This section lists the search filters that you can use to perform a more specific search of the audit trails.
The following table explains the columns used in the search filter tables in this section.
Name: The meaningful, easily readable name of the search filter.
Search filter: The filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, enter the server.address: 10.30.255.70 search filter in the Search query field. All search results that contain that server IP address are listed.
Displayed: Whether the search filter result is displayed as a field in the search columns or in the overview, details, events, or contents tabs. Some search filters are not displayed, but you can still use them to filter the audit trails. For example, you can search for active connections using the active search filter, and the results are listed accordingly, but there is no active field in the search table or in the overview, details, events, or contents tabs.
The following search filters are available:
Name: | Start time |
Search filter: | start_time |
Displayed: | Yes (start date column) |
Description: The timestamp of the start of the connection.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
Name: | End time |
Search filter: | end_time |
Displayed: | Yes (end date column) |
Description: The timestamp of the end of the connection. For ongoing connections, the value is null.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
Name: | Duration |
Search filter: | duration |
Displayed: | Yes (duration column) |
Description: The duration of the session in seconds. Computed value.
Name: | Gateway user |
Search filter: | psm.gateway_username |
Displayed: | Yes (gateway user column) |
Description: The username used for authenticating against the gateway.
Name: | Server user |
Search filter: | psm.server_username |
Displayed: | Yes (server user column) |
Description: The username used for authenticating on the remote server.
Name: | Client address |
Search filter: | client.address |
Displayed: | Yes (client address column) |
Description: The IP address of the client.
Name: | Server address |
Search filter: | server.address |
Displayed: | Yes (server address column) |
Description: The IP address of the remote server.
Name: | Server port |
Search filter: | server.port |
Displayed: | Yes (server port column) |
Description: The port of the remote server.
Name: | Protocol |
Search filter: | protocol |
Displayed: | Yes (protocol column) |
Description: The protocol of the connection.
Name: | Interesting events |
Search filter: | interesting_events |
Displayed: | Yes (interesting events column) |
Description: A list of commands and window titles from the session that could be interesting from a security point of view.
Name: | Verdict |
Search filter: | psm.verdict |
Displayed: | Yes (verdict column) |
Description: The connection verdict.
Possible values are:
accept: The connection attempt was successful.
accept-terminated: The connection violated a content policy, and was terminated by SPS.
auth-fail: Authentication failure.
deny: The connection was denied.
fail: The connection attempt failed.
gw-auth-fail: Gateway authentication failure.
key-error: The connection attempt failed due to a hostkey mismatch.
user-mapping-fail: The connection attempt failed due to a user mapping failure.
Name: | Content reference ID |
Search filter: | psm.content_reference_id |
Displayed: | No |
Description: The unique ID of the TCP connection.
Name: | Active |
Search filter: | active |
Displayed: | No |
Description: If the returned value is true, the connection is ongoing.
Name: | Archived |
Search filter: | psm.archived |
Displayed: | Yes (details tab) |
Description: If the audit trail has been archived, this value is true, otherwise it is false. For details about archiving, see the archive object of the psm.audit_trail field.
Name: | Audit trail path |
Search filter: | psm.audit_trail |
Displayed: | No |
Description: The path to the audit trail file on SPS. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.
Name: | Authentication method |
Search filter: | psm.auth_method |
Displayed: | Yes (overview and details tabs) |
Description: The authentication method used in the connection. For example, password.
Name: | Channel policy |
Search filter: | psm.channel_policy |
Displayed: | Yes (details tab) |
Description: References the name of the channel policy. You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.
Name: | Client port |
Search filter: | client.port |
Displayed: | Yes (overview and details tabs) |
Description: The port of the client.
Name: | Commands available |
Search filter: | psm.command_extracted |
Displayed: | No |
Description: If commands have been extracted from this terminal session, this value is true, otherwise it is false.
The extracted commands are available in the events object field.
Name: | Connection policy |
Search filter: | psm.connection_policy |
Displayed: | Yes (details tab) |
Description: The name of the Connection Policy that handled the session, for example, ssh_gateway_auth. This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
Name: | Connection policy ID |
Search filter: | psm.connection_policy_id |
Displayed: | Yes (details tab) |
Description: The key of the Connection Policy that handled the session, for example, 54906683158e768e727100. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
Name: | Indexing status |
Search filter: | psm.index_status |
Displayed: | Yes (details tab) |
Description: Shows if the channel has been indexed. The following values are possible:
Connection is active (0): The connection of the channel is still open (indexer is waiting for the connection to close).
Not indexed (1): All channels belonging to the connection have been closed. The channel is ready for indexing, unless the audit trail was placed in the skipped_connections queue.
Indexing in progress (2): The channel is being indexed (indexing in progress). Note that SPS will return search results for the parts of the channel that are already indexed.
Indexed (3): Indexing the channel is complete.
Indexing not required (4): Indexing not required (indexing is not enabled for the connection).
Indexing failed (5): Indexing failed. The indexer service writes the corresponding error message in the error_message column of the indexer_jobs table. Note that SPS will return search results for the parts of the channel that were successfully indexed before the error occurred. For example, if the error occurred at the end of a long audit trail, you can still search for content from the first part of the audit trail.
No trail (6): Auditing is not enabled for the channel.
Name: | Indexing CPU time |
Search filter: | psm.indexer.statistics.cpu_time |
Displayed: | No |
Description: The CPU time that indexing this session took in milliseconds.
Name: | Indexing duration |
Search filter: | psm.indexer.statistics.duration |
Displayed: | No |
Description: The duration of time that indexing this session took in milliseconds.
Name: | Indexing start time |
Search filter: | psm.indexer.statistics.start_time |
Displayed: | No |
Description: The time and date when indexing this session started.
Name: | Indexer ADP version |
Search filter: | psm.indexer.version.adp |
Displayed: | No |
Description: The version of the audit data processor used for indexing the session.
Name: | Indexer version |
Search filter: | psm.indexer.version.worker |
Displayed: | No |
Description: The version of the indexer worker used for indexing the session.
Name: | Indexing status |
Search filter: | psm.indexer.status |
Displayed: | No |
Description: Shows whether the channel has been indexed successfully or not.
Name: | Indexing error |
Search filter: | psm.indexer.error.message |
Displayed: | No |
Description: The reason why indexing failed.
Name: | Commands indexed |
Search filter: | psm.indexer.config.command.enabled |
Displayed: | No |
Description: True if commands were extracted while indexing the session.
Name: | Titles indexed |
Search filter: | psm.indexer.config.title.enabled |
Displayed: | No |
Description: True if window titles were extracted while indexing the session.
Name: | Screen content indexed |
Search filter: | psm.indexer.config.screen.enabled |
Displayed: | No |
Description: True if screen content was extracted while indexing the session.
Name: | OCR tradeoff |
Search filter: | psm.indexer.config.screen.omnipage_trade_off |
Displayed: | No |
Description: The tradeoff used for optical character recognition when extracting screen content while indexing the session.
Name: | Keyboard extracted |
Search filter: | psm.indexer.config.keyboard.enabled |
Displayed: | No |
Description: True if keyboard events were extracted while indexing the session.
Name: | Keyboard buffering interval |
Search filter: | psm.indexer.config.keyboard.buffer_interval |
Displayed: | No |
Description: The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
Name: | Mouse extracted |
Search filter: | psm.indexer.config.mouse.enabled |
Displayed: | No |
Description: True if mouse events were extracted while indexing the session.
Name: | Mouse buffering interval |
Search filter: | psm.indexer.config.mouse.buffer_interval |
Displayed: | No |
Description: The buffering interval in milliseconds used when extracting mouse events while indexing the session.
Name: | OCR languages |
Search filter: | psm.indexer.config.ocr_languages |
Displayed: | No |
Description: The language configuration for optical character recognition used when indexing the session.
Name: | Near real-time indexing |
Search filter: | psm.indexer.config.near_realtime |
Displayed: | No |
Description: True if indexing this session was done near real-time (when the session was still active).
Name: | Network namespace |
Search filter: | psm.network_id |
Displayed: | No |
Description: The ID of the Linux network namespace where the session originated from.
Name: | Origin |
Search filter: | origin |
Displayed: | No |
Description: How SPA received this session. The following values are possible:
PSM for sessions based on an audit trail recorded by SPS.
LOG for sessions built from log data.
Name: | Score aggregated |
Search filter: | score.aggregated |
Displayed: | No |
Description: The risk score that SPA assigned to the session. Values range from 0 to 100, with 100 representing the highest risk.
You can also query the scores.aggregated element, which lists all score.aggregated values that SPA ever assigned to the session.
Name: | Server local address |
Search filter: | psm.server_local.address |
Displayed: | Yes (overview and details tabs) |
Description: The IP of SPS.
Name: | Server local port |
Search filter: | psm.server_local.port |
Displayed: | Yes (overview and details tabs) |
Description: The port of SPS.
Name: | Session id |
Search filter: | psm.session_id |
Displayed: | Yes (overview and details tabs) |
Description: The identifier of the session.
Name: | Target address |
Search filter: | psm.target.address |
Displayed: | Yes (overview and details tabs) |
Description: The IP address the client targeted for connection.
Name: | Target port |
Search filter: | psm.target.port |
Displayed: | Yes (overview and details tabs) |
Description: The port the client targeted for connection.
Name: | Window titles available |
Search filter: | psm.window_title_extracted |
Displayed: | No |
Description: If window titles have been extracted from this graphical session, this value is true, otherwise it is false.
The extracted window titles are available in the events object field.
Name: | Archive date |
Search filter: | psm.archive.date |
Displayed: | No |
Description: The date when the audit trail was archived in UNIX timestamp format (for example, 1451865600).
Name: | Archive server |
Search filter: | psm.archive.server |
Displayed: | No |
Description: The address of the remote server where the audit trail was archived.
Name: | Archive path |
Search filter: | psm.archive.path |
Displayed: | No |
Description: The path on the remote server where the audit trail was archived.
Name: | Archive policy |
Search filter: | psm.archive.policy |
Displayed: | No |
Description: The ID of the archiving policy that was used to archive the audit trail.
Name: | Channel is active |
Search filter: | psm.channels.active |
Displayed: | No |
Description: If the returned value is true, the session has not ended yet and the channel is active.
Name: | Audit stream ID |
Search filter: | psm.channels.audit_stream_id |
Displayed: | No |
Description: The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
Name: | Channel duration |
Search filter: | psm.channels.duration |
Displayed: | No |
Description: The duration of the connection. Computed value.
Name: | Channel end time |
Search filter: | psm.channels.end_time |
Displayed: | No |
Description: The UNIX timestamp of the end of the connection. For ongoing connections, the value is null.
Name: | Channel start time |
Search filter: | psm.channels.start_time |
Displayed: | No |
Description: The UNIX timestamp of the start of the connection.
Name: | Channel type |
Search filter: | psm.channels.type |
Displayed: | No |
Description: The type of the channel. Additional elements might be used with certain ICA, SSH and RDP channel types.
Name: | Channel verdict |
Search filter: | psm.channels.verdict |
Displayed: | No |
Description: The channel's connection verdict.
Possible values are:
accept: The connection attempt was successful.
deny: The connection attempt was denied.
four-eyes-deferred: Four-eyes authorization is unable to progress as it is waiting for a remote username.
four-eyes-error: An internal error occurred during four-eyes authorization.
four-eyes-reject: The connection attempt was rejected by a four-eyes agent on SPS.
four-eyes-timeout: Four-eyes authorization timed out.
Name: | Executed commands |
Search filter: | psm.channels.command |
Displayed: | No |
Description: Used with the session exec SSH channel type.
The executed command.
Name: | SCP path |
Search filter: | psm.channels.scp_path |
Displayed: | No |
Description: Used with the session exec scp SSH channel type.
The folder used for Secure Copy.
Name: | Subsystem name |
Search filter: | psm.channels.subsystem_name |
Displayed: | No |
Description: Used with the session subsystem sftp SSH channel type.
The name of the used subsystem.
Name: | Channel originator address |
Search filter: | psm.channels.originator.address |
Displayed: | No |
Description: Used with the local forward and remote forward SSH channel types.
The source address of the forwarded traffic.
Name: | Originator port |
Search filter: | psm.channels.originator.port |
Displayed: | No |
Description: Used with the local forward and remote forward SSH channel types.
The source port of the forwarded traffic.
Name: | Port-forward target IP |
Search filter: | psm.channels.connected.address |
Displayed: | No |
Description: Used with the local forward and remote forward SSH channel types.
The target address of the forwarded traffic.
Name: | Port-forward target port |
Search filter: | psm.channels.connected.port |
Displayed: | No |
Description: Used with the local forward and remote forward SSH channel types.
The target port of the forwarded traffic.
Name: | Dynamic channel |
Search filter: | psm.channels.dynamic_channel |
Displayed: | No |
Description: Used with the dynamic virtual RDP channel type.
The name of the dynamic channel.
Name: | Device name |
Search filter: | psm.channels.device_name |
Displayed: | No |
Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.
The name of the device.
Name: | Application |
Search filter: | psm.channels.application |
Displayed: | No |
Description: Used with ICA connections.
The name of the application accessed in a seamless Citrix ICA connection.
Name: | Four-eyes authorizer |
Search filter: | psm.channels.four_eyes_authorizer |
Displayed: | No |
Description: The username of the user who authorized the session.
Available only if four-eyes authorization is required for the channel.
Name: | Four-eyes description |
Search filter: | psm.channels.four_eyes_description |
Displayed: | No |
Description: The description of the session submitted by the authorizer of the session.
Available only if four-eyes authorization is required for the channel.
Name: | Alert type |
Search filter: | psm.alerts.alert_type |
Displayed: | No |
Description: The type of the event that triggered the alert. Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
Name: | Channel id |
Search filter: | psm.alerts.channel_id |
Displayed: | No |
Description: A reference to the ID of the channel in the session where the event occurred.
Name: | Matched content |
Search filter: | psm.alerts.matched_content |
Displayed: | No |
Description: The content that occurred in the session and triggered the alert. Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert when a user types the sudo command, the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.
Name: | Matched regexp |
Search filter: | psm.alerts.matched_regexp |
Displayed: | No |
Description: The regular expression (match field) of the Content Policy that matched a part of the content and triggered the alert.
For details, see Real-time content monitoring with Content Policies.
Name: | Event ID |
Search filter: | psm.alerts.record_id |
Displayed: | No |
Description: The ID number of the alert within the session.
Name: | Rule name |
Search filter: | psm.alerts.rule_name |
Displayed: | No |
Description: The name of the content policy rule that triggered the alert. Note that this is not the name of the Content Policy.
Name: | Alert time |
Search filter: | psm.alerts.time |
Displayed: | No |
Description: The timestamp when the alert was triggered, for example, 2017-04-25T13:26:39.144356.
Name: | Channel ID |
Search filter: | psm.channels.id |
Displayed: | No |
Description: A reference to the ID of the channel in the session where the event occurred.
Name: | Event content |
Search filter: | psm.events.content |
Displayed: | No |
Description: The event that occurred in the session. Note that this value contains the context of the event as well: for command events in terminal sessions, the value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.
Name: | Event type |
Search filter: | psm.events.type |
Displayed: | No |
Description: The type of the event. Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
Name: | Event date |
Search filter: | psm.events.time |
Displayed: | No |
Description: The timestamp when the event occurred, for example, 2017-04-25T13:26:39.144356.
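As an added example that is not part of the SPS documentation or product, the following Python code shows how the fields above fit together in a triage pass over session records retrieved from the REST API. It assumes the returned JSON nests along the dotted filter names (psm.verdict, psm.channels.connected.address, psm.alerts.matched_content, score.aggregated); the three session records are constructed for this example, the verdict values, channel types and alert types are the documented ones, and the 70/80 score bands are those of the analytics tab described further down this page.

```python
"""Triage SPS session records using the search-filter fields listed above.

Added example; not code from SPS or One Identity. Assumes a session record is
a JSON object nested along the dotted filter names (psm.verdict is
record["psm"]["verdict"], psm.channels.connected.address is
record["psm"]["channels"][i]["connected"]["address"], and so on).
The sample records below are constructed for this example.
"""
import json
import re

# psm.verdict values other than a clean accept.
FAILED_SESSION_VERDICTS = {"accept-terminated", "auth-fail", "deny", "fail",
                           "gw-auth-fail", "key-error", "user-mapping-fail"}
# psm.channels.verdict values meaning the channel was refused.
REFUSED_CHANNEL_VERDICTS = {"deny", "four-eyes-reject", "four-eyes-timeout",
                            "four-eyes-error"}
# SSH channel types that carry forwarded traffic (psm.channels.connected.*).
FORWARD_TYPES = {"local forward", "remote forward"}

SAMPLE_SESSIONS = json.loads(r'''[
 {"protocol": "ssh", "server": {"address": "10.30.255.70", "port": 22},
  "score": {"aggregated": 91},
  "psm": {"session_id": "svc/example/1", "verdict": "accept",
          "gateway_username": "alice", "server_username": "root",
          "channels": [
            {"type": "session exec", "verdict": "accept", "command": "sudo su -"},
            {"type": "local forward", "verdict": "accept",
             "originator": {"address": "10.30.1.15", "port": 51422},
             "connected": {"address": "10.30.255.80", "port": 3389}}],
          "alerts": [{"record_id": 1, "alert_type": "adp.event.command",
                      "rule_name": "sudo_rule", "matched_regexp": "sudo",
                      "matched_content": "alice@examplehost:~$ sudo su -"}]}},
 {"protocol": "rdp", "server": {"address": "10.30.255.90", "port": 3389},
  "score": {"aggregated": 74},
  "psm": {"session_id": "svc/example/2", "verdict": "accept-terminated",
          "gateway_username": "bob", "server_username": "administrator",
          "channels": [{"type": "disk redirect", "verdict": "four-eyes-reject",
                        "device_name": "usb0"}],
          "alerts": [{"record_id": 1, "alert_type": "adp.event.screen.creditcard",
                      "rule_name": "pan_rule", "matched_regexp": "",
                      "matched_content": ""}]}},
 {"protocol": "ssh", "server": {"address": "10.30.255.70", "port": 22},
  "score": {"aggregated": 12},
  "psm": {"session_id": "svc/example/3", "verdict": "accept",
          "gateway_username": "carol", "server_username": "carol",
          "channels": [{"type": "session exec", "verdict": "accept", "command": "uptime"}],
          "alerts": []}}
]''')


def score_band(score):
    """Colour band the analytics tab gives a score.aggregated value (0-100)."""
    if score >= 80:
        return "red"
    if score >= 70:
        return "amber"
    return "gray"


def alert_hit(alert):
    """Bare text that fired a Content Policy alert, or None.

    psm.alerts.matched_content carries the whole line, prompt included, so
    matched_regexp is re-applied to recover just the hit. Credit-card alerts
    carry no regexp and yield None."""
    if not alert.get("matched_regexp"):
        return None
    m = re.search(alert["matched_regexp"], alert.get("matched_content", ""))
    return m.group(0) if m else None


def triage(session):
    """List the findings in one session that deserve an analyst's attention."""
    psm = session["psm"]
    findings = []
    if psm.get("verdict") in FAILED_SESSION_VERDICTS:
        findings.append(f"session verdict {psm['verdict']}")
    for ch in psm.get("channels", []):
        if ch.get("verdict") in REFUSED_CHANNEL_VERDICTS:
            findings.append(f"{ch['type']} channel refused: {ch['verdict']}")
        if ch.get("type") in FORWARD_TYPES:
            target = ch["connected"]
            findings.append(f"{ch['type']} to {target['address']}:{target['port']}")
        if "device_name" in ch:
            findings.append(f"{ch['type']}: device {ch['device_name']}")
    for alert in psm.get("alerts", []):
        hit = alert_hit(alert)
        findings.append(f"alert {alert['rule_name']} ({alert['alert_type']})"
                        + (f": {hit}" if hit else ""))
    score = session.get("score", {}).get("aggregated")
    if score is not None and score_band(score) != "gray":
        findings.append(f"score {score} is {score_band(score)}")
    return findings


def triage_all(sessions):
    """Map psm.session_id to its findings, omitting sessions with none."""
    result = {}
    for session in sessions:
        findings = triage(session)
        if findings:
            result[session["psm"]["session_id"]] = findings
    return result
```

The sudo session is flagged three times (a port forward to an RDP target, a Content Policy alert, a red score) while the routine uptime session produces no findings at all. alert_hit exists because of the caveat documented for psm.alerts.matched_content: the stored value is the whole line with the prompt, so a rule on sudo that fired on man sudo can only be told apart by re-applying psm.alerts.matched_regexp.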
NOTE:
This feature is available only if auditing and content indexing were requested for the connection. For more information, see Configuring the internal indexer.
The content query enables you to search in the contents of audit trails. You can refine your content query in several ways:
use wildcards
use boolean expressions
search in the commands of terminal connections (for example, command:"sudo su")
search in the window titles of graphical connections (for example, title:settings)
The following sections provide examples for different search queries:
For examples of exact matches, see Searching for exact matches.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching with special characters, see Searching for special characters.
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
For examples of proximity search to find words that appear within a specified distance of each other, see Proximity search.
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
By default, SPS searches for keywords as whole words and returns only exact matches.
NOTE:
If your search keywords include special characters, you must escape them with a backslash (\) character. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ / For more information on special characters, see Searching for special characters.
Search expression | example |
Matches | example |
Does not match |
examples example.com query-by-example exam |
To search for an exact phrase, enclose the search keywords in double quotes.
Search expression on the web interface | "example command" |
Search expression on the REST API | %22example%20command%22 |
Matches | example command |
Does not match |
example command example: command |
To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).
Search expression on the web interface | C\:\\Windows |
Search expression on the REST API | C%5C%3A%5C%5CWindows |
Matches |
C:\Windows |
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
Search expression on the web interface | keyword1 AND keyword2 |
Search expression on the REST API | keyword1%20AND%20keyword2 |
Matches | (returns hits that contain both keywords) |
Search expression on the web interface | keyword1 OR keyword2 |
Search expression on the REST API | keyword1%20OR%20keyword2 |
Matches | (returns hits that contain at least one of the keywords) |
Search expression on the web interface | "keyword1 keyword2" NOT "keyword2 keyword3" |
Search expression on the REST API | %22keyword1%20keyword2%22%20NOT%20%22keyword2%20keyword3%22 |
Matches | (returns hits that contain the first phrase, but not the second) |
Search expression on the web interface | +keyword1 keyword2 |
Search expression on the REST API | %2Bkeyword1%20keyword2 |
Matches | (returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Use parentheses to create more complex search expressions:
Search expression on the web interface | (keyword1 OR keyword2) AND keyword3 |
Search expression on the REST API | %28keyword1%20OR%20keyword2%29%20AND%20keyword3 |
Matches | (returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
You can use the ? and * wildcards in your search expressions.
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
Search expression on the web interface | example? |
Search expression on the REST API | example%3F |
Matches |
example1 examples example? |
Does not match |
example.com example12 query-by-example |
Search expression on the web interface | example?? |
Search expression on the REST API | example%3F%3F |
Matches |
example12 |
Does not match |
example.com example1 query-by-example |
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
Search expression on the web interface | example* |
Search expression on the REST API | example%2A |
Matches |
example examples example.com |
Does not match |
query-by-example example* |
Wildcard characters can be combined.
Search expression on the web interface | ex?mple* |
Search expression on the REST API | ex%3Fmple%2A |
Matches |
example1 examples example.com exemple.com example12 |
Does not match |
exmples query-by-example |
To search for a special character, for example, a question mark (?), asterisk (*), backslash (\) or whitespace ( ) character, prefix it with a backslash (\). Any character after a backslash is handled as a literal character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Search expression on the web interface | example\? |
Search expression on the REST API | example%5C%3F |
Matches |
example? |
Does not match |
examples example1 |
To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).
Search expression on the web interface | C\:\\Windows |
Search expression on the REST API | C%5C%3A%5C%5CWindows |
Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape every slash with a backslash (\/).
Search expression on the web interface | \/var\/log\/messages |
Search expression on the REST API | %5C%2Fvar%5C%2Flog%5C%2Fmessages |
Matches |
/var/log/messages |
Search expression on the web interface | \(1\+1\)\:2 |
Search expression on the REST API | %5C%281%5C%2B1%5C%29%5C%3A2 |
Matches |
(1+1):2 |
For terminal connections, use the command: prefix to search only in commands (excluding screen content). For graphical connections, use the title: prefix to search only in window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.
Search expression on the web interface | command:"sudo su" |
Search expression on the REST API | command%3A%22sudo+su%22 |
Matches |
sudo su as a terminal command |
Does not match | sudo su in general screen content |
Search expression on the web interface | title:settings |
Search expression on the REST API | title%3Asettings |
Matches |
settings appearing in the title of an active window |
Does not match | settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
Search expression on the web interface | properties AND NOT title:[* TO *] |
Search expression on the REST API | properties%20AND%20NOT%20title%3A%5B%2A%20TO%20%2A%5D |
Matches |
properties appearing in the screen content, but not as a window title. |
Does not match | properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
Search expression on the web interface | title:properties AND gateway |
Search expression on the REST API | title%3Aproperties%20AND%20gateway |
Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
Search expression on the web interface | roam~ |
Search expression on the REST API | roam%7E |
Matches |
roams foam |
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
Search expression on the web interface | "keyword1 keyword2"~10 |
Search expression on the REST API | %22keyword1%20keyword2%22%7E10 |
Matches | (returns hits that contain keyword1 and keyword2 within 10 words from each other) |
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
Search expression on the web interface | keyword1^4 keyword2 |
Search expression on the REST API | keyword1%5E4%20keyword2 |
Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 4 times more relevant) |
Search expression on the web interface | "keyword1 keyword2"^5 "keyword3 keyword4" |
Search expression on the REST API | %22keyword1%20keyword2%22%5E5%20%22keyword3%20keyword4%22 |
Matches | (returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5 times more relevant) |
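The following Python helpers are an added example, not code from SPS or the One Identity documentation. They implement the rules of the sections above (exact matches, boolean operators, wildcards, special characters, the command: and title: prefixes, fuzzy and proximity search, relevance) so that a script produces the same REST API form as the tables, and they generalise the special-character escaping to any literal. The special-character list and the encoded strings are taken from this page; the helper names and the /api/audit/sessions?q= endpoint are assumptions.

```python
"""Build SPS content-query strings: escape literals, compose the prefix, range
and proximity forms shown above, and percent-encode them for the REST API.

Added example; not code from SPS or One Identity. The special-character list,
the escaping rule and the encoded forms come from this page; the helper names
and the /api/audit/sessions?q= endpoint are assumptions.
"""
from urllib.parse import quote

# Query-syntax characters listed above; a literal search needs each one
# prefixed with a backslash. A literal space can be escaped the same way,
# but phrase() below uses double quotes for that instead.
SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_literal(text):
    """Backslash-escape every special character so `text` is matched as-is."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in text)


def phrase(words):
    """Exact phrase, such as "example command" above."""
    return f'"{words}"'


def group(expr):
    """Parenthesised sub-expression for boolean combinations."""
    return f"({expr})"


def prefixed(field, value):
    """Field-restricted search, for example command:"sudo su" or title:settings."""
    return f"{field}:{value}"


def range_query(field, low, high):
    """Inclusive range, for example score.aggregated:[80 TO 100]."""
    return f"{field}:[{low} TO {high}]"


def exclude_field(expr, field):
    """Hits for `expr` that did not come from `field` (commands or titles)."""
    return f"{expr} AND NOT {field}:[* TO *]"


def proximity(words, distance):
    """Words of the phrase within `distance` words of each other."""
    return f'"{words}"~{distance}'


def boost(expr, factor):
    """Make `expr` `factor` times more relevant than its neighbours."""
    return f"{expr}^{factor}"


def rest_encode(expr):
    """Percent-encode a query for the REST API q parameter.

    quote() with an empty safe set encodes everything except letters, digits
    and "_.-~"; the page encodes "~" as %7E too, so it is added here. The page
    shows "+" for a space in one example; this helper always emits %20.
    """
    return quote(expr, safe="").replace("~", "%7E")


def session_search_url(base, expr):
    """Full search URL. The /api/audit/sessions endpoint and the q parameter
    are assumed here; this page documents only the encoded query string."""
    return f"{base}/api/audit/sessions?q={rest_encode(expr)}"


if __name__ == "__main__":
    for expr in (phrase("example command"),
                 escape_literal("C:\\Windows"),
                 escape_literal("/var/log/messages"),
                 prefixed("command", phrase("sudo su")),
                 exclude_field("properties", "title"),
                 range_query("score.aggregated", 80, 100)):
        print(f"{expr:45} -> {rest_encode(expr)}")
```

Running the block prints each web-interface expression next to its encoded form; for the page's own examples the output matches the REST API rows above, except command:"sudo su", where the page encodes the space as + and the helper emits %20 like the rest of the page. escape_literal is the safe default for anything copied from a terminal, since a path, a prompt or a command line almost always contains one of the special characters.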
You can quickly sort and visualize the distribution of the sessions based on their various metadata, for example, username, server address, and so on.
Click the icon.
Select the type of metadata you want to create statistics on from the Value distribution based on field, for example, select Username to display sessions based on username.
Figure 227: Search > Search — Displaying statistics
To exclude items from the pie chart, click the icon next to the metadata you want to exclude.
For example, if you want to exclude results by a user called testbot, select the icon next to the item.
Figure 228: Search > Search — Excluding items from the pie chart
The pie chart now does not display results for the excluded item. The percentages always add up to 100%.
You can continue to restrict or refine your search results and view statistics as required.
SPA integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.
Make sure that you have session data from network traffic that:
contains real, unique usernames linked to users other than root/administrator or a shared account
To check this, navigate to Search > Search, and check whether the Username column contains data. This is important, because session data will be linked to users.
If you do not have unique usernames in your session data, review your authentication settings and consult with the One Identity Professional Services team to learn about your options to tie accounts to users.
has commands extracted (using lightweight or full indexing, or in real-time through content policies)
For instructions on how to configure indexing and include commands in the scope of indexing, see "Indexing audit trails" in the Administration Guide.
For details on how to configure real-time command extraction using a content policy, see "Creating a new content policy" in the Administration Guide.
has keystrokes extracted (using lightweight or full indexing, or in real-time through content policies)
The minimum required amount of data for reliable insight is 5 sessions with approximately 200 keystrokes each.
For instructions on how to configure indexing and include typing biometrics in the scope of indexing, see "Indexing audit trails" in the Administration Guide.
For details on how to configure real-time extraction of keystroke-related data using a content policy, see "Creating a new content policy" in the Administration Guide.
has window titles extracted (using lightweight or full indexing, or in real-time through content policies)
For instructions on how to configure indexing and include window titles in the scope of indexing, see "Indexing audit trails" in the Administration Guide.
For details on how to configure real-time window title extraction using a content policy, see "Creating a new content policy" in the Administration Guide.
To start using SPA, complete the following steps.
Start getting scores.
Scoring happens in real-time, meaning that as soon as new data (even data from an ongoing session) is available, SPA immediately scores it.
TIP:
When data is not immediately available to you and you are unable to wait until a sufficient amount of data comes in from production traffic, you can resort to the following:
A score is an aggregated value: session data is scored by multiple algorithms independently of each other, and the scores given by the individual algorithms are aggregated into a single score.
For detailed instructions on how to configure SPA, see Safeguard for Privileged Analytics Configuration Guide.
Search for sessions with high scores.
Go to Search > Search.
Sessions are displayed sorted by date. For ongoing sessions, the Search interface is updated in real-time to always show the most up-to-date information.
In the Search query field, type score.aggregated: [80 TO 100], and click Search.
A score between 80 and 100 indicates unusual user behavior.
Figure 229: Searching for sessions with unusual user behavior using a search query
Results that show sessions with high scores are displayed.
Figure 230: Sessions with high scores — table view
Figure 231: Sessions with high scores — card view
Alternatively, search for scripted sessions.
In the Search query field, type analytics.scripted:true, and click Search.
To view details of a session, click when you are in table view.
Alternatively, click when you are in card view.
Click the analytics tab.
The top of the page displays a summary of key insights about the session, such as:
The aggregated score (indicated by a gauge). The following color codes are used:
Scores between 80-100 indicate unusual behavior, their color code is red.
Scores between 70-79 indicate behavior that might require further analysis and attention, their color code is amber.
Scores between 0-69 indicate normal behavior, their color code is gray.
A one-sentence summary of each algorithm's verdict about the session and user behavior.
The Anomalies found and Normal behavior sections of the page display detailed analyses provided by each of the configured algorithms. This includes short information on how a particular algorithm works and how to read the visualized insight, as well as scores given by the individual algorithms.
Figure 232: Search — Viewing details on the analytics tab: Anomalies found
Figure 233: Search — Viewing details on the analytics tab: Normal behavior
© 2021 One Identity LLC. ALL RIGHTS RESERVED.