Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.5.0 - REST API Reference Guide

Introduction Using the SPS REST API Basic settings User management and access control Managing SPS General connection settings HTTP connections Citrix ICA connections MSSQL connections RDP connections SSH connections Telnet connections VNC connections Search, download, and index sessions Reporting Health and maintenance Advanced authentication and authorization Completing the Welcome Wizard using REST Enable and configure analytics using REST

Indexer policies

Indexer policies allow you to configure the Optical Character Recognition (OCR) engine of SPS, and specify which languages it should use. Only graphical protocols (RDP, Citrix ICA, VNC) are affected.

NOTE:

In the case of graphical protocols, the default Optical Character Recognition (OCR) configuration is automatic language detection. This means that the OCR engine will attempt to detect the languages of the indexed audit trails automatically. However, if you know in advance what language(s) will be used, create a new Indexer Policy.

If you specify the languages manually, note the following:

  • Specifying only one language provides the best results in terms of performance and precision.

  • The English language is always detected along with the non-English languages that you have configured. However, if you want the OCR to only recognize the English language, you have to select it from the list of languages.

  • There are certain limitations in the OCR engine when recognizing languages with very different character sets. For this reason, consider the following:

    • When selecting Asian languages (Simplified Chinese, Traditional Chinese, Korean), avoid adding languages that use the Latin alphabet.

    • When selecting the Arabic language, avoid selecting any other languages.

    • The Thai language is currently not supported. If you are interested in using SPS to index Thai texts, contact our Sales Team.

URL
GET https://<IP-address-of-SPS>/api/configuration/policies/indexing
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).
Sample request

The following command lists the available indexer policies.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/policies/indexing

The following command displays a specific indexer policy.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/policies/indexing/<id-of-the-policy>
Response

The following is a sample response received when querying the /api/configuration/policies/indexing/ endpoint.

For details of the meta object, see Message format.

{
    "items": [
        {
            "key": "-50000",
            "meta": {
                "href": "/api/configuration/policies/indexing/-50000"
            }
        },
        {
            "key": "13442970955825a89b55e46",
            "meta": {
                "href": "/api/configuration/policies/indexing/13442970955825a89b55e46"
            }
        }
    ],

    "meta": {
        "first": "/api/configuration/policies/audit_policies",
        "href": "/api/configuration/policies/indexing",
        "last": "/api/configuration/policies/usermapping_policies",
        "next": "/api/configuration/policies/ldap_servers",
        "parent": "/api/configuration/policies",
        "previous": "/api/configuration/policies/credentialstores",
        "remaining_seconds": 599,
        "transaction": "/api/transaction"
    }
}

A sample response when querying a specific indexer policy:

{
    "body": {
        "index": {
            "command": true,
            "keyboard": false,
            "mouse": false,
            "screen_content": false,
            "window_title": true
        },
        "name": "english-german-russian",
        "ocr": {
            "accuracy": "accurate"
            "custom_languages": {
                "enabled": true,
                "languages": [
                    "eng",
                    "deu",
                    "rus"
                ]
            }
        }
    },
    "key": "-50000",
    "meta": {
        "first": "/api/configuration/policies/indexing/-50000",
        "href": "/api/configuration/policies/indexing/-50000",
        "last": "/api/configuration/policies/indexing/-50000",
        "next": null,
        "parent": "/api/configuration/policies/indexing",
        "previous": null,
        "remaining_seconds": 599,
        "transaction": "/api/transaction"
    }
}
Element Type Description
key string Top level element, contains the ID of the policy.
body Top level element (string) Contains the configuration options of the indexer policy.
index Top level element

Contains the indexed events of the indexer policy. Possible values:

  • command: A command entered in SSH or Telnet.

  • keyboard: Keyboard-related events, for example, pressing Enter.

  • mouse: Mouse-related events, for example, mouse clicks.

  • screen_content: Screen content elements, for example, commands, window titles, IP addresses, user names, and so on.

  • window_title: The title of the window in graphic protocols.

name string The name of the indexer policy.
ocr JSON object Configuration of the OCR engine.
accuracy string

Accuracy level for Optical Character Recognition. Possible values:

  • fast: The fastest option with potentially less accurate results. Select this option if speed is more important to you than getting the most accurate results possible.

  • balanced: Fairly accurate option with less than optimum speed. Select this option if you want results to be fairly accurate but you have more than a few sessions to process and processing time is less of a concern.

  • accurate: The most accurate option with less optimal speed. Select this option if you must have the most accurate results possible and speed is less important or you only have a few sessions to process.

custom_languages Top level element Configures what languages to detect.
Custom languages elements Type Description
custom_languages Top level element Configures what languages to detect.
enabled boolean If false, the OCR engine detects the language of the text automatically. This is the default behavior. To specify which languages to use, set the custom_languages element to true, and list the abbreviation of the languages in the languages element (for example, "eng", "ger").
languages list

The list of languages the OCR engine should use to process graphical protocols. To specify which languages to use, set the custom_languages element to true, and list the abbreviation of the languages in the languages element (for example, "eng", "ger").

  • Specifying only one language provides the best results in terms of performance and precision.

  • The English language is always detected along with the non-English languages that you have configured. However, if you want the OCR to only recognize the English language, you have to select it from the list of languages.

  • There are certain limitations in the OCR engine when recognizing languages with very different character sets. For this reason, consider the following:

    • When selecting Asian languages (Simplified Chinese, Traditional Chinese, Korean), avoid adding languages that use the Latin alphabet.

    • When selecting the Arabic language, avoid selecting any other languages.

    • The Thai language is currently not supported. If you are interested in using SPS to index Thai texts, contact our Sales Team.

The following languages are supported: English: eng, German: deu, French: fra, Dutch: nld, Norwegian: nor, Swedish: swe, Finnish: fin, Danish: dan, Icelandic: isl, Portuguese: por, Spanish: spa, Catalan: cat, Galician: glg, Italian: ita, Maltese: mlt, Greek: ell, Polish: pol, Czech: ces, Slovak: slk, Hungarian: hun, Slovenian: slv, Croatian: hrv, Romanian: ron, Albanian: sqi, Turkish: tur, Estonian: est, Latvian: lav, Lithuanian: lit, Esperanto: epo, Serbian(Latin): qsl, Serbian: srp, Macedonian: mkd, Moldavian: mol, Bulgarian: bul, Byelorussian: bel, Ukrainian: ukr, Russian: rus, Chechen: che, Kabardian: kbd, Afrikaans: afr, Aymara: aym, Basque: eus, Bemba: bem, Blackfoot: bla, Breton: bre, Brazilian: qbp, Bugotu: bgt, Chamorro: cha, Tswana(Chuana): tsn, Corsican: cos, Crow: cro, Eskimo: qes, Faroese: fao, Fijian: fij, Frisian: fry, Friulian: fur, Gaelic(Irish): gle, Gaelic(Scottish): gla, Ganda(Luganda): lug, Guarani: grn, Hani: hni, Hawaiian: haw, Ido: ido, Indonesian: ind, Interlingua: ina, Kasub: csb, Kawa: wbm, Kikuyu: kik, Kongo: kon, Kpelle: kpe, Kurdish: kur, Latin: lat, Luba: lua, Luxembourgish: ltz, Malagasy: mlg, Malay: msa, Malinke: mlq, Maori: mri, Mayan: MYN, Miao: hmn, Minangkabau: min, Mohawk: moh, Nahuatl: NAH, Nyanja: nya, Occidental: ile, Ojibway: oji, Papiamento: pap, PidginEnglish: tpi, Provencal: oci, Quechua: que, Rhaetic: roh, Romany: rom, Rwanda: kin, Rundi: run, Samoan: smo, Sardinian: srd, Shona: sna, Sioux: dak, Sami: SMI, Sami(Lule): smj, Sami(Northern): sme, Sami(Southern): sma, Somali: som, Sotho: sot, Sundanese: sun, Swahili: swa, Swazi: ssw, Tagalog: tgl, Tahitian: tah, Tinpo: qti, Tongan: ton, Tun: tug, Visayan: qis, Welsh: cym, Sorbian(Wend): WEN, Wolof: wol, Xhosa: xho, Zapotec: zap, Zulu: zul.
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
201 Created The new resource was successfully created.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.
409 Conflict No open Transaction is available. Open a transaction before using this request. For details, see Open a transaction.
Add an indexing policy

To add an indexing policy, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Create the JSON object for the new indexing policy.

    You can find a detailed description of the available parameters listed in Element .

    POST the JSON object to the https://<IP-address-of-SPS>/api/configuration/policies/indexing endpoint. If the POST request is successful, the response includes the key of the new ticketing policy. For example:

    {
  "key": "aa423b72-0d0f-4275-be30-494e9a99ffad",
  "meta": {
    "href": "/api/configuration/policies/indexing/aa423b72-0d0f-4275-be30-494e9a99ffad",
    "parent": "/api/configuration/policies/indexing",
    "transaction": "/api/transaction"
  }
}
  3. Commit your changes.

    For details, see Commit a transaction.

Reporting

Topics:

Reporting

List of endpoints for configuring reporting, and accessing the generated reports.

URL
GET https://<IP-address-of-SPS>/api/configuration/reporting
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).
Sample request

The following command lists the available endpoints.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/reporting
Response

The following is a sample response received when listing the available endpoints.

For details of the meta object, see Message format.

{
  "meta": {
    "first": "/api/configuration/aaa",
    "href": "/api/configuration/reporting",
    "last": "/api/configuration/x509",
    "next": "/api/configuration/ssh",
    "parent": "/api/configuration",
    "previous": "/api/configuration/rdp",
    "transaction": "/api/transaction"
  },
  "items": [
    {
      "key": "content_subchapters",
      "meta": {
        "href": "/api/configuration/reporting/content_subchapters"
      }
    },
    {
      "key": "custom_subchapters",
      "meta": {
        "href": "/api/configuration/reporting/custom_subchapters"
      }
    },
    {
      "key": "predefined_reports",
      "meta": {
        "href": "/api/configuration/reporting/predefined_reports"
      }
    },
    {
      "key": "reports",
      "meta": {
        "href": "/api/configuration/reporting/reports"
      }
    },
    {
      "key": "statistics_subchapters",
      "meta": {
        "href": "/api/configuration/reporting/statistics_subchapters"
      }
    }
  ]
}
Endpoint Description
content_subchapters List of the reporting subchapters created from audit trail content (statistics of search keywords, and screenshots).
custom_subchapters List of the reporting subchapters created from custom queries to the SPS connection database.
predefined_reports List of the pre-defined reports available on SPS.
reports List of the configured reports.
statistics_subchapters List of the reporting subchapters created from connection statistics.
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
201 Created The new resource was successfully created.
400 InvalidQuery The requested filter or its value is invalid.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.

Reports

List of the configured reports.

URL
GET https://<IP-address-of-SPS>/api/configuration/reporting/reports
Cookies
Cookie name Description Required Values
session_id Contains the authentication token of the user Required

The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the SPS REST API.

Note that this session ID refers to the connection between the REST client and the SPS REST API. It is not related to the sessions that SPS records (and which also have a session ID, but in a different format).
Sample request

The following command lists the configured reports.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/reporting/reports

The following command retrieves the properties of a specific report.

curl --cookie cookies https://<IP-address-of-SPS>/api/configuration/reporting/reports/<key_value>
Response

The following is a sample response received when listing reports.

For details of the meta object, see Message format.

{
  "meta": {
    "first": "/api/configuration/reporting/content_subchapters",
    "href": "/api/configuration/reporting/reports",
    "last": "/api/configuration/reporting/statistics_subchapters",
    "next": "/api/configuration/reporting/statistics_subchapters",
    "parent": "/api/configuration/reporting",
    "previous": "/api/configuration/reporting/predefined_reports",
    "transaction": "/api/transaction"
  },
  "items": [
    {
      "key": "7798770004e472c8576912",
      "meta": {
        "href": "/api/configuration/reporting/reports/7798770004e472c8576912"
      }
    },
    {
      "key": "8292675195707f19d932af",
      "meta": {
        "href": "/api/configuration/reporting/reports/8292675195707f19d932af"
      }
    }
  ]
}

When retrieving the endpoint of a specific report, the response is the following.

{
  "body": {
    "access": [
      "report"
    ],
    "chapters": [
      {
        "name": "System health",
        "subchapters": [
          {
            "name": "system_health_network_connections",
            "selection": "builtin"
          },
          {
            "name": "system_health_load_average",
            "selection": "builtin"
          }
        ]
      },
      {
        "name": "All connections",
        "subchapters": [
          {
            "name": "connection_each_scb_top10_channel_types_each",
            "selection": "builtin"
          },
          {
            "name": "connection_each_scb_top10_portforward_targets_each",
            "selection": "builtin"
          }
        ]
      },
      {
        "name": "Search statistics",
        "subchapters": [
          {
            "reference": "21111736175707f1df8bea1",
            "selection": "custom"
          }
        ]
      },
      {
        "name": "Misc",
        "subchapters": [
          {
            "reference": "13869311625707e0a3e0892",
            "selection": "custom"
          }
        ]
      },
      {
        "name": "Advanced statistics",
        "subchapters": [
          {
            "reference": "5983143445707eb740fee3",
            "selection": "custom"
          }
        ]
      }
    ],
    "email_recipients": {
      "recipients": [
        "admin@company.com"
      ],
      "selection": "other"
    },
    "frequency": {
      "day": false,
      "month": true,
      "week": false
    },
    "logo_id": "logoC890jH",
    "name": "all-options",
    "send_report_in_email": true
  },
  "key": "8292675195707f19d932af",
  "meta": {
    "first": "/api/configuration/reporting/reports/7798770004e472c8576912",
    "href": "/api/configuration/reporting/reports/8292675195707f19d932af",
    "last": "/api/configuration/reporting/reports/8292675195707f19d932af",
    "next": null,
    "parent": "/api/configuration/reporting/reports",
    "previous": "/api/configuration/reporting/reports/12046247915707e5d6a5c59",
    "transaction": "/api/transaction"
  }
}
Element Type Description
key string Top level element, contains the ID of the report
body Top level element (string) The elements of the report.
access list

Required. List of access control groups whose members can access the subchapter.

To deny access to the report, use "admin" as the only value for the element.

chapters Top level item A chapter of the report.
email_recipients Top level item Contains the list of e-mails where the generated report is sent.
recipients list

Custom list of e-mails where the generated report is sent.

To use a custom list, the selection element must be set to other.

selection string

This element can have two values:

  • default uses the e-mail address configured in the reporting_address element of the https://<IP-address-of-SPS>/api/configuration/management/email endpoint (or the Basic Settings > Management > Mail settings > Send reports to field on the web UI).

  • other uses the e-mails listed in the recipients element.

frequency Top level item Contains the list of options for defining the frequency of generating the report.
day boolean

Set it to true to generate the report each day.

month boolean

Set it to true to generate the report each month.

week boolean

Set it to true to generate the report each week.

logo_id string

The ID of the custom logo. The null value means the report is generated using the default logo.

You can upload a custom logo on the web UI of SPS, using the Reporting > Configuration > <report> > Choose new logo button.

name string The name of the report.
send_report_in_email boolean Set it to false if you do not want to include the generated report in the e-mail.
Chapters elements Type Description
name string Name of the chapter.
subchapters list List of subchapters included in the chapter.
name string

Name of the built-in subchapter included in the chapter. For the list of the built-in subchapters, see Built-in subchapters.

To include a built-in subchapter, use the value of its name element, not the key.

reference string

The key of the custom, content, or statistics subchapter.

  • For the keys of the reporting subchapters created from custom queries to the SPS connection database, see the custom_subchapters endpoint.

  • For the keys of the reporting subchapters created from audit trail content (statistics of search keywords, and screenshots), see the reporting/content_subchapters endpoint.

  • For the keys of the reporting subchapters created from connection statistics, see the reporting/statistics_subchapters endpoint.

To include a custom, content, or statistics subchapter, use the value of its key element, not the name.

selection string

This element can have two values:

  • Set builtin for the default reporting subchapters.

  • Set custom for all other subchapters (custom, content or statistics).
Examples:

Set the e-mail recipients to the default (as configured in the reporting_address element of the /api/configuration/management/email endpoint):

"email_recipients": {
  "selection": "default"
}

Create a custom set of e-mail recipients:

"email_recipients": {
  "recipients": [
    "<email-1>",
    "<email-2>"
  ],
  "selection": "other"
}

Add a reporting chapter with built-in subchapters:

"chapters": [
  {
    "name": "<custom-name>",
    "subchapters": [
      {
        "name": "system_health_filesystem_usage",
        "selection": "builtin"
      },
      {
        "name": "system_health_network_connections",
        "selection": "builtin"
      },
      {
        "name": "system_health_load_average",
        "selection": "builtin"
      }
    ]
  }

Add a reporting chapter with custom, content, or statistics subchapters:

"chapters": [
  {
    "name": "<custom-name>",
    "subchapters": [
      {
        "reference": "<key-of-subchapter>",
        "selection": "custom"
      },
      {
        "reference": "<key-of-subchapter>",
        "selection": "custom"
      }
    ]
  }
Status and error codes

The following table lists the typical status and error codes for this request. For a complete list of error codes, see Application level error codes.

Code Description Notes
201 Created The new resource was successfully created.
400 InvalidQuery The requested filter or its value is invalid.
400 IncompleteConfigurationSubtreeError Possible cause: PUT operation on the reports endpoint, instead of POST.
400

IncompleteConfigurationSubtreeError

"missing_paths": [ "email_recipients/recipients" ]

 You have selected other for the selection element under email_recipients, but did not provide a list using recipients.
400

IncompleteConfigurationSubtreeError

Syntax error: \"No such property; property='recipients'

Do not provide recipients if you set the selection element under email_recipients to default.
400

IncompleteConfigurationSubtreeError

"missing_paths": [ "chapters/7/subchapters/0/name" ]

 Verify that the selection element of the subchapter is correctly set to builtin or custom.
401 Unauthenticated The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
403 Unauthorized The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved.
404 NotFound The requested object does not exist.
Add a report

To add a report, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Create the JSON object for the new report.

    POST the JSON object to the https://<IP-address-of-SPS>/api/configuration/reporting/reports endpoint. You can find a detailed description of the available parameters listed in Element .

    If the POST request is successful, the response includes the key of the new report.

    {
  "key": "26ddf648-9a21-4a7f-af56-9cea575785a9",
  "meta": {
    "href": "/api/configuration/reporting/reports/26ddf648-9a21-4a7f-af56-9cea575785a9",
    "parent": "/api/configuration/reporting/reports",
    "transaction": "/api/transaction"
  }
}
  3. Commit your changes.

    For details, see Commit a transaction.

Modify a report

To modify a report, you have to:

  1. Open a transaction.

    For details, see Open a transaction.

  2. Modify the JSON object of the report.

    PUT the modified JSON object to the https://<IP-address-of-SPS>/api/configuration/reporting/reports/<key-of-the-report> endpoint. You can find a detailed description of the available parameters listed in Element .

  3. Commit your changes.

    For details, see Commit a transaction.

Generate a report for a custom time period

To generate a report for a custom time period, you have to:

  1. Define the custom time period for the report.

    GET https://<IP-address-of-SPS>/api/configuration/reporting/reports. Search for the name of the report that you want to run on a custom time period. Copy the value of key.

  2. POST the parameters to the https://<IP-address-of-SPS>/api/reports endpoint. The following parameter is required:

    • configuration_id

    The following parameters are optional.

    • start: start timestamp in the format of either YYYY-MM-DD or YYYY-MM-DDTHH:MM.

    • end: end timestamp in the format of either YYYY-MM-DD or YYYY-MM-DDTHH:MM.

    • force: By default: False. If you set it to True, you can regenerate a report that has already been generated before.

    If you do not enter the optional parameters, the start timestamp defaults to 1970.01.01 and the end timestamp defaults to the timestamp of when the report was generated.

    NOTE:

    Timestamps are according to UTC.

    This means that for example, if you are located in an UTC+1 region, a report that has the end parameter configured as 2020-01-18 will actually have an end date/time of 2020-01-18 01:00.

    Example: Generate a report for a custom time period
    https://198.51.100.0/api/reports?configuration_id=8292675195707f19d932af&start=2020-02-01&end=2020-02-18

  3. You will receive a response similar to the following:

    {
  "message": "Report generation started.",
  "meta": {
    "href": "/api/reports",
    "parent": "/api"
  }
}
Related Documents