立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 6.5.0 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS) The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Forwarding data to third-party systems Joining to One Identity Starling
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) RPC API The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Message types forwarded to SIEMs

There are three major categories of messages that One Identity Safeguard for Privileged Sessions (SPS): forwards to the SIEM: content, meta, and score.

  • Content messages represents events when SPS detects interesting textual content in the session, such as a command execution or new window title.

  • Meta messages represent events that change the session state and/or carry new information about a session.

  • Score messages represent scoring events when SPS has calculated an initial score for the session, or updated the score for the session.

The following tables provide a summary of events for the different message types.

Content messages
Table 3: Summary of events for content messages
Event Id Event Name Description
127084214 CommandChannelEvent Emitted when a command is detected in the session text.
911383355 WindowTitleChannelEvent Emitted when a window title is detected in a graphical session.
1127618380 FileTransfer Emitted when SCP file transfer is detected in the SSH protocol.
Meta messages
Table 4: Summary of events for meta messages
Event Id Event Name Description
1843867026 GatewayAuthenticationFailure Emitted if gateway authentication is configured and the user failed to authenticate through the gateway.
1865245228 ServerAuthenticationSuccess Comes after the server authentication successfully happened.
1262825953 ServerAuthenticationFailure Emitted if the server authentication failed.
107115592 ServerConnect Comes after the server authentication successfully happened.
998298775 RdpEmbeddedInTsg Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario. This message will only contain the gateway_username optional field.
1639978560 ServerNameResolved Emitted when the server_name field was successfully resolved to an ip address. This message will only contain the server_address optional field.
449510124 SessionClosed Emitted when the session ends.
Score messages
Table 5: Summary of events for score messages
Event Id Event Name Description
1991765353 SessionScored The message contains the aggregate score and one scoring algorithm name and score.

Message format forwarded to SIEMs

The messages are standard syslog messages in RFC3164 format (also called legacy-syslog or BSD-syslog format). The body of the syslog message (the MESSAGE part) can be formatted as one of:

  • Common Event Format (CEF), based on the ArcSight CEF specification rev. 16, 22 July 2010

  • JavaScript Object Notation (JSON)

  • JSON-CIM format (available in SPS version 5.11 and later).

CEF

CEF (Common Event Format): the mapping to CEF will be described in terms of mapping from the JSON format to CEF. In CEF all relevant keys are present, but the value may be empty if it is not known.

Header

Here <...> is substituted with the actual values.

CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|

Extensions

CEF extensions that are always present:

app: string, equal to Application protocol

cs1: string, equal to session_id

cs1Label: string, equal to literal "Session ID"

dst: string, equal to Destination address

duser: string, equal to Destination username

dvc: string, equal to Device address

src: equal to Source address

start: equal to timestamp

suser: equal to Source username

For details on the exact messages and the fields they contain, see CEF messages.

JSON

JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. Some keys are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.

Keys that are always present and filled:

base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".

client_address: string, the IP address of the client.

client_name: string, the client hostname or IP address if hostname is not known.

client_port: integer, the port number of the client.

connection_policy: string, the name of the Connection Policy related to the session.

event_type_id: integer, a unique number specifying the message type (primarily for CEF).

event_name: string, the name of the event type.

gateway_username: string, the authenticated gateway username if there was a successful gateway authentication.

protocol: string, the application-level protocol.

session_id: string, the unique identifier of the session.

severity: integer, 0-10, the score of the session divided by 10 at the time of the message was created. The value is 0 if the score is not available.

timestamp: string, milliseconds since Unix epoch.

For details on the exact messages and the fields they contain, see JSON messages.

相关文档