Proofpoint | ObserveIT On-Premises Insider Threat Management
Monitoring File Activity to Identify and Prevent Data Exfiltration
File Activity Monitoring
ObserveIT File Activity Monitoring enables you to monitor file activity so that you can detect and investigate data exfiltration.
With ObserveIT, you get the full story: monitoring both entry-point and exit-point activities provides a high level of investigative capability.
ObserveIT provides visibility on users who download or export specific files from sensitive websites or web applications (such as Salesforce, SharePoint, CRM, ERP), whether on the internet or in the local intranet.
ObserveIT monitors files sent from email clients, files attached to emails, and attachments saved from emails.
ObserveIT tracks files copied or downloaded to USB devices and lets you choose which devices to monitor: authorized devices, unauthorized devices, or both.
File Activity Monitoring summaries are linked to the File Diary, Video Player, and Alerts, allowing you to fully understand the user activity around the file action, view a complete history of the tracked file, and quickly investigate any alerts associated with file activity.
Summary information about activities on tracked files is displayed in the Endpoint Diary, User Diary, and Search screens, providing an instantaneous summary view of what happens throughout the session, without having to watch the whole Video playback or run reports.
This feature is supported on Windows and Mac-based operating systems.
In order to monitor file activity, this feature must be enabled in the server's policy settings. See File Activity Monitoring Policies.
Supported web browsers include Firefox, Chrome, and Edge on Windows, and Safari and Chrome on Mac.
For example, a user logs in to Salesforce and downloads a tracked file containing customer contact information; an alert can be generated at this point. The user saves the file to the "Downloads" folder, renames it, and then moves the renamed file to the local sync folder of the Dropbox cloud storage. When this happens, an alert will be generated.
The details of all tracked file activities are reported in the ObserveIT File Diary, which also shows the full lifecycle of each file. Sessions of file activity events can be replayed in the Session Player, and alerts can be viewed in the Alerts tab of the ObserveIT Web Console. (See Viewing a List of Alerts.)
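The scenario above depends on following a file's lineage across renames and moves, so that the exit-point alert still fires after the name has changed. The following is an added illustration of that idea, not ObserveIT code or rule syntax; the event fields, paths, source name, and sync folder are all constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed values for this sketch; not ObserveIT settings or rule syntax.
SENSITIVE_SOURCES = {"salesforce.com"}
SYNC_FOLDERS = [PureWindowsPath(r"C:\Users\jdoe\Dropbox")]

@dataclass
class FileEvent:
    ts: str
    action: str         # "download", "rename" or "move"
    path: str           # path of the file after the action
    old_path: str = ""  # path before a rename or move
    source: str = ""    # originating site, for downloads

# Constructed sample events mirroring the scenario above.
SAMPLE_EVENTS = [
    FileEvent("09:00", "download", r"C:\Users\jdoe\Downloads\contacts.csv", source="salesforce.com"),
    FileEvent("09:02", "rename", r"C:\Users\jdoe\Downloads\notes.csv", old_path=r"C:\Users\jdoe\Downloads\contacts.csv"),
    FileEvent("09:03", "move", r"C:\Users\jdoe\Dropbox\todo.txt", old_path=r"C:\Users\jdoe\Documents\todo.txt"),
    FileEvent("09:05", "move", r"C:\Users\jdoe\Dropbox\notes.csv", old_path=r"C:\Users\jdoe\Downloads\notes.csv"),
]

def in_sync_folder(path):
    return any(folder in PureWindowsPath(path).parents for folder in SYNC_FOLDERS)

def detect(events):
    """Return (alerts, tracked); tracked maps a file's current path to its history."""
    tracked, alerts = {}, []
    for ev in events:
        new_key = PureWindowsPath(ev.path)
        if ev.action == "download" and ev.source in SENSITIVE_SOURCES:
            tracked[new_key] = [ev.path]
            alerts.append((ev.ts, "tracked file downloaded", ev.path))
        elif ev.action in ("rename", "move"):
            history = tracked.pop(PureWindowsPath(ev.old_path), None)
            if history is None:
                continue  # the file did not originate from a sensitive source
            history.append(ev.path)  # lineage survives the name change
            tracked[new_key] = history
            if in_sync_folder(ev.path):
                alerts.append((ev.ts, "tracked file moved to sync folder", ev.path))
    return alerts, tracked

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)[0]:
        print(alert)
```

The untracked todo.txt moved into the sync folder produces no alert, while the renamed tracked file does.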
The File History tab provides a full history of all operations that occurred on the alerted file and allows you to jump directly to the Video playback at any point. (See File History View).
The USB History tab shows when a USB device was connected and detects any files copied or downloaded directly to the USB device. (See USB History View).
The ObserveIT installation package includes out-of-the-box alert rules that you can use to detect when files are downloaded from sensitive business web applications, tracked files are exfiltrated to cloud storage sync folders, and so on. For details, please refer to the ObserveIT Insider Threat Library.