ITM On-Prem (ObserveIT) Reporting

Reporting and Auditing

ITM On-Prem (ObserveIT) reporting can be used by novice administrators to generate reports based on preconfigured built-in reports, or by experienced administrators and security auditors who require flexible application usage reports and trend analysis reviews. Experienced administrators and security auditors can also create comprehensive customized reports based on their own requirements. Reports can provide aggregated or summary information about all monitored user activity on Windows, Mac, or Unix-based endpoints.

ITM On-Prem (ObserveIT) reporting capabilities significantly enhance security operations and regulatory compliance by providing reports on alerts, websites visited, documents printed, USB storage device connections, file/folder copying, large file/folder copying, typed keylogger data, SQL queries executed against production databases, installing and uninstalling applications, system events, user logins, and more. Captured metadata can be used to expose potential data leaks by generating reports that show for example, when corporate or sensitive files were copied or printed, when a user connected a USB storage device, when notification or blocking messages were displayed to users, when large files were copied or printed, and so on.

In addition, ITM On-Prem (ObserveIT) reporting on audit log information (such as, user logins, sessions, and saved sessions in which console users were active) provides valuable security auditing and change management.

All captured user activity metadata from Windows, Mac, and Unix/Linux Agents can be reported on, including all metadata captured by the ITM On-Prem (ObserveIT) Keylogger.

ITM On-Prem (ObserveIT) provides preconfigured built-in reports (System Reports) that you can use directly in your organization, or customize to suit your own requirements (Custom Reports). System Reports can be run immediately, scheduled to be run at specific intervals, and copied; they cannot be edited or deleted. Custom Reports can be run, scheduled, copied, edited, and deleted. New custom reports can be manually created from these reports. Sample (custom) reports can be edited and customized to suit your own requirements.

Reports can be scheduled for regular delivery or run ad-hoc, and sent via email to administrators or security auditors. Reports can be converted to Excel format and downloaded. In addition, if configured, video replay can be launched directly from any report.

Managing and configuring reports is done from the Reports tab in the ITM On-Prem Web Console. You can create, run, schedule, edit, and delete reports.

For details and an example of how to create a customized report, see Creating a Custom Report.

Report Types

ITM On-Prem (ObserveIT) enables you to configure and customize the following types of reports:

  • Alerts: Configure this report type to view sessions with summary information about alerts on monitored Windows, Mac, or Unix-based endpoints. For examples and a description of the metadata you can include in this type of report, see Alert Report Configuration.

  • Applications: Configure this report type to view sessions on activities that occurred on applications or websites with which the user interacted. This report type can also be used to detect sessions in which potential data leaks occurred; for example, corporate or sensitive files were copied or printed, a USB storage device was connected, large files were copied or printed, and so on. For details, see Application Report Configuration.

  • Audit Logins: Configure this report type to view information about user logins. For example, "All logins to the Web console during the last month". For details, see Auditing Report Configuration .

  • Audit Saved Sessions: Configure this report type to view information about saved sessions. For example, "All recorded ITM On-Prem (ObserveIT) sessions that were saved for viewing offline during the last month". For details, see Auditing Report Configuration .

  • Audit Sessions: Configure this report type to view information about sessions. For example, All sessions in the Web Console which were replayed by the user during the last 24 hours". For details, see Auditing Report Configuration .

  • Commands: Configure this report type to view sessions about commands that were executed on monitored Unix-based endpoints. For example, "Unix commands entered on a specific date grouped by session title". For details, see Command Report Configuration.

  • Comments: Configure this report type to view comments that were added to sessions in the Activities View or Search View of the Endpoint/User Diary. For example: "All comments added by a specific user to sessions during the last 24 hours". For details, see Comment Report Configuration.

  • DBA Activity: Configure this report type to view sessions on SQL queries that were executed by DBAs against production databases. For example:

    • Report on all destructive SQL statements (that use keywords such as "drop" or "truncate") either on specific table names or on all tables

    • Report on SQL statements that were executed on sensitive tables. (This report requires mentioning only the names of the tables in the "Include list" command)

    For details, see DBA Activity Report Configuration.

  • Endpoints: Configure this report type to view session activities on monitored endpoints. For example: "Sessions by endpoint over the past week". For details, see Endpoint Report Configuration .

  • Email Activity: Configure this report type to view user actions on emails. Emails activity is detected when emails are sent, attachments are saved and files are attached. For details, see Email Activity Report Configuration.

  • File Activity: Configure this report type to view user actions on files. File activity is detected when files are downloaded or exported from sensitive websites or web applications, or when copied or downloaded to a USB device. For details, see File Activity Report Configuration.

  • Key Logging: Configure this report type to view sessions that include captured keylogger data that was typed by the user on monitored Windows or Mac-based endpoints. For example, this report type could be used to detect sessions in which the user typed a not allowed phrase in an email, or sensitive words while browsing social media websites. For details, see Key Logging Report Configuration.

  • Messages: Configure this report type to view sessions about messages that were displayed when a user logged on to a monitored endpoint, enabling you to track user interactions with the desktop. For example, "Messages displayed to all users who logged on to a specific server". For details, see Message Report Configuration.

  • Paste: Configure this report type to view sessions about pasted content, text, files and folders.. For details, see Paste Report Configuration.

  • Tickets: If an IT ticketing system is integrated in ObserveIT, you can configure a report about ticketing policies on the monitored endpoints. For example:

    • View all sessions that relate to a specific ticket number.

    • View sessions in which specific users received a ticketing policy message upon logging in to the monitored endpoints.

    For details, see Ticket Report Configuration.

  • Users: Configure this report type to view sessions about users that accessed the monitored endpoints. For example: "Users that accessed specific monitored endpoints during a specified period of time, grouped according to User Name". For details, see User Report Configuration.

  • USB Connect: Configure this report type to view USB Connect activity. For details, see USB Connect Report Configuration.

Following is an example of the Report List page showing a list of reports.

Report Management

The ITM On-Prem Web Console provides several ways to run reports and export user activity log data:

  • The report generator includes built-in reports and customizable report rules for filtering by user/user group, endpoint/endpoint group, date, application, resources accessed, and more.

  • Reports can be run ad-hoc or delivered on a schedule by email.

  • Full-text Google-like searching allows pinpoint identification of user sessions.

  • User activity log drill-down allows each session to be viewed item-by-item, to see which applications were run and which actions were performed during that session.

You can do the following: