
One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide


MetaMessage

The meta messages represent events that change the session state and/or carry new information about a session.

JSON

Below is a sample message with all possible fields. The fields up to and including "timestamp" are always present.

NOTE:

The fields after "timestamp" are optional: whether they appear depends on the SPS configuration, the protocol and scenario, and whether the information is available at the time the message is emitted.

{
  "base_type_name": "meta",
  "event_type_id": 1865245228,
  "event_name": "ServerAuthenticationSuccess",
  "session_id": "svc-asdfasdf-testpol-11",
  "severity": 0,
  "timestamp": "119000",
  "gateway_username": "gwuser",
  "server_username": "admin",
  "server_name": "dbserver.acme",
  "server_address": "10.10.0.5",
  "server_port": 1234,
  "client_name": "proxy.acme",
  "client_address": "10.0.0.23",
  "client_port": 4321,
  "protocol": "RDP",
  "connection_policy": "testpol",
  "auth_method": "password"
}
Possible meta message types

GatewayAuthenticationFailure (event_type_id = 1843867026) Emitted if gateway authentication is configured and the user failed to authenticate through the gateway.

ServerAuthenticationSuccess (event_type_id = 1865245228) Emitted after the user successfully authenticated to the server.

ServerAuthenticationFailure (event_type_id = 1262825953) Emitted if the server authentication failed.

ServerConnect (event_type_id = 107115592) Emitted when SPS connects to the server.

LogSessionStarted (event_type_id = 734058469) Emitted when a session start is parsed from log messages.

RdpEmbeddedInTsg (event_type_id = 998298775) Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario. Of the optional fields, this message contains only gateway_username.

ServerNameResolved (event_type_id = 1639978560) Emitted when the server_name field was successfully resolved to an IP address. Of the optional fields, this message contains only server_address.

The following events carry no optional fields; they only mark the detected end of a session. Further messages for the same session may still arrive afterwards, for example when the session contents are indexed out of band or when analytics score the session after the fact.

SessionClosed (event_type_id = 449510124) Emitted when the session ends. See note above.

LogSessionClosed (event_type_id = 4722608) Emitted when a session end is parsed from log messages. See note above.
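The event list above describes a per-session state machine: assured fields arrive on every message, optional fields arrive piecemeal (ServerNameResolved only adds server_address), and SessionClosed or LogSessionClosed marks the detected end. The following Python is an added example, not code from the SPS product or this guide, showing how a consumer can validate the assured fields, check that event_name and event_type_id agree with the table above, merge the optional fields per session_id, and flag sessions with authentication failures or no end-of-session event. The sample stream is constructed for the example and was not captured from a real SPS.

```python
import json

# Event names and type ids as listed on this page
EVENT_TYPE_IDS = {
    "GatewayAuthenticationFailure": 1843867026,
    "ServerAuthenticationSuccess": 1865245228,
    "ServerAuthenticationFailure": 1262825953,
    "ServerConnect": 107115592,
    "LogSessionStarted": 734058469,
    "RdpEmbeddedInTsg": 998298775,
    "ServerNameResolved": 1639978560,
    "SessionClosed": 449510124,
    "LogSessionClosed": 4722608,
}
# Fields present in every meta message; everything after timestamp is optional
ASSURED_FIELDS = ("base_type_name", "event_type_id", "event_name",
                  "session_id", "severity", "timestamp")
END_EVENTS = {"SessionClosed", "LogSessionClosed"}
FAILURE_EVENTS = {"GatewayAuthenticationFailure", "ServerAuthenticationFailure"}

# Constructed sample stream (not captured from a real SPS). Timestamps are
# milliseconds carried as strings, as in the page's sample, and later messages
# for a session carry only the optional fields that are new at that point.
SAMPLE_LINES = [json.dumps(m) for m in [
    {"base_type_name": "meta", "event_type_id": 107115592, "event_name": "ServerConnect",
     "session_id": "svc-asdfasdf-testpol-11", "severity": 0, "timestamp": "119000",
     "gateway_username": "gwuser", "server_name": "dbserver.acme", "server_port": 1234,
     "client_address": "10.0.0.23", "protocol": "RDP", "connection_policy": "testpol"},
    {"base_type_name": "meta", "event_type_id": 1639978560, "event_name": "ServerNameResolved",
     "session_id": "svc-asdfasdf-testpol-11", "severity": 0, "timestamp": "119200",
     "server_address": "10.10.0.5"},
    {"base_type_name": "meta", "event_type_id": 1865245228, "event_name": "ServerAuthenticationSuccess",
     "session_id": "svc-asdfasdf-testpol-11", "severity": 0, "timestamp": "120000",
     "server_username": "admin", "auth_method": "password"},
    {"base_type_name": "meta", "event_type_id": 449510124, "event_name": "SessionClosed",
     "session_id": "svc-asdfasdf-testpol-11", "severity": 0, "timestamp": "180000"},
    {"base_type_name": "meta", "event_type_id": 1843867026, "event_name": "GatewayAuthenticationFailure",
     "session_id": "svc-asdfasdf-testpol-12", "severity": 0, "timestamp": "200000",
     "gateway_username": "gwuser", "client_address": "10.0.0.99", "protocol": "SSH"},
    {"base_type_name": "meta", "event_type_id": 1262825953, "event_name": "ServerAuthenticationFailure",
     "session_id": "svc-asdfasdf-testpol-13", "severity": 0, "timestamp": "210000",
     "server_username": "root", "server_address": "10.10.0.7", "protocol": "SSH"},
    {"base_type_name": "meta", "event_type_id": 1865245228, "event_name": "ServerAuthenticationSuccess",
     "session_id": "svc-asdfasdf-testpol-13", "severity": 0, "timestamp": "215000",
     "server_username": "root", "server_address": "10.10.0.7", "protocol": "SSH"},
]]


def parse_meta(line):
    """Parse one JSON meta message and reject it if the assured fields are off."""
    msg = json.loads(line)
    missing = [f for f in ASSURED_FIELDS if f not in msg]
    if missing:
        raise ValueError(f"missing assured fields: {missing}")
    if msg["base_type_name"] != "meta":
        raise ValueError(f"not a meta message: {msg['base_type_name']!r}")
    if EVENT_TYPE_IDS.get(msg["event_name"]) != msg["event_type_id"]:
        raise ValueError(f"event_name/event_type_id mismatch: "
                         f"{msg['event_name']} {msg['event_type_id']}")
    msg["timestamp"] = int(msg["timestamp"])  # ms since epoch, sent as a string
    return msg


def track_sessions(lines):
    """Fold a stream of meta messages into one record per session_id."""
    sessions = {}
    for line in lines:
        msg = parse_meta(line)
        s = sessions.setdefault(msg["session_id"], {
            "first_seen": msg["timestamp"], "closed_at": None,
            "events": [], "failures": [], "fields": {}})
        s["events"].append(msg["event_name"])
        s["first_seen"] = min(s["first_seen"], msg["timestamp"])
        # Merge optional fields: a later message may add server_address
        # (ServerNameResolved) or server_username without repeating the rest.
        for key, value in msg.items():
            if key not in ASSURED_FIELDS:
                s["fields"][key] = value
        if msg["event_name"] in FAILURE_EVENTS:
            s["failures"].append(msg["event_name"])
        if msg["event_name"] in END_EVENTS:
            # Marks the detected end; scoring or indexing messages may still follow
            s["closed_at"] = msg["timestamp"]
    return sessions


def duration_ms(session):
    """Session length in ms, or None while no SessionClosed/LogSessionClosed was seen."""
    if session["closed_at"] is None:
        return None
    return session["closed_at"] - session["first_seen"]


def failed_sessions(sessions):
    """Session ids with at least one gateway or server authentication failure."""
    return sorted(sid for sid, s in sessions.items() if s["failures"])


def open_sessions(sessions):
    """Session ids for which no end-of-session event has arrived yet."""
    return sorted(sid for sid, s in sessions.items() if s["closed_at"] is None)


if __name__ == "__main__":
    tracked = track_sessions(SAMPLE_LINES)
    for sid, s in tracked.items():
        print(sid, s["events"], "duration_ms=", duration_ms(s), "failures=", s["failures"])
    print("failed:", failed_sessions(tracked), "open:", open_sessions(tracked))
```

The event_name/event_type_id cross-check is cheap insurance: a SIEM rule that keys on one of the two silently breaks if the other is used in a later release, and the mismatch shows up here instead of as missing alerts. Note that session svc-asdfasdf-testpol-13 authenticates successfully after a failure, so a rule that only looks at the last event for a session would miss it; the per-session failures list keeps it visible.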

CEF

Sample message. SPS sends it as a single line; it is broken up here for readability. Empty extension values (dhost=, shost= and suser= in this sample) correspond to optional JSON fields that were not present in the message.

CEF:0|OneIdentity|PSM|5.8.0|1865245228|ServerAuthenticationSuccess|0|app=SSH
cs1=svc-nMd7UHCEENHJoyrEyMWJ8K-perf_test-4 cs1Label=Session ID dhost= dpt=22 dst=10.170.0.93 duser=ptest0870
shost= spt=39420 src=10.170.0.92 start=1535531531571 suser=
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this mapping will change if a future CEF version adds a session ID key to its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

gateway_username: extension, suser.

server_username: extension, duser.

server_name: extension, dhost.

server_address: extension, dst.

server_port: extension, dpt.

client_name: extension, shost.

client_address: extension, src.

client_port: extension, spt.

protocol: extension, app.

connection_policy: not mapped.

auth_method: not mapped. Neither connection_policy nor auth_method is available in CEF output; consume the JSON format if you need them.

ScoreMessage

Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

JSON

The message contains the aggregated score and the name and score of one scoring algorithm. If multiple scoring algorithms are enabled in SPS, SPS emits a separate message for each algorithm.

{
  "base_type_name": "score",
  "event_type_id": 1991765353,
  "event_name": "SessionScored",
  "session_id": "svc-asdfasdf-test-11",
  "severity": 0,
  "timestamp": "31337000",
  "aggregated_score": 4,
  "algorithm_name": "dummyScorer",
  "algorithm_score": 4
}
CEF field mapping from JSON

base_type_name: not mapped.

event_type_id: header, Signature ID.

event_name: header, Name.

session_id: extension, cs1. The associated cs1Label is set to "Session ID". Note that this mapping will change if a future CEF version adds a session ID key to its extension dictionary.

severity: header, Severity.

timestamp: extension, start.

aggregated_score: extension, cs2. The associated cs2Label is set to "Aggregated session score".

algorithm_name: extension, cs3. The associated cs3Label is set to "Scorer algorithm name".

algorithm_score: extension, cs4. The associated cs4Label is set to "Score given by algorithm".
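The two CEF mapping tables above (MetaMessage and ScoreMessage) are applied below in an added Python example; this is not code from the SPS product or this guide. It renders the page's own JSON samples as CEF:0 lines, parses the page's sample CEF line back, and round-trips a message to show which JSON fields survive. Assumptions beyond the page: the header values OneIdentity/PSM/5.9.0 (the page's sample carries 5.8.0), the alphabetically sorted extension key order and the empty value for absent optional fields (both inferred from the page's sample line), and the standard CEF escaping rules (backslash and pipe in header fields; backslash, equals sign and newline in extension values).

```python
import re

# Header values assumed for this example; the page's sample line carries "OneIdentity|PSM|5.8.0"
DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION = "OneIdentity", "PSM", "5.9.0"

# JSON field -> CEF extension key, per the two mapping tables on this page.
# base_type_name, connection_policy and auth_method have no CEF counterpart.
META_MAP = {"session_id": "cs1", "timestamp": "start", "gateway_username": "suser",
            "server_username": "duser", "server_name": "dhost", "server_address": "dst",
            "server_port": "dpt", "client_name": "shost", "client_address": "src",
            "client_port": "spt", "protocol": "app"}
SCORE_MAP = {"session_id": "cs1", "timestamp": "start", "aggregated_score": "cs2",
             "algorithm_name": "cs3", "algorithm_score": "cs4"}
CS_LABELS = {"cs1": "Session ID", "cs2": "Aggregated session score",
             "cs3": "Scorer algorithm name", "cs4": "Score given by algorithm"}
INT_FIELDS = {"server_port", "client_port", "aggregated_score", "algorithm_score"}

# The page's own JSON samples, reused here as input
PAGE_META = {"base_type_name": "meta", "event_type_id": 1865245228,
             "event_name": "ServerAuthenticationSuccess", "session_id": "svc-asdfasdf-testpol-11",
             "severity": 0, "timestamp": "119000", "gateway_username": "gwuser",
             "server_username": "admin", "server_name": "dbserver.acme", "server_address": "10.10.0.5",
             "server_port": 1234, "client_name": "proxy.acme", "client_address": "10.0.0.23",
             "client_port": 4321, "protocol": "RDP", "connection_policy": "testpol",
             "auth_method": "password"}
PAGE_SCORE = {"base_type_name": "score", "event_type_id": 1991765353, "event_name": "SessionScored",
              "session_id": "svc-asdfasdf-test-11", "severity": 0, "timestamp": "31337000",
              "aggregated_score": 4, "algorithm_name": "dummyScorer", "algorithm_score": 4}
# The page's sample CEF record, joined back into the single line SPS actually sends
PAGE_CEF = ("CEF:0|OneIdentity|PSM|5.8.0|1865245228|ServerAuthenticationSuccess|0|app=SSH "
            "cs1=svc-nMd7UHCEENHJoyrEyMWJ8K-perf_test-4 cs1Label=Session ID dhost= dpt=22 "
            "dst=10.170.0.93 duser=ptest0870 shost= spt=39420 src=10.170.0.92 "
            "start=1535531531571 suser=")


def _esc_header(value):  # header fields escape backslash and the pipe delimiter
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):  # extension values escape backslash, "=" and newlines; spaces are allowed
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def _unesc(value):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def to_cef(msg):
    """Render one JSON meta or score message as a single-line CEF:0 record."""
    if msg["base_type_name"] == "meta":
        mapping = META_MAP
    elif msg["base_type_name"] == "score":
        mapping = SCORE_MAP
    else:
        raise ValueError(f"unsupported base_type_name {msg['base_type_name']!r}")
    ext = {}
    for json_key, cef_key in mapping.items():
        # Absent optional fields are still emitted, with an empty value, as in the page's sample
        ext[cef_key] = msg.get(json_key, "")
        if cef_key in CS_LABELS:
            ext[cef_key + "Label"] = CS_LABELS[cef_key]
    header = "|".join(_esc_header(v) for v in (
        DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION,
        msg["event_type_id"], msg["event_name"], msg["severity"]))
    # Extension keys in sorted order, which is the order the page's sample shows
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in sorted(ext.items()))
    return f"CEF:0|{header}|{extension}"


def parse_cef(line):
    """Split a CEF:0 line into its header fields and an extension dict."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # unescaped pipes only
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    vendor, product, version, sig_id, name, severity = (_unesc(p) for p in parts[1:7])
    ext = {}
    # A new key starts at a space followed by "key="; values themselves may contain spaces
    for token in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]):
        key, _, value = token.partition("=")
        ext[key] = _unesc(value)
    return {"vendor": vendor, "product": product, "version": version,
            "event_type_id": int(sig_id), "event_name": name,
            "severity": int(severity), "ext": ext}


def cef_to_json(line):
    """Reverse the mapping. Fields the mapping drops cannot be recovered from CEF."""
    rec = parse_cef(line)
    ext = rec["ext"]
    is_score = "cs2" in ext
    msg = {"base_type_name": "score" if is_score else "meta",
           "event_type_id": rec["event_type_id"], "event_name": rec["event_name"],
           "severity": rec["severity"]}
    for json_key, cef_key in (SCORE_MAP if is_score else META_MAP).items():
        value = ext.get(cef_key, "")
        if value == "":
            continue  # empty extension value: the optional JSON field was absent
        msg[json_key] = int(value) if json_key in INT_FIELDS else value
    return msg
```

Two things the round trip makes concrete: connection_policy and auth_method are gone once the message is in CEF, so a detection that needs them (for example, alerting on password authentication under a policy that should only allow keys) has to be fed from the JSON output; and the cs1 label is the only thing that says what cs1 holds, so a SIEM parser should key on cs1Label rather than assume the custom-string slot assignment is fixed.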

User management and access control

The AAA menu (Authentication, Authorization, and Accounting) controls how users accessing SPS are authenticated and authorized, and how their activity is accounted for. The following sections describe these settings.

Managing SPS users locally

By default, SPS users are managed locally on SPS. To add local users, complete all steps of the following procedure:

  1. Create users.

    For detailed instructions on how to create local users, see Creating local users in SPS.

  2. Assign users to groups.

    For details about how to add a usergroup, see Managing local usergroups.

  3. Assign privileges to groups.

    For information on how to control the privileges of usergroups, see User management and access control.
