Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.3 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Message types forwarded to SIEMs

There are three major categories of messages that One Identity Safeguard for Privileged Sessions (SPS): forwards to the SIEM: content, meta, and score.

  • Content messages represents events when SPS detects interesting textual content in the session, such as a command execution or new window title.

  • Meta messages represent events that change the session state and/or carry new information about a session.

  • Score messages represent scoring events when SPS has calculated an initial score for the session, or updated the score for the session.

The following tables provide a summary of events for the different message types.

Content messages
Table 3: Summary of events for content messages
Event Id Event Name Description
127084214 CommandChannelEvent Emitted when a command is detected in the session text.
911383355 WindowTitleChannelEvent Emitted when a window title is detected in a graphical session.
1127618380 FileTransfer Emitted when SCP file transfer is detected in the SSH protocol.
Meta messages
Table 4: Summary of events for meta messages
Event Id Event Name Description
1843867026 GatewayAuthenticationFailure Emitted if gateway authentication is configured and the user failed to authenticate through the gateway.
1865245228 ServerAuthenticationSuccess Comes after the server authentication successfully happened.
1262825953 ServerAuthenticationFailure Emitted if the server authentication failed.
107115592 ServerConnect Comes after the server authentication successfully happened.
998298775 RdpEmbeddedInTsg Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario. This message will only contain the gateway_username optional field.
1639978560 ServerNameResolved Emitted when the server_name field was successfully resolved to an ip address. This message will only contain the server_address optional field.
449510124 SessionClosed Emitted when the session ends.
Score messages
Table 5: Summary of events for score messages
Event Id Event Name Description
1991765353 SessionScored The message contains the aggregate score and one scoring algorithm name and score.

Message format forwarded to SIEMs

The messages are standard syslog messages in RFC3164 format (also called legacy-syslog or BSD-syslog format). The body of the syslog message (the MESSAGE part) can be formatted as one of:

  • Common Event Format (CEF), based on the ArcSight CEF specification rev. 16, 22 July 2010

  • JavaScript Object Notation (JSON)

  • JSON-CIM format (available in SPS version 5.11 and later).

CEF

CEF (Common Event Format): the mapping to CEF will be described in terms of mapping from the JSON format to CEF. In CEF all relevant keys are present, but the value may be empty if it is not known.

Header

Here <...> is substituted with the actual values.

CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|

Extensions

CEF extensions that are always present:

app: string, equal to Application protocol

cs1: string, equal to session_id

cs1Label: string, equal to literal "Session ID"

dst: string, equal to Destination address

duser: string, equal to Destination username

dvc: string, equal to Device address

src: equal to Source address

start: equal to timestamp

suser: equal to Source username

For details on the exact messages and the fields they contain, see CEF messages.

JSON

JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. Some keys are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.

Keys that are always present and filled:

base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".

client_address: string, the IP address of the client.

client_name: string, the client hostname or IP address if hostname is not known.

client_port: integer, the port number of the client.

connection_policy: string, the name of the Connection Policy related to the session.

event_type_id: integer, a unique number specifying the message type (primarily for CEF).

event_name: string, the name of the event type.

gateway_username: string, the authenticated gateway username if there was a successful gateway authentication.

protocol: string, the application-level protocol.

session_id: string, the unique identifier of the session.

severity: integer, 0-10, the score of the session divided by 10 at the time of the message was created. The value is 0 if the score is not available.

timestamp: string, milliseconds since Unix epoch.

For details on the exact messages and the fields they contain, see JSON messages.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating