Filtering the User Activity Profile Display

Filtering the information displayed for a user's activity profile enables you to focus your investigation of user behavior on the most relevant areas. For example, you might want to show only activity that occurred on a specific server, during a specific period of time, on a specific computer, while the user was connected remotely, when using a specific application, and so on. Filtering can provide insight into the computers, client machines, and shared accounts that were used by the user; including exactly how much time was spent in each of them.

Profile data is based on the currently defined activity period. The date from which the collection of activity began is displayed at the top right corner of the User Activity Profile page. The activity period is not affected by filtering.

The Filter by: section at the left of the User Activity Profile page provides options for filtering the display of data in the User Activity Over Time graph and Applications list.

You can filter the User Activity Profile page to display data that evaluates user activity time when using:

  • Applications: specific applications.

  • Endpoint types: specific types of computers: Windows Desktops, Windows Servers, Terminal Servers/Citrix, Linux/Unix.

  • Application types: Desktop applications (both Windows and Mac applications), Websites, or All types of applications (including Unix/Linux).

  • Endpoints: specific computers (according to computer name or IP address).

  • Login account: specific login accounts. Filtering by login accounts enables you to detect if the domain user was using a shared account, on which computers, and for how long. Options include Active Directory domain accounts, Windows shared accounts, Unix/Linux, and Mac accounts.

  • Remotely connecting from: remote "Client" machine(s).

Note the following:

  • Filtering by some items automatically changes other related filters. For example, if you filter Endpoint types according to Windows Servers, then the list of Computers will display only Windows Server computers.

  • If a filter category includes more items than are currently displayed, a More hyperlink appears which you can click to show additional items.

  • To clear the current selections and reset the filters, click Clear at the top of the filtering section.

To filter the list of applications

  • In the Filter by: section, click in the Applications text box, and select the required applications from the drop-down list. The list includes applications that the user is permitted to access and in which activity occurred during the currently defined time period.

    By default, All applications is selected.

    The number of selected applications will be displayed in the text box; for example, 3 out of 34.

    Note: Filtering by Applications will change the filter options in the other filtering sections (described below) to display only data that is relevant to the selected applications.

To view user activity time on specific endpoint types

In the Endpoint types section, select the types of computers on which the ITM On-Prem (ObserveIT) Agents are installed:

  • All types (default)

  • Windows Desktops

  • Windows Servers

  • Terminal Servers/Citrix

  • Unix/Linux

To view user activity time on specific types of applications

In the Application types section, select the types of applications:

  • All (default)

  • Desktop applications (includes both Windows and Mac applications)

  • Websites

  • Linux/Unix commands

To view user activity time on specific endpoints

In the Endpoints section, select the name or IP address of the specific computers, or select All (the default) to view the results for all endpoints on which user activity was performed.

To view user activity time according to login accounts

  • In the Login account section, select the specific login account names, or select All (the default) to view the user activity time for all login accounts.

    Login accounts can be Active Directory domain accounts ("domain\login"), Windows shared accounts, Unix/Linux or Mac accounts. For Active Directory login accounts, the activity time calculation is based on the Active Directory account being used as the primary login. In the case of login accounts that use secondary authentication, the activity time is counted only on the primary login (for example, "Admin") and not on the Active Directory user. For example: If a user logs in as "observeit-sys\micky", all activity is counted under this login account. If the user were to login as "Admin" with secondary user "observeit-sys\micky", all activity is associated with the user "observeit-sys\micky"; however the time is counted for the "Admin" login account.

To view user activity time on remotely connected client machines

  • In the Remotely connecting from section, select the Client machines that were used to record activity, or select All (the default) to view the time spent on activities that were recorded on all remotely connected Client machines.