What's New
Release Notes for the current ObserveIT release can be found here.
New Features and Enhancements
New Console User Roles
Console User roles have been added. These roles are in addition to the already existing roles.
- Alerts Analyst: This role is the same as View-Only Admin with additional access to Alert & Prevent Rules and Lists (within the Configuration area). This role cannot access any other ObserveIT configuration options.
- Settings Admin: This role is the same as Config Admin (which has access to the Configuration area only), but does not have access to Alert & Prevent Rules and Lists (within the Configuration area). Users with this role can see all users and their permissions, but can create or delete only Settings Admin users.
MIP Labels
The Agent also detects MIP label changes on tracked files. This provides additional visibility when monitoring suspicious activity on sensitive files. Using label change detection when a file is exfiltrated lets you fine-tune alerts, reduce noise, and get a more comprehensive view of file activity. Label changes are displayed in the File Diary and File History, the User and Endpoint Diary, and the Session Player views. Alert Rules can be created based on MIP label change activity to detect when a monitored user modifies a MIP label.
See: MIP Integration
Linux Desktop UI Monitoring is now GA
Linux Desktop UI Monitoring provides a graphical view for Linux systems that support a graphical environment. The Linux Desktop Agent captures screenshots and metadata for application usage and Web browsing. This feature is supported on Gnome for Debian 8-10, Ubuntu 18.04-20.04, and CentOS 7.9-8.3.
See: Linux Desktop UI Monitoring Overview
USB Device ID
USB Device ID is now stored and displayed as a separate field. Previously, it was included in the USB Label field.
USB Device ID is displayed in Endpoint and User Diary, File Diary, Alerts, Search and in the Session Player. The field Device ID is also available when generating reports for USBConnect and File Activity types. You can also search by USB Device IDs in a free text search.
USB Device IDs can be used when defining alerts for files exfiltrated to a USB device (Exfiltrated File > To USB device > USB whose Device ID) and for detecting connected USBs (Detect connected USB > USB ID).
Audit Screen Enhancement
In the Operator column of the Audit Sessions list (Configuration > Security & Privacy > Audit > Sessions), the text "this screen" displays next to an operator who opened a video session player from the Audit Sessions screen. This indication allows you to differentiate between a Console User who acts as an Auditor (usually reviewing and analyzing the Audit screens) and a Console User who acts as an Analyst.
In addition, you can filter the view to show:
- Any screen (the default): Shows video sessions played from the Audit Sessions screen and any other screen
- This screen: Shows only video sessions played from the Audit Sessions screen
- Other screens: Shows only video sessions played from any screen other than the Audit Sessions screen
Extract Email for AD Group
For console users who are configured as part of an AD group defined in the Console User screen, the email address that is stored in Active Directory for each user (member) can be extracted if needed. With this feature, when a session that was saved (in the Session Player screen) is ready for download, the user (from the AD group) who saved the session receives an email.
Endpoint Grouping Enhancements
To make it easier to add a large number of endpoints to an existing custom Endpoint Group, the Add Endpoints to Group window (Configuration > Endpoint Management > Endpoint Groups) has been improved:
- The column Custom Endpoint Groups was added. This column displays which custom groups each endpoint is already associated with.
- The filter Filter by Endpoint Groups was added at the top of the screen. This allows you to view only endpoints that are associated with a specific custom group or endpoints that are not yet associated with any custom group. This is useful after deploying the Agent to new endpoints.
- The Select All link at the bottom was enhanced. Users select whether the selection should be applied only to the current page or to endpoints on all pages.
See: Modifying Members in Endpoint Groups
System Event for mTLS Server-Side Enforcement
A new checkbox was added to the Security screen in Configuration > Security & Privacy to trigger an event when it is detected that the server side does not enforce mTLS for agent-server communication.
See: Enforcing mTLS by the Server
New API for Agent-Server Communication
A new enhanced API for Agent-Server communication is now supported. Older Agents (before 7.12) will not be able to communicate with the server using this API. From 7.12.0, this option is selected by default.
In clean installations of version 7.12.0 (or later), this option is selected by default. Upon upgrading from versions earlier than 7.12, this option is not selected by default and requires manual activation. If you want to upgrade your agents as well, first make sure this option is not selected, then uninstall old agents, then activate this option and install the new agents.
If you have Linux Agents, you must disable this option or the Agent will not be able to communicate.
To enable, select Configuration > Security & Privacy > Security & Privacy > Security
See: Force Using New API for Agent-Server Communication
Archiving/Deleting Process Status Enhancement
The Archiving/Deleting process now handles Alerts and Agent updates with statuses.
Supported Platforms
Release 7.12.0 supports Agents from release 7.8.0 and above.
From this version, the Website Categorization module can be installed on Windows Server version 2016 or later. Windows Server 2012 is no longer supported for the Website Categorization module.
7.12.0 is the last version to support:
- SQL Server 2012/2014 Enterprise
- Win 32 bit Agents
- Win 8.x 64 bit
- Win Server 2012 (not R2)
- Debian 9.1 and lower