One Identity Safeguard for Privileged Sessions 7.1.1 - Using Splunk with One Identity Safeguard for Privileged Sessions

Table of Contents

Introduction The Splunk Add-on

Event types

The Splunk App

Visualizing events and performing gap analysis with the Splunk App Macros and search expressions

Visualizing events and performing gap analysis with the Splunk App

The Splunk App > Visualizing events and performing gap analysis with the Splunk App

Prerequisites and restrictions

To visualize events from SPS, you must have your SPS configured to forward events to Splunk and the Splunk Add-on installed.
To use the gap analysis function, you must have the Splunk App and the Splunk Add-on for Microsoft Windows or the Splunk Add-on for Unix and Linux installed.

Installation

For information about the setup process, see The Splunk App.

Visualizing events using the One Identity Safeguard for Privileged Sessions dashboard

The One Identity Safeguard for Privileged Sessions dashboard visualizes data from SPS (including your events parsed and indexed by the Splunk Add-on and the metadata that the Splunk Add-on attaches to those events).

To access the One Identity Safeguard for Privileged Sessions dashboard

Login to the Splunk Enterprise online administration page.
Select One Identity Safeguard for Privileged Sessions under Apps.
Figure 1: The One Identity Safeguard for Privileged Sessions dashboard

The top filters bar allows you to configure your filters, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of audited sessions.

Under Time filter you can set a time interval in which you want to browse your data, and configure relevant settings. Under Refresh Rate you can specify a refresh rate (if you want to). To hide the Time filter and Refresh Rate items, click Hide Filters/Show Filters.

Below the filters bar, you see the details of logged sessions (such as SPS Session Count, the number of Critical Severity Sessions, and the number of High Severity Sessions) in the given time range.

The listed elements below SPS Session details show the audited sessions.

The One Identity Gap Report dashboard

The One Identity Gap Report dashboard allows you to use other sources of information about your audited hosts (for example, Microsoft Windows logs or Unix/Linux logs) as well as those originating from SPS to compare the two sources of information and see if all the necessary sessions are audited without audit gaps

To access the One Identity Gap Report dashboard

Login to the Splunk Enterprise online administration page.
Select One Identity Safeguard for Privileged Sessions under Apps.
Click One Identity Gap Report on the top tab bar to switch from the the One Identity Safeguard for Privileged Sessions dashboard.

Figure 2: The One Identity Gap Report dashboard

The top filters bar allows you to configure your filters and whether you want to visualize your RDP or your SSH sessions, the middle section shows an overview of logged sessions, and the lower section shows a more detailed list of unaudited sessions.

You can set a time interval in which you want to browse your data, and configure relevant settings under the Time filter. Under Refresh Rate you can specify a refresh rate (if you want to). The Run Panels option allows you to switch between RDP and SSH sessions. To hide the Time filterand Refresh Rate items, click the Hide Filters/Show Filters.

Below the filters bar, you see the number of audited sessions (under SPS RDP Login Count), and the number of logged sessions (under Windows Interactive Logins) in the given time range.

Under Gaps in RDP Login Events, a bar chart shows the proportion between audited and logged sessions, by day.

Under RDP Audit Gap Details, you can see the specific data (such as Time (for the audit gap date), the number of Audited Events, the number of Logged Events and the number of unaudited sessions, under Audit Gap), grouped by day.

Macros and search expressions

The Splunk App > Macros and search expressions

If you have the Splunk App installed on your Splunk, but want to build your own custom dashboard, you can use the event types and macros defined by the app. The events originating from SPS are CIM-compliant (specifically, they use the Network Sessions, the Network Traffic and the Intrusion Detection data models), so the field names will be familiar. For more information about Splunk's Search Tutorial, click here.

Macros

The table below lists macros defined by the Splunk App and their descriptions.

Macro name	Description
OI_SPS_events	Individual events coming from SPS
OI_SPS_sessions	Sessions audited by SPS (events correlated into full sessions)
OI_SPS_monitored_hosts	Hosts monitored by SPS
OI_SPS_scored_sessions	Sessions audited by SPS which have a score given by SPS analytics
OI_SSH_logins	All SSH sessions coming from SPS
OI_WIN_interactive_logins	All windows interactive logins audited by SPS

Useful search expressions for SPS-specific events

The macros listed in the Macros section can be used to narrow your search in Splunk for SPS-specific events. You can see a few useful search expressions below.

example_user was on server 1.2.3.4

`OI_SPS_events` tag=authentication dest_ip=1.2.3.4 user=example_user
List users logged onto server 1.2.3.4

`OI_SPS_events` tag=authentication dest_ip=1.2.3.4 | table user | uniq
Get ID of all sessions with rm command

`OI_SPS_events` eventtype=oneidentity_sps_command_channel_event command=rm | table session_id | uniq
Get ID of sessions with a score higher than 70

`OI_SPS_events` aggregated_score>70 | table session_id | uniq

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem