The following describes how to assign users to access sessions only for connections for which they are granted permission.
Users need the Search privilege to access the Search interface.
Assigning the Search privilege to a user on the Users & Access Control > Appliance Access page, automatically enables the Search in all connections privilege, and grants the user access to every session, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.
You have created a user for which you want to assign the search privilege. For more information, see Creating local users in One Identity Safeguard for Privileged Sessions (SPS).
You have created a usergroup. For more information, see Managing local user groups.
To assign users to access sessions only for connections for which they are granted permission
Navigate to Users & Access Control > Appliance Access.
Figure 233: Users & Access Control > Appliance Access — Configuring search privileges
Assign the Search privilege to your usergroup as described in Assigning privileges to user groups for the One Identity Safeguard for Privileged Sessions (SPS) web interface.
Deselect the Search in all connections privilege so that users can access sessions only for connections for which they are granted permission.
To grant permission to a specific connection, navigate to the Connections page of the traffic (for example to SSH Control > Connections), and select the connection policy to modify.
Figure 234: <Protocol name> Control > Connections > Access Control — Configuring search privileges
Navigate to Access Control and click 
Enter the name of the usergroup whose members are permitted to access the Search interface into the Authorizer Group field. This group must exist on the Users & Access Control > Local User Groups page.
|
|
Caution:
Usernames, the names of user lists, and the names of usergroups are case sensitive. |
Set the permissions of the usergroup.
If the usergroup can authorize (that is, enable) and audit (that is, monitor in real-time and download the audit trails) the sessions, select Permission > Follow&Authorize.
If the usergroup can only audit the sessions but cannot authorize, select Permission > Follow.
If the Client user is > Member of field is set, the auditor can only monitor the sessions of the specified usergroup. However, if Client user is > Member of field is set, the Auditor cannot access the Search page. To avoid this problem, add another Access Control rule for the Authorizer Group without setting the Client user isfield.
The admin user of One Identity Safeguard for Privileged Sessions (SPS) can audit and authorize every connection.
Users with the relevant privileges can now access the sessions for which they are granted permission. If users do not have the required permission to access sessions, a warning message is displayed and no session is visible as shown below:
Figure 235: Search — Permission denied
Specify a time range to restrict, or filter your search criteria by setting boundaries on your searches. You can restrict the search to one of the preset time ranges, or use a custom time range for a more specific search.
When you specify a time range, the search result includes:
Connections started and finished anywhere between the start time and end time you specified.
Connections started anywhere between the start time and end time you specified.
Connections ended anywhere between the start time and end time you specified.
Active connections if they were started anywhere between the start time and the end time you specified.
For example, at 17:00 PM you specify a start date of 10:00 AM and end date of 15:00 PM for your search. The search result includes:
Connections started at 8:00 AM and ended at 14:00 PM.
Connections started at 11:00 AM and ended at 14:00 PM.
Connections started at 11:00 AM and ended at 16:00 PM.
Active connections started at 11:00 AM.
Active connections started at 10:00 AM.
To specify time ranges
To select the start date of your search, click Pick a date.
Alternatively, use the 
Figure 236: Search — Pick a date
From the calendar, select the start date as required.
The date refers to the timezone configured on SPS.
For exact time ranges, specify to search by the hour and minute.
Figure 237: Search — Specify hour and minute
To select the end date of your search, click Pick a date and select a date as required.
If you specify only the start date, the end date is set to the current time.
Optional: To clear the start and end date, click
Optional: You can use the timeline for a quick time range selection and visual representation of sessions in the selected interval.
Click the 
Figure 238: Search — Using the timeline
The bars display the number of results in the selected interval.
The active sessions columns indicate all the sessions, which were active in the selected interval. The sessions started columns indicate all the sessions started during the selected interval. For example, if the selected interval is today between 8:00 AM and 9:00 AM, then a session started at 7:00 AM but lasting after 8:00 AM is displayed in the active sessions column. A session started at 8:30 AM is displayed in the sessions started column. Since the session was active during the selected time interval, the session started at 8:30 AM is also displayed in the active sessions column.
To disable the active sessions and view only the started sessions in the timeline, click 
Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents.
Trend analysis allows you to use the timeline to find changes over time. For example, to find the time range where terminated connections had a significant peak compared to other days, from the Show trend for drop-down menu, select Verdict. Note that you can only view trend analysis for Active, Analytics Score, Client name, Protocol, Server hostname, Server port, Server username, Username and Verdict. All the other selections are grayed out.
The colors of the bars in the timeline allow you to quickly find the time range with a higher number of terminated sessions.
Optional: To clear the trend analysis view, from the Show trend for drop-down menu, select X.
Figure 239: Search — Using the timeline - trend analysis
To select a range, drag the mouse pointer across the timeline or use Shift+Click and select multiple bars.
The following describes how you can use search queries to perform a more specific search.
To search using search queries
Enter a search query in the Search query field, or click on an entry in the table.
To search, enter a valid search field followed by a value in the search field: VALUE format. For example, if you enter protocol: SSH, the search returns all the SSH sessions.
Search is case insensitive. To make the search case sensitive, enclose the search keywords in double quotes.
The search queries can include only alphanumerical characters. You can use complex expressions and boolean operators, for example, AND, OR, <,>, and so on.
For the list of search fields that you can use, see
For more information on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
There are search fields that are not displayed but you can still use them to query the sessions. For example, you can search for active connections using the active search field, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, Events, Alerts, or Contents tabs.
Figure 240: Search — Search queries
Alternatively, click 
Figure 241: Search — Search filters - Basic view
After specifying the relevant query, click Search or press Enter.
To save the queries for future use, simply save the URL or bookmark it in your browser.
Session metadata is displayed in columns that you can query for any parameter, or a combination of parameters. You can view the metadata in the search columns and also displayed as fields in the Overview, Details, Events, Alerts, or Contents tabs.
This section lists the search fields that you can use to perform a more specific search. For information about how to use the search fields listed below, see Using search queries.
The following table provides an explanation to the search field tables listed in this section.
| Name: |
Specifies the meaningful and easily readable name of the search field. |
| Search field: |
Specifies the filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, you can enter the server.address: 10.30.255.70 search query in the Search query field. All search results that contain that specific server IP address are listed. |
| Displayed: |
Specifies if the search query result is displayed as a field in the search columns or in the Overview, Details, Events, Alerts, or Contents tabs. There are search fields that are not displayed but you can still use them to filter the audit trails. For example, you can search for active connections using the active search field, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, Events, Alerts, or Contents tabs. |
The following search fields are available:
|
Name: |
Alert type |
|---|---|
|
Search field: |
alert_type |
|
Type: |
enum |
|
Displayed: |
True |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search field: |
matched_action |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search field: |
matched_content |
|
Type: |
string |
|
Displayed: |
True |
The content the alert matched.
Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert if a user types the sudo command, then the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.
|
Name: |
Matched regexp |
|
Search field: |
matched_regexp |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the content.
For details, see Real-time content monitoring with Content Policies.
|
Name: |
Alert ID |
|
Search field: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Channel is active |
|
Search field: |
active |
|
Type: |
boolean |
|
Displayed: |
True |
True if the session has not ended yet.
|
Name: |
Application |
|
Search field: |
application |
|
Type: |
string |
|
Displayed: |
True |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search field: |
audit_stream_id |
|
Type: |
string |
|
Displayed: |
True |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
long |
|
Displayed: |
True |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search field: |
client_x509_subject |
|
Type: |
string |
|
Displayed: |
True |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search field: |
command |
|
Type: |
string |
|
Displayed: |
True |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search field: |
connected.ip |
|
Type: |
ip |
|
Displayed: |
True |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search field: |
connected.name |
|
Type: |
text |
|
Displayed: |
True |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search field: |
connected.port |
|
Type: |
port |
|
Displayed: |
True |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search field: |
device_name |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the shared device (redirect) used in the RDP connection.
Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.
The name of the device.
|
Name: |
Channel duration |
|
Search field: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search field: |
dynamic_channel |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the dynamic channel opened in the RDP session.
|
Name: |
Channel end time |
|
Search field: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Environment |
|
Search field: |
environment |
|
Type: |
string |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search field: |
four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
True |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search field: |
four_eyes_description |
|
Type: |
string |
|
Displayed: |
True |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search field: |
originator.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search field: |
originator.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search field: |
originator.port |
|
Type: |
port |
|
Displayed: |
True |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search field: |
rule_num |
|
Type: |
string |
|
Displayed: |
True |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search field: |
scp_path |
|
Type: |
string |
|
Displayed: |
True |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search field: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search field: |
subsystem_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search field: |
type |
|
Type: |
enum |
|
Displayed: |
True |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
websocket: WebSocket
x11: X11 forward
|
Name: |
Channel verdict |
|
Search field: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Window title |
|
Search field: |
title |
|
Type: |
string |
|
Displayed: |
True |
The content of the title bar in the active window. The window title typically contains the name of the application, or the name of the dialogue box. Only available in graphical sessions (for example, RDP), if indexing is enabled.
|
Name: |
Event Action |
|
Search field: |
action |
|
Type: |
string |
|
Displayed: |
True |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search field: |
content |
|
Type: |
string |
|
Displayed: |
True |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search field: |
details |
|
Type: |
string |
|
Displayed: |
True |
The details of the protocol used for the operation.
|
Name: |
Operation |
|
Search field: |
operation |
|
Type: |
string |
|
Displayed: |
True |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search field: |
path |
|
Type: |
string |
|
Displayed: |
True |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search field: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search field: |
response_code |
|
Type: |
long |
|
Displayed: |
True |
The status code of the protocol response (if any) returned.
|
Name: |
Commands indexed |
|
Search field: |
config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search field: |
config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search field: |
config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search field: |
config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search field: |
config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search field: |
config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
True |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search field: |
config.ocr_languages |
|
Type: |
string |
|
Displayed: |
True |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search field: |
config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search field: |
config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
True |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search field: |
config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search field: |
error.message |
|
Type: |
string |
|
Displayed: |
True |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search field: |
statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
True |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search field: |
statistics.duration |
|
Type: |
long |
|
Displayed: |
True |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search field: |
statistics.start_time |
|
Type: |
date |
|
Displayed: |
True |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search field: |
status |
|
Type: |
string |
|
Displayed: |
True |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search field: |
version.adp |
|
Type: |
string |
|
Displayed: |
True |
The version of the audit data processor used for indexing the session
|
Name: |
Screen content |
|
Search field: |
content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search field: |
channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
Analytics Interesting events |
|
Search field: |
analytics.interesting_events |
|
Type: |
string |
|
Displayed: |
True |
Collection of interesting command(s) and window title(s) from the session.
|
Name: |
Analytics Score |
|
Search field: |
analytics.score.aggregated |
|
Type: |
long |
|
Displayed: |
True |
The risk score that the Analytics Module assigned to the session.Ranges from 0 to 100, 100 is the highest risk score.
|
Name: |
Score time |
|
Search field: |
analytics.score.time |
|
Type: |
date |
|
Displayed: |
False |
The scoring time of the given analytics. The different analytics are scored at different times based on the type of the analytics and certain configuration settings.
|
Name: |
Command score |
|
Search field: |
analytics.score.details.command.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Command algorithm.
|
Name: |
FIS score |
|
Search field: |
analytics.score.details.fis.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Frequent Item Set (FIS) algorithm
|
Name: |
Host login score |
|
Search field: |
analytics.score.details.hostlogin.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Host login algorithm.
|
Name: |
Login time score |
|
Search field: |
analytics.score.details.logintime.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Login time algorithm.
|
Name: |
Keystroke score |
|
Search field: |
analytics.score.details.keystroke.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Keystroke algorithm.
|
Name: |
Windowtitle score |
|
Search field: |
analytics.score.details.windowtitle.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Window title algorithm.
|
Name: |
Scripted |
|
Search field: |
analytics.scripted |
|
Type: |
boolean |
|
Displayed: |
True |
True if the One Identity Safeguard for Privileged Analytics module marked the session as scripted because of non-human activity
|
Name: |
Similar Sessions |
|
Search field: |
analytics.similar_sessions |
|
Type: |
string |
|
Displayed: |
True |
Collection of similar sessions from different sources.
|
Name: |
Analytics tags |
|
Search field: |
analytics.tags |
|
Type: |
string |
|
Displayed: |
True |
The Analytics tags section in Search > details.
|
Name: |
Client IP |
|
Search field: |
client.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the client that initiated the session.
|
Name: |
Client name |
|
Search field: |
client.name |
|
Type: |
string |
|
Displayed: |
True |
The name of the client that initiated the session.
|
Name: |
Client port |
|
Search field: |
client.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the client that initiated the session.
|
Name: |
Creation time |
|
Search field: |
creation_time |
|
Type: |
date |
|
Displayed: |
True |
The first time the pipeline created the session. It is different from start_time and can be later than start_time.
|
Name: |
Duration |
|
Search field: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the session (how long the session lasted).
|
Name: |
End time |
|
Search field: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was closed.
For ongoing connections, the value is null.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Log adapter |
|
Search field: |
log.adapter_name |
|
Type: |
string |
|
Displayed: |
True |
The name of the Log Adapter Plugin. This plugin can be uploaded at Basic Settings > Plugins.
|
Name: |
Log auth method |
|
Search field: |
log.auth_method |
|
Type: |
string |
|
Displayed: |
True |
SSH relayed authentication method. It is configured at SSH Control > Authentication Policies > Relayed authentication methods.
|
Name: |
Log syslog time |
|
Search field: |
log.syslog_time |
|
Type: |
date |
|
Displayed: |
True |
Date of the message in the ISO 8601 compatible standard timestamp format.
|
Name: |
Node ID |
|
Search field: |
node_id |
|
Type: |
string |
|
Displayed: |
True |
The node ID of the Safeguard for Privileged Sessions machine
|
Name: |
Origin |
|
Search field: |
origin |
|
Type: |
string |
|
Displayed: |
True |
How One Identity Safeguard for Privileged Analytics received this session. Can be One Identity Safeguard for Privileged Sessions for sessions based on an audit trail recorded by One Identity Safeguard for Privileged Sessions, or LOG for sessions built from log data.
|
Name: |
Protocol |
|
Search field: |
protocol |
|
Type: |
enum |
|
Displayed: |
True |
The protocol used in the session: Citrix ICA, HTTP, RDP, SSH, Telnet (including TN3270 and TN5250), or VNC.
Possible values:
HTTP: HTTP
ICA: ICA
RDP: RDP
SSH: SSH
TELNET: TELNET
VNC: VNC
|
Name: |
Additional metadata |
|
Search field: |
recording.additional_metadata |
|
Type: |
string |
|
Displayed: |
False |
Data about the session recorded by the different plugins of One Identity Safeguard for Privileged Sessions, for example, when using an Authentication and Authorization plugin.
|
Name: |
Recording Archive date |
|
Search field: |
recording.archive.date |
|
Type: |
date |
|
Displayed: |
True |
The date when the connection was archived or cleaned up.
|
Name: |
Recording Archive path |
|
Search field: |
recording.archive.path |
|
Type: |
string |
|
Displayed: |
True |
The path where the audit trail was archived on the remote server.
|
Name: |
Recording Archive policy |
|
Search field: |
recording.archive.policy |
|
Type: |
string |
|
Displayed: |
True |
The archive policy used to archive the audit trail.
|
Name: |
Recording Archive server |
|
Search field: |
recording.archive.server |
|
Type: |
ip |
|
Displayed: |
True |
The hostname or IP address of the remote server where the audit trail was archived.
|
Name: |
Recording Archived |
|
Search field: |
recording.archived |
|
Type: |
boolean |
|
Displayed: |
True |
Shows if the data (metadata, audit trail) about the session was archived to a remote server.
|
Name: |
Audit trail path |
|
Search field: |
recording.audit_trail |
|
Type: |
string |
|
Displayed: |
False |
The path to the audit trail file on One Identity Safeguard for Privileged Sessions. If One Identity Safeguard for Privileged Sessions has already archived the audit trail, see the Archive path field instead.
. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.
|
Name: |
Audit trail download link |
|
Search field: |
trail_download_link |
|
Type: |
string |
|
Displayed: |
True |
The download link to the audit trail file on One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Authentication method |
|
Search field: |
recording.auth_method |
|
Type: |
string |
|
Displayed: |
True |
The authentication method used in the session.
|
Name: |
Recording Channel policy |
|
Search field: |
recording.channel_policy |
|
Type: |
string |
|
Displayed: |
True |
The Channel policy applied to the session. Channel policy determines the channels permitted in the connection, and if the channel is audited or not. The Channel policy can restrict access based on IP address, user list, user group, or time policy.
You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.
|
Name: |
Commands available |
|
Search field: |
recording.command_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands have been extracted from the session. The extracted commands are in the Events field.
|
Name: |
Recording Connection policy |
|
Search field: |
recording.connection_policy |
|
Type: |
string |
|
Displayed: |
True |
The name of the Connection policy that handled the client's connection request.
This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Connection policy ID |
|
Search field: |
recording.connection_policy_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Connection policy that handled the client's connection request.
You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Content reference ID |
|
Search field: |
recording.content_reference_id |
|
Type: |
long |
|
Displayed: |
True |
The unique identifier for the session content search.
|
Name: |
Recording Indexing status |
|
Search field: |
recording.index_status |
|
Type: |
enum |
|
Displayed: |
True |
Shows if the channel has been indexed.
Possible values:
CHANNEL_OPEN: Session is active
INDEXED: Session indexed
INDEXING_FAILED: Session indexing failed
INDEXING_IN_PROGRESS: Session indexing in progress
INDEXING_NOT_REQUIRED: Session indexing not required
NOT_INDEXED: Session is not indexed
NO_TRAIL: Auditing not enabled
INDEXING_ABORTED: Session indexing in progress was aborted
|
Name: |
Has ZAC |
|
Search field: |
recording.has_zac |
|
Type: |
boolean |
|
Displayed: |
False |
Audit Content file is available for the session. This file allows the user to search the content of graphical sessions using the Safeguard Desktop Player.
|
Name: |
Recording Network namespace |
|
Search field: |
recording.network_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Linux network namespace where the session originated from.
|
Name: |
Server local IP address |
|
Search field: |
recording.server_local.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Server local name |
|
Search field: |
recording.server_local.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of One Identity Safeguard for Privileged Sessions used in the server-side connection. If the hostname is not available, this field contains the IP address of One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Server local port |
|
Search field: |
recording.server_local.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Recording Session ID |
|
Search field: |
recording.session_id |
|
Type: |
string |
|
Displayed: |
True |
A globally unique string that identifies the session. Log messages related to the session contain this ID.
|
Name: |
Target IP address |
|
Search field: |
recording.target.ip |
|
Type: |
ip |
|
Displayed: |
True |
The client originally tried to access this IP address. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field.
|
Name: |
Target name |
|
Search field: |
recording.target.name |
|
Type: |
text |
|
Displayed: |
True |
The client originally tried to access this host. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Recording Target port |
|
Search field: |
recording.target.port |
|
Type: |
port |
|
Displayed: |
True |
The client originally tried to access this port. This can differ from the port of the destination server, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The port that the client actually connected to is in the Server port field.
|
Name: |
Recording Verdict |
|
Search field: |
recording.verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session.
Possible values:
ACCEPT: Accepted
ACCEPT_TERMINATED: Terminated by a content policy
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
GW_AUTH_FAIL: Gateway authentication failed
KEY_ERROR: Hostkey mismatch
USER_MAPPING_FAIL: Usermapping failed
|
Name: |
Recording Window titles available |
|
Search field: |
recording.window_title_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles have been extracted from the session. The extracted window titles are in the Window title field.
|
Name: |
Server IP |
|
Search field: |
server.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the server that One Identity Safeguard for Privileged Sessions connected to. This address was the remote end of the server-side connection.
|
Name: |
Server ID |
|
Search field: |
server.id |
|
Type: |
string |
|
Displayed: |
True |
The id of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Server hostname |
|
Search field: |
server.name |
|
Type: |
string |
|
Displayed: |
True |
The hostname of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Server port |
|
Search field: |
server.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Start time |
|
Search field: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was started.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Gateway username |
|
Search field: |
user.gateway_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection). Sometimes it is also called client-side username.
|
Name: |
Gateway username domain |
|
Search field: |
user.gateway_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection).
|
Name: |
Username |
|
Search field: |
user.name |
|
Type: |
string |
|
Displayed: |
True |
This field contains the username which was used by the user to authenticate to the remote server. Its value is the same as the gateway username when it is available. Otherwise, it will be filled with the server username.
|
Name: |
Name domain |
|
Search field: |
user.name_domain |
|
Type: |
string |
|
Displayed: |
True |
This field contains the domain of the username which was used by the user to authenticate to the remote server. Its value is the same as the gateway domain when it is available. Otherwise, it will be filled with the server domain.
|
Name: |
Server username |
|
Search field: |
user.server_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection.
|
Name: |
Server username domain |
|
Search field: |
user.server_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to log in to the remote server.
|
Name: |
Verdict |
|
Search field: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session. A session verdict that originates from log events or other external events.
Possible values:
ACCEPT: Accepted
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
PENDING: Connection is pending
TERMINATED: Connection terminated
|
Name: |
Channel is active |
|
Search field: |
channel.active |
|
Type: |
boolean |
|
Displayed: |
False |
True if the session has not ended yet.
|
Name: |
Application |
|
Search field: |
channel.application |
|
Type: |
string |
|
Displayed: |
False |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search field: |
channel.audit_stream_id |
|
Type: |
string |
|
Displayed: |
False |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search field: |
channel.channel_id |
|
Type: |
long |
|
Displayed: |
False |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search field: |
channel.client_x509_subject |
|
Type: |
string |
|
Displayed: |
False |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search field: |
channel.command |
|
Type: |
string |
|
Displayed: |
False |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search field: |
channel.connected.ip |
|
Type: |
ip |
|
Displayed: |
False |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search field: |
channel.connected.name |
|
Type: |
text |
|
Displayed: |
False |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search field: |
channel.connected.port |
|
Type: |
port |
|
Displayed: |
False |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search field: |
channel.device_name |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the shared device (redirect) used in the RDP connection.
|
Name: |
Channel duration |
|
Search field: |
channel.duration |
|
Type: |
long |
|
Displayed: |
False |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search field: |
channel.dynamic_channel |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the dynamic channel opened in the RDP session.
Used with the dynamic virtual RDP channel type.
|
Name: |
Channel end time |
|
Search field: |
channel.end_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Environment |
|
Search field: |
channel.environment |
|
Type: |
string |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search field: |
channel.four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
False |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search field: |
channel.four_eyes_description |
|
Type: |
string |
|
Displayed: |
False |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search field: |
channel.originator.ip |
|
Type: |
ip |
|
Displayed: |
False |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search field: |
channel.originator.name |
|
Type: |
text |
|
Displayed: |
False |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search field: |
channel.originator.port |
|
Type: |
port |
|
Displayed: |
False |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search field: |
channel.rule_num |
|
Type: |
string |
|
Displayed: |
False |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search field: |
channel.scp_path |
|
Type: |
string |
|
Displayed: |
False |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search field: |
channel.start_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search field: |
channel.subsystem_name |
|
Type: |
string |
|
Displayed: |
False |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search field: |
channel.type |
|
Type: |
enum |
|
Displayed: |
False |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
websocket: WebSocket
x11: X11 forward
|
Name: |
Channel verdict |
|
Search field: |
channel.verdict |
|
Type: |
enum |
|
Displayed: |
False |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Event Action |
|
Search field: |
event.action |
|
Type: |
string |
|
Displayed: |
False |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search field: |
event.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search field: |
event.content |
|
Type: |
string |
|
Displayed: |
False |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search field: |
event.details |
|
Type: |
string |
|
Displayed: |
False |
The details of the protocol used for the operation.
|
Name: |
Operation |
|
Search field: |
event.operation |
|
Type: |
string |
|
Displayed: |
False |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search field: |
event.path |
|
Type: |
string |
|
Displayed: |
False |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search field: |
event.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search field: |
event.response_code |
|
Type: |
long |
|
Displayed: |
False |
The status code of the protocol response (if any) returned.
|
Name: |
Event date |
|
Search field: |
event.time |
|
Type: |
date |
|
Displayed: |
False |
The date when the event happened.
|
Name: |
Event type |
|
Search field: |
event.type |
|
Type: |
string |
|
Displayed: |
False |
The type of the event, for example, command, screen_content, window_title.
|
Name: |
Alert type |
|
Search field: |
alert.alert_type |
|
Type: |
enum |
|
Displayed: |
False |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search field: |
alert.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search field: |
alert.matched_action |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search field: |
alert.matched_content |
|
Type: |
string |
|
Displayed: |
False |
The content the alert matched.
|
Name: |
Matched regexp |
|
Search field: |
alert.matched_regexp |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the content.
|
Name: |
Alert ID |
|
Search field: |
alert.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Rule name |
|
Search field: |
alert.rule_name |
|
Type: |
string |
|
Displayed: |
False |
The name of the content policy rule.
|
Name: |
Alert time |
|
Search field: |
alert.time |
|
Type: |
date |
|
Displayed: |
False |
The timestamp of the alert.
|
Name: |
From API |
|
Search field: |
trail_download.from_api |
|
Type: |
boolean |
|
Displayed: |
False |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search field: |
trail_download.id |
|
Type: |
string |
|
Displayed: |
False |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search field: |
trail_download.ip_address |
|
Type: |
ip |
|
Displayed: |
False |
The ip address from where the download is requested.
|
Name: |
Download time |
|
Search field: |
trail_download.time |
|
Type: |
date |
|
Displayed: |
False |
The exact time when the user downloaded the audit trail file.
|
Name: |
Downloader username |
|
Search field: |
trail_download.username |
|
Type: |
string |
|
Displayed: |
False |
The username that was used to download the audit trail of the session.
|
Name: |
Commands indexed |
|
Search field: |
indexer_info.config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search field: |
indexer_info.config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search field: |
indexer_info.config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search field: |
indexer_info.config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search field: |
indexer_info.config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search field: |
indexer_info.config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
False |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search field: |
indexer_info.config.ocr_languages |
|
Type: |
string |
|
Displayed: |
False |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search field: |
indexer_info.config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search field: |
indexer_info.config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
False |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search field: |
indexer_info.config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search field: |
indexer_info.error.message |
|
Type: |
string |
|
Displayed: |
False |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search field: |
indexer_info.statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
False |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search field: |
indexer_info.statistics.duration |
|
Type: |
long |
|
Displayed: |
False |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search field: |
indexer_info.statistics.start_time |
|
Type: |
date |
|
Displayed: |
False |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search field: |
indexer_info.status |
|
Type: |
string |
|
Displayed: |
False |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search field: |
indexer_info.version.adp |
|
Type: |
string |
|
Displayed: |
False |
The version of the audit data processor used for indexing the session
|
Name: |
Indexer version |
|
Search field: |
indexer_info.version.worker |
|
Type: |
string |
|
Displayed: |
False |
The version of the indexer worker used for indexing the session
|
Name: |
ZAC created |
|
Search field: |
indexer_info.config.zac.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if an Audit Content file was created while indexing the session.
|
Name: |
Screen content |
|
Search field: |
screen.content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search field: |
screen.channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
From API |
|
Search field: |
from_api |
|
Type: |
boolean |
|
Displayed: |
True |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search field: |
id |
|
Type: |
string |
|
Displayed: |
True |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search field: |
ip_address |
|
Type: |
ip |
|
Displayed: |
True |
The ip address from where the download is requested.
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy
