Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.2.0 - Using Splunk with One Identity Safeguard for Privileged Sessions

Visualizing events and performing gap analysis with the Splunk App

Prerequisites and restrictions
Installation

For information about the setup process, see this section.

Visualizing events using the One Identity Safeguard for Privileged Sessions dashboard

The One Identity Safeguard for Privileged Sessions dashboard visualizes data from SPS (including your events parsed and indexed by the Splunk Add-on and the metadata that the Splunk Add-on attaches to those events).

To access the One Identity Safeguard for Privileged Sessions dashboard

  1. Login to the Splunk Enterprise online administration page.
  2. Select One Identity Safeguard for Privileged Sessions under Apps.

    Figure 1: The One Identity Safeguard for Privileged Sessions dashboard

The top filters bar allows you to configure your filters, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of audited sessions.

Under Time filter you can set a time interval in which you want to browse your data, and configure relevant settings. Under Refresh Rate you can specify a refresh rate (if you want to). To hide the Time filter and Refresh Rate items, click Hide Filters/Show Filters.

Below the filters bar, you see the details of logged sessions (such as SPS Session Count, the number of Critical Severity Sessions, and the number of High Severity Sessions) in the given time range.

The listed elements below SPS Session details show the audited sessions.

The One Identity Gap Report dashboard

The One Identity Gap Report dashboard allows you to use other sources of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) as well as those originating from SPS to compare the two sources of information and see if all the necessary sessions are audited without audit gaps

To access the One Identity Gap Report dashboard

  1. Login to the Splunk Enterprise online administration page.
  2. Select One Identity Safeguard for Privileged Sessions under Apps.
  3. Click One Identity Gap Report on the top tab bar to switch from the the One Identity Safeguard for Privileged Sessions dashboard.

Figure 2: The One Identity Gap Report dashboard

The top filters bar allows you to configure your filters and whether you want to visualize your RDP or your SSH sessions, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of unaudited sessions.

You can set a time interval in which you want to browse your data, and configure relevant settings under the Time filter. Under Refresh Rate you can specify a refresh rate (if you want to). The Run Panels option allows you to switch between RDP and SSH sessions. To hide the Time filterand Refresh Rate items, click the Hide Filters/Show Filters.

Below the filters bar, you see the number of audited sessions (under SPS RDP Login Count), and the number of logged sessions (under Windows Interactive Logins) in the given time range.

Under Gaps in RDP Login Events, a bar chart shows the proportion between audited and logged sessions, by day.

Under RDP Audit Gap Details, you can see the specific data (such as Time (for the audit gap date), the number of Audited Events, the number of Logged Events and the number of unaudited sessions, under Audit Gap), grouped by day.

Macros and search expressions

If you have the Splunk App installed on your Splunk, but want to build your own custom dashboard, you can use the event types and macros defined by the app. The events originating from SPS are CIM-compliant (specifically, they use the Network Sessions, the Network Traffic and the Intrusion Detection data models), so the field names will be familiar. For more information about Splunk's Search Tutorial, click here.

Macros

The table below lists macros defined by the Splunk App and their descriptions.

Macro name

Description

OI_SPS_events

Individual events coming from SPS

OI_SPS_sessions

Sessions audited by SPS (events correlated into full sessions)

OI_SPS_monitored_hosts

Hosts monitored by SPS

OI_SPS_scored_sessions

Sessions audited by SPS which have a score given by SPS analytics

OI_SSH_logins

All SSH sessions coming from SPS

OI_WIN_interactive_logins

All windows interactive logins audited by SPS

Useful search expressions for SPS-specific events

The macros listed in the Macros section can be used to narrow your search in Splunk for SPS-specific events. You can see a few useful search expressions below.

  • example_user was on server 1.2.3.4

    `OI_SPS_events` tag=authentication dest_ip=1.2.3.4 user=example_user

  • List users logged onto server 1.2.3.4

    `OI_SPS_events` tag=authentication dest_ip=1.2.3.4 | table user | uniq

  • Get ID of all sessions with rm command

    `OI_SPS_events` eventtype=oneidentity_sps_command_channel_event command=rm | table session_id | uniq

  • Get ID of sessions with a score higher than 70

    `OI_SPS_events` aggregated_score>70 | table session_id | uniq

Related Documents