
PAM logs for Saviynt SIEM integration

Diwakar
Regular Contributor

We have followed the document below to integrate Saviynt with Sentinel to fetch all audit logs for Saviynt; however, the analytics query mentioned in the document is not fetching the PAM-related audit data.

Saviynt SIEM Integration (saviyntcloud.com)

Can you please suggest a single analytics control that will fetch both Saviynt and PAM-related logging data? From the PAM side we need to capture complete details about privileged sessions, privileged requests and servers which were onboarded as endpoints.


sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

We are checking internally whether it is possible or not; we will confirm shortly.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Saathvik
All-Star

@Diwakar : For PAM-related analytics please refer to the doc: CPAM-SIEM-Integration.htm


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Diwakar
Regular Contributor

@Saathvik I went through the links; however, they did not provide the query for how to fetch the audit data for PAM sessions requested. We need the audit data for PAM sessions requested by individual users, like we are getting for IGA via the Saviynt SIEM integration: Saviynt SIEM Integration (saviyntcloud.com)

Could you please help me with the similar analytics control to get all PAM sessions audit data?

Thanks,

Diwakar.

Diwakar
Regular Contributor

Hi Team,

Can you please provide an update on the above query?

Thanks,

Diwakar

Hello @Diwakar,

There are 31 out-of-the-box analytic controls for PAM, and you can find the list by navigating to Admin -> Sav Roles -> ROLE_SAV_PAMOWNER and selecting the "Analytics" tab. If you search here for the name "session", you will see 5 analytic controls (screenshot below). You can use these analytic controls as a reference to create any other custom controls.

[screenshot: sudeshjaiswal_0-1713278144524.png]


Thanks


@sudeshjaiswal I tried, but it's not giving me the correct output for currently active privileged sessions. Below is the query I used to find active JIT sessions.

SELECT accts.name           AS 'Privileged_ID',
       sld.LAUNCH_START_DATE,
       sld.SOURCE_IP_ADDR,
       eps.DISPLAYNAME      AS 'ENDPOINT_NAME',
       eps.CUSTOMPROPERTY16 AS 'PLATFORM',
       ect.CONNECTIONTYPE,
       eps.CUSTOMPROPERTY17 AS 'PROJECT/ACCOUNT',
       eps.CUSTOMPROPERTY10 AS 'REGION',
       eps.CUSTOMPROPERTY9  AS 'IP/DNS'
FROM   session_launch_detail sld
       INNER JOIN ffid_sessions ffs
               ON ffs.FFID_SESSIONKEY = sld.SESSIONID
       INNER JOIN accounts accts
               ON accts.ACCOUNTKEY = ffs.ACCOUNT_KEY
       INNER JOIN securitysystems ssys
               ON ssys.SYSTEMKEY = accts.SYSTEMID
       INNER JOIN externalconnection AS exc1
               ON exc1.EXTERNALCONNECTIONKEY = ssys.EXTERNALCONNECTION
       INNER JOIN externalconnectiontype AS ect
               ON ect.EXTERNALCONNECTIONTYPEKEY = exc1.EXTERNALCONNECTIONTYPE
       INNER JOIN endpoints eps
               ON eps.ENDPOINTKEY = accts.ENDPOINTKEY
WHERE  sld.LAUNCH_END_DATE IS NOT NULL;

Diwakar
Regular Contributor

@sudeshjaiswal @Saathvik Can you please provide an update here? We need analytics data for SIEM integration for CPAM, like past sessions, current sessions, which servers are accessed and all details related to CPAM.

Thanks,

Diwakar.

Hello @Diwakar,

Please use the below query:

SELECT accts.NAME           AS 'Privileged_ID',
       sld.launch_start_date,
       sld.source_ip_addr   AS 'IP_ADDR',
       sld.launch_end_date,
       ffs.status,
       eps.displayname      AS 'ENDPOINT_NAME',
       eps.customproperty16 AS 'PLATFORM',
       ect.connectiontype,
       eps.customproperty17 AS 'PROJECT/ACCOUNT',
       eps.customproperty10 AS 'REGION',
       eps.customproperty9  AS 'IP/DNS'
FROM   session_launch_detail sld
       INNER JOIN ffid_sessions ffs
               ON ffs.ffid_sessionkey = sld.sessionid
       INNER JOIN accounts accts
               ON accts.accountkey = ffs.account_key
       INNER JOIN securitysystems ssys
               ON ssys.systemkey = accts.systemid
       INNER JOIN externalconnection AS exc1
               ON exc1.externalconnectionkey = ssys.externalconnection
       INNER JOIN externalconnectiontype AS ect
               ON ect.externalconnectiontypekey = exc1.externalconnectiontype
       INNER JOIN endpoints eps
               ON eps.endpointkey = accts.endpointkey
WHERE  sld.launch_end_date IS NULL; 


Note: 

 SESSION_STATUS_NEW=  1
 SESSION_STATUS_ACTIVE=  2
 SESSION_STATUS_PAST=  3

 Thanks


Diwakar
Regular Contributor

@sudeshjaiswal I ran the query; however, we are getting the below error.

[screenshot: Diwakar_0-1717575600650.png]

However, when I removed the ffs.status column, the query works, but it's not giving the right output. The expectation is to get currently active PAM session details. Please suggest accordingly.

Hello @Diwakar 

SELECT accts.NAME           AS 'Privileged_ID',
       sld.launch_start_date,
       sld.source_ip_addr   AS 'IP_ADDR',
       sld.launch_end_date,
       eps.displayname      AS 'ENDPOINT_NAME',
       eps.customproperty16 AS 'PLATFORM',
       ect.connectiontype,
       eps.customproperty17 AS 'PROJECT/ACCOUNT',
       eps.customproperty10 AS 'REGION',
       eps.customproperty9  AS 'IP/DNS'
FROM   session_launch_detail sld
       INNER JOIN ffid_sessions ffs
               ON ffs.ffid_sessionkey = sld.sessionid
       INNER JOIN accounts accts
               ON accts.accountkey = ffs.account_key
       INNER JOIN securitysystems ssys
               ON ssys.systemkey = accts.systemid
       INNER JOIN externalconnection AS exc1
               ON exc1.externalconnectionkey = ssys.externalconnection
       INNER JOIN externalconnectiontype AS ect
               ON ect.externalconnectiontypekey = exc1.externalconnectiontype
       INNER JOIN endpoints eps
               ON eps.endpointkey = accts.endpointkey
WHERE  sld.launch_end_date IS NULL and ffs.status='2'; 

The above query will only provide output for active sessions.

Thanks.



Diwakar
Regular Contributor

@sudeshjaiswal Thanks a lot, but I am not able to see the active sessions. Please see the below output.

[screenshot: Diwakar_0-1717578387961.png]

As you can see, we have one active session:

[screenshot: Diwakar_1-1717578489415.png]


Hello @Diwakar ,

Please use an alias on status; it will only show active sessions.

SELECT accts.NAME           AS 'Privileged_ID',
       sld.launch_start_date,
       sld.source_ip_addr   AS 'IP_ADDR',
       sld.launch_end_date,
       ffs.status           AS status_of_session,
       eps.displayname      AS 'ENDPOINT_NAME',
       eps.customproperty16 AS 'PLATFORM',
       ect.connectiontype,
       eps.customproperty17 AS 'PROJECT/ACCOUNT',
       eps.customproperty10 AS 'REGION',
       eps.customproperty9  AS 'IP/DNS'
FROM   session_launch_detail sld
       INNER JOIN ffid_sessions ffs
               ON ffs.ffid_sessionkey = sld.sessionid
       INNER JOIN accounts accts
               ON accts.accountkey = ffs.account_key
       INNER JOIN securitysystems ssys
               ON ssys.systemkey = accts.systemid
       INNER JOIN externalconnection AS exc1
               ON exc1.externalconnectionkey = ssys.externalconnection
       INNER JOIN externalconnectiontype AS ect
               ON ect.externalconnectiontypekey = exc1.externalconnectiontype
       INNER JOIN endpoints eps
               ON eps.endpointkey = accts.endpointkey
WHERE  sld.launch_end_date IS NULL and ffs.status='2'; 

 Thanks.


Diwakar
Regular Contributor

@sudeshjaiswal Thanks again for your suggestions. Unfortunately, I tried to put the alias as well, but it's still not giving me any output. I even tried with an endpoint filter; however, the output is not as per expectation.

SELECT accts.NAME           AS 'Privileged_ID',
       sld.launch_start_date,
       sld.source_ip_addr   AS 'IP_ADDR',
       sld.launch_end_date,
       ffs.status           AS status_of_session,
       eps.displayname      AS 'ENDPOINT_NAME',
       eps.customproperty16 AS 'PLATFORM',
       ect.connectiontype,
       eps.customproperty17 AS 'PROJECT/ACCOUNT',
       eps.customproperty10 AS 'REGION',
       eps.customproperty9  AS 'IP/DNS'
FROM   session_launch_detail sld
       INNER JOIN ffid_sessions ffs
               ON ffs.ffid_sessionkey = sld.sessionid
       INNER JOIN accounts accts
               ON accts.accountkey = ffs.account_key
       INNER JOIN securitysystems ssys
               ON ssys.systemkey = accts.systemid
       INNER JOIN externalconnection AS exc1
               ON exc1.externalconnectionkey = ssys.externalconnection
       INNER JOIN externalconnectiontype AS ect
               ON ect.externalconnectiontypekey = exc1.externalconnectiontype
       INNER JOIN endpoints eps
               ON eps.endpointkey = accts.endpointkey
WHERE  eps.displayname = 'SR31305.ad.*****.com';

Please suggest next steps, or can we have a short call to fix this?

Thanks,

Diwakar.

Diwakar
Regular Contributor

@sudeshjaiswal Can you please provide an update on whether we can fix this query to get the required data for PAM sessions?

Diwakar
Regular Contributor

@sudeshjaiswal Thanks for the session. As discussed, I have shared the case details with you through a private message; please check with your engineering team and update us with the outcome.

Thanks,

Diwakar.

Hello @Diwakar,

Please try with the below query:

SELECT u.username,
       u.displayname,
       ffs.status,
       ep.endpointname      AS Hostname,
       ep.customproperty9   AS IP_Address,
       ep.customproperty16  AS Operation_System,
       ffs.request_start_date,
       ffs.request_end_date,
       ffs.request_access_key,
       CASE
           WHEN ffs.status = 1 THEN 'NEW'
           WHEN ffs.status = 2 THEN 'ACTIVE'
           WHEN ffs.status = 3 THEN 'ENDED'
       END                  AS Session_Status
FROM   ffid_sessions ffs
       LEFT JOIN users u
              ON u.userkey = ffs.requested_by
       LEFT JOIN endpoints ep
              ON ep.endpointkey = ffs.endpoint_key
WHERE  ffs.request_end_date >= curdate()
  AND  ffs.status = 2;


Thanks.


Diwakar
Regular Contributor

@sudeshjaiswal Thanks for the query. With this query we are not getting the older active session, but that's because you used the end-date condition, which does not explain why we are seeing an active session when it's actually not there in CPAM.

This will create ambiguity when we extract the data for all statuses. Please help to clarify.

Hello @Diwakar,

It's possible that the revoke task hasn't completed yet or has errored out, which is why those requests are still appearing under active sessions.
The end date check is correct; we perform this check when displaying active sessions on the ARS page.

Thanks.

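As an added example (not code from this thread or from Saviynt's documentation), the query below pulls together the two points discussed above: the active-session filter on ffs.status and sld.launch_end_date, and the ambiguity of requests that still carry status 2 after their approved window has ended. Instead of filtering to one status, it exports every request with the status code decoded (1 = NEW, 2 = ACTIVE, 3 = PAST, per the note earlier in the thread) and adds two flags a SIEM rule can key on: a request that is still ACTIVE although request_end_date has passed, and a request that is still ACTIVE although its launched connection already has a launch_end_date. It assumes MySQL syntax, since the thread's own queries use curdate(), and uses only the tables and columns that appear in the queries posted above; the one-day lookback in the WHERE clause is a hypothetical parameter to be replaced by the analytics schedule's interval. session_launch_detail is LEFT JOINed so that NEW requests with no launch yet still appear; where a request was launched more than once, one row per launch is returned.

```sql
-- Added example (not from the thread or Saviynt docs). Assumes MySQL syntax and
-- only the ffid_sessions / session_launch_detail / users / accounts / endpoints
-- columns that appear in the queries posted in this thread.
SELECT
    ffs.ffid_sessionkey        AS session_key,
    u.username                 AS requested_by,
    accts.name                 AS privileged_id,
    ep.endpointname            AS hostname,
    ep.customproperty9         AS ip_dns,
    ep.customproperty16        AS platform,
    ffs.request_start_date,
    ffs.request_end_date,
    sld.launch_start_date,
    sld.launch_end_date,
    sld.source_ip_addr,
    ffs.status                 AS status_code,
    -- decode the status codes listed earlier in the thread
    CASE ffs.status
        WHEN 1 THEN 'NEW'
        WHEN 2 THEN 'ACTIVE'
        WHEN 3 THEN 'PAST'
        ELSE CONCAT('UNKNOWN_', ffs.status)
    END                        AS status_name,
    -- still ACTIVE although the approved window has elapsed: the revoke task
    -- may be pending or errored, so treat these as "stale active" in the SIEM
    CASE
        WHEN ffs.status = 2 AND ffs.request_end_date < NOW() THEN 1
        ELSE 0
    END                        AS stale_active_flag,
    -- still ACTIVE although the launched connection itself has already ended
    CASE
        WHEN ffs.status = 2 AND sld.launch_end_date IS NOT NULL THEN 1
        ELSE 0
    END                        AS ended_launch_flag
FROM ffid_sessions ffs
LEFT JOIN users u
       ON u.userkey = ffs.requested_by
LEFT JOIN accounts accts
       ON accts.accountkey = ffs.account_key
LEFT JOIN endpoints ep
       ON ep.endpointkey = ffs.endpoint_key
-- LEFT JOIN so that NEW requests that were never launched still appear
LEFT JOIN session_launch_detail sld
       ON sld.sessionid = ffs.ffid_sessionkey
-- incremental pull for the SIEM: hypothetical one-day lookback, replace with
-- the interval at which the analytics control is scheduled
WHERE ffs.request_start_date >= NOW() - INTERVAL 1 DAY
   OR ffs.request_end_date   >= NOW() - INTERVAL 1 DAY
ORDER BY ffs.request_start_date DESC;
```

Exporting all statuses with the flags, rather than filtering to status = 2, lets the SIEM side decide what "active" means (status_name = 'ACTIVE' AND stale_active_flag = 0) and separately alert on rows where stale_active_flag = 1, which are exactly the cases the reply above attributes to a revoke task that has not completed or has errored.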