One Identity Safeguard for Privileged Sessions 6.1.0 - Using Splunk with One Identity Safeguard for Privileged Sessions

Introduction

This document describes how you can use the services of the One Identity Safeguard for Privileged Sessions Add-on for Splunk (the Splunk Add-on) and the One Identity Safeguard for Privileged Sessions App for Splunk (the Splunk App) to process and visualize your events from One Identity Safeguard for Privileged Sessions (SPS).

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS and Splunk Add-on / Splunk App

If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.

The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.

The Splunk App creates useful dashboards to visualize your sessions audited with SPS.

Also, if you want to use your Microsoft Windows or Linux session logs for gap analysis and you have the Splunk Add-on for Microsoft Windows or the Splunk Add-on for Unix and Linux installed, the Splunk App allows you to spot potential audit gaps.

The Splunk Add-on

The Splunk Add-on is an add-on for Splunk that defines useful event types for your sessions originating from SPS. For more information, see Event types.

If you have an SPS device forwarding events to your Splunk, and you want to process and visualize these events with your own, custom dashboards, the Splunk Add-on can provide you with useful event types that you can use in your custom searches. For more information about visualizing events and customizing dashboards, see The Splunk App and Macros and search expressions.

When using SPS together with the Splunk Add-on, the events originating from SPS are parsed, indexed and labeled with tags. These tags help standardize data coming from various data sources. As a result, custom-searching in Splunk will be more effective.

Prerequisites and restrictions
Installation and configuration

To install the Splunk Add-on and configure SPS to forward events to Splunk

  1. Use your favorite install method to install the app (either by searching for the One Identity Safeguard for Privileged Sessions Add-on for Splunk app on your Splunk web UI, or by navigating to the SplunkBase website and installing the app manually).
  2. Configure SPS to forward events to Splunk. For detailed instructions, see "Using the universal SIEM forwarder" in the Administration Guide.
Parsing and indexing with the Splunk Add-on

If you want to search for a specific event type in your SPS index (for example, because you want to have a chart on your own dashboard about the distribution of different event types), look at the "Event type name" column in the [List of definitions] to filter for the different kinds. As an example, if you would like to count the number of "ServerConnect" events and visualize the results on a graph, you can do so with the following search expression:

search index=* | stats count(eval(eventtype=oneidentity_sps_server_connect)) AS count_server_connect BY eventtype

Event types

The table below lists the definitions of event types for your sessions originating from SPS and the definitions' descriptions.

Event type name

Description

oneidentity_sps_server_connect

ServerConnect event coming from SPS SIEM forwarder

oneidentity_sps_session_closed

SessionClosed event coming from SPS SIEM forwarder

oneidentity_sps_server_
authentication_success

ServerAuthenticationSuccess event coming from SPS SIEM forwarder

oneidentity_sps_server_
authentication_failure

ServerAuthenticationFailure event coming from SPS SIEM forwarder

oneidentity_sps_gateway_
authentication_failure

GatewayAuthenticationFailure event coming from SPS SIEM forwarder

oneidentity_sps_session_scored

SessionScored event coming from SPS SIEM forwarder

oneidentity_sps_command_channel_
event

CommandChannelEvent event coming from SPS SIEM forwarder

oneidentity_sps_window_title_channel_event

WindowTitleChannelEvent event coming from SPS SIEM forwarder

oneidentity_sps_rdp_embedded_in_tsg

RdpEmbeddedInTsg event coming from SPS SIEM forwarder

oneidentity_sps_file_transfer

FileTransfer event coming from SPS SIEM forwarder

The Splunk App

The One Identity Safeguard for Privileged Sessions App for Splunk creates useful dashboards to visualize your sessions audited with SPS. With this app, you can get an overview of your audited sessions and pinpoint interesting ones to be able to investigate them further. Also, if you have other sources of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) as well as those originating from SPS, you can compare the two sources of information and see if all the necessary sessions are audited without audit gaps.

When used together with the Splunk App, you can customize your search with the help of your defined events and visualize your sessions originating from SPS on customized dashboards.

Prerequisites and restrictions

NOTE:

It is a prerequisite to have the Splunk Add-on installed for the Splunk App to work. When you install the Splunk App, it is presumed that SPS is already configured to forward events to Splunk and Splunk already receives these forwarded events. In such a setup, all events from SPS should arrive to a separate index in Splunk (if it's not the case, fix it before installing and setting up the Splunk App).

Installation and setup

To install and setup the Splunk App

  1. Use your favorite install method to install the app (either by searching for the One Identity Safeguard for Privileged Sessions App for Splunk app on your Splunk web UI, or by navigating to the SplunkBase website and installing the the app manually).
  2. On the setup page of the Splunk App, provide the name of the index into which the SPS events will be arriving.
  3. (Optional) If such an index does not exist yet and you want to configure forwarding later, just specify an index name of your choice and the Splunk App will create the index for you. In this case, pay attention to forward the events into this index later, when configuring forwarding from SPS.
  4. There is another index you can specify, which will be the origin of data coming from logs. You can use this app to spot "audit gaps" (that is, unaudited sessions), but for that to work, you need logs from the hosts directly.
  5. (Optional) If you already have forwarders set up to forward logs from your hosts to Splunk, specify the name of the index for the app into which the logs are forwarded.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents