One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Searching database fields

Purpose:

This section lists the search filters that you can use to perform a more specific search of the audit trails.

The following table provides an explanation to the search filter tables listed in this section.

Name:

Specifies the meaningful and easily readable name of the search filter.

Search filter:

Specifies the filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, you can enter the server.address: 10.30.255.70 search filter in the Search query field. All search results that contain that specific server IP address are listed.

Displayed:

Specifies if the search filter result is displayed as a field in the search columns or in the overview, details, events, or contents tabs.

There are search filters that are not displayed but you can still use them to filter the audit trails. For example, you can search for active connections using the active search filter, and search results are listed accordingly, but there is no active field displayed in the search table or in the overview, details, events, or contents tabs.

The following search filters are available:

Start time
Name: Start time
Search filter: start_time
Displayed: Yes (start date column)

Description: The timestamp of the start of the connection.

Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.

End time
Name: End time
Search filter: end_time
Displayed: Yes (end date column)

Description: The timestamp of the end of the connection. For ongoing connections, the value is null.

Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2017-04-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.

Duration
Name: Duration
Search filter: duration
Displayed: Yes (duration column)

Description: The duration of the session in seconds. Computed value.

Gateway user
Name: Gateway user
Search filter: psm.gateway_username
Displayed: Yes (gateway user column)

Description: The username used for authenticating against the gateway.

Server user
Name: Server user
Search filter: psm.server_username
Displayed: Yes (server user column)

Description: The username used for authenticating on the remote server.

Client address
Name: Client address
Search filter: client.address
Displayed: Yes (client address column)

Description: The IP address of the client.

Server address
Name: Server address
Search filter: server.address
Displayed: Yes (server address column)

Description: The IP address of the remote server.

Server port
Name: Server port
Search filter: server.port
Displayed: Yes (server port column)

Description: The port of the remote server.

Protocol
Name: Protocol
Search filter: protocol
Displayed: Yes (protocol column)

Description: The protocol of the connection.

Interesting events
Name: Interesting events
Search filter: interesting_events
Displayed: Yes (interesting events column)

Description: A list of commands and window titles from the session that could be interesting from a security point of view.

Verdict
Name: Verdict
Search filter: psm.verdict
Displayed: Yes (verdict column)

Description: The connection verdict.

Possible values are:

  • accept

    The connection attempt was successful.

  • accept-terminated

    The connection violated a content policy, and was terminated by SPS.

  • auth-fail

    Authentication failure.

  • deny

    The connection was denied.

  • fail

    The connection attempt failed.

  • gw-auth-fail

    Gateway authentication failure.

  • key-error

    The connection attempt failed due to a hostkey mismatch.

  • user-mapping-fail

    The connection attempt failed due to a user mapping failure.

Content reference ID
Name: Content reference ID
Search filter: psm.content_reference_id
Displayed: No

Description: The unique ID of the TCP connection.

Active
Name: Active
Search filter: active
Displayed: No

Description: If the returned value is true, the connection is ongoing.

Archived
Name: Archived
Search filter: psm.archived
Displayed: Yes (details tab)

Description: If the audit trail has been archived, this value is true, otherwise it is false. For details about where and when it was archived, see the psm.archive.* fields (Archive date, Archive server, Archive path, and Archive policy) later in this list.

Audit trail path
Name: Audit trail path
Search filter: psm.audit_trail
Displayed: No

Description: The path to the audit trail file on SPS. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.

Authentication method
Name: Authentication method
Search filter: psm.auth_method
Displayed: Yes (overview and details tabs)

Description: The authentication method used in the connection. For example, password.

Channel policy
Name: Channel policy
Search filter: psm.channel_policy
Displayed: Yes (details tab)

Description: References the name of the channel policy. You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.

Client port
Name: Client port
Search filter: client.port
Displayed: Yes (overview and details tabs)

Description: The port of the client.

Commands available
Name: Commands available
Search filter: psm.command_extracted
Displayed: No

Description: If commands have been extracted from this terminal session, this value is true, otherwise it is false.

The extracted commands are available in the events object field.

Connection policy
Name: Connection policy
Search filter: psm.connection_policy
Displayed: Yes (details tab)

Description: The name of the Connection Policy that handled the session, for example, ssh_gateway_auth. This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.

Connection policy ID
Name: Connection policy ID
Search filter: psm.connection_policy_id
Displayed: Yes (details tab)

Description: The key of the Connection Policy that handled the session, for example, 54906683158e768e727100. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.

Indexing status
Name: Indexing status
Search filter: psm.index_status
Displayed: Yes (details tab)

Description: Shows if the channel has been indexed. The following values are possible:

  • Connection is active (0): The connection that the channel belongs to is still open (the indexer is waiting for it to close).

  • Not indexed (1): All channels of the connection have been closed. The channel is ready for indexing, unless the audit trail was placed in the skipped_connections queue.

  • Indexing in progress (2): The channel is being indexed. Note that SPS returns search results for the parts of the channel that are already indexed.

  • Indexed (3): Indexing the channel is complete.

  • Indexing not required (4): Indexing is not enabled for the connection.

  • Indexing failed (5): Indexing failed. The indexer service writes the corresponding error message in the error_message column of the indexer_jobs table. Note that SPS returns search results for the parts of the channel that were successfully indexed before the error occurred. For example, if the error occurred at the end of a long audit trail, you can still search for content from the first part of the audit trail.

  • No trail (6): Auditing is not enabled for the channel.

Indexing CPU time
Name: Indexing CPU time
Search filter: psm.indexer.statistics.cpu_time
Displayed: No

Description: The CPU time that indexing this session took in milliseconds.

Indexing duration
Name: Indexing duration
Search filter: psm.indexer.statistics.duration
Displayed: No

Description: The duration of time that indexing this session took in milliseconds.

Indexing start time
Name: Indexing start time
Search filter: psm.indexer.statistics.start_time
Displayed: No

Description: The time and date when indexing this session started.

Indexer ADP version
Name: Indexer ADP version
Search filter: psm.indexer.version.adp
Displayed: No

Description: The version of the audit data processor used for indexing the session.

Indexer version
Name: Indexer version
Search filter: psm.indexer.version.worker
Displayed: No

Description: The version of the indexer worker used for indexing the session.

Indexing status
Name: Indexing status
Search filter: psm.indexer.status
Displayed: No

Description: Shows if the channel has been indexed successfully or not.

Indexing error
Name: Indexing error
Search filter: psm.indexer.error.message
Displayed: No

Description: The reason why indexing failed.

Commands indexed
Name: Commands indexed
Search filter: psm.indexer.config.command.enabled
Displayed: No

Description: True if commands were extracted while indexing the session.

Titles indexed
Name: Titles indexed
Search filter: psm.indexer.config.title.enabled
Displayed: No

Description: True if window titles were extracted while indexing the session.

Screen content indexed
Name: Screen content indexed
Search filter: psm.indexer.config.screen.enabled
Displayed: No

Description: True if screen content was extracted while indexing the session.

OCR tradeoff
Name: OCR tradeoff
Search filter: psm.indexer.config.screen.omnipage_trade_off
Displayed: No

Description: The tradeoff used for optical character recognition when extracting screen content while indexing the session.

Keyboard extracted
Name: Keyboard extracted
Search filter: psm.indexer.config.keyboard.enabled
Displayed: No

Description: True if keyboard events were extracted while indexing the session.

Keyboard buffering interval
Name: Keyboard buffering interval
Search filter: psm.indexer.config.keyboard.buffer_interval
Displayed: No

Description: The buffering interval in milliseconds used when extracting keyboard events while indexing the session.

Mouse extracted
Name: Mouse extracted
Search filter: psm.indexer.config.mouse.enabled
Displayed: No

Description: True if mouse events were extracted while indexing the session.

Mouse buffering interval
Name: Mouse buffering interval
Search filter: psm.indexer.config.mouse.buffer_interval
Displayed: No

Description: The buffering interval in milliseconds used when extracting mouse events while indexing the session.

OCR languages
Name: OCR languages
Search filter: psm.indexer.config.ocr_languages
Displayed: No

Description: The language configuration for optical character recognition used when indexing the session.

Near real-time indexing
Name: Near real-time indexing
Search filter: psm.indexer.config.near_realtime
Displayed: No

Description: True if indexing this session was done near real-time (when the session was still active).

Network namespace
Name: Network namespace
Search filter: psm.network_id
Displayed: No

Description: The ID of the Linux network namespace where the session originated from.

Origin
Name: Origin
Search filter: origin
Displayed: No

Description: How SPA received this session. The following values are possible:

  • PSM for sessions based on an audit trail recorded by SPS.

  • LOG for sessions built from log data.

Score aggregated
Name: Score aggregated
Search filter: score.aggregated
Displayed: No

Description: The risk score that SPA assigned to the session. Values range from 0 to 100, with 100 representing the highest risk.

You can also query the scores.aggregated element, which lists all score.aggregated values that SPA ever assigned to the session.

Server local address
Name: Server local address
Search filter: psm.server_local.address
Displayed: Yes (overview and details tabs)

Description: The IP of SPS.

Server local port
Name: Server local port
Search filter: psm.server_local.port
Displayed: Yes (overview and details tabs)

Description: The port of SPS.

Session id
Name: Session id
Search filter: psm.session_id
Displayed: Yes (overview and details tabs)

Description: The identifier of the session.

Target address
Name: Target address
Search filter: psm.target.address
Displayed: Yes (overview and details tabs)

Description: The IP address the client targeted for connection.

Target port
Name: Target port
Search filter: psm.target.port
Displayed: Yes (overview and details tabs)

Description: The port the client targeted for connection.

Window titles available
Name: Window titles available
Search filter: psm.window_title_extracted
Displayed: No

Description: If window titles have been extracted from this graphical session, this value is true, otherwise it is false.

The extracted window titles are available in the events object field.

Archive date
Name: Archive date
Search filter: psm.archive.date
Displayed: No

Description: The date when the audit trail was archived in UNIX timestamp format (for example, 1451865600).

Archive server
Name: Archive server
Search filter: psm.archive.server
Displayed: No

Description: The address of the remote server where the audit trail was archived.

Archive path
Name: Archive path
Search filter: psm.archive.path
Displayed: No

Description: The path on the remote server where the audit trail was archived.

Archive policy
Name: Archive policy
Search filter: psm.archive.policy
Displayed: No

Description: The ID of the archiving policy that was used to archive the audit trail.

Channel is active
Name: Channel is active
Search filter: psm.channels.active
Displayed: No

Description: If the returned value is true, the session has not ended yet and the channel is active.

Audit stream ID
Name: Audit stream ID
Search filter: psm.channels.audit_stream_id
Displayed: No

Description: The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.

Channel duration
Name: Channel duration
Search filter: psm.channels.duration
Displayed: No

Description: The duration of the connection. Computed value.

Channel end time
Name: Channel end time
Search filter: psm.channels.end_time
Displayed: No

Description: The UNIX timestamp of the end of the connection. For ongoing connections, the value is null.

Channel start time
Name: Channel start time
Search filter: psm.channels.start_time
Displayed: No

Description: The UNIX timestamp of the start of the connection.

Channel type
Name: Channel type
Search filter: psm.channels.type
Displayed: No

Description: The type of the channel. Additional elements might be used with certain ICA, SSH and RDP channel types.

Channel verdict
Name: Channel verdict
Search filter: psm.channels.verdict
Displayed: No

Description: The channel's connection verdict.

Possible values are:

  • accept

    The connection attempt was successful.

  • deny

    The connection attempt was denied.

  • four-eyes-deferred

    Four-eyes authorization is unable to progress as it is waiting for a remote username.

  • four-eyes-error

    An internal error occurred during four-eyes authorization.

  • four-eyes-reject

    The connection attempt was rejected by a four-eyes agent on SPS.

  • four-eyes-timeout

    Four-eyes authorization timed out.

Executed commands
Name: Executed commands
Search filter: psm.channels.command
Displayed: No

Description: Used with the session exec SSH channel type.

The executed command.

SCP path
Name: SCP path
Search filter: psm.channels.scp_path
Displayed: No

Description: Used with the session exec scp SSH channel type.

The folder used for Secure Copy.

Subsystem name
Name: Subsystem name
Search filter: psm.channels.subsystem_name
Displayed: No

Description: Used with the session subsystem sftp SSH channel type.

The name of the used subsystem.

Channel originator address
Name: Channel originator address
Search filter: psm.channels.originator.address
Displayed: No

Description: Used with the local forward and remote forward SSH channel types.

The source address of the forwarded traffic.

Originator port
Name: Originator port
Search filter: psm.channels.originator.port
Displayed: No

Description: Used with the local forward and remote forward SSH channel types.

The source port of the forwarded traffic.

Port-forward target IP
Name: Port-forward target IP
Search filter: psm.channels.connected.address
Displayed: No

Description: Used with the local forward and remote forward SSH channel types.

The target address of the forwarded traffic.

Port-forward target port
Name: Port-forward target port
Search filter: psm.channels.connected.port
Displayed: No

Description: Used with the local forward and remote forward SSH channel types.

The target port of the forwarded traffic.

Dynamic channel
Name: Dynamic channel
Search filter: psm.channels.dynamic_channel
Displayed: No

Description: Used with the dynamic virtual RDP channel type.

The name of the dynamic channel.

Device name
Name: Device name
Search filter: psm.channels.device_name
Displayed: No

Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.

The name of the device.

Application
Name: Application
Search filter: psm.channels.application
Displayed: No

Description: Used with ICA connections.

The name of the application accessed in a seamless Citrix ICA connection.

Four-eyes authorizer
Name: Four-eyes authorizer
Search filter: psm.channels.four_eyes_authorizer
Displayed: No

Description: The username of the user who authorized the session.

Available only if four-eyes authorization is required for the channel.

Four-eyes description
Name: Four-eyes description
Search filter: psm.channels.four_eyes_description
Displayed: No

Description: The description of the session submitted by the authorizer of the session.

Available only if four-eyes authorization is required for the channel.

Alert type
Name: Alert type
Search filter: psm.alerts.alert_type
Displayed: No

Description: The type of the event that triggered the alert. Possible values:

  • adp.event.command: A command entered in SSH or Telnet.

  • adp.event.screen.content: Alert triggered by the screen content.

  • adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.

  • adp.event.screen.windowtitle: The title of the window in graphic protocols.

Channel id
Name: Channel id
Search filter: psm.alerts.channel_id
Displayed: No

Description: A reference to the ID of the channel in the session where the event occurred.

Matched content
Name: Matched content
Search filter: psm.alerts.matched_content
Displayed: No

Description: The content that occurred in the session and triggered the alert. Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert if a user types the sudo command, then the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.

Matched regexp
Name: Matched regexp
Search filter: psm.alerts.matched_regexp
Displayed: No

Description: The regular expression (match field) of the Content Policy that matched a part of the content and triggered the alert.

For details, see Real-time content monitoring with Content Policies.

Event ID
Name: Event ID
Search filter: psm.alerts.record_id
Displayed: No

Description: The ID number of the alert within the session.

Rule name
Name: Rule name
Search filter: psm.alerts.rule_name
Displayed: No

Description: The name of the content policy rule that triggered the alert. Note that this is not the name of the Content Policy.

Alert time
Name: Alert time
Search filter: psm.alerts.time
Displayed: No

Description: The timestamp when the alert was triggered, for example, 2017-04-25T13:26:39.144356.

Channel ID
Name: Channel ID
Search filter: psm.channels.id
Displayed: No

Description: A reference to the ID of the channel in the session where the event occurred.

Event content
Name: Event content
Search filter: psm.events.content
Displayed: No

Description: The event that occurred in the session. Note that this value contains the context of the event as well. For example, for command events in terminal sessions, the value contains the entire command line, including the command prompt. For example, myuser@examplehost:~$ man sudo.

Event type
Name: Event type
Search filter: psm.events.type
Displayed: No

Description: The type of the event. Possible values:

  • adp.event.command: A command entered in SSH or Telnet.

  • adp.event.screen.content: Screen content.

  • adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.

  • adp.event.screen.windowtitle: The title of the window in graphic protocols.

Event date
Name: Event date
Search filter: psm.events.time
Displayed: No

Description: The timestamp when the event occurred, for example, 2017-04-25T13:26:39.144356.
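
The fields above are most useful when read together: the verdict tells you whether and why SPS ended or refused a session, the indexing status tells you how much of the session a content query can actually reach, and the alert fields carry the content-policy hit itself. The following Python is an added example (not SPS product code or a documented API) that applies those semantics to a small set of constructed session records whose layout mirrors the field names in this section. The nested structure and the sample values are assumptions for illustration; the layout of the REST API's JSON is not shown on this page and may differ.

```python
"""Triage SPS session metadata using the verdict, index status and alert fields.

Added example, not SPS product code. SAMPLE_SESSIONS is constructed to mirror
the field names documented above (psm.verdict, psm.index_status, psm.alerts.*);
the real REST API layout may differ.
"""
from typing import List

# psm.index_status values as documented above.
INDEX_STATUS = {
    0: "Connection is active",
    1: "Not indexed",
    2: "Indexing in progress",
    3: "Indexed",
    4: "Indexing not required",
    5: "Indexing failed",
    6: "No trail",
}

# Every psm.verdict other than a clean accept signals something worth a look:
# a content-policy termination, a hostkey mismatch, a failed gateway login...
REVIEW_VERDICTS = {
    "accept-terminated", "auth-fail", "deny", "fail",
    "gw-auth-fail", "key-error", "user-mapping-fail",
}


def content_search_coverage(index_status: int) -> str:
    """How much of a session a content query can reach right now.

    Status 3 is fully searchable; for 2 (in progress) and 5 (failed) SPS only
    returns hits from the part that was indexed; the others have no index."""
    if index_status == 3:
        return "complete"
    if index_status in (2, 5):
        return "partial"
    return "none"


def triage(sessions: List[dict]) -> List[dict]:
    """Return one finding per session that has a non-accept verdict or a
    command / credit-card alert, annotated with how searchable it is."""
    findings = []
    for s in sessions:
        psm = s["psm"]
        reasons = []
        if psm["verdict"] in REVIEW_VERDICTS:
            reasons.append(f"verdict {psm['verdict']}")
        for alert in psm.get("alerts", []):
            if alert["alert_type"] == "adp.event.command":
                # matched_content carries the whole command line, prompt included
                reasons.append(f"command alert '{alert['rule_name']}': {alert['matched_content']}")
            elif alert["alert_type"] == "adp.event.screen.creditcard":
                reasons.append("credit card number detected on screen")
        if reasons:
            findings.append({
                "session_id": psm["session_id"],
                "gateway_user": psm["gateway_username"],
                "server": f"{s['server']['address']}:{s['server']['port']}",
                "protocol": s["protocol"],
                "reasons": reasons,
                "index_status": INDEX_STATUS[psm["index_status"]],
                "content_search": content_search_coverage(psm["index_status"]),
                "index_error": psm.get("indexer", {}).get("error", {}).get("message"),
            })
    return findings


# Constructed sample data (not captured from a real appliance).
SAMPLE_SESSIONS = [
    {   # clean SSH session, fully indexed: nothing to review
        "start_time": "2017-04-11T09:23:38.000+02:00", "protocol": "ssh",
        "server": {"address": "10.30.255.70", "port": 22},
        "psm": {"session_id": "sess-0001", "gateway_username": "alice",
                "server_username": "root", "verdict": "accept",
                "index_status": 3, "alerts": []},
    },
    {   # terminated by a content policy on a sudo command; indexing later failed
        "start_time": "2017-04-25T13:20:02.000+02:00", "protocol": "ssh",
        "server": {"address": "10.30.255.71", "port": 22},
        "psm": {"session_id": "sess-0002", "gateway_username": "bob",
                "server_username": "myuser", "verdict": "accept-terminated",
                "index_status": 5,
                "indexer": {"error": {"message": "constructed: indexer ran out of disk space"}},
                "alerts": [{"alert_type": "adp.event.command", "rule_name": "no-sudo",
                            "matched_content": "myuser@examplehost:~$ sudo su -",
                            "time": "2017-04-25T13:26:39.144356"}]},
    },
    {   # RDP attempt that failed gateway authentication: no trail exists
        "start_time": "2017-04-25T14:02:11.000+02:00", "protocol": "rdp",
        "server": {"address": "10.30.255.80", "port": 3389},
        "psm": {"session_id": "sess-0003", "gateway_username": "carol",
                "server_username": "", "verdict": "gw-auth-fail",
                "index_status": 6, "alerts": []},
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SESSIONS):
        print(f"{f['session_id']} {f['protocol']} {f['server']} by {f['gateway_user']}")
        for r in f["reasons"]:
            print(f"  - {r}")
        print(f"  content search: {f['content_search']} ({f['index_status']})")
```

The coverage label is the practical point: a session with status 5 still yields content hits for the part indexed before the failure, so an empty search on such a session does not prove the content was never there.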

Using the content query

NOTE:

This feature is available only if auditing and content indexing were requested for the connection.

For more information, see Configuring the internal indexer.

The content query enables you to search in the contents of audit trails. There are various ways to refine your content query. You can:

  • use wildcards

  • use boolean expressions

  • search in the commands of terminal connections (for example, command:"sudo su")

  • search in the window titles of graphical connections (for example, title:settings)

The following sections provide examples for different search queries:

For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.

Searching for exact matches

By default, SPS searches for keywords as whole words and returns only exact matches.

NOTE:

If your search keywords include special characters, you must escape them with a backslash (\) character. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

For more information on special characters, see Searching for special characters.

Example: Searching for exact matches

Search expression on the web interface: example
Matches: example
Does not match: examples, example.com, query-by-example, exam

To search for an exact phrase, enclose the search keywords in double quotes.

Search expression on the web interface: "example command"
Search expression on the REST API: %22example%20command%22
Matches: example command
Does not match: example, command, example: command

To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface: C\:\\Windows
Search expression on the REST API: C%5C%3A%5C%5CWindows
Matches: C:\Windows

Combining search keywords

You can use the boolean operators AND, OR, NOT, and + (required) to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,

Example: Combining keywords in search

Search expression on the web interface: keyword1 AND keyword2
Search expression on the REST API: keyword1%20AND%20keyword2
Matches: hits that contain both keywords

Search expression on the web interface: keyword1 OR keyword2
Search expression on the REST API: keyword1%20OR%20keyword2
Matches: hits that contain at least one of the keywords

Search expression on the web interface: "keyword1 keyword2" NOT "keyword2 keyword3"
Search expression on the REST API: %22keyword1%20keyword2%22%20NOT%20%22keyword2%20keyword3%22
Matches: hits that contain the first phrase, but not the second

Search expression on the web interface: +keyword1 keyword2
Search expression on the REST API: %2Bkeyword1%20keyword2
Matches: hits that contain keyword1, and may contain keyword2

To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".

Example: Using parentheses in search

Use parentheses to create more complex search expressions:

Search expression on the web interface: (keyword1 OR keyword2) AND keyword3
Search expression on the REST API: %28keyword1%20OR%20keyword2%29%20AND%20keyword3
Matches: hits that contain either keyword1 and keyword3, or keyword2 and keyword3

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Example: Using wildcard ? in search

The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.

You cannot use a * or ? symbol as the first character of a search.

Search expression on the web interface: example?
Search expression on the REST API: example%3F
Matches: example1, examples, example?
Does not match: example.com, example12, query-by-example

Search expression on the web interface: example??
Search expression on the REST API: example%3F%3F
Matches: example12
Does not match: example.com, example1, query-by-example

Example: Using wildcard * in search

The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.

Search expression on the web interface: example*
Search expression on the REST API: example%2A
Matches: example, examples, example.com
Does not match: query-by-example, example*

Example: Using combined wildcards in search

Wildcard characters can be combined.

Search expression on the web interface: ex?mple*
Search expression on the REST API: ex%3Fmple%2A
Matches: example1, examples, example.com, exemple.com, example12
Does not match: exmples, query-by-example

Searching for special characters

To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example: Searching for special characters

To search for a special character, use a backslash (\).

Search expression on the web interface: example\?
Search expression on the REST API: example%5C%3F
Matches: example?
Does not match: examples, example1

To search for a string that includes a backslash character, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface: C\:\\Windows
Search expression on the REST API: C%5C%3A%5C%5CWindows
Matches: C:\Windows

To search for a string that includes a slash character, for example, a UNIX path, you must escape every slash with a backslash (\/).

Search expression on the web interface: \/var\/log\/messages
Search expression on the REST API: %5C%2Fvar%5C%2Flog%5C%2Fmessages
Matches: /var/log/messages

Search expression on the web interface: \(1\+1\)\:2
Search expression on the REST API: %5C%281%5C%2B1%5C%29%5C%3A2
Matches: (1+1):2

Searching in commands and window titles

For terminal connections, use the command: prefix to search only in commands (excluding screen content). For graphical connections, use the title: prefix to search only in window titles (excluding screen content). To exclude hits that are window titles, so that only screen content matches, use the following format: keyword AND NOT title:[* TO *]. The same construct with the command: prefix (keyword AND NOT command:[* TO *]) excludes hits that are commands.

You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.

Example: Searching in commands and window titles
Search expression on the web interface: command:"sudo su"
Search expression on the REST API: command%3A%22sudo+su%22
Matches: sudo su as a terminal command
Does not match: sudo su in general screen content

Search expression on the web interface: title:settings
Search expression on the REST API: title%3Asettings
Matches: settings appearing in the title of an active window
Does not match: settings in general screen content

To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.

Search expression on the web interface: properties AND NOT title:[* TO *]
Search expression on the REST API: properties%20AND%20NOT%20title%3A%5B%2A%20TO%20%2A%5D
Matches: properties appearing in the screen content, but not as a window title
Does not match: properties in window titles

You can also combine these search filters with other expressions and wildcards.

Search expression on the web interface: title:properties AND gateway
Search expression on the REST API: title%3Aproperties%20AND%20gateway
Matches: a screen where properties appears in the window title, and gateway in the screen content (or as part of the window title)
Does not match: screens where both properties and gateway appear, but properties is not in the window title
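
Getting the escaping right by hand is error-prone, and the REST API wants the same expression percent-encoded on top. The following Python is an added example (not SPS product code, and the function names are this example's own) that applies the rules from the exact-match, special-character and command:/title: sections above: it backslash-escapes the listed special characters, wraps phrases in double quotes, adds a field prefix, and percent-encodes the result. The one assumption not stated on this page is how a double quote or backslash inside a quoted phrase is escaped; the example follows the usual Lucene convention of a backslash prefix.

```python
"""Compose SPS content-search expressions and encode them for the REST API.

Added example; not code from the SPS documentation or product. It applies the
rules described above: backslash-escape the special characters
+ - & | ! ( ) { } [ ] ^ " ~ * ? : \\ / to match them literally, wrap exact
phrases in double quotes, use command:/title: to search only commands or
window titles, and percent-encode the finished expression for the REST API.
"""

# Special characters exactly as listed on this page.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/')

# Characters the encoder leaves as-is. Deliberately narrower than the RFC 3986
# unreserved set so that '~' is encoded as %7E, matching the examples above.
_UNENCODED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")


def literal(text: str) -> str:
    """Escape every special character so the whole string is matched literally."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in text)


def phrase(words: str) -> str:
    """Quote a multi-word keyword so it is matched as an exact phrase.

    Assumption (Lucene convention, not stated on this page): a double quote or
    backslash inside the phrase is itself escaped with a backslash."""
    inner = words.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def fielded(prefix: str, expression: str) -> str:
    """Restrict an expression to commands (command:) or window titles (title:)."""
    return f"{prefix}:{expression}"


def screen_content_only(expression: str) -> str:
    """Match in screen content while excluding hits that are window titles."""
    return f"{expression} AND NOT title:[* TO *]"


def rest_encode(expression: str) -> str:
    """Percent-encode a finished expression for the REST API query string.

    Every byte outside _UNENCODED becomes %XX (uppercase hex), so spaces are
    %20, quotes %22, backslashes %5C and the tilde %7E."""
    out = []
    for ch in expression:
        if ch in _UNENCODED:
            out.append(ch)
        else:
            out.extend(f"%{byte:02X}" for byte in ch.encode("utf-8"))
    return "".join(out)


if __name__ == "__main__":
    for expr in (
        literal("C:\\Windows"),
        literal("/var/log/messages"),
        literal("(1+1):2"),
        phrase("example command"),
        fielded("command", phrase("sudo su")),
        screen_content_only("properties"),
        fielded("title", "properties") + " AND gateway",
    ):
        print(f"{expr:40} -> {rest_encode(expr)}")
```

Note that literal() is for whole keywords that must match exactly as typed; it would also escape the * and ? wildcards, so build wildcard expressions by hand and only pass the fixed part through it.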

Searching for fuzzy matches

Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.

Example: Searching for fuzzy matches
Search expression on the web interface: roam~
Search expression on the REST API: roam%7E
Matches: roams, foam

Proximity search

Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.

Example: Proximity search
Search expression on the web interface: "keyword1 keyword2"~10
Search expression on the REST API: %22keyword1%20keyword2%22%7E10
Matches: hits that contain keyword1 and keyword2 within 10 words of each other

Adjusting the relevance of search terms

By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.

Example: Adjusting the relevance of search terms
Search expression on the web interface: keyword1^4 keyword2
Search expression on the REST API: keyword1%5E4%20keyword2
Matches: hits that contain keyword1 and keyword2, but keyword1 is 4 times more relevant

Search expression on the web interface: "keyword1 keyword2"^5 "keyword3 keyword4"
Search expression on the REST API: %22keyword1%20keyword2%22%5E5%20%22keyword3%20keyword4%22
Matches: hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5 times more relevant

Displaying statistics on search results

Purpose:

You can quickly sort and visualize the distribution of the sessions based on their various metadata, for example, username, server address, and so on.

Steps:
  1. Click the icon.

  2. Select the type of metadata you want to create statistics on from the Value distribution based on field, for example, select Username to display sessions based on username.

    Figure 227: Search > Search — Displaying statistics

  3. To exclude items from the pie chart, click the icon next to the metadata you want to exclude.

    For example, if you want to exclude results by a user called testbot, select the icon next to the item.

    Figure 228: Search > Search — Excluding items from the pie chart

    The pie chart no longer displays results for the excluded item. The percentages of the remaining items always add up to 100%.

    You can continue to restrict or refine your search results and view statistics as required.

Analyzing data using One Identity Safeguard for Privileged Analytics

SPA integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

Prerequisites:

Make sure that you have session data from network traffic that:

  • contains real, unique usernames linked to users other than root/administrator or a shared account

    To check this, navigate to Search > Search, and check whether the Username column contains data. This is important, because session data will be linked to users.

    If you do not have unique usernames in your session data, review your authentication settings and consult with the One Identity Professional Services team to learn about your options to tie accounts to users.

  • has commands extracted (using lightweight or full indexing, or in real-time through content policies)

    For instructions on how to configure indexing and include commands in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

    For details on how to configure real-time command extraction using a content policy, see "Creating a new content policy" in the Administration Guide.

  • has keystrokes extracted (using lightweight or full indexing, or in real-time through content policies)

    The minimum required amount of data for reliable insight is 5 sessions with approximately 200 keystrokes each.

    For instructions on how to configure indexing and include typing biometrics in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

    For details on how to configure real-time extraction of keystroke-related data using a content policy, see "Creating a new content policy" in the Administration Guide.

  • has window titles extracted (using lightweight or full indexing, or in real-time through content policies)

    For instructions on how to configure indexing and include window titles in the scope of indexing, see "Indexing audit trails" in the Administration Guide.

    For details on how to configure real-time window title extraction using a content policy, see "Creating a new content policy" in the Administration Guide.

Purpose:

To start using SPA, complete the following steps.

Steps:
  1. Start getting scores.

    Scoring happens in real-time, meaning that as soon as new data (even data from an ongoing session) is available, SPA immediately scores it.

    TIP:

    When data is not immediately available and you cannot wait until a sufficient amount of data comes in from production traffic, you can do the following:

    • Manually reindex historical sessions. For details, see "Reindex historical sessions" in the Safeguard for Privileged Analytics Configuration Guide.

    • Specifically for window title data, run the pam-process-historical-window-titles command to invoke window title processing for sessions that have been both closed and indexed.

      This can be useful, for example, when you have upgraded from an SPS version earlier than 5 F6, or when you have never used the window title algorithm and SPS has therefore not done any window title processing before.

    Scores represent an aggregated amount. Session data is scored by multiple algorithms independent from each other. Scores given by individual algorithms are aggregated to create a single score.

    For detailed instructions on how to configure SPA, see Safeguard for Privileged Analytics Configuration Guide.

  2. Search for sessions with high scores.

    1. Go to Search > Search.

      Sessions are displayed sorted by date. For ongoing sessions, the Search interface is updated in real-time to always show the most up-to-date information.

    2. In the Search query field, type score.aggregated: [80 TO 100], and click Search.

      A score between 80 and 100 indicates unusual user behavior.

      Figure 229: Searching for sessions with unusual user behavior using a search query

      Results that show sessions with high scores are displayed.

      Figure 230: Sessions with high scores — table view

      Figure 231: Sessions with high scores — card view

  3. Alternatively, search for scripted sessions.

    In the Search query field, type analytics.scripted:true, and click Search.

  4. To view details of a session, click when you are in table view.

    Alternatively, click when you are in card view.

  5. Click the analytics tab.

    The top of the page displays a summary of key insights about the session, such as:

    • The aggregated score (indicated by a gauge). The following color codes are used:

      • Scores between 80 and 100 indicate unusual behavior; their color code is red.

      • Scores between 70 and 79 indicate behavior that might require further analysis and attention; their color code is amber.

      • Scores between 0 and 69 indicate normal behavior; their color code is gray.

    • A one-sentence summary of each algorithm's verdict about the session and user behavior.

    The Anomalies found and Normal behavior sections of the page display detailed analyses provided by each of the configured algorithms. This includes short information on how a particular algorithm works and how to read the visualized insight, as well as scores given by the individual algorithms.

    Figure 232: Search — Viewing details on the analytics tab: Anomalies found

    Figure 233: Search — Viewing details on the analytics tab: Normal behavior
