One Identity Safeguard for Privileged Sessions 6.2.0 - Administration Guide


JSON_CIM messages

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the server for the first time in the session.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | ServerConnect
action | Action | message | always | the action taken by the device according to the CIM model | added
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | message | always | empty, not known in this message type | (empty)
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp
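The field table above can be turned directly into a validator for a collector or SIEM ingest pipeline. The following Python is an added example, not code from this guide or from One Identity: it parses one JSON_CIM line, converts `_time` to a UTC datetime (the example values on this page have 13 digits, i.e. milliseconds since the epoch, which the code assumes), turns the port strings into integers, and checks the message against the "always" and "sometimes" columns of the ServerConnect table. The first sample line is the page's own example message; the second is a constructed variant with `dest_ip` removed and an undocumented field added.

```python
import json
from datetime import datetime, timezone

# Fields the ServerConnect (initial contact) table lists as "always" present.
SERVERCONNECT_REQUIRED = {
    "vendor", "product", "dvc", "session_id", "event_name", "action", "_time",
    "app", "dest_ip", "dest", "user", "dest_port", "src_ip", "src", "src_port",
    "transport",
}
# Listed as "sometimes": present only after a successful gateway authentication.
SERVERCONNECT_OPTIONAL = {"src_user"}
# Documented as "empty, not known in this message type": an empty string is expected.
EXPECTED_EMPTY = {"user"}

# Page's example message, followed by a constructed broken variant.
SAMPLE_OK = '{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000"}'
SAMPLE_BAD = '{"vendor":"OneIdentity","user":"","transport":"tcp","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"constructed-1","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000","extra":"x"}'


def parse_cim_message(line: str) -> dict:
    """Parse one JSON_CIM line into a dict with normalised types.

    Every value in the emitted JSON is a string (ports and _time included), so
    the conversions happen once here rather than in every consumer. The
    13-digit _time values on this page are taken to be milliseconds (assumption).
    """
    msg = json.loads(line)
    if not isinstance(msg, dict):
        raise ValueError("JSON_CIM message must be a JSON object")
    out = dict(msg)
    out["time"] = datetime.fromtimestamp(int(msg["_time"]) / 1000, tz=timezone.utc)
    for port_key in ("src_port", "dest_port"):
        value = msg.get(port_key, "")
        out[port_key] = int(value) if value != "" else None
    return out


def validate_serverconnect(msg: dict) -> list:
    """Return a list of problems; an empty list means the message matches the table."""
    problems = []
    if msg.get("vendor") != "OneIdentity":
        problems.append("vendor is not OneIdentity")
    if msg.get("event_name") != "ServerConnect":
        problems.append("event_name is not ServerConnect")
    for key in sorted(SERVERCONNECT_REQUIRED):
        if key not in msg:
            problems.append(f"missing required field {key}")
        elif msg[key] == "" and key not in EXPECTED_EMPTY:
            problems.append(f"required field {key} is empty")
    # "time" is the derived datetime added by parse_cim_message, not a wire field.
    unknown = set(msg) - SERVERCONNECT_REQUIRED - SERVERCONNECT_OPTIONAL - {"time"}
    for key in sorted(unknown):
        problems.append(f"undocumented field {key}")
    return problems


if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_BAD):
        parsed = parse_cim_message(line)
        print(parsed["session_id"], parsed["time"].isoformat(), validate_serverconnect(parsed) or "ok")
```

Undocumented fields are reported rather than dropped: a new product version may add fields, and a collector that silently discards them loses evidence, while one that silently accepts them never notices the schema drifted.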

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the server to open further channels. The difference from the initial connection is that the server user name is known and authenticated by this time.

Example message:

{"vendor":"OneIdentity","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","user":"root","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | ServerConnect
action | Action | message | always | the action taken by the device according to the CIM model | added
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | session | always | the server username | root
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp

ServerAuthenticationSuccess

Description of the message: Emitted after server authentication has succeeded.

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"57982","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-38","product":"SPS-5.11.0","event_name":"ServerAuthenticationSuccess","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"success","_time":"1557913189329"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | ServerAuthenticationSuccess
action | Action | message | always | marks a successful authentication | success
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | session | always | the server username | root
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerAuthenticationFailure","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"failure","_time":"1557913197211"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | ServerAuthenticationFailure
action | Action | message | always | marks a failed authentication | failure
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | session | always | contains the non-authenticated server username | root
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"49070","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-15","product":"SPS-5.11.0","event_name":"GatewayAuthenticationFailure","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"ssh","action":"failure","_time":"1557912792360"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | GatewayAuthenticationFailure
action | Action | message | always | marks a failed authentication | failure
dest | Destination host name | session | always | empty, not known in this message type | (empty)
dest_ip | Destination address | session | always | empty, not known in this message type | (empty)
user | Name of the user | message | always | empty, not known in this message type | (empty)
dest_port | Destination port | session | always | empty, not known in this message type | (empty)
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | message | always | the non-authenticated gateway username | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and both server authentication and any gateway authentication were successful. There may be further messages related to the session after this one, due to post-processing of session data.

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"48302","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-12","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","verdict":"ACCEPT","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","_time":"1557912765545"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | SessionClosed
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | session | always | the server username | root
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp
verdict | Verdict | session | always | describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED | ACCEPT

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"","src_port":"49070","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-15","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"ssh","_time":"1557912792398","verdict":"AUTH_FAIL"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | SessionClosed
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | empty, not known in this message type | (empty)
dest | Destination host name | session | always | empty, not known in this message type | (empty)
user | Name of the user | message | always | empty, not known in this message type | (empty)
dest_port | Destination port | session | always | empty, not known in this message type | (empty)
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | always | empty, not known in this message type | (empty)
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp
verdict | Verdict | session | always | describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED | AUTH_FAIL

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"49426","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-17","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","dest_port":"22","verdict":"AUTH_FAIL","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","_time":"1557912813792"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | SessionClosed
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | the IP address of the server | 10.170.255.206
dest | Destination host name | session | always | the server hostname or IP address if hostname is not known | server.acme.com
user | Name of the user | message | always | empty, not known in this message type | (empty)
dest_port | Destination port | session | always | the port number on the server | 22
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | sometimes | the authenticated gateway username if there was a successful gateway authentication | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp
verdict | Verdict | session | always | describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED | AUTH_FAIL
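Because every message for one session carries the same session_id, a collector can fold ServerConnect, the authentication messages and SessionClosed into a single record per session and act on the verdict. The Python below is an added example, not part of this guide or of SPS: the message stream is constructed after the examples in the sections above (session identifiers shortened to s-12, s-15 and s-17), and the record layout, the 300-second window and the two-failure threshold in flag_auth_failures are assumptions chosen for the example. It also keeps the attempted gateway username from GatewayAuthenticationFailure, which the guide notes is dropped from later messages, so that the SessionClosed with an empty src_user can still be tied to an account name during an investigation.

```python
from collections import defaultdict

# Fields shared by the constructed messages below (values taken from the page's examples).
COMMON = {"vendor": "OneIdentity", "product": "SPS-5.11.0", "dvc": "sps1.acme.com",
          "app": "ssh", "transport": "tcp", "src_ip": "10.30.0.24", "src": "client.acme.com"}
SERVER = {"dest_ip": "10.170.255.206", "dest": "server.acme.com", "dest_port": "22"}
NO_SERVER = {"dest_ip": "", "dest": "", "dest_port": ""}   # "empty, not known" in the tables


def cim(event_name, session_id, time_ms, **fields):
    """Build one constructed message, shaped like json.loads() of a JSON_CIM line."""
    message = dict(COMMON, event_name=event_name, session_id=session_id, _time=str(time_ms))
    message.update(fields)
    return message


# Constructed stream: one accepted session, one failed gateway login, one failed server login.
STREAM = [
    cim("ServerConnect", "s-12", 1557912700000, user="", src_user="gwtestauto", action="added", **SERVER),
    cim("ServerAuthenticationSuccess", "s-12", 1557912701000, user="root", src_user="gwtestauto", action="success", **SERVER),
    cim("SessionClosed", "s-12", 1557912765545, user="root", src_user="gwtestauto", verdict="ACCEPT", **SERVER),
    cim("GatewayAuthenticationFailure", "s-15", 1557912792360, user="", src_user="gwtestauto", action="failure", **NO_SERVER),
    cim("SessionClosed", "s-15", 1557912792398, user="", src_user="", verdict="AUTH_FAIL", **NO_SERVER),
    cim("ServerConnect", "s-17", 1557912810000, user="", src_user="gwtestauto", action="added", **SERVER),
    cim("ServerAuthenticationFailure", "s-17", 1557912813000, user="root", src_user="gwtestauto", action="failure", **SERVER),
    cim("SessionClosed", "s-17", 1557912813792, user="", src_user="gwtestauto", verdict="AUTH_FAIL", **SERVER),
]


def new_record(m):
    """Empty per-session record, seeded from the first message seen for the session."""
    return {"first_seen": int(m["_time"]), "last_seen": int(m["_time"]), "src_ip": m["src_ip"],
            "dest": None, "dest_port": None, "server_user": None, "server_auth": None,
            "gateway_user": None, "gateway_auth": None, "attempted_gateway_user": None,
            "verdict": None, "events": []}


def build_sessions(stream):
    """Fold a message stream into one record per session_id."""
    sessions = {}
    for m in stream:
        s = sessions.setdefault(m["session_id"], new_record(m))
        ev = m["event_name"]
        s["last_seen"] = int(m["_time"])
        s["events"].append(ev)
        if m.get("dest"):
            s["dest"], s["dest_port"] = m["dest"], int(m["dest_port"])
        if ev == "GatewayAuthenticationFailure":
            # Per the guide this name is not authenticated and is dropped from later
            # messages, so it is kept under a separate key rather than as gateway_user.
            s["gateway_auth"] = "failure"
            s["attempted_gateway_user"] = m["src_user"]
        elif m.get("src_user"):
            # Outside GatewayAuthenticationFailure a non-empty src_user is authenticated.
            s["gateway_auth"] = "success"
            s["gateway_user"] = m["src_user"]
        if ev == "ServerAuthenticationSuccess":
            s["server_auth"], s["server_user"] = "success", m["user"]
        elif ev == "ServerAuthenticationFailure":
            s["server_auth"] = "failure"        # m["user"] here is the unauthenticated name
        elif ev == "SessionClosed":
            s["verdict"] = m.get("verdict")
    return sessions


def flag_auth_failures(sessions, window_ms=300_000, threshold=2):
    """Return {src_ip: count} for clients with >= threshold AUTH_FAIL closures in one window."""
    closures = defaultdict(list)
    for s in sessions.values():
        if s["verdict"] == "AUTH_FAIL":
            closures[s["src_ip"]].append(s["last_seen"])
    flagged = {}
    for ip, times in closures.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window_ms:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    sessions = build_sessions(STREAM)
    for sid, s in sessions.items():
        print(sid, s["verdict"], s["server_user"], s["gateway_user"], s["attempted_gateway_user"])
    print("flagged clients:", flag_auth_failures(sessions))
```

The verdict field is the authoritative outcome; server_auth and gateway_auth only record which step failed, which is what distinguishes a client that never got past the gateway from one that reached the server with a wrong credential.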

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"51204","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-47-4","product":"SPS-5.11.0","event_name":"RdpEmbeddedInTsg","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"rdp","action":"allowed","_time":"1558006936608"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | RdpEmbeddedInTsg
action | Action | message | always | the action taken by the device according to the CIM model | allowed
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
app | Application protocol | session | always | SPS supported protocol | ssh
dest_ip | Destination address | session | always | empty, not known in this message type | (empty)
dest | Destination host name | session | always | empty, not known in this message type | (empty)
user | Name of the user | message | always | empty, not known in this message type | (empty)
dest_port | Destination port | session | always | empty, not known in this message type | (empty)
src_ip | Source address | session | always | the IP address of the client | 10.30.0.24
src | Source host name | session | always | the client hostname or IP address if hostname is not known | client.acme.com
src_user | Source username | session | always | the authenticated gateway username | gwtestauto
src_port | Source port | session | always | the port number on the client | 38014
transport | Transport | session | always | the layer 3 protocol | tcp

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

{"vendor":"OneIdentity","signature":"keystroke","session_id":"svc-416YVFZMy7rT8RA7T7yeAs-my_connection-0","product":"SPS-5.11.0","event_name":"SessionScored","dvc":"sps1.acme.com","algorithm_score":"18","algorithm_name":"keystroke","aggregated_score":"70","action":"allowed","_time":"1558010880806"}

The message contains the following fields.

Field | Name | Scope | Present | Description | Example
------|------|-------|---------|-------------|--------
vendor | Device vendor | product | always | fixed to OneIdentity | OneIdentity
product | Product version | product | always | short product name with version | SPS-5.11.0
dvc | Device fqdn | device | always | the hostname of SPS | sps1.acme.com
session_id | Session ID | session | always | the unique identifier of the session | svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name | Event name | message | always | the type of the message | SessionScored
action | Action | message | always | the action taken by the device according to the CIM model | allowed
_time | Timestamp | message | always | the UNIX time stamp when the event occurred | 1554470652340
aggregated_score | Aggregated score | message | always | the average score from all enabled analytics algorithms | 50
algorithm_name | Algorithm name | message | always | the name of the algorithm that changed value | keystroke
signature | Signature | message | always | the algorithm name as CIM intrusion detection signature | hostlogin
algorithm_score | Algorithm score | message | always | the new score value of the algorithm that changed value | 60

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"vendor":"OneIdentity","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-12","product":"SPS-5.11.0","event_name":"CommandChannelEvent","dvc":"sps1.acme.com","command":"exit","action":"allowed","_time":"1557912765461"}

The message contains the following fields.

Field             Name              Scope    Present
vendor            Device vendor     product  always
                  Description: fixed to OneIdentity
                  Example: OneIdentity
product           Product version   product  always
                  Description: short product name with version
                  Example: SPS-5.11.0
dvc               Device fqdn       device   always
                  Description: the hostname of SPS
                  Example: sps1.acme.com
session_id        Session ID        session  always
                  Description: the unique identifier of the session
                  Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name        Event name        message  always
                  Description: the type of the message
                  Example: CommandChannelEvent
action            Action            message  always
                  Description: the action taken by the device according to the CIM model
                  Example: allowed
_time             Timestamp         message  always
                  Description: the UNIX time stamp when the event occurred
                  Example: 1554470652340
command           Command           message  always
                  Description: the full command detected
                  Example: exit

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"window_title":"Shortcut Tools Application Tools Administrative Tools","vendor":"OneIdentity","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-47-4","product":"SPS-5.11.0","event_name":"WindowTitleChannelEvent","dvc":"sps1.acme.com","action":"allowed","_time":"1558007001482"}

The message contains the following fields.

Field             Name              Scope    Present
vendor            Device vendor     product  always
                  Description: fixed to OneIdentity
                  Example: OneIdentity
product           Product version   product  always
                  Description: short product name with version
                  Example: SPS-5.11.0
dvc               Device fqdn       device   always
                  Description: the hostname of SPS
                  Example: sps1.acme.com
session_id        Session ID        session  always
                  Description: the unique identifier of the session
                  Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name        Event name        message  always
                  Description: the type of the message
                  Example: WindowTitleChannelEvent
action            Action            message  always
                  Description: the action taken by the device according to the CIM model
                  Example: allowed
_time             Timestamp         message  always
                  Description: the UNIX time stamp when the event occurred
                  Example: 1554470652340
window_title      Window title      message  always
                  Description: the window title detected in the graphical protocol
                  Example: firefox

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"vendor":"OneIdentity","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-324","product":"SPS-5.11.0","file_path":"/cpuinfo","file_operation":"UPLOAD","file_name":"cpuinfo","event_name":"FileTransfer","dvc":"sps1.acme.com","action":"allowed","_time":"1558023721326"}

The message contains the following fields.

Field             Name              Scope    Present
vendor            Device vendor     product  always
                  Description: fixed to OneIdentity
                  Example: OneIdentity
product           Product version   product  always
                  Description: short product name with version
                  Example: SPS-5.11.0
dvc               Device fqdn       device   always
                  Description: the hostname of SPS
                  Example: sps1.acme.com
session_id        Session ID        session  always
                  Description: the unique identifier of the session
                  Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0
event_name        Event name        message  always
                  Description: the type of the message
                  Example: FileTransfer
action            Action            message  always
                  Description: the action taken by the device according to the CIM model
                  Example: allowed
_time             Timestamp         message  always
                  Description: the UNIX time stamp when the event occurred
                  Example: 1554470652340
file_operation    Operation         message  always
                  Description: the operation on the file, such as UPLOAD or DOWNLOAD. It may carry the suffix 'WARNING' if the operation failed
                  Example: UPLOAD
file_name         Filename          message  always
                  Description: the file name
                  Example: foobar.txt
file_path         Full file path    message  always
                  Description: the name of the file including its path on the server
                  Example: /tmp/foobar.txt
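As an added example (not code from the guide or the product), the following Python parses these JSON messages, checks that each one carries the fields its event_name requires according to the field tables above, and groups them per session_id to flag failed file transfers and high aggregated scores. It assumes _time is in milliseconds (the guide's examples hold 13 digits) and that the WARNING suffix is separated from the operation by a space; the last two sample lines and the 70-point threshold are constructed here.

```python
import json
from datetime import datetime, timezone

# Fields every SPS message carries, plus the fields each event type adds (from the tables above).
COMMON_FIELDS = {"vendor", "product", "dvc", "session_id", "event_name", "action", "_time"}
EVENT_FIELDS = {
    "SessionScored": {"aggregated_score", "algorithm_name", "signature", "algorithm_score"},
    "CommandChannelEvent": {"command"},
    "WindowTitleChannelEvent": {"window_title"},
    "FileTransfer": {"file_operation", "file_name", "file_path"},
}

# Sample input: lines 1-3 are the guide's example messages; the failed download and the SessionScored line are constructed.
SAMPLE_LINES = [
    '{"vendor":"OneIdentity","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-12","product":"SPS-5.11.0","event_name":"CommandChannelEvent","dvc":"sps1.acme.com","command":"exit","action":"allowed","_time":"1557912765461"}',
    '{"window_title":"Shortcut Tools Application Tools Administrative Tools","vendor":"OneIdentity","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-47-4","product":"SPS-5.11.0","event_name":"WindowTitleChannelEvent","dvc":"sps1.acme.com","action":"allowed","_time":"1558007001482"}',
    '{"vendor":"OneIdentity","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-324","product":"SPS-5.11.0","file_path":"/cpuinfo","file_operation":"UPLOAD","file_name":"cpuinfo","event_name":"FileTransfer","dvc":"sps1.acme.com","action":"allowed","_time":"1558023721326"}',
    '{"vendor":"OneIdentity","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-324","product":"SPS-5.11.0","file_path":"/tmp/report.csv","file_operation":"DOWNLOAD WARNING","file_name":"report.csv","event_name":"FileTransfer","dvc":"sps1.acme.com","action":"allowed","_time":"1558023730000"}',
    '{"vendor":"OneIdentity","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-324","product":"SPS-5.11.0","event_name":"SessionScored","dvc":"sps1.acme.com","action":"allowed","_time":"1558023740000","aggregated_score":"72","algorithm_name":"keystroke","signature":"keystroke","algorithm_score":"85"}',
]

def parse_event(line):
    """Parse one SPS JSON message and verify it carries the fields its event type requires."""
    event = json.loads(line)
    if event.get("event_name") not in EVENT_FIELDS:
        raise ValueError(f"unknown event_name: {event.get('event_name')!r}")
    missing = (COMMON_FIELDS | EVENT_FIELDS[event["event_name"]]) - event.keys()
    if missing:
        raise ValueError(f"{event['event_name']} lacks fields {sorted(missing)}")
    # _time is a string; the guide's examples hold 13 digits, i.e. milliseconds since the epoch (assumed).
    event["timestamp"] = datetime.fromtimestamp(int(event["_time"]) / 1000, tz=timezone.utc)
    return event

def summarize_sessions(lines, score_threshold=70):
    """Group events by session_id; flag failed transfers and aggregated scores at or above the threshold."""
    sessions = {}
    for ev in map(parse_event, lines):
        s = sessions.setdefault(ev["session_id"], {"commands": [], "files": [], "max_score": None, "flags": set()})
        if ev["event_name"] == "CommandChannelEvent":
            s["commands"].append(ev["command"])
        elif ev["event_name"] == "FileTransfer":
            s["files"].append((ev["file_operation"], ev["file_path"]))
            if ev["file_operation"].endswith("WARNING"):  # per the guide, the suffix marks a failed operation
                s["flags"].add("failed_transfer")
        elif ev["event_name"] == "SessionScored":
            score = int(ev["aggregated_score"])
            s["max_score"] = max(score, s["max_score"] or 0)
            if score >= score_threshold:
                s["flags"].add("high_score")
    return sessions
```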

Joining to One Identity Starling

One Identity Starling helps to combine products from the One Identity line to create a secure and customizable cloud service. For details on One Identity Starling, see Starling - Technical Documentation.

If you are using a Starling 2FA plugin (that is, you have uploaded it to Basic Settings > Plugins and then configured it at Policies > AA Plugin Configurations) and the SPS node is joined to One Identity Starling, you do not have to specify api_key and api_url in the Starling 2FA plugin configuration. This configuration method is more secure.

Topics:

Joining SPS to One Identity Starling with Credential String

The following describes how to join SPS to One Identity Starling and take advantage of companion features from Starling products such as 2FA and Identity Analytics.

Prerequisites
  • An existing Starling organization (tenant)
  • A One Identity Hybrid Subscription

To join SPS to One Identity Starling

  1. If SPS is behind a web proxy, navigate to Basic Settings > Network > HTTPS Proxy and configure the proxy settings. For details, see Network settings.

    NOTE:

    Currently only built-in Certificate Authorities are supported. If the web proxy replaces the certificates of the Starling website on the fly, the join process might fail.

  2. Navigate to Basic Settings > Management > Join to Starling.
  3. Optional: If you have received your TIMS License from the Licensing Department (TIMS.License@quest.com), enter your TIMS License into Product TIMS License.
  4. Click Start join process. The One Identity Starling site will open in a new tab.
  5. Enter your One Identity Starling credentials.
  6. Click Next.

    NOTE:

    By clicking Next, you have joined your SPS machine to Starling. Now you have to store this information in SPS to finish the join process.

  7. Copy your Credential String from the page. For example,

    8dc0d6d4-b062-4357-abe2-8634523a91d9:4c0321bf-a099-4f95-86a6-20c6a4eb9298
  8. Navigate back to the SPS tab.
  9. Paste your Credential String into the Credential String field.

    NOTE:

    If for some reason you cannot paste the Credential String, you can re-retrieve it by refreshing this page and repeating the join process. You will receive the same Credential String if you did not change your host name.

  10. Click Finalize join process.
  11. The following will be displayed automatically:
    • Product Name
    • Product Instance
    • Product TIMS License if you have entered it before starting the join process

Unjoining SPS from One Identity Starling

If you intend to decommission an SPS machine, or replace it with another one, you have to unjoin that machine and join the new machine. The following describes how to unjoin SPS from One Identity Starling.

Prerequisites
  • An existing Starling organization (tenant)
  • A One Identity Hybrid Subscription
  • An SPS that is already joined to One Identity Starling.

To unjoin SPS from One Identity Starling

  1. Navigate to Basic Settings > Management > Join to Starling.
  2. Click Unjoin from Starling.
  3. To join the new machine, see Joining SPS to One Identity Starling with Credential String.