One Identity Safeguard for Privileged Sessions 5.9.0

Specifies the filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, you can enter the server.address: 10.30.255.70 search filter in the Search query field. All search results that contain that specific server IP address are listed.

Displayed:

Specifies if the search filter result is displayed as a field in the search columns or in the overview, details, events, or contents tabs.

There are search filters that are not displayed but you can still use them to filter the audit trails. For example, you can search for active connections using the active search filter, and search results are listed accordingly, but there is no active field displayed in the search table or in the overview, details, events, or contents tabs.

The following search filters are available:

Start time

Name:	Start time
Search filter:	start_time
Displayed:	Yes (start date column)

Description: The timestamp of the start of the connection.

Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.

End time

Name:	End time
Search filter:	end_time
Displayed:	Yes (end date column)

Description: The timestamp of the end of the connection. For ongoing connections, the value is null.

Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.

Duration

Name:	Duration
Search filter:	duration
Displayed:	Yes (duration column)

Description: The duration of the session in seconds. Computed value.

Gateway user

Name:	Gateway user
Search filter:	psm.gateway_username
Displayed:	Yes (gateway user column)

Description: The username used for authenticating against the gateway.

Server user

Name:	Server user
Search filter:	psm.server_username
Displayed:	Yes (server user column)

Description: The username used for authenticating on the remote server.

Client address

Name:	Client address
Search filter:	client.address
Displayed:	Yes (client address column)

Description: The IP address of the client.

Server address

Name:	Server address
Search filter:	server.address
Displayed:	Yes (server address column)

Description: The IP address of the remote server.

Server port

Name:	Server port
Search filter:	server.port
Displayed:	Yes (server port column)

Description: The port of the remote server.

Protocol

Name:	Protocol
Search filter:	protocol
Displayed:	Yes (protocol column)

Description: The protocol of the connection.

Interesting events

Name:	Interesting events
Search filter:	interesting_events
Displayed:	Yes (interesting events column)

Description: A list of commands and window titles from the session that could be interesting from a security point of view.

Verdict

Name:	Verdict
Search filter:	psm.verdict
Displayed:	Yes (verdict column)

Description: The connection verdict.

Possible values are:

accept

The connection attempt was successful.
accept-terminated

The connection violated a content policy, and was terminated by SPS.
auth-fail

Authentication failure.
deny

The connection was denied.
fail

The connection attempt failed.
gw-auth-fail

Gateway authentication failure.
key-error

The connection attempt failed due to a hostkey mismatch.
user-mapping-fail

The connection attempt failed due to a user mapping failure.

Content reference ID

Name:	Content reference ID
Search filter:	psm.content_reference_id
Displayed:	No

Description: The unique ID of the TCP connection.

Active

Name:	Active
Search filter:	active
Displayed:	No

Description: If the returned value is true, the connection is ongoing.

Archived

Name:	Archived
Search filter:	psm.archived
Displayed:	Yes (details tab)

Description: If the audit trail has been archived, this value is true, otherwise it is false. For details about archiving, see the archive object of the psm.audit_trail field.

Audit trail path

Name:	Audit trail path
Search filter:	psm.audit_trail
Displayed:	No

Description: The path to the audit trail file on SPS. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.

Authentication method

Name:	Authentication method
Search filter:	psm.auth_method
Displayed:	Yes (overview and details tabs)

Description: The authentication method used in the connection. For example, password.

Channel policy

Name:	Channel policy
Search filter:	psm.channel_policy
Displayed:	Yes (details tab)

Description: References the name of the channel policy. You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.

Client port

Name:	Client port
Search filter:	client.port
Displayed:	Yes (overview and details tabs)

Description: The port of the client.

Commands available

Name:	Commands available
Search filter:	psm.command_extracted
Displayed:	No

Description: If commands have been extracted from this terminal session, this value is true, otherwise it is false.

The extracted commands are available in the events object field.

Connection policy

Name:	Connection policy
Search filter:	psm.connection_policy
Displayed:	Yes (details tab)

Description: The name of the Connection Policy that handled the session, for example, ssh_gateway_auth. This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.

Connection policy ID

Name:	Connection policy ID
Search filter:	psm.connection_policy_id
Displayed:	Yes (details tab)

Description: The key of the Connection Policy that handled the session, for example, 54906683158e768e727100. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.

Indexing status

Name:	Indexing status
Search filter:	psm.index_status
Displayed:	Yes (details tab)

Description: Shows if the channel has been indexed. The following values are possible:

Connection is active (0): The connection of the channel is still open (indexer is waiting for the connection to close).
Not indexed (1): All channels of the connection have been closed which belong to the connection. The channel is ready for indexing, unless the audit trail was placed in the skipped_connections queue.
Indexing in progress (2): The channel is being indexed (indexing in progress). Note that SPS will return search results for the parts of the channel that are already indexed.
Indexed (3): Indexing the channel is complete.
Indexing not required (4): Indexing not required (indexing is not enabled for the connection).
Indexing failed (5): Indexing failed. The indexer service writes the corresponding error message in the error_message column of the indexer_jobs table. Note that SPS will return search results for the parts of the channel that were successfully indexed before the error occurred. For example, if the error occurred at the end of a long audit trail, you can still search for content from the first part of the audit trail.
No trail (6): Auditing is not enabled for the channel.

Indexing CPU time

Name:	Indexing CPU time
Search filter:	psm.indexer.statistics.cpu_time
Displayed:	No

Description: The CPU time that indexing this session took in milliseconds.

Indexing duration

Name:	Indexing duration
Search filter:	psm.indexer.statistics.duration
Displayed:	No

Description: The duration of time that indexing this session took in milliseconds.

Indexing start time

Name:	Indexing start time
Search filter:	psm.indexer.statistics.start_time
Displayed:	No

Description: The time and date when indexing this session started.

Indexer ADP version

Name:	Indexer ADP version
Search filter:	psm.indexer.version.adp
Displayed:	No

Description: The version of the audit data processor used for indexing the session.

Indexer version

Name:	Indexer version
Search filter:	psm.indexer.version.worker
Displayed:	No

Description: The version of the indexer worker used for indexing the session.

Indexing status

Name:	Indexing status
Search filter:	psm.indexer.status
Displayed:	No

Description: Shows if the channel has been indexed succesfully or not.

Indexing error

Name:	Indexing error
Search filter:	psm.indexer.error.message
Displayed:	No

Description: The reason why indexing failed.

Commands indexed

Name:	Commands indexed
Search filter:	psm.indexer.config.command.enabled
Displayed:	No

Description: True if commands were extracted while indexing the session.

Titles indexed

Name:	Titles indexed
Search filter:	psm.indexer.config.title.enabled
Displayed:	No

Description: True if window titles were extracted while indexing the session.

Screen content indexed

Name:	Screen content indexed
Search filter:	psm.indexer.config.screen.enabled
Displayed:	No

Description: True if screen content was extracted while indexing the session.

OCR tradeoff

Name:	OCR tradeoff
Search filter:	psm.indexer.config.screen.omnipage_trade_off
Displayed:	No

Description: The tradeoff used for optical character recognition when extracting screen content while indexing the session.

Keyboard extracted

Name:	Keyboard extracted
Search filter:	psm.indexer.config.keyboard.enabled
Displayed:	No

Description: True if keyboard events were extracted while indexing the session.

Keyboard buffering interval

Name:	Keyboard buffering interval
Search filter:	psm.indexer.config.keyboard.buffer_interval
Displayed:	No

Description: The buffering interval in milliseconds used when extracting keyboard events while indexing the session.

Mouse extracted

Name:	Mouse extracted
Search filter:	psm.indexer.config.mouse.enabled
Displayed:	No

Description: True if mouse events were extracted while indexing the session.

Mouse buffering interval

Name:	Mouse buffering interval
Search filter:	psm.indexer.config.mouse.buffer_interval
Displayed:	No

Description: The buffering interval in milliseconds used when extracting mouse events while indexing the session.

OCR languages

Name:	OCR languages
Search filter:	psm.indexer.config.ocr_languages
Displayed:	No

Description: The language configuration for optical character recognition used when indexing the session.

Near real-time indexing

Name:	Near real-time indexing
Search filter:	psm.indexer.config.near_realtime
Displayed:	No

Description: True if indexing this session was done near real-time (when the session was still active).

Network namespace

Name:	Network namespace
Search filter:	psm.network_id
Displayed:	No

Description: The ID of the Linux network namespace where the session originated from.

Origin

Name:	Origin
Search filter:	origin
Displayed:	No

Description: How SPA received this session. The following values are possible:

PSM for sessions based on an audit trail recorded by SPS.
LOG for sessions built from log data.

Score aggregated

Name:	Score aggregated
Search filter:	score.aggregated
Displayed:	No

Description: The risk score that SPA assigned to the session. Values range from 0 to 100, with 100 representing the highest risk.

You can also query the scores.aggregated element, which lists all score.aggregated values that SPA ever assigned to the session.

Server local address

Name:	Server local address
Search filter:	psm.server_local.address
Displayed:	Yes (overview and details tabs)

Description: The IP of SPS.

Server local port

Name:	Server local port
Search filter:	psm.server_local.port
Displayed:	Yes (overview and details tabs)

Description: The port of SPS.

Session id

Name:	Session id
Search filter:	psm.session_id
Displayed:	Yes (overview and details tabs)

Description: The identifier of the session.

Target address

Name:	Target address
Search filter:	psm.target.address
Displayed:	Yes (overview and details tabs)

Description: The IP address the client targeted for connection.

Target port

Name:	Target port
Search filter:	psm.target.port
Displayed:	Yes (overview and details tabs)

Description: The port the client targeted for connection.

Window titles available

Name:	Window titles available
Search filter:	psm.window_title_extracted
Displayed:	No

Description: If window titles have been extracted from this graphical session, this value is true, otherwise it is false.

The extracted window titles are available in the events object field.

Archive date

Name:	Archive date
Search filter:	psm.archive.date
Displayed:	No

Description: The date when the audit trail was archived in UNIX timestamp format (for example, 1451865600).

Archive server

Name:	Archive server
Search filter:	psm.archive.server
Displayed:	No

Description: The address of the remote server where the audit trail was archived.

Archive path

Name:	Archive path
Search filter:	psm.archive.path
Displayed:	No

Description: The path on the remote server where the audit trail was archived.

Archive policy

Name:	Archive policy
Search filter:	psm.archive.policy
Displayed:	No

Description: The ID of the archiving policy that was used to archive the audit trail.

Channel is active

Name:	Channel is active
Search filter:	psm.channels.active
Displayed:	No

Description: If the returned value is true, the session has not ended yet and the channel is active.

Audit stream ID

Name:	Audit stream ID
Search filter:	psm.channels.audit_stream_id
Displayed:	No

Description: The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.

Channel duration

Name:	Channel duration
Search filter:	psm.channels.duration
Displayed:	No

Description: The duration of the connection. Computed value.

Channel end time

Name:	Channel end time
Search filter:	psm.channels.end_time
Displayed:	No

Description: The UNIX timestamp of the end of the connection. For ongoing connections, the value is null.

Channel start time

Name:	Channel start time
Search filter:	psm.channels.start_time
Displayed:	No

Description: The UNIX timestamp of the start of the connection.

Channel type

Name:	Channel type
Search filter:	psm.channels.type
Displayed:	No

Description: The type of the channel. Additional elements might be used with certain ICA, SSH and RDP channel types.

Channel verdict

Name:	Channel verdict
Search filter:	psm.channels.verdict
Displayed:	No

Description: The channel's connection verdict.

Possible values are:

accept

The connection attempt was successful.
deny

The connection attempt was denied.
four-eyes-deferred

Four-eyes authorization is unable to progress as it is waiting for a remote username.
four-eyes-error

An internal error occurred during four-eyes authorization.
four-eyes-reject

The connection attempt was rejected by a four-eyes agent on SPS.
four-eyes-timeout

Four-eyes authorization timed out.

Executed commands

Name:	Executed commands
Search filter:	psm.channels.command
Displayed:	No

Description: Used with the session exec SSH channel type.

The executed command.

SCP path

Name:	SCP path
Search filter:	psm.channels.scp_path
Displayed:	No

Description: Used with the session exec scp SSH channel type.

The folder used for Secure Copy.

Subsystem name

Name:	Subsystem name
Search filter:	psm.channels.subsystem_name
Displayed:	No

Description: Used with the session subsystem sftp SSH channel type.

The name of the used subsystem.

Channel originator address

Name:	Channel originator address
Search filter:	psm.channels.originator.address
Displayed:	No

Description: Used with the local forward and remote forward SSH channel types.

The source address of the forwarded traffic.

Originator port

Name:	Originator port
Search filter:	psm.channels.originator.port
Displayed:	No

Description: Used with the local forward and remote forward SSH channel types.

The source port of the forwarded traffic.

Port-forward target IP

Name:	Port-forward target IP
Search filter:	psm.channels.connected.address
Displayed:	No

Description: Used with the local forward and remote forward SSH channel types.

The target address of the forwarded traffic.

Port-forward target port

Name:	Port-forward target port
Search filter:	psm.channels.connected.port
Displayed:	No

Description: Used with the local forward and remote forward SSH channel types.

The target port of the forwarded traffic.

Dynamic channel

Name:	Dynamic channel
Search filter:	psm.channels.dynamic_channel
Displayed:	No

Description: Used with the dynamic virtual RDP channel type.

The name of the dynamic channel.

Device name

Name:	Device name
Search filter:	psm.channels.device_name
Displayed:	No

Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.

The name of the device.

Application

Name:	Application
Search filter:	psm.channels.application
Displayed:	No

Description: Used with ICA connections.

The name of the application accessed in a seamless Citrix ICA connection.

Four-eyes authorizer

Name:	Four-eyes authorizer
Search filter:	psm.channels.four_eyes_authorizer
Displayed:	No

Description: The username of the user who authorized the session.

Available only if four-eyes authorization is required for the channel.

Four-eyes description

Name:	Four-eyes description
Search filter:	psm.channels.four_eyes_description
Displayed:	No

Description: The description of the session submitted by the authorizer of the session.

Available only if four-eyes authorization is required for the channel.

Alert type

Name:	Alert type
Search filter:	psm.alerts.alert_type
Displayed:	No

Description: The type of the event that triggered the alert. Possible values:

adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.

Channel id

Name:	Channel id
Search filter:	psm.alerts.channel_id
Displayed:	No

Description: A reference to the ID of the channel in the session where the event occurred.

Matched content

Name:	Matched content
Search filter:	psm.alerts.matched_content
Displayed:	No

Description: The content that occurred in the session and triggered the alert. Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert if a user types the sudo command, then the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.

Matched regexp

Name:	Matched regexp
Search filter:	psm.alerts.matched_regexp
Displayed:	No

Description: The regular expression (match field) of the Content Policy that matched a part of the content and triggered the alert.

For details, see Real-time content monitoring with Content Policies.

Event ID

Name:	Event ID
Search filter:	psm.alerts.record_id
Displayed:	No

Description: The ID number of the alert within the session.

Rule name

Name:	Rule name
Search filter:	psm.alerts.rule_name
Displayed:	No

Description: The name of the content policy rule that triggered the alert. Note that this is not the name of the Content Policy.

Alert time

Name:	Alert time
Search filter:	psm.alerts.time
Displayed:	No

Description: The timestamp when the alert was triggered, for example, 2017-04-25T13:26:39.144356.

Channel ID

Name:	Channel ID
Search filter:	psm.channels.id
Displayed:	No

Description: A reference to the ID of the channel in the session where the event occurred.

Event content

Name:	Event content
Search filter:	psm.events.content
Displayed:	No

Description: The event that occurred in the session. Note that this value contains the context of the event as well. For example, for command events in terminal sessions, the value contains the entire command line, including the command prompt. For example, myuser@examplehost:~$ man sudo.

Event type

Name:	Event type
Search filter:	psm.events.type
Displayed:	No

Description: The type of the event. Possible values:

adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.

Event date

Name:	Event date
Search filter:	psm.events.time
Displayed:	No

Description: The timestamp when the event occurred, for example, 2017-04-25T13:26:39.144356.

Using the content query

Using the Search interface > Searching audit trails: the SPS connection database > Using the content query

NOTE:

This feature is available only if auditing and content indexing was requested for the connection.

For more information, see Configuring the internal indexer.

The content query enables you to search in the contents of audit trails. There are various ways you can refine your content query, you can:

use wildcards
use boolean expressions
search in the commands of terminal connections (for example, command:"sudo su")
search in the window titles of graphical connections (for example, title:settings)

The following sections provide examples for different search queries:

For examples of exact matches, see Searching for exact matches.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching with special characters, see Searching for special characters.
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
For examples of proximity search to find words that appear within a special distance, see Proximity search.
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.

For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.

Searching for exact matches

By default, SPS searches for keywords as whole words and returns only exact matches.

NOTE:

If your search keywords include special characters, you must escape them with a backslash (\) character. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

For more information on special characters, see Searching for special characters.

Example: Searching for exact matches

Search expression

example

Matches

example

Does not match

examples

example.com

query-by-example

exam

To search for an exact phrase, enclose the search keywords in double quotes.

Search expression on the web interface	"example command"
Search expression on the REST API	%22example%20command%22
Matches	example command
Does not match	example command example: command

To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface	C\:\\Windows
Search expression on the REST API	C%5C%3A%5C%5CWindows
Matches	C:\Windows

Combining search keywords

You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,

Example: Combining keywords in search

Search expression on the web interface	keyword1 AND keyword2
Search expression on the REST API	keyword1%20AND%20keyword2
Matches	(returns hits that contain both keywords)

Search expression on the web interface	keyword1 OR keyword2
Search expression on the REST API	keyword1%20OR%20keyword2
Matches	(returns hits that contain at least one of the keywords)

Search expression on the web interface	"keyword1 keyword2" NOT "keyword2 keyword3"
Search expression on the REST API	%22keyword1%20keyword2%22%20NOT%20%22keyword2%20keyword3%22
Matches	(returns hits that contain the first phrase, but not the second)

Search expression on the web interface	+keyword1 keyword2
Search expression on the REST API	%2Bkeyword1%20keyword2
Matches	(returns hits that contain keyword1, and may contain keyword2)

To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".

Example: Using parentheses in search

Use parentheses to create more complex search expressions:

Search expression on the web interface	(keyword1 OR keyword2) AND keyword3
Search expression on the REST API	%28keyword1%20OR%20keyword2%29%20AND%20keyword3
Matches	(returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3)

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Example: Using wildcard ? in search

The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.

You cannot use a * or ? symbol as the first character of a search.

Search expression on the web interface	example?
Search expression on the REST API	example%3F
Matches	example1 examples example?
Does not match	example.com example12 query-by-example

Search expression on the web interface	example??
Search expression on the REST API	example%3F%3F
Matches	example12
Does not match	example.com example1 query-by-example

Example: Using wildcard * in search

The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.

Search expression on the web interface	example*
Search expression on the REST API	example%2A
Matches	example examples example.com
Does not match	query-by-example example*

Example: Using combined wildcards in search

Wildcard characters can be combined.

Search expression on the web interface	ex?mple*
Search expression on the REST API	ex%3Fmple%2A
Matches	example1 examples example.com exemple.com example12
Does not match	exmples query-by-example

Searching for special characters

To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example: Searching for special characters

To search for a special character, use a backslash (\).

Search expression on the web interface	example\?
Search expression on the REST API	example%5C%3F
Matches	example?
Does not match	examples example1

To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface	C\:\\Windows
Search expression on the REST API	C%5C%3A%5C%5CWindows
Matches	C:\Windows

To search for a string that includes a slash character, for example, a UNIX path, you must escape every slash with a backslash (\/).

Search expression on the web interface	\/var\/log\/messages
Search expression on the REST API	%5C%2Fvar%5C%2Flog%5C%2Fmessages
Matches	/var/log/messages

Search expression on the web interface	$1\+1$\:2
Search expression on the REST API	%5C%281%5C%2B1%5C%29%5C%3A2
Matches	(1+1):2

Searching in commands and window titles

For terminal connections, use the command: prefix to search only in commands (excluding screen content). For graphical connections, use the title: prefix to search only in window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].

You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.

Example: Searching in commands and window titles

Search expression on the web interface	command:"sudo su"
Search expression on the REST API	command%3A%22sudo+su%22
Matches	sudo su as a terminal command
Does not match	sudo su in general screen content

Search expression on the web interface	title:settings
Search expression on the REST API	title%3Asettings
Matches	settings appearing in the title of an active window
Does not match	settings in general screen content

To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.

Search expression on the web interface	properties AND NOT title:[* TO *]
Search expression on the REST API	properties%20AND%20NOT%20title%3A%5B%2A%20TO%20%2A%5D
Matches	properties appearing in the screen content, but not as a window title.
Does not match	properties in window titles.

You can also combine these search filters with other expressions and wildcards.

Search expression on the web interface	title:properties AND gateway
Search expression on the REST API	title%3Aproperties%20AND%20gateway
Matches	A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title).
Does not match	Screens where both properties and gateway appear, but properties is not in the window title.

Searching for fuzzy matches

Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.

Example: Searching for fuzzy matches

Search expression on the web interface

roam~

Search expression on the REST API

roam%7E

Matches

roams

foam

Proximity search

Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.

Example: Proximity search

Search expression on the web interface	"keyword1 keyword2"~10
Search expression on the REST API	%22keyword1%20keyword2%22%7E10
Matches	(returns hits that contain keyword1 and keyword2 within 10 words from each other)

Adjusting the relevance of search terms

By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.

Example: Adjusting the relevance of search terms

Search expression on the web interface	keyword1^4 keyword2
Search expression on the REST API	keyword1%5E4%20keyword2
Matches	(returns hits that contain keyword1 and keyword2, but keyword1 is 4 times more relevant)

Search expression on the web interface	"keyword1 keyword2"^5 "keyword3 keyword4"
Search expression on the REST API	%22keyword1%20keyword2%22%5E5%20%22keyword3%20keyword4%22
Matches	(returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5 times more relevant)

Displaying statistics on search results

Using the Search interface > Searching audit trails: the SPS connection database > Displaying statistics on search results

Purpose:

You can quickly sort and visualize the distribution of the sessions based on their various metadata, for example, username, server address, and so on.

Steps:

Click the icon.
Select the type of metadata you want to create statistics on from the Value distribution based on field, for example, select Username to display sessions based on username.

Figure 227: Search > Search — Displaying statistics
To exclude items from the pie chart, click the icon next to the metadata you want to exclude.

For example, if you want to exclude results by a user called testbot, select the icon next to the item.

Figure 228: Search > Search — Excluding items from the pie chart

The pie chart now does not display results for the excluded item. The percentages always add up to 100%.

You can continue to restrict or refine your search results and view statistics as required.

Analyzing data using One Identity Safeguard for Privileged Analytics

Using the Search interface > Searching audit trails: the SPS connection database > Analyzing data using One Identity Safeguard for Privileged Analytics

SPA integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

Prerequisites:

Make sure that you have session data from network traffic that:

contains real, unique usernames linked to users other than root/administrator or a shared account

To check this, navigate to Search > Search, and check whether the Username column contains data. This is important, because session data will be linked to users.

If you do not have unique usernames in your session data, review your authentication settings and consult with the One Identity Professional Services team to learn about your options to tie accounts to users.
has commands extracted (using lightweight or full indexing, or in real-time through content policies)

For instructions on how to configure indexing and include commands in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

For details on how to configure real-time command extraction using a content policy, see "Creating a new content policy" in the Administration Guide.
has keystrokes extracted (using lightweight or full indexing, or in real-time through content policies)

The minimum required amount of data for reliable insight is 5 sessions with approximately 200 keystrokes each.

For instructions on how to configure indexing and include typing biometrics in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

For details on how to configure real-time extraction of keystroke-related data using a content policy, see "Creating a new content policy" in the Administration Guide.
has window titles extracted (using lightweight or full indexing, or in real-time through content policies)

For instructions on how to configure indexing and include window titles in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

For details on how to configure real-time window title extraction using a content policy, see "Creating a new content policy" in the Administration Guide.

Purpose:

To start using SPA, complete the following steps.

Steps:

Start getting scores.

Scoring happens in real-time, meaning that as soon as new data (even data from an ongoing session) is available, SPA immediately scores it.

TIP:

When data is not immediately available to you and you are unable to wait until sufficient amount of data comes in from production traffic, you can resort to the following:

Manually reindex historical sessions. For details, see "Reindex historical sessions" in the Safeguard for Privileged Analytics Configuration Guide.
Specifically for window title data, run the pam-process-historical-window-titles command to invoke window title processing for sessions that have been both closed and indexed.

This can be useful, for example, when you have upgraded from a SPS version earlier than 5 F6 or you simply have never used the window title algorithm, and therefore SPS has not done any window title processing before.

Scores represent an aggregated amount. Session data is scored by multiple algorithms independent from each other. Scores given by individual algorithms are aggregated to create a single score.

For detailed instructions on how to configure SPA, see Safeguard for Privileged Analytics Configuration Guide.

Search for sessions with high scores.
1. Go to Search > Search.
  
  Sessions are displayed sorted by date. For ongoing sessions, the Search interface is updated in real-time to always show the most up-to-date information.
2. In the Search query field, type score.aggregated: [80 TO 100], and click Search.
  
  A score between 80 and 100 indicates unusual user behavior.
  
  Figure 229: Searching for sessions with unusual user behavior using a search query
  
  Results that show sessions with high scores are displayed.
  
  Figure 230: Sessions with high scores — table view
  
  Figure 231: Sessions with high scores — card view
Alternatively, search for scripted sessions.

In the Search query field, type analytics.scripted:true, and click Search.
To view details of a session, click when you are in table view.

Alternatively, click when you are in card view.
Click the analytics tab.

The top of the page displays a summary of key insights about the session, such as:
- The aggregated score (indicated by a gauge). The following color codes are used:
  - Scores between 80-100 indicate unusual behavior, their color code is red.
  - Scores between 70-79 indicate behavior that might require further analysis and attention, their color code is amber.
  - Scores between 0-69 indicate normal behavior, their color code is gray.
- A one-sentence summary of each algorithm's verdict about the session and user behavior.
The Anomalies found and Normal behavior sections of the page display detailed analyses provided by each of the configured algorithms. This includes short information on how a particular algorithm works and how to read the visualized insight, as well as scores given by the individual algorithms.

Figure 232: Search — Viewing details on the analytics tab: Anomalies found

Figure 233: Search — Viewing details on the analytics tab: Normal behavior

Search expression on the web interface	\(1\+1\)\:2
Search expression on the REST API	%5C%281%5C%2B1%5C%29%5C%3A2
Matches	(1+1):2

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Searching database fields

Purpose:

Start time

End time

Duration

Gateway user

Server user

Client address

Server address

Server port

Protocol

Interesting events

Verdict

Content reference ID

Active

Archived

Audit trail path

Authentication method

Channel policy

Client port

Commands available

Connection policy

Connection policy ID

Indexing status

Indexing CPU time

Indexing duration

Indexing start time

Indexer ADP version

Indexer version

Indexing status

Indexing error

Commands indexed

Titles indexed

Screen content indexed

OCR tradeoff

Keyboard extracted

Keyboard buffering interval

Mouse extracted

Mouse buffering interval

OCR languages

Near real-time indexing

Network namespace

Origin

Score aggregated

Server local address

Server local port

Session id

Target address

Target port

Window titles available

Archive date

Archive server

Archive path

Archive policy

Channel is active

Audit stream ID

Channel duration

Channel end time

Channel start time

Channel type

Channel verdict

Executed commands

SCP path

Subsystem name

Channel originator address

Originator port

Port-forward target IP

Port-forward target port

Dynamic channel

Device name

Application

Four-eyes authorizer

Four-eyes description

Alert type

Channel id

Matched content