implement actions on collected analytics

Hi Dario,

The purpose for this feature is for SPS to provide data analysis on the user behavior but SPS itself is not taking further actions based on that information if that is what you meant.

As per Admin guide section here:

Analyzing data using One Identity Safeguard for Privileged Analytics

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/91#TOPIC-2157798

Thanks!

Hello Tawfiq nice to hear you!

thank you for the details. Everything is clear. I actually meant whether it is possible to send any specific events or scores to a SIEM. E.g. they want to send to the SIEM if a score exceeds the threshold of 80 or if it is possible to send to a SIEM other types of events or scores. It is then the SIEM that will take action with alerts or notifications.I understand that the only thing SPS can do is to send events externally (through UNIVERSAL SIEM FW), but in relation to analytics, what events can be sent? Only an analytics score? Also, do I have to activate other functions on SPS or is the baseline active from the moment I activate the ‘Privileged Account Analytics’ service and assign the policy to rdp and ssh connections? Does the score I see confirm that the baseline is correct and that the SPS service is indeed active?

Hi Dario,

Message types sent to SIEM include:

- Content messages:
Content messages represents events when SPS detects interesting textual content in the session, such as a command execution or new window title.

- Meta messages:
Meta messages represent events that change the session state and/or carry new information about a session.

- Score messages:
Score messages represent scoring events when SPS has calculated an initial score for the session, or updated the score for the session.

Reference:
https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/30#TOPIC-2157554

For Analytics, you are correct, only the score is included.

Example CEF format:

CEF:0|OneIdentity|SPS|<SPS_version>|<event_type_id>|<event_name>|<severity>|

Severity: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

If you are already seeing the analytics data in SPS when searching the audit trails that means that Analytics is active and working correct.

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/administration-guide/92#TOPIC-2157800

Thanks!

ok Tawfiq thank you very much 

Last question: which is the difference between USE and TRUST in the algorythms that i can select?

thank you!

ok Tawfiq thank you very much 

Last question: which is the difference between USE and TRUST in the algorythms that i can select?

thank you!

Hi Dario,

Configure analytics

For each algorithm, select one of the following values:

• Disable: Select this value if you do not want to use a particular algorithm
  
  
• Use: Select this value if you want to use a particular algorithm.
  
  
• Trust: Select this value if you want to use a particular algorithm, and wish to include in the final aggregated score all the scores given by this algorithm.
  
  
  • Remember that during score aggregation, the lowest and highest scores are removed. You can choose to override this principle by selecting Trust for those algorithms that you wish to have a bigger weight in the final, aggregated, single score.

Referenced from the SPA configuration guide section here:
https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.5/safeguard-for-privileged-analytics-configuration-guide/2#TOPIC-2158334

In summary, Trust will include more data (all the scores) and Use will remove the lowest and highest scores for that particular algorithm.

Thanks!