observeit technical solution overviewfiles.observeit.com/docs/observeit-technical-solution... ·...

OBSERVEIT TECHNICAL SOLUTION OVERVIEW © 2017 ObserveIT. All rights reserved. 1

OBSERVEIT TECHNICAL SOLUTION OVERVIEW

This document outlines the key features, system architecture, deployment scenarios, system requirements,

product installation, security and privacy infrastructure, data management, and integration capabilities of

ObserveIT Enterprise.

This document was written for ObserveIT Enterprise version 7.1.0.

TABLE OF CONTENTS 1 Complete Insider Threat Solution ........................................................................................ 3

Key Components .......................................................................................................................... 3 2 Key Solution Features ......................................................................................................... 5

2.1 Insider Threat Intelligence .................................................................................................. 5 2.2 File Activity Monitoring ....................................................................................................... 9 2.3 Visual Forensics ................................................................................................................. 12 2.4 Advanced Key Logging ....................................................................................................... 13 2.5 User Activity Alerts ............................................................................................................ 14 2.6 Website Categorization ..................................................................................................... 17 2.7 Session and User Activity Metadata Search ...................................................................... 17 2.8 Reporting and Auditing ..................................................................................................... 18 2.9 DBA Activity Audit ............................................................................................................. 19 2.10 Privileged Identity Management ....................................................................................... 20 2.11 Identity Theft Detection .................................................................................................... 20 2.12 User Session Locking ......................................................................................................... 21 2.13 Policy Messaging and Recording Notification ................................................................... 21

3 System Architecture .......................................................................................................... 22

3.1 Overall Architecture .......................................................................................................... 22 3.2 Windows Agent ................................................................................................................. 23 3.3 Unix/Linux Agent ............................................................................................................... 24 3.4 Mac Agent ......................................................................................................................... 25 3.5 Application Server ............................................................................................................. 26 3.6 Web Console ..................................................................................................................... 26 3.7 Database Server ................................................................................................................ 26

4 Deployment Scenarios ...................................................................................................... 27

4.1 Standard Agent-based Deployment (Servers and Desktops) ............................................ 27 4.2 Jump Server Gateway ........................................................................................................ 28 4.3 Outbound Jump Server Gateway ...................................................................................... 29 4.4 Citrix Server for Published Applications ............................................................................ 30 4.5 Hybrid Deployment: Agent-Based + Gateway................................................................... 31

5 Sizing and System Requirements ....................................................................................... 32


5.1 Small Deployments ............................................................................................................ 32 5.2 Medium Deployments ....................................................................................................... 33 5.3 Large Deployments with High-Availability ........................................................................ 34

6 Installation Overview ........................................................................................................ 36

6.1 One-Click Installation ........................................................................................................ 36 6.2 Custom Installation ........................................................................................................... 36 6.3 Windows Agent Installation .............................................................................................. 37 6.4 Unix/Linux or Mac Agent Installation ................................................................................ 37

7 Key Configuration Settings ................................................................................................ 39

7.1 Rules Configuration ........................................................................................................... 39 7.2 Console Users (ObserveIT Administrator Users) ............................................................... 41 7.3 Recording Policies ............................................................................................................. 42 7.4 SMTP, LDAP, Active Directory ........................................................................................... 43

8 Security and Privacy Infrastructure .................................................................................... 44

8.1 Windows Agent ................................................................................................................. 44 8.2 Unix/Linux Agent ............................................................................................................... 44 8.3 Data Security in Transit ..................................................................................................... 44 8.4 Data Security at Rest ......................................................................................................... 45 8.5 Installation Security ........................................................................................................... 45 8.6 System Health Monitoring ................................................................................................ 46 8.7 Configuration Change Auditing ......................................................................................... 47 8.8 User Privacy Protection ..................................................................................................... 47

9 Data Management ............................................................................................................ 49

9.1 Database Structure ............................................................................................................ 49 9.2 Database Storage .............................................................................................................. 49 9.3 File System Storage ........................................................................................................... 49 9.4 Metadata Storage.............................................................................................................. 49 9.5 Archiving ............................................................................................................................ 50

10 Integrating ObserveIT Data into Third-Party SIEM Systems ................................................. 51

10.1 SIEM System Integration Using Native SIEM Apps ............................................................ 51 10.2 SIEM System Integration Using Database API ................................................................... 53 10.3 SIEM System Integration Using Monitor Log Data ............................................................ 53

11 Integrating ObserveIT Data into Network Management (Alerting) Systems ........................ 57

12 Integrating ObserveIT with a Service Desk System ............................................................. 57

13 Agent API for Process-Oriented Integration ....................................................................... 59


1 Complete Insider Threat Solution

ObserveIT provides a comprehensive solution to Identify and Eliminate Insider Threat.

