Types of Data You Can Search For

You can search for different types of data from the Search tab of the Web Management Console.

Window title: Search for sessions according to the title of a window that was opened by the user (for example, "hosts.txt - Notepad") or identifies a risky user activity such as LARGEFILECOPY.

Application name: Search for sessions by the name of the specific application(s) that the user ran (for example, "SSMS - SQL Server Management Studio").

Process name: Search for sessions by the name of the process that the user ran (for example, "regedit", "iexplore").

URL: Search for sessions by a specific URL domain or host name (for example, "www.facebook.com/login?..."). In Windows Explorer, the full path of a file that is currently in view is recorded as a URL. You can search for this metadata, and generate alerts and reports on it. See also Visited URL.

Website name: Search for sessions by the actual name of a website (for example, "facebook.com").

Typed Text (key-logging): Search for user activity based on specific text captured by the ObserveIT Key Logger. For details, see ObserveIT Keylogging.

Special/Combination key (key logging): Search usage of special keys and key combinations. Use the modifier and special key buttons to ensure that the syntax is correct.

Performing paste: Search for paste actions of images, files/folders and text. When pasting text, you can search within the pasted text. In addition, when pasting files and folders, you can search within the name of the pasted files/folders and source folders. For details, see Detecting Paste Activity.

Connecting USB storage device: Search for metadata that was captured on attempts to exfiltrate data through the insertion of an USB storage device. You can identify these activities by searching for screenshots with the Window title prefix USBCONNECT. For details, see Detecting the Insertion of a USB-Based External Storage Device.

SQL command: Search for sessions that have specific keywords in SQL statements. For example, if you are suspicious of a user trying to access a list of credit cards in a customer's database, you might search for keyword "CREDIT_CARD".

In-App Element: Search for user interactions with sensitive elements within applications.

Data Activity - Windows and Mac

All file activities: Search within all tracked file activities.

All file copy or move: Search all file copy or move activities only.

File copy or move (Non large): Search for metadata that was captured on attempts to move non-large files (or folders) by copying them to the clipboard or dragging them with the mouse. You can identify these activities by searching for screenshots with the Window title prefix FILECOPY. For details, see Detecting the Copying/Dragging of Files and Folders.
Large file copy or move: Use to search for metadata that was captured on attempts to copy large files or a large number of files to the clipboard. You can identify these activities by searching for screenshots with the Window title prefix LARGEFILECOPY. For details, see Detecting the Copying/Dragging of Files and Folders.
File copy or move to cloud storage: Use to search for file copy or move activity to a local cloud storage folder.
File copy or download to USB device: Use to search for file copy or download activity to USB device. For details, see Exfiltration via USB.

All email activities: Use to search for all tracked email activities.

Email sent (with or without attachments): Use to search for emails sent from an email client.
File attached to an email client: Use to search for file attached to an email.
Saved attachments from an email client: Use to search for attachments saved from an email.

All file print: Use to search for all print activity including large file prints.

File print (Non large): Use to search for metadata that was captured on user attempts to exfiltrate data by printing sensitive or confidential documents. You can identify these activities by searching for screenshots with the Window title prefix PRINTJOB. For details, see Detecting the Printing of Files.
Large file print: Use to search for metadata that was captured on user attempts to exfiltrate data by printing large (exceeding a predefined threshold) documents. You can identify these activities by searching for screenshots with the Window title prefix LARGEPRINTJOB. For details, see Detecting the Printing of Files.

File download/export: Use to search for metadata captured on user attempts to download/export files from any location.

File upload: Use to search metadata captured on user attempts to upload files to websites, attach files to webmail messages or upload to social websites.

Other activities on files:

File rename: Search for files whose name has been changed.
File deletion: Search for files that have been deleted.

User Activity- Unix/Linux

Command name: Use to search for sessions that include a specific Unix command(s) that the user ran. For example, if you are looking for sessions in which a Unix user might be trying to remove a sensitive directory, you could search for keyword "rm".

Top level command: Use to search for sessions that include suspicious Unix commands that are external to the sudo (top level) command boundaries.

Command parameter: Use to search for sessions that include a specific parameter(s) that the user ran in a Unix command. For example, if the sensitive directory that a user is trying to remove is "observeit", you can search for keyword parameter "observeit".

Command output: Use to search for recorded command output in Unix sessions.

System call: Use to search for system calls metadata triggered by commands or scripts in Unix sessions.

Environment variables: Use to search for any environment variables that may be included in Unix/Linux commands. For example, the "sudo" command includes the environment variable "SUDO_USER" with the name of the user that ran the command, so you could search for the environment variable "SUDO_USER=johns".

Windows title: Use to search for sessions according to the title of a window that was opened by the user. This is available for Linux Desktop Agent.

Application name: Use to search for sessions by the name of the specific application(s) that the user ran. This is available for Linux Desktop Agent.

Process name: Use to search for sessions by the name of the process that the user ran. This is available for Linux Desktop Agent.

Website name: Use to search for sessions by the actual name of a website. This is available for Linux Desktop Agent.

URL: Use to search for sessions by a specific URL domain or host name. This is available for Linux Desktop Agent.

Focusing Your Search

The options in the Search within drop-down list are nested. You can close or open nested options by clicking on the . The "All" options filter the search for all lower nested options. For example, selecting "All file activities" will search the metadata of all file activities. Selecting "All file copy or move" will search the metadata of all file copy or move activities both large and non-large, as well as "File copy or move to cloud storage". Selecting "File upload" will limit the search to the metadata of file upload activities only and exclude all other activities.

The options enable you to focus your search on the following metadata attributes:

All fields: If you select this option, the search will be run on all the field types in the list. Note that this option is not recommended as the search process could take a very long time.
All common fields: This option enables you to search on the most commonly used configuration fields; thus accelerating the search process.
Common configuration fields include:
- In-App Element
- Application name
- Window title
- URL
- Website name
- Process name
- Command name (Unix)
- Message/Ticket details
- Comment text

Following is an example of the results of a search (during the last 3 days) for the text "alert" when using the All common fields option:

Related Topic:

ObserveIT Search