implement actions on collected analytics

I enabled the ‘Privileged Account Analytics’ function in SPS. I created the policy under ‘Policies --> Analytics Policies’. I assigned this policy on the two connections RDP and SSH. Since then, SPS collects information and displays a value alongside each session. The client asks us how we can take action based on the score or on certain observed behaviour. Can this be done? How can it be done? How can the score displayed on each session be used?

  • Hi Dario,

    The purpose of this feature is for SPS to provide data analysis on user behavior, but SPS itself does not take further actions based on that information, if that is what you meant.

    As per the Admin guide section here:

    Analyzing data using One Identity Safeguard for Privileged Analytics

    One Identity Safeguard for Privileged Sessions (SPS) integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/91#TOPIC-2157798

    Thanks!

  • Hello Tawfiq, nice to hear from you!

    Thank you for the details. Everything is clear. I actually meant whether it is possible to send any specific events or scores to a SIEM. E.g., they want to send to the SIEM if a score exceeds the threshold of 80, or if it is possible to send to a SIEM other types of events or scores. It is then the SIEM that will take action with alerts or notifications. I understand that the only thing SPS can do is to send events externally (through UNIVERSAL SIEM FW), but in relation to analytics, what events can be sent? Only an analytics score? Also, do I have to activate other functions on SPS, or is the baseline active from the moment I activate the ‘Privileged Account Analytics’ service and assign the policy to RDP and SSH connections? Does the score I see confirm that the baseline is correct and that the SPS service is indeed active?

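The division of labour Dario describes above, where SPS only forwards analytics events and the SIEM decides when a score above 80 warrants an alert, is illustrated by the following worked example. It is added here and is not code from the thread or from One Identity; the line format, field names, session ids and scores are constructed assumptions and do not represent the real output of the SPS universal SIEM forwarder, so `parse_event()` would need adapting to the fields your forwarder actually emits.

```python
"""SIEM-side threshold rule over constructed SPS-style analytics events.

The 'sps-analytics key=value ...' line shape used here is an assumption made
for this example, not the real syslog/CEF format of the SPS universal SIEM
forwarder. Adapt parse_event() to the field names your deployment emits.
"""
import re

# Constructed sample events (not captured from a real SPS). The same session
# id may appear more than once when a session is re-scored over its lifetime.
SAMPLE_LINES = [
    "sps-analytics session_id=svc-0001 protocol=SSH user=dario score=12",
    "sps-analytics session_id=svc-0002 protocol=RDP user=admin score=87",
    "sps-analytics session_id=svc-0003 protocol=SSH user=root score=80",
    "sps-analytics session_id=svc-0004 protocol=RDP user=backup score=95",
    "sps-analytics session_id=svc-0002 protocol=RDP user=admin score=91",
    "unrelated log line without analytics data",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return a dict of fields for an analytics line, or None for any other line.

    Lines without a numeric score are treated as non-analytics noise rather
    than raising, so one malformed event does not stop the rule.
    """
    if not line.startswith("sps-analytics "):
        return None
    fields = dict(KV_RE.findall(line))
    try:
        fields["score"] = int(fields["score"])
    except (KeyError, ValueError):
        return None
    if "session_id" not in fields:
        return None
    return fields


def analytics_alerts(lines, threshold=80, protocols=("RDP", "SSH")):
    """Return one alert per session whose score strictly exceeds the threshold.

    A session is alerted at most once: a later, higher score for the same
    session updates the stored alert instead of producing a duplicate, which
    is what an analyst wants when SPS re-scores a long-running session.
    Sessions on protocols outside `protocols` are ignored, matching the two
    connection policies (RDP and SSH) described in the question.
    """
    alerts = {}  # session_id -> alert record, in first-seen order
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("protocol") not in protocols:
            continue
        if ev["score"] <= threshold:
            continue
        sid = ev["session_id"]
        if sid not in alerts or ev["score"] > alerts[sid]["score"]:
            alerts[sid] = {
                "session_id": sid,
                "protocol": ev["protocol"],
                "user": ev.get("user", "unknown"),
                "score": ev["score"],
                "rule": f"analytics score > {threshold}",
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in analytics_alerts(SAMPLE_LINES):
        print(alert)
```

With the constructed input, only svc-0002 (final score 91) and svc-0004 (95) produce alerts; svc-0003 scores exactly 80 and is not reported, because the rule triggers only when the score exceeds the threshold. Lowering the threshold or extending the rule with other event kinds the forwarder exposes is a change to the SIEM rule, not to SPS, which is the point of the separation Dario asks about.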