File Activity View

The ObserveIT File Diary provides information about all tracked file activities that occurred on ObserveIT monitored endpoints.

Tracking file-related events and metadata (including the lifecycle history of each tracked file) can help security and risk analysts identify potential instances of data exfiltration.

From the File Activity view, you can:

  • View details of file activities that occurred during a specified time period and according to specified criteria

    • Created
    • Downloaded
    • Uploaded
    • Copied
    • Moved
    • Renamed
    • Removed
    • Stopped tracking
    • Sent
    • Attached to an email
    • Saved
    • Saved to an email
  • Display session time by the endpoint or server location

  • Filter the tracked file activity display according to specific criteria

  • Export to Excel and print selected tracked file activities

  • Filter file activity by its MIP label

File Activity View Description

  • From the File Diary, the File Activity page opens by default, showing a list of activities that occurred on files during the default period of time (Last Month). By default, the File Activity view displays file events in reverse chronological order, so that the most recent events appear at the top of the list, making them easy to identify.

    The number of activities on the page out of the total number of activities is displayed. By default, the page shows up to 20 activities; you can change the default by selecting 50 or 100 from the Items per page drop-down list above the table.

    Session time by the endpoint or server location: Click to toggle between server and endpoint time.

  • MIP labels: You can choose to show or hide MIP labels in the File Activity View. When you choose to show MIP labels, a column is added to the File Activity view.

Above and to the right of the list, the following icons enable you to:

Icon Description

Export selected file activities to Excel. See Exporting and Printing File Activities.

Print selected file activities. See Exporting and Printing File Activities.

For each file activity in the table, the following information is displayed according to the details you filter (see Filtering File Activity Events):

Field Description

Click to select the file activity.

Note: You can select all the file activities at once by clicking the selection icon above the list:

Time

Time that the file activity occurred.

An alert bell icon (color-coded according to severity) is displayed if an alert was triggered for the file activity.

Selecting/deselecting the Show Path check box switches the display between File Path and File Name.

File Name/File Path

Name of the file or the full directory path of the file (if the Show Path check box was selected).

An icon indicates that file information is grouped; see File Events Grouping.

Note: Clicking a File Name/File Path opens the File History tab showing details of all the actions and events that occurred on the file. See File History View.

Operation

The action that was performed on the file. Options include:

  • Created
  • Downloaded
  • Uploaded
  • Copied
  • Moved
  • Renamed
  • Removed
  • Stopped tracking
  • Sent
  • Attached
  • Saved

Label

Name of the MIP label for the file. A tooltip with more details is available if you hover over the label.

Details

The object of the file action.

Depending on the file operation, the Details could be a location, file folder, file name, USB serial number, and so on.

Note: Icons show the "type" of details; the following example shows a Dropbox icon:

Login/Secondary

Login name/secondary identification of the user that ran the session in which the file activity occurred.

Application

The application in which the action on the file occurred.

Name/IP

Name or IP address of the endpoint on which the file activity occurred. See Viewing Endpoint and Client Names and IP Addresses.

Clicking the icon opens the Timeline view. (See Session Details Views.)

Video icon

Clicking the video icon alongside an activity enables you to replay a video of the session. The Session Player opens at the exact location at which the activity occurred (see Replaying User Sessions).
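
An added example, not part of the ObserveIT documentation or product: a triage script that replays exported file activity rows oldest first and flags files that were downloaded and later uploaded, sent or attached, following renames along the way. The CSV column names, the timestamp format, the sample rows and the convention that Details holds the new name for a Renamed event are all assumptions.

```python
import csv
import io
from datetime import datetime

# Assumption: column names mirror the field table above; a real export may differ.
EGRESS = {"Uploaded", "Sent", "Attached"}

# Constructed sample rows (not real data), newest first like the default view.
SAMPLE = """Time,File Name,Operation,Label,Details,Login,Application,Name/IP
2024-03-05 10:42:10,notes.zip,Uploaded,,Dropbox,jdoe,chrome.exe,WKS-014
2024-03-05 10:40:02,q1_forecast.xlsx,Renamed,Confidential,notes.zip,jdoe,explorer.exe,WKS-014
2024-03-05 10:31:55,q1_forecast.xlsx,Downloaded,Confidential,intranet.example.com,jdoe,chrome.exe,WKS-014
2024-03-05 09:15:00,agenda.docx,Attached,,Outlook,asmith,outlook.exe,WKS-020
"""

def find_download_then_egress(csv_text):
    """Return one finding per downloaded file that later left the endpoint."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # The view lists newest events first, so replay them oldest first.
    rows.sort(key=lambda r: datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S"))
    tracked = {}  # (login, endpoint, current file name) -> lifecycle record
    findings = []
    for r in rows:
        key = (r["Login"], r["Name/IP"], r["File Name"])
        op = r["Operation"]
        if op == "Downloaded":
            tracked[key] = {"origin": r["File Name"], "label": r["Label"], "history": [op]}
            continue
        rec = tracked.get(key)
        if rec is None:
            continue  # no download seen for this file, out of scope here
        rec["history"].append(op)
        if op == "Renamed":
            # Assumption: Details carries the new name for a rename.
            tracked[(r["Login"], r["Name/IP"], r["Details"])] = tracked.pop(key)
        elif op in EGRESS:
            findings.append({
                "time": r["Time"], "login": r["Login"], "origin": rec["origin"],
                "left_as": r["File Name"], "label": rec["label"],
                "destination": r["Details"], "history": list(rec["history"]),
            })
    return findings

if __name__ == "__main__":
    for f in find_download_then_egress(SAMPLE):
        print(f)
```

The label is carried from the download event, so a file that loses or changes its name before leaving the endpoint is still reported with its original name and MIP label.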

Related Topics:

File Diary

File History View