04/03/2024 05:47 AM
We have followed the document below to integrate Saviynt with Sentinel to fetch all audit logs for Saviynt; however, the analytics query mentioned in the document is not fetching the PAM-related audit data.
Saviynt SIEM Integration (saviyntcloud.com)
Can you please help to suggest a single analytics control that will fetch both Saviynt as well as PAM-related logging data. From the PAM side we need to capture complete details about privileged sessions, privileged requests and the servers which were onboarded as endpoints.
04/04/2024 11:35 PM
Hello @Diwakar,
We are checking internally whether it is possible or not; we will confirm to you shortly.
Thanks.
04/05/2024 08:33 AM
@Diwakar : For PAM-related analytics please refer to the doc: CPAM-SIEM-Integration.htm
04/09/2024 04:51 AM
@Saathvik I went through the links; however, they did not provide the query for how to fetch the audit data for PAM sessions requested. We need the audit data for PAM sessions requested by individual users, like how we are getting it for IGA from the Saviynt SIEM integration: Saviynt SIEM Integration (saviyntcloud.com)
Could you please help me with a similar analytics control to get all PAM session audit data?
Thanks,
Diwakar.
04/16/2024 02:16 AM
Hi Team,
Can you please provide an update on the above query?
Thanks,
Diwakar
04/16/2024 07:36 AM
Hello @Diwakar,
There are 31 out-of-the-box analytic controls for PAM, and you can find the list by navigating to Admin -> Sav Roles -> ROLE_SAV_PAMOWNER and selecting the "Analytics" tab. If you search here with the name "session", you will be able to see 5 analytic controls (screenshot below). You can use these analytic controls as a reference to create any other custom controls.
Thanks
05/08/2024 07:14 AM
@sudeshjaiswal I tried, but it's not giving me the correct output for the current active privileged session. Below is the query I used to find active JIT sessions.
SELECT accts.name as 'Privileged_ID',
sld.LAUNCH_START_DATE,
sld.SOURCE_IP_ADDR,
eps.DISPLAYNAME as 'ENDPOINT_NAME',
eps.CUSTOMPROPERTY16 as 'PLATFORM',
ect.CONNECTIONTYPE,
eps.CUSTOMPROPERTY17 as 'PROJECT/ACCOUNT',
eps.CUSTOMPROPERTY10 as 'REGION',
eps.CUSTOMPROPERTY9 as 'IP/DNS'
FROM session_launch_detail sld
INNER JOIN ffid_sessions ffs on ffs.FFID_SESSIONKEY = sld.SESSIONID
INNER JOIN accounts accts on accts.ACCOUNTKEY = ffs.ACCOUNT_KEY
INNER JOIN securitysystems ssys on ssys.SYSTEMKEY = accts.SYSTEMID
Inner Join externalconnection AS exc1 ON exc1.EXTERNALCONNECTIONKEY = ssys.EXTERNALCONNECTION
Inner Join externalconnectiontype AS ect ON ect.EXTERNALCONNECTIONTYPEKEY = exc1.EXTERNALCONNECTIONTYPE
INNER JOIN endpoints eps on eps.ENDPOINTKEY = accts.ENDPOINTKEY
where sld.LAUNCH_END_DATE is not null;
06/04/2024 11:39 AM
@sudeshjaiswal @Saathvik Can you please provide an update here; we need analytics data for SIEM integration for CPAM (past sessions, current sessions, which servers are accessed, and all details related to CPAM).
Thanks,
Diwakar.
06/04/2024 09:36 PM
Hello @Diwakar,
Please use the below query:
SELECT accts.NAME AS 'Privileged_ID',
sld.launch_start_date,
sld.source_ip_addr AS 'IP_ADDR',
sld.launch_end_date,
ffs.status,
eps.displayname AS 'ENDPOINT_NAME',
eps.customproperty16 AS 'PLATFORM',
ect.connectiontype,
eps.customproperty17 AS 'PROJECT/ACCOUNT',
eps.customproperty10 AS 'REGION',
eps.customproperty9 AS 'IP/DNS'
FROM session_launch_detail sld
INNER JOIN ffid_sessions ffs
ON ffs.ffid_sessionkey = sld.sessionid
INNER JOIN accounts accts
ON accts.accountkey = ffs.account_key
INNER JOIN securitysystems ssys
ON ssys.systemkey = accts.systemid
INNER JOIN externalconnection AS exc1
ON exc1.externalconnectionkey = ssys.externalconnection
INNER JOIN externalconnectiontype AS ect
ON ect.externalconnectiontypekey = exc1.externalconnectiontype
INNER JOIN endpoints eps
ON eps.endpointkey = accts.endpointkey
WHERE sld.launch_end_date IS NULL;
Note:
SESSION_STATUS_NEW= 1
SESSION_STATUS_ACTIVE= 2
SESSION_STATUS_PAST= 3
Thanks
06/05/2024 01:22 AM
@sudeshjaiswal I ran the query; however, we are getting the below error.
However, when I removed the ffs.status keyword, the query works, but it's not giving the right output. The expectation is to get the current active PAM session details. Please suggest accordingly.
06/05/2024 01:43 AM
Hello @Diwakar
SELECT accts.NAME AS 'Privileged_ID',
sld.launch_start_date,
sld.source_ip_addr AS 'IP_ADDR',
sld.launch_end_date,
eps.displayname AS 'ENDPOINT_NAME',
eps.customproperty16 AS 'PLATFORM',
ect.connectiontype,
eps.customproperty17 AS 'PROJECT/ACCOUNT',
eps.customproperty10 AS 'REGION',
eps.customproperty9 AS 'IP/DNS'
FROM session_launch_detail sld
INNER JOIN ffid_sessions ffs
ON ffs.ffid_sessionkey = sld.sessionid
INNER JOIN accounts accts
ON accts.accountkey = ffs.account_key
INNER JOIN securitysystems ssys
ON ssys.systemkey = accts.systemid
INNER JOIN externalconnection AS exc1
ON exc1.externalconnectionkey = ssys.externalconnection
INNER JOIN externalconnectiontype AS ect
ON ect.externalconnectiontypekey = exc1.externalconnectiontype
INNER JOIN endpoints eps
ON eps.endpointkey = accts.endpointkey
WHERE sld.launch_end_date IS NULL and ffs.status='2';
The above query will only provide the output for sessions which are active.
Thanks.
06/05/2024 02:08 AM
@sudeshjaiswal Thanks a lot, but I am not able to see the active sessions. Please see the below output.
As you can see, we have one active session:
06/05/2024 10:27 PM
Hello @Diwakar ,
Please use an alias on status; it will only show active sessions.
SELECT accts.NAME AS 'Privileged_ID',
sld.launch_start_date,
sld.source_ip_addr AS 'IP_ADDR',
sld.launch_end_date,
ffs.status as status_of_session,
eps.displayname AS 'ENDPOINT_NAME',
eps.customproperty16 AS 'PLATFORM',
ect.connectiontype,
eps.customproperty17 AS 'PROJECT/ACCOUNT',
eps.customproperty10 AS 'REGION',
eps.customproperty9 AS 'IP/DNS'
FROM session_launch_detail sld
INNER JOIN ffid_sessions ffs
ON ffs.ffid_sessionkey = sld.sessionid
INNER JOIN accounts accts
ON accts.accountkey = ffs.account_key
INNER JOIN securitysystems ssys
ON ssys.systemkey = accts.systemid
INNER JOIN externalconnection AS exc1
ON exc1.externalconnectionkey = ssys.externalconnection
INNER JOIN externalconnectiontype AS ect
ON ect.externalconnectiontypekey = exc1.externalconnectiontype
INNER JOIN endpoints eps
ON eps.endpointkey = accts.endpointkey
WHERE sld.launch_end_date IS NULL and ffs.status='2';
Thanks.
06/06/2024 08:58 AM
@sudeshjaiswal Thanks again for your suggestions; unfortunately, I tried to put the alias as well, but it's still not giving me any output. I even tried with an endpoint filter; however, the output is not as per the expectation.
SELECT accts.NAME AS 'Privileged_ID',
sld.launch_start_date,
sld.source_ip_addr AS 'IP_ADDR',
sld.launch_end_date,
ffs.status as status_of_session,
eps.displayname AS 'ENDPOINT_NAME',
eps.customproperty16 AS 'PLATFORM',
ect.connectiontype,
eps.customproperty17 AS 'PROJECT/ACCOUNT',
eps.customproperty10 AS 'REGION',
eps.customproperty9 AS 'IP/DNS'
FROM session_launch_detail sld
INNER JOIN ffid_sessions ffs
ON ffs.ffid_sessionkey = sld.sessionid
INNER JOIN accounts accts
ON accts.accountkey = ffs.account_key
INNER JOIN securitysystems ssys
ON ssys.systemkey = accts.systemid
INNER JOIN externalconnection AS exc1
ON exc1.externalconnectionkey = ssys.externalconnection
INNER JOIN externalconnectiontype AS ect
ON ect.externalconnectiontypekey = exc1.externalconnectiontype
INNER JOIN endpoints eps
ON eps.endpointkey = accts.endpointkey
WHERE eps.displayname='SR31305.ad.*****.com'
Please suggest next steps, or can we have a short call to fix this?
Thanks,
Diwakar.
06/12/2024 03:50 AM
@sudeshjaiswal Can you please provide an update on whether we can fix this query to get the required data for PAM sessions?
06/13/2024 12:37 AM
@sudeshjaiswal Thanks for the session. As discussed, I have shared the case details with you through a private message; please check with your engineering team and update us with the outcome.
Thanks,
Diwakar.
06/13/2024 02:37 AM - edited 06/13/2024 02:52 AM
Hello @Diwakar,
Please try with the below query:
SELECT u.username,
u.displayname, ffs.status,
ep.endpointname as Hostname,
ep.customproperty9 as IP_Address,
ep.customproperty16 as Operation_System,
ffs.Request_start_date,
ffs.Request_end_date,
ffs.REQUEST_ACCESS_KEY,
CASE
WHEN ffs.status = 1 THEN 'NEW'
WHEN ffs.status = 2 THEN 'ACTIVE'
WHEN ffs.status = 3 THEN 'ENDED'
END AS Session_Status
FROM ffid_sessions ffs
left join users u ON u.userkey=ffs.requested_by
left join endpoints ep on ep.ENDPOINTKEY = ffs.ENDPOINT_KEY
WHERE REQUEST_END_DATE >= curdate() and ffs.status=2 ;
Thanks.
06/13/2024 08:02 AM
@sudeshjaiswal Thanks for the query. With this query we are not getting older active sessions, but that's because you used the end date condition, which does not explain why we are seeing an active session when it's actually not there in CPAM.
This will create ambiguity when we extract the data for all statuses. Please help to clarify.
06/13/2024 11:55 PM
Hello @Diwakar,
It’s possible that the revoke task hasn't completed yet or it got errored out, which is why those requests are still appearing under active sessions.
The end date check is correct; we perform this check when displaying active sessions on the ARS page.
Thanks.
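The last two posts leave a practical gap for anyone feeding these rows into a SIEM: a session can still carry status 2 (ACTIVE) after its request window has ended because the revoke task has not run or errored out, so a query filtered only on `status=2` over-reports, while one filtered only on `REQUEST_END_DATE >= curdate()` hides exactly the rows that need attention. The example below is added here and is not code from the thread or from Saviynt. It builds a constructed, minimal subset of the tables and columns named in the thread (`ffid_sessions`, `users`, `endpoints` and their fields) in SQLite, with made-up rows, and runs one query that decodes all three status codes and adds a `stale_active` flag for rows that read ACTIVE but whose `request_end_date` has already passed. MySQL's `curdate()` is replaced by a bound `:now` parameter so the result is deterministic; the table definitions, sample data, function names and the `stale_active` column are all assumptions made for the example.

```python
"""Decode CPAM session status codes and flag ACTIVE rows whose window has lapsed.

Constructed example. The schema below is a minimal, assumed subset of the
Saviynt tables using the column names from the thread; the rows are made up;
SQLite stands in for MySQL and the :now parameter replaces curdate().
"""
import sqlite3

# Status codes as stated in the thread.
SESSION_STATUS_NEW = 1
SESSION_STATUS_ACTIVE = 2
SESSION_STATUS_PAST = 3

SCHEMA = """
CREATE TABLE users (userkey INTEGER PRIMARY KEY, username TEXT, displayname TEXT);
CREATE TABLE endpoints (endpointkey INTEGER PRIMARY KEY, endpointname TEXT,
                        customproperty9 TEXT,    -- IP/DNS
                        customproperty16 TEXT);  -- platform / operating system
CREATE TABLE ffid_sessions (ffid_sessionkey INTEGER PRIMARY KEY, requested_by INTEGER,
                            endpoint_key INTEGER, status INTEGER, request_start_date TEXT,
                            request_end_date TEXT, request_access_key INTEGER);
"""

# Constructed sample data: no real users, hosts or sessions.
SAMPLE_ROWS = {
    "users": [(1, "alice", "Alice Example"), (2, "bob", "Bob Example")],
    "endpoints": [(10, "srv-app-01", "10.0.0.11", "Linux"),
                  (11, "srv-db-01", "10.0.0.12", "Windows")],
    "ffid_sessions": [
        # key, requested_by, endpoint_key, status, start, end, request_access_key
        (101, 1, 10, SESSION_STATUS_ACTIVE, "2024-06-13 08:00:00", "2024-06-13 12:00:00", 5001),
        (102, 2, 11, SESSION_STATUS_ACTIVE, "2024-06-10 08:00:00", "2024-06-10 12:00:00", 5002),
        (103, 1, 11, SESSION_STATUS_PAST,   "2024-06-12 08:00:00", "2024-06-12 09:30:00", 5003),
        (104, 2, 10, SESSION_STATUS_NEW,    "2024-06-13 11:00:00", "2024-06-13 15:00:00", 5004),
    ],
}

# One query for every status. stale_active = 1 marks rows that still read
# ACTIVE although the request window ended (revoke task pending or errored).
SESSION_QUERY = """
SELECT u.username              AS username,
       u.displayname           AS displayname,
       ep.endpointname         AS hostname,
       ep.customproperty9      AS ip_address,
       ep.customproperty16     AS operating_system,
       ffs.request_start_date  AS request_start_date,
       ffs.request_end_date    AS request_end_date,
       ffs.request_access_key  AS request_access_key,
       ffs.status              AS status_of_session,
       CASE ffs.status WHEN 1 THEN 'NEW' WHEN 2 THEN 'ACTIVE' WHEN 3 THEN 'ENDED'
                       ELSE 'UNKNOWN' END AS session_status,
       CASE WHEN ffs.status = 2 AND ffs.request_end_date < :now THEN 1
            ELSE 0 END AS stale_active
FROM ffid_sessions ffs
LEFT JOIN users u      ON u.userkey = ffs.requested_by
LEFT JOIN endpoints ep ON ep.endpointkey = ffs.endpoint_key
ORDER BY ffs.ffid_sessionkey
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS["users"])
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?, ?)", SAMPLE_ROWS["endpoints"])
    conn.executemany("INSERT INTO ffid_sessions VALUES (?, ?, ?, ?, ?, ?, ?)",
                     SAMPLE_ROWS["ffid_sessions"])
    conn.commit()
    return conn


def fetch_sessions(conn: sqlite3.Connection, now: str) -> list[dict]:
    """Return every session with its decoded status and the stale flag."""
    return [dict(row) for row in conn.execute(SESSION_QUERY, {"now": now})]


def currently_active_sessions(conn: sqlite3.Connection, now: str) -> list[int]:
    """Request access keys that are ACTIVE and still inside their window."""
    return [r["request_access_key"] for r in fetch_sessions(conn, now)
            if r["session_status"] == "ACTIVE" and not r["stale_active"]]


def stale_active_sessions(conn: sqlite3.Connection, now: str) -> list[int]:
    """Request access keys that read ACTIVE but whose window has lapsed."""
    return [r["request_access_key"] for r in fetch_sessions(conn, now) if r["stale_active"]]


if __name__ == "__main__":
    db = build_sample_db()
    NOW = "2024-06-13 10:00:00"  # constructed 'current time' standing in for curdate()
    for row in fetch_sessions(db, NOW):
        print(row["username"], row["hostname"], row["session_status"],
              "STALE" if row["stale_active"] else "")
    print("active now:", currently_active_sessions(db, NOW))
    print("stale active (check revoke task):", stale_active_sessions(db, NOW))
```

Exporting all rows with both `session_status` and `stale_active` lets the SIEM side keep the full history for every status while still separating genuinely active sessions from ones whose revoke task needs follow-up, which is the ambiguity raised above.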