ObserveIT Search

Session and User Activity Metadata Search

This topic provides an overview of the ObserveIT Search feature, which is available from the Search tab in the Web Console.

ObserveIT captures all user activity, recording important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action, and more. This "metadata" is stored in the ITM On-Prem (ObserveIT) Database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout recorded sessions, and provide a textual breakdown of each user session.

You can search for users who logged in, application sensitive elements that were clicked or viewed, metadata that was captured on risky user activity concerning file copying and data exfiltration through USB storage devices or printing sensitive data, keystrokes typed, applications that were run, specific window titles or URLs viewed, browsing of forbidden website categories, SQL commands containing keywords (such as a table name), and more. On Unix/Linux systems, you can search for users who logged in, executed specific commands (based on command name, full path, arguments, command switches) or acted under a different user's permissions.

You can limit your search by time, user, endpoint name and endpoint OS.

When searching by an endpoint, you can opt to show the IP in addition to the endpoint name.

You can also choose to show the time zone where the server is located or the local endpoint time zone.

ObserveIT’s advanced search boosts performance by allowing you to focus a search on specific metadata.

The displayed search results provide the context of the activity, showing the exact location of searched keywords (for example, in a URL, Window title, SQL statement, and so on). Where relevant, the resulting search hit is linked directly to the portion of the video where the action occurred, making it easy to find the exact moment that an action was performed. Within each session, you can watch the full video replay of the user session and see exactly what took place.

For accelerated search performance, it is highly recommended that you install the Microsoft SQL Server Full Text Search (FTS) utility prior to ObserveIT installation.

The following topics describe: