There are three major categories of messages that One Identity Safeguard for Privileged Sessions (SPS) forwards to the SIEM: content, meta, and score.
- Content messages represent events when SPS detects interesting textual content in the session, such as a command execution or a new window title.
- Meta messages represent events that change the session state and/or carry new information about a session.
- Score messages represent scoring events when SPS has calculated an initial score for the session, or updated the score for the session.
The following tables provide a summary of events for the different message types.
Content messages
Table 3: Summary of events for content messages
Event type ID | Event name | Description
--- | --- | ---
127084214 | CommandChannelEvent | Emitted when a command is detected in the session text.
911383355 | WindowTitleChannelEvent | Emitted when a window title is detected in a graphical session.
1127618380 | FileTransfer | Emitted when SCP file transfer is detected in the SSH protocol.
Meta messages
Table 4: Summary of events for meta messages
Event type ID | Event name | Description
--- | --- | ---
1843867026 | GatewayAuthenticationFailure | Emitted if gateway authentication is configured and the user failed to authenticate through the gateway.
1865245228 | ServerAuthenticationSuccess | Comes after the server authentication successfully happened.
1262825953 | ServerAuthenticationFailure | Emitted if the server authentication failed.
107115592 | ServerConnect | Comes after the server authentication successfully happened.
998298775 | RdpEmbeddedInTsg | Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario. This message will only contain the gateway_username optional field.
1639978560 | ServerNameResolved | Emitted when the server_name field was successfully resolved to an IP address. This message will only contain the server_address optional field.
449510124 | SessionClosed | Emitted when the session ends.
Score messages
Table 5: Summary of events for score messages
Event type ID | Event name | Description
--- | --- | ---
1991765353 | SessionScored | The message contains the aggregate score and one scoring algorithm name and score.
The messages are standard syslog messages in RFC3164 format (also called legacy-syslog or BSD-syslog format). The body of the syslog message (the MESSAGE part) can be formatted as one of:
- Common Event Format (CEF), based on the ArcSight CEF specification rev. 16, 22 July 2010
- JavaScript Object Notation (JSON)
- JSON-CIM format (available in SPS version 5.11 and later).
CEF (Common Event Format): the mapping to CEF will be described in terms of mapping from the JSON format to CEF. In CEF all relevant keys are present, but the value may be empty if it is not known.
Header
Each <...> placeholder is substituted with the actual value.
CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|
Extensions
CEF extensions that are always present:
app: string, equal to Application protocol
cs1: string, equal to session_id
cs1Label: string, equal to literal "Session ID"
dst: string, equal to Destination address
duser: string, equal to Destination username
dvc: string, equal to Device address
src: equal to Source address
start: equal to timestamp
suser: equal to Source username
For details on the exact messages and the fields they contain, see CEF messages.
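As an added example (not code from the One Identity documentation or the SPS product), the following Python parser splits an SPS CEF record into the header fields and extensions listed above, maps the event_type_id back to its base type using Tables 3-5, and checks that the always-present extensions are there. The sample syslog line, hosts, session id and SPS version are constructed.

```python
import re

# Event type ids from Tables 3-5 above, grouped by base type; the CEF form carries
# no base_type_name field, so the id is the only way to recover the category.
BASE_TYPE_BY_EVENT_ID = {
    127084214: "content", 911383355: "content", 1127618380: "content",
    1843867026: "meta", 1865245228: "meta", 1262825953: "meta", 107115592: "meta",
    998298775: "meta", 1639978560: "meta", 449510124: "meta", 1991765353: "score"}
# Extensions the page lists as always present in an SPS CEF message.
REQUIRED_EXTENSIONS = ("app", "cs1", "cs1Label", "dst", "duser", "dvc", "src", "start", "suser")
# Constructed sample record (not from the page): an RFC3164 syslog line carrying a
# CommandChannelEvent; the session id, hosts and SPS version are made up.
SAMPLE_LINE = (
    "<134>Jan 12 10:22:07 sps-host SPS: "
    "CEF:0|OneIdentity|SPS|6.0.0|127084214|CommandChannelEvent|3|"
    "app=SSH cs1=svc-rUhKAkqUpXeB3yFhbRhmmc cs1Label=Session ID dst=10.0.0.5 "
    "duser=root dvc=10.0.0.1 src=192.168.1.20 start=1547288527000 suser=alice")

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # header delimiter; '\|' is literal
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of an extension key

def _parse_extensions(ext: str) -> dict:
    """Key/value pairs; values may contain spaces (e.g. 'cs1Label=Session ID')."""
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # undo '\=' and '\\' escapes
    return out

def parse_sps_cef(line: str) -> dict:
    """Parse one SPS syslog line into its CEF header fields, extensions and base type."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in syslog line")
    parts = _UNESCAPED_PIPE.split(line[start:], maxsplit=7)  # 7 header fields + rest
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    event_id = int(parts[4])
    return {"vendor": parts[1], "product": parts[2], "sps_version": parts[3],
            "event_type_id": event_id, "event_name": parts[5].replace("\\|", "|"),
            "severity": int(parts[6]),
            "base_type_name": BASE_TYPE_BY_EVENT_ID.get(event_id, "unknown"),
            "extensions": _parse_extensions(parts[7])}

def missing_extensions(event: dict) -> list:
    """Always-present extensions absent from a parsed event; non-empty flags a bad record."""
    return [k for k in REQUIRED_EXTENSIONS if k not in event["extensions"]]
```

A non-empty result from missing_extensions on a live feed usually means the record was truncated or mangled by an intermediate relay rather than emitted that way by SPS, since the page states these keys are always present.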
JSON (JavaScript Object Notation): the generated JSON structure is flat and the keys in the JSON depend on what kind of event is described. Some keys are always present in all messages. There are also keys that are message type specific, but may be missing if the related information is not available.
Keys that are always present and filled:
base_type_name: string, specifies the main category of the message, one of "meta", "content" or "score".
client_address: string, the IP address of the client.
client_name: string, the client hostname or IP address if hostname is not known.
client_port: integer, the port number of the client.
connection_policy: string, the name of the Connection Policy related to the session.
event_type_id: integer, a unique number specifying the message type (primarily for CEF).
event_name: string, the name of the event type.
gateway_username: string, the authenticated gateway username if there was a successful gateway authentication.
protocol: string, the application-level protocol.
session_id: string, the unique identifier of the session.
severity: integer, 0-10, the score of the session divided by 10 at the time the message was created. The value is 0 if the score is not available.
timestamp: string, milliseconds since Unix epoch.
For details on the exact messages and the fields they contain, see JSON messages.