One Identity SPS Session logs
Overview
One Identity Safeguard for Privileged Sessions (SPS) is a core module of the One Identity Safeguard suite that focuses on securing, monitoring, and auditing privileged access to critical systems. It acts as a transparent gateway between administrators and target systems, enabling organizations to control who accesses sensitive resources, record all activity, and detect suspicious behavior in real time.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: One Identity
- Supported environment: On prem
- Version compatibility: 7.4 and later
- Detection based on: Telemetry
- Supported application or feature: Authentication logs
Configure
This setup guide will show you how to forward your One Identity SPS logs to Sekoia.io.
Prerequisites
- Have an internal log concentrator (e.g., Sekoia.io forwarder, Rsyslog, Syslog-NG, etc.) to receive the logs from One Identity SPS and forward them to Sekoia.io.
Create the intake
Go to the intake page and create a new intake from the format One Identity SPS.
Configure One Identity SPS to forward logs
- Log in to the One Identity Safeguard for Privileged Sessions console.
- Go to
Basic Settings>Management.
- Click the
Universal SIEM Forwardingpanel to expand it.
- Select the
Enablecheckbox.
- Click
+to add a new SIEM destination.
- Name the destination (e.g.,
Sekoia.io). - In the
Addressfield, enter the IP address or hostname of your internal log concentrator. - In the
Portfield, enter the port number for the intake. - Select
CEFas theFormat. - Click
Committo apply the changes.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
CEF:0|OneIdentity|SPS|7.5.1|1244069864|ChannelAlert|0|app=SSH cs1=svc-ikzEJTCD9WXej8SrJHuZNd-XXX_SSH_2_XXXX-951933 cs1Label=Session ID cs2=Commands cs2Label=Event type cs3=psql cs3Label=Matched regexp dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 reason=PatternMatcherRule src=1.2.3.4 start=1752740243075 suser=jane.doe
CEF:0|OneIdentity|SPS|7.5.1|1127618380|FileTransfer|0|act=MKDIR app=SSH cs1=svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304 cs1Label=Session ID dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 filePath= fname=/PRODX/SLX/home/john.doe/.workbenchIntermediateFiles/f492e816-ddd6-449f-a1e6-fd6f8679e496 src=1.2.3.4 start=1752740336329 suser=jane.doe
CEF:0|OneIdentity|SPS|7.5.1|1865245228|ServerAuthenticationSuccess|0|app=SSH cs1=svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304 cs1Label=Session ID dhost=destinationhost01.test.com dpt=22 dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 shost=sourcehost01.test.com spt=53877 src=1.2.3.4 start=1752740334167 suser=jane.doe
CEF:0|OneIdentity|SPS|7.5.1|911383355|WindowTitleChannelEvent|0|app=RDP cs1=svc-px83DC1jtpyP1s8njff9in-XXX_RDP_2_XXXX-67752-1 cs1Label=Session ID cs2=mRemoteNG - confCons.xml - cnp69prodpxxpp cs2Label=Window title dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 src=1.2.3.4 start=1752732603233 suser=jane.doe
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules was found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Application logs |
One identity audit log provides logs about activity done on the application |
Authentication logs |
One identity audit log provides logs about authentication |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "CEF:0|OneIdentity|SPS|7.5.1|1244069864|ChannelAlert|0|app=SSH cs1=svc-ikzEJTCD9WXej8SrJHuZNd-XXX_SSH_2_XXXX-951933 cs1Label=Session ID cs2=Commands cs2Label=Event type cs3=psql cs3Label=Matched regexp dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 reason=PatternMatcherRule src=1.2.3.4 start=1752740243075 suser=jane.doe",
"event": {
"action": "ChannelAlert",
"reason": "PatternMatcherRule"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"user": {
"name": "john.doe"
}
},
"host": {
"ip": "3.4.5.6"
},
"network": {
"protocol": "SSH"
},
"observer": {
"product": "SPS",
"version": "7.5.1"
},
"oneidentity": {
"session": {
"id": "svc-ikzEJTCD9WXej8SrJHuZNd-XXX_SSH_2_XXXX-951933"
}
},
"related": {
"ip": [
"1.2.3.4",
"3.4.5.6",
"5.6.7.8"
],
"user": [
"jane.doe",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"user": {
"name": "jane.doe"
}
}
}
{
"message": "CEF:0|OneIdentity|SPS|7.5.1|1127618380|FileTransfer|0|act=MKDIR app=SSH cs1=svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304 cs1Label=Session ID dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 filePath= fname=/PRODX/SLX/home/john.doe/.workbenchIntermediateFiles/f492e816-ddd6-449f-a1e6-fd6f8679e496 src=1.2.3.4 start=1752740336329 suser=jane.doe",
"event": {
"action": "FileTransfer"
},
"action": {
"name": "MKDIR"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"user": {
"name": "john.doe"
}
},
"file": {
"name": "f492e816-ddd6-449f-a1e6-fd6f8679e496",
"path": "/PRODX/SLX/home/john.doe/.workbenchIntermediateFiles"
},
"host": {
"ip": "3.4.5.6"
},
"network": {
"protocol": "SSH"
},
"observer": {
"product": "SPS",
"version": "7.5.1"
},
"oneidentity": {
"session": {
"id": "svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304"
}
},
"related": {
"ip": [
"1.2.3.4",
"3.4.5.6",
"5.6.7.8"
],
"user": [
"jane.doe",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"user": {
"name": "jane.doe"
}
}
}
{
"message": "CEF:0|OneIdentity|SPS|7.5.1|1865245228|ServerAuthenticationSuccess|0|app=SSH cs1=svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304 cs1Label=Session ID dhost=destinationhost01.test.com dpt=22 dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 shost=sourcehost01.test.com spt=53877 src=1.2.3.4 start=1752740334167 suser=jane.doe",
"event": {
"action": "ServerAuthenticationSuccess"
},
"destination": {
"address": "destinationhost01.test.com",
"domain": "destinationhost01.test.com",
"ip": "5.6.7.8",
"port": 22,
"registered_domain": "test.com",
"subdomain": "destinationhost01",
"top_level_domain": "com",
"user": {
"name": "john.doe"
}
},
"host": {
"ip": "3.4.5.6"
},
"network": {
"protocol": "SSH"
},
"observer": {
"product": "SPS",
"version": "7.5.1"
},
"oneidentity": {
"session": {
"id": "svc-ikzEJTCD9WXej7SrJHuZNd-XXX_SSH_XXXX_2_CNP69-65304"
}
},
"related": {
"hosts": [
"destinationhost01.test.com",
"sourcehost01.test.com"
],
"ip": [
"1.2.3.4",
"3.4.5.6",
"5.6.7.8"
],
"user": [
"jane.doe",
"john.doe"
]
},
"source": {
"address": "sourcehost01.test.com",
"domain": "sourcehost01.test.com",
"ip": "1.2.3.4",
"port": 53877,
"registered_domain": "test.com",
"subdomain": "sourcehost01",
"top_level_domain": "com",
"user": {
"name": "jane.doe"
}
}
}
{
"message": "CEF:0|OneIdentity|SPS|7.5.1|911383355|WindowTitleChannelEvent|0|app=RDP cs1=svc-px83DC1jtpyP1s8njff9in-XXX_RDP_2_XXXX-67752-1 cs1Label=Session ID cs2=mRemoteNG - confCons.xml - cnp69prodpxxpp cs2Label=Window title dst=5.6.7.8 duser=john.doe dvc=3.4.5.6 src=1.2.3.4 start=1752732603233 suser=jane.doe",
"event": {
"action": "WindowTitleChannelEvent"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"user": {
"name": "john.doe"
}
},
"host": {
"ip": "3.4.5.6"
},
"network": {
"protocol": "RDP"
},
"observer": {
"product": "SPS",
"version": "7.5.1"
},
"oneidentity": {
"session": {
"id": "svc-px83DC1jtpyP1s8njff9in-XXX_RDP_2_XXXX-67752-1"
},
"window": {
"title": "mRemoteNG - confCons.xml - cnp69prodpxxpp"
}
},
"related": {
"ip": [
"1.2.3.4",
"3.4.5.6",
"5.6.7.8"
],
"user": [
"jane.doe",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"user": {
"name": "jane.doe"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
destination.domain |
keyword |
The domain name of the destination. |
destination.ip |
ip |
IP address of the destination. |
destination.port |
long |
Port of the destination. |
destination.user.name |
keyword |
Short name or login of the user. |
event.action |
keyword |
The action captured by the event. |
event.reason |
keyword |
Reason why this event happened, according to the source |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.path |
keyword |
Full path to the file, including the file name. |
host.ip |
ip |
Host ip addresses. |
host.name |
keyword |
Name of the host. |
network.protocol |
keyword |
Application protocol name. |
observer.product |
keyword |
The product name of the observer. |
observer.version |
keyword |
Observer version. |
oneidentity.session.id |
keyword |
The id of the current session |
oneidentity.window.title |
keyword |
The title of the window |
process.command_line |
wildcard |
Full command line that started the process. |
source.domain |
keyword |
The domain name of the source. |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
source.user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.