Viewing Search Results

After clicking the Search button (see Filtering Your Search), the search results will be displayed according to the criteria you defined. For a description of the different data types you can search for, see Types of Data You Can Search For.

The Search page can also be accessed from other areas of the Web Console:

  • By clicking the Search link in the Activities view of the Endpoint Diary, you can perform search operations for endpoints. For details, see Activities View (Endpoint Diary).

  • By clicking the Search link in the Activities view of the User Diary, you can perform search operations for user logins. For details, see Activities View (User Diary).

  • When you click an Alert ID link while viewing alert details in the Alerts page, the Search page opens, displaying all sessions that include the alert. For details, see Searching for Sessions by Alert ID.

In all cases, search results are displayed according to the specified search criteria and provide the context of actions performed. After clicking Search, a progress bar shows the timeline for the search process.

Examples

The following example shows the results of a database search within the Command name data type for Unix sessions that ran the command "ls" during the last 2 months.

The following example shows the results of a database search within All fields for sessions in which the keyword "upload" was used within the last 3 months.

Results are displayed by date in reverse chronological order, the latest first. Each session entry displays the time of the session, the endpoint on which the session was recorded, the name of the client from which the user logged in, the name of the user that logged in to the session, and a Video icon. Click the Video icon to launch the ObserveIT Session Player and replay the recorded session (see Replaying User Sessions). An icon appearing next to a session indicates that the session is live, and that a user is currently logged in to the endpoint; clicking this icon launches the Session Player in real-time playback mode.

The Search page displays the results of up to 20 sessions. If the search results contain more than 20 sessions, a View More button is displayed at the end of the page; each click of this button displays an additional 20 sessions.

Notes

  • By clicking the icons, you can toggle on or off the display of an individual session's search details. All instances of the searched keyword are highlighted.

  • If a session's screenshots are stored in the file system, and the path does not exist or is unavailable, the specific session is grayed out with the message "This session folder does not exist or is inaccessible."

  • Clicking opens the session details for all the sessions.

  • If alerts were generated during the session, an alert icon (color-coded according to the highest alert severity level) is displayed. Clicking the alert icon opens a popup window showing the specific alert(s) and the number of alert instances. Clicking the View All button opens the Session Player, enabling you to replay a video of the alert(s).

Viewing Session Details

  • Click and then Summary or Timeline to view more detail in the Summary view or Timeline view.

    Summary view: For Windows/Mac sessions, this view displays a list of the applications or websites that the user accessed during the session, according to the name in the title bar of the windows opened. Details of the activities performed in the application/website are listed. In addition, it provides a summary of the user file activity and any DBA activity performed in this session. For Unix/Linux sessions, the Summary view displays a list of commands that have been executed during the session. In this mode, the activity is not shown in chronological order.

    Timeline view: For both Windows/Mac and Unix/Linux sessions, this view displays user activity in chronological order, detailing each action in the sequence in which it was performed.

The following information summarizing the session can be displayed:

  • Session Information: provides summary information about any comments that were added to sessions, messages displayed to a user during the session, and/or ticket numbers associated with the user.

  • Data Activity: appears only if File Activity Monitoring (FAM) activity occurred during the session. The summary of activity on tracked and non-tracked files can display any of the following types of activities:

    • Downloads / Exports from Web Applications / Sites: expanding this section opens a list of websites/web applications from which a tracked file was downloaded/exported.

    • Uploads: expanding this section opens a list of uploads of tracked and non-tracked files to any website or web application such as webmail or social media.

    • Copying tracked files to Cloud Storage Sync Folders: expanding this section opens a list of cloud storage sync folders to which a tracked file was exfiltrated and the name of the website from which the tracked file originated.

    • Other activities on tracked files: expanding this section opens a list of activities that occurred on the tracked files (with the number of instances displayed in parentheses).

    • Each of the above activity types displays (in parentheses) the total number of events that occurred for the activity type; for example, Downloads / Exports from Web Applications / Sites (90). Clicking the number opens the File Diary automatically filtered to the session ID and activity type, and listing all the event details (for more information, see File Activity View).

  • User Activity (Window Titles): displays a list of the applications or websites that the user accessed during the session according to the titles of the windows opened. Details of the activities performed in the application/website are listed. Clicking the Video icon launches the Session Player at the point at which the activity occurred.

    The links that appear at the top of the expanded session allow you to:

    Link Description

    Add a comment to the session.

    Print the same data displayed in the Timeline view.

    Download an Excel file of the data displayed in the Timeline view.