when CEF format includes session id in its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

command: extension, cs2. The associated cs2Label is set to "Command".

File Transfer

Emitted when SCP file transfer is detected in the SSH protocol.

JSON
{
  "base_type_name":"content",
  "event_type_id":1127618380,
  "event_name":"FileTransfer",
  "session_id":"svc-asdfasdf-test-11",
  "severity":0,
  "timestamp":"432000",
  "filename":"myfile.txt",
  "filepath":"path/to/file",
  "file_operation":"upload"
}
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this will change if and when CEF format includes session id in its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

filename: extension, fname.

filepath: extension, indirectly as filepath/filename into filePath.

file_operation: not mapped.

Related Documents