One Identity Safeguard for Privileged Sessions 6.9.3 - Administration Guide

SessionClosed due to content policy violation

Description of the message: Emitted when content policy with termination action enabled is violated

Example message:

{"verdict":"TERMINATED","timestamp":"1568640063579","severity":"0","session_id":"svc-9S9nqpGqdns6GAJxULWjHp-my_connection-53","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"45946","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","auth_method":"password","gateway_username":"gwtestauto"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 449510124

Description: the type of the message

Example: SessionClosed

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: the type of authentication used in gateway authentication

Example: password

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: TERMINATED

ChannelAlert triggered

Description of the message: Emitted when channel alert triggered by content policy

Example message:

{"event_type_id":"1244069864","event_name":"ChannelAlert","session_id":"svc-eyKp4M2pDBpbwHW4nCSe36-my_connection-14","severity":"0","timestamp":"1567509110329","server_username":"root", "gateway_username":"gwtestauto","server_name":"server.acme.com","server_address":"10.170.255.206","server_port":"22","client_name":"client.acme.com","client_address":"10.30.0.24","client_port":"56988","protocol":"SSH","connection_policy":"my_connection","base_type_name":"content_alert","alerting_type":"adp.event.command","matched_regexp":"sudo","matched_content":"sudo","rule_name":"PatternMatcherRule"}

The message contains the following fields.

Description: numeric identifier of message type

Example: 1244069864

Description: the type of the message

Example: ChannelAlert

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: basic message type: content_alert

Example: content_alert

Description: the type of the event triggering the alert e.g. Command, Full screen content

Example: Command

Description: the regexp matching the content that triggered the alert

Example: sudo

Description: the screen content violating channel policy

Example: $ sudo

Description: the rule triggering alert

Example: PatternMatcherRule

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 107115592

Description: the type of the message

Example: ServerConnect

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","server_username":"root","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 107115592

Description: the type of the message

Example: ServerConnect

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

{"timestamp":"1557913243423","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1865245228","event_name":"ServerAuthenticationSuccess","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 1865245228

Description: the type of the message

Example: ServerAuthenticationSuccess

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

{"timestamp":"1557913134598","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-33","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1262825953","event_name":"ServerAuthenticationFailure","connection_policy":"my_connection","client_port":"56692","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 1262825953

Description: the type of the message

Example: ServerAuthenticationFailure

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: contains the non authenticated server username

Example: root

Description: the non authenticated server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

{"timestamp":"1557913110027","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-31","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1843867026","event_name":"GatewayAuthenticationFailure","connection_policy":"my_connection","client_port":"56020","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 1843867026

Description: the type of the message

Example: GatewayAuthenticationFailure

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the non authenticated gateway username

Example: gwtestauto

Description: the non authenticated gateway user domain if known

Example: acme.com

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

{"timestamp":"1557912701233","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","auth_method":"password","verdict":"ACCEPT"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 449510124

Description: the type of the message

Example: SessionClosed

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: the type of authentication used in gateway authentication

Example: password

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: ACCEPT

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

{"timestamp":"1557912725391","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-9","protocol":"SSH","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47444","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","verdict":"AUTH_FAIL"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 449510124

Description: the type of the message

Example: SessionClosed

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

{"timestamp":"1557912748990","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-11","verdict":"AUTH_FAIL","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47840","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 449510124

Description: the type of the message

Example: SessionClosed

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

{"timestamp":"1558007294417","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"998298775","event_name":"RdpEmbeddedInTsg","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Description: basic message type: meta

Example: meta

Description: numeric identifier of message type

Example: 998298775

Description: the type of the message

Example: RdpEmbeddedInTsg

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the authenticated gateway username

Example: gwtestauto

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

{"timestamp":"1558009822701","severity":"7","session_id":"svc-62a6XGcPzaFvLYDhVYDYXj-my_connection-0","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1991765353","event_name":"SessionScored","connection_policy":"my_connection","client_port":"35620","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"score","algorithm_score":"18","algorithm_name":"keystroke","aggregated_score":"70"}

The message contains the following fields.

Description: basic message type: score

Example: score

Description: numeric identifier of message type

Example: 1991765353

Description: the type of the message

Example: SessionScored

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: the average score from all enabled analytics algorithms

Example: 50

Description: the name of the algorithm that changed value

Example: keystroke

Description: the new score value of the algorithm that changed value

Example: 60

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"timestamp":"1557912701166","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"127084214","event_name":"CommandChannelEvent","connection_policy":"my_connection","command":"exit","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Description: basic message type: content

Example: content

Description: numeric identifier of message type

Example: 127084214

Description: the type of the message

Example: CommandChannelEvent

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH

Description: SPS connection policy name

Example: my_connection

Description: the full command detected

Example: exit

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"window_title":"Shortcut Tools Application Tools Administrative Tools","timestamp":"1558007305516","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","server_username":"Administrator","server_port":"3389","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"911383355","event_name":"WindowTitleChannelEvent","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Description: basic message type: content

Example: content

Description: numeric identifier of message type

Example: 911383355

Description: the type of the message

Example: WindowTitleChannelEvent

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Description: the server username

Example: root

Description: the server domain, if known

Example: acme.com

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Description: the IP address of the server

Example: 10.170.255.206

Description: the port number on the server

Example: 22

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Description: the IP address of the client

Example: 10.30.0.24

Description: the port number on the client

Example: 38014

Description: SPS supported protocol

Example: SSH