implement actions on collected analytics

I enabled the ‘Privileged Account Analytics’ function in SPS. I created the policy under ‘Policies --> Analytics Policies’. I assigned this policy to the two connections, RDP and SSH. Since then, SPS collects information and displays a value alongside each session. The client asks us how we can take action based on the score or on certain observed behaviour. Can this be done? How can it be done? How can the score displayed on each session be used?

  • Hi Dario,

    The purpose of this feature is for SPS to provide data analysis on user behavior, but SPS itself does not take further actions based on that information, if that is what you meant.

    As per Admin guide section here:

    Analyzing data using One Identity Safeguard for Privileged Analytics

    One Identity Safeguard for Privileged Sessions (SPS) integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/91#TOPIC-2157798

    Thanks!

  • Hello Tawfiq, nice to hear from you!

    Thank you for the details. Everything is clear. I actually meant whether it is possible to send any specific events or scores to a SIEM. E.g. they want to send to the SIEM if a score exceeds the threshold of 80, or if it is possible to send to a SIEM other types of events or scores. It is then the SIEM that will take action with alerts or notifications. I understand that the only thing SPS can do is to send events externally (through UNIVERSAL SIEM FW), but in relation to analytics, what events can be sent? Only an analytics score? Also, do I have to activate other functions on SPS, or is the baseline active from the moment I activate the ‘Privileged Account Analytics’ service and assign the policy to rdp and ssh connections? Does the score I see confirm that the baseline is correct and that the SPS service is indeed active?

  • Hi Dario,

    Message types sent to SIEM include:

    - Content messages:
    Content messages represent events when SPS detects interesting textual content in the session, such as a command execution or a new window title.

    - Meta messages:
    Meta messages represent events that change the session state and/or carry new information about a session.

    - Score messages:
    Score messages represent scoring events when SPS has calculated an initial score for the session, or updated the score for the session.

    Reference:
    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/30#TOPIC-2157554

    For Analytics, you are correct, only the score is included.

    Example CEF format:

    CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|

    Severity: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

    If you are already seeing the analytics data in SPS when searching the audit trails, that means that Analytics is active and working correctly.

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/92#TOPIC-2157800

    Thanks!
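
As an added example (not code from the thread or from One Identity's documentation), here is how a SIEM-side rule could turn the CEF header described above into the "score exceeds 80" alert Dario asked about. It assumes standard CEF pipe escaping (`\|`) in header fields, uses constructed sample records whose event ids, names and extension keys are placeholders rather than documented SPS values, and reconstructs the score as severity × 10, which is the only precision the header carries.

```python
# Added example: a SIEM-side threshold rule over SPS CEF messages. Header
# order follows the CEF line quoted above; ids/names below are placeholders.
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "event_type_id", "event_name", "severity")

SAMPLE_LINES = [  # constructed sample records, not real SPS output
    "CEF:0|OneIdentity|SPS|7.5|EXAMPLE_SCORE_ID|score updated|9|suser=alice app=rdp",
    "CEF:0|OneIdentity|SPS|7.5|EXAMPLE_SCORE_ID|score updated|6|suser=bob app=ssh",
    "CEF:0|OneIdentity|SPS|7.5|EXAMPLE_META_ID|session closed|0|suser=carol app=ssh",
]


def split_cef_header(line):
    """Return (header dict, extension string) for one CEF record.
    CEF escapes a literal pipe in a header field as \\| and a backslash as
    \\\\, so a plain str.split('|') mis-parses names containing pipes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    body, fields, buf, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])  # unescape \| and \\
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return dict(zip(HEADER_FIELDS, fields)), body[i:]


def score_alert(line, threshold=80):
    """Alert when the analytics score carried by an SPS message reaches
    `threshold`. SPS sets severity = aggregated score / 10 (0 if analytics
    is disabled), so the SIEM sees the score only to the nearest 10: a
    threshold of 80 fires from severity 8 upward and cannot tell 80 from 89."""
    header, extension = split_cef_header(line)
    if header["vendor"] != "OneIdentity" or header["product"] != "SPS":
        return None  # CEF traffic from some other device
    severity = int(header["severity"])
    if not 0 <= severity <= 10:
        raise ValueError("severity outside the 0-10 range SPS emits")
    score = severity * 10
    if score < threshold:
        return None
    return {"score": score, "event": header["event_name"], "extension": extension}
```

Because the header only carries the score divided by 10, a finer threshold than a multiple of 10 cannot be enforced on the SIEM side from the CEF severity alone.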