ObserveIT enables organizations to precisely identify and proactively protect against malicious and negligent

behavior of everyday users, privileged users, and remote vendors, and high-risk employees. ObserveIT enables

security and risk analysts to track and monitor file activities in order to identify and alert on instances of data

exfiltration. ObserveIT significantly reduces security incidents by changing user behavior through real-time

education and deterrence coupled with full-screen video capture of security policy violations; investigation time is

thus reduced from days of sifting through logs to minutes of playing back video. User activity profiling of risky

users enables the investigation of aggregated information about user activities in order to identify and resolve

insider threats more easily.

ObserveIT monitoring of both User Activity and File Activity are critical for detecting Insider Threat and data

exfiltration. File Activity Monitoring enables organizations to track and alert when files are downloaded or

exported using browsers or web-based applications, and when files are copied or moved to default local sync

folders of cloud storage services.

ObserveIT's Insider Threat Intelligence platform increases security awareness by educating employees about

out-of-policy behavior whether malicious or negligent. Through policy notification and enforcement, users can be

educated to change their behavior. The ObserveIT User Risk Dashboard provides Security Analysts and

Investigators with an easy way to track users that have experienced any type of policy notification or

enforcement as a result of violating company policy or security rules. Every user notification message triggers an

alert that notifies security specialists about the incident and updates the user’s risk score. Preventive actions

enable security and compliance officers to stop users from breaching security or violating company policies by

forcibly logging off users from unauthorized machines and closing harmful applications.

The ObserveIT monitoring software acts like a security camera on your endpoints, monitoring and recording all

user activity on Windows and Unix/Linux servers and desktops. The system generates video recordings, user

activity logs, behavioral analytics and real-time alerts. The result is a complete solution for identifying and

managing user-based risk. Regardless of protocol or application, ObserveIT records any window session via a

terminal or console, in a compressed and searchable format. The ObserveIT software captures all activity and

generates textual audit logs, even for applications that do not produce their own internal logs. Every action that

is performed by remote vendors, developers, system administrators, and business users, connected via RDP,

SSH, Telnet, Citrix, direct console login, or any other protocol on physical and virtual machines, such as Citrix and

VMWare, is recorded by video. Video replay provides bullet-proof forensic evidence, and video content analysis

can identify all actions that were performed.

ObserveIT can help satisfy compliance requirements for PCI, SOX, HIPAA, and NISPOM.

Key Components

• Insider Threat Library: ObserveIT's extensive library of out-of-the-box alert rules cover the most common scenarios of risky user activities, with built-in policy notifications designed to increase the security awareness of users, and reduce overall company risk.

• File Activity Monitoring: Track and alert on files that were downloaded or exported using a browser or web-based application, from the internet or intranet. Alert if a tracked file is copied or moved to the default local sync folder of cloud storage services.

• Policy notification and enforcement: Define company policies and security regulations and enforce them by posting specific, detailed notification and blocking messages in real-time to any user violating these rules.

• Policy enforcement: Prevent malicious or unauthorized Linux commands from being executed based on flexible Prevention rules defined by customers.


• Preventive actions: Stop users from breaching security or violating company policies by forcibly logging off from unauthorized machines and closing harmful applications.

• Track changes in user behavior: Security Analysts and investigators can track users that have experienced policy notifications or enforcement as a result of violating company policy or security rules, and pinpoint users with the highest number of policy violations and users whose behavior is not improving with time.

• User Behavior Analytics and Risk Scoring: Assess the risk of every user, analyze and score user activity to identify any actions that are out of role, suspicious, or in violation of security policies.

• User Activity Profile: Access a risky user's profile in order to investigate and view aggregated information about the user's activities, such as, which applications they are using, where they spend most of their time, and so on.

• Protect employee privacy: Anonymization of users in the Dashboard and Web Console protects the privacy of recorded users.

• User Activity Monitoring and Alerting: Capture all user activity, generates textual audit logs, screen recordings and alerts for risky behavior on desktops and servers.

• Efficient alert rule management: Alert rules are grouped by Categories and assigned to User Lists.

• Website Categorization: Automatically detect categories of Websites that end users are browsing, enabling alerts to be generated on browsing categories such as Gaming, Adults, Infected or Malicious Websites, Phishing Websites, and more.

• Field-Level Application Logging and Auditing: Track what is happening within on-premise and cloud apps, including those with no internal logging facilities of their own.

• Live-Session Response and Visual Forensics: Provide video replay and analysis of real-time and historic user actions, and the ability to actually stop user activity.

• Department level risk management via Active Directory Group-based permissions: Large organizations can manage the risk of their employees in departments or groups, each owned by a dedicated security team member or manager.

• Detection of potential data leaks and exfiltration when copying files, connecting USB Devices, or printing sensitive documents: Enriched metadata recording to enable the tracking of user actions such as copying/dragging files and folders, the insertion of USB-based external storage devices into a computer, or printing large documents.

• Import and export of detection rules: Enable customers to share real-time information about risky user activity and out-of-policy behavior with other departments/users and organizations.


2 Key Solution Features

2.1 Insider Threat Intelligence

ObserveIT's Insider Threat Intelligence provides a platform to assess the risk of every user, analyze and score

user activity, with the goal of identifying user actions that are out-of-role, suspicious, or in violation of security

policies. File Activity Monitoring helps to detect data theft, provides a user and data activity summary of exactly

what happened, and helps counteract some of the most common ways that users attempt to export and

transfer sensitive data out of the organization. The Insider Threat Intelligence platform also provides access to

the profiles of users to help investigate risky users by viewing their regular activity. Insider threat is prevented

by educating employees about out-of-policy behavior, whether malicious or negligent. Through policy

notification and enforcement, users can be educated to change their behavior.

ObserveIT has the capability to categorize billions of websites and alert when users browse sites with malicious,

phishing, unacceptable or counter-productive content, thus providing high visibility into employees' web

browsing habits and the detection of security risk from Insider Threat.

2.1.1 Insider Threat Library

ObserveIT provides an extensive library of out-of-the-box detection scenarios that can be used by Business users

and Administrators to detect insider threat on Windows, Mac, and Unix/Linux systems.

The ObserveIT Analytics Library Package contains 230 rules that cover the most common scenarios of risky user

activities that might generate alerts. Rules have built-in policy notifications that are designed to increase the

security awareness of users, and reduce overall company risk. Grouped according to security Categories to help

navigation and facilitate their operation and maintenance, rules can also be mapped to types of user groups,

such as Privileged Users, Everyday Users, Remote Vendors, and so on, each with a specific risk level.

The Insider Threat Library is maintained by an ObserveIT Content Manager and released as a ZIP file to

customers, providing them with the most up-to-date insider threat scenarios.

2.1.2 Viewing User Behavior and Risk Score

The ObserveIT User Risk Dashboard provides Security Analysts and Investigators with an easy way to track users

that have experienced any type of policy notification or enforcement resulting from a violation of company

policy or security rules. Every user notification message triggers an alert that notifies security specialists about

the incident and updates the user’s risk score.

In the ObserveIT User Risk Dashboard, you can view overall organizational risk from insider threats and view a

prioritized list of users and applications that present the greatest risk to your company.

The Dashboard provides an overall view of user risk and behavior trends over a period of time. Graphs illustrate

the number of alerts that were triggered each day, the number of out-of-policy notifications displayed to users

each day, and the number of users involved in those alerts and notifications.

Security analysts (including security and compliance staff, and those who review insider threats, compliance, or

out-of-policy risks) can quickly locate and identify where user risk is coming from and investigate users. At a

glance, you can see a user risk summary, breakdown of risky users by risk levels, number of new users at risk,

top risky applications and alerts. The dashboard highlights new users who become risky, denoted by recent

changes in their user risk score.


ObserveIT allows large organizations to manage the risk of their employees in separate departments or groups,

each owned by a dedicated security team member or manager. The monitored users of each department are

configured based on Active Directory Groups/Users ensuring full segregated permissions across the product –

including all risky user data, risk summary statistics, session recordings, alerts and reports.

The following information for each user at risk helps you prioritize which users to first investigate:

• General information about the user such as title, department and personal photo.

• Risk score color-coded by risk level, and score change since the previous day.

• Out-of-policy notifications and behavior trends.

• Which applications and alerts contributed most to the user’s total risk score, so you can understand where the risk is coming from and take corrective action.

• A timeline of when the risky activity occurred.

Figure 1 – ObserveIT User Risk Dashboard

ObserveIT User Analytics calculates a user-centric risk score that is displayed in the dashboard to identify and

prioritize users who present the most risk to an organization. The score is an intelligent aggregation of a user’s

activity alerts during the last month. The daily risk score tracks a user’s risk day by day, allowing you to easily

identify score changes and act first on users whose risk level have recently changed. You can customize score

thresholds per risk level for both alert rules and users to control what is considered critical, high, medium, or

low risk in your organization.

2.1.3 User Activity Profile

ObserveIT enables Security Analysts to access risky users’ profiles to investigate employee or remote vendor

activity, such as:

• Where do users spend most of their time?

• Which applications do they use?

• How much time do users spend in applications?

• How much time during working hours is the user idle?


• Which computers are used to work on or to connect from?

• Which shared accounts are being used?

• Is anything abnormal about the user's behavior?

By viewing the normal behavior of a user or comparing it with the user’s peers, investigators can quickly determine if the activity that is being investigated is indeed risky.

Dynamic filtering capabilities enable you to focus your investigation on specific applications, endpoints, login accounts, and/or remote client machines. An overall view of user activity during the specified profile period is

displayed in a User Activity Over Time graph.

Figure 2 – ObserveIT User Activity Profile

2.1.4 Policy Notification and Enforcement

ObserveIT enables you to easily define your company policies and security regulations and enforce them by

posting a specific, detailed notification message in real-time to any user violating these rules. The notification

message can be triggered each time the rule is violated, or alternatively only once per user session.

Warning notification messages automatically disappear after a few seconds so there is no impact on end-user

productivity. Customers can choose to have the notification branded with their company logo, or leave it

generic. Once the notification is displayed, the user can click to view the policy/security requirements directly

from the message itself and have the option to provide a comment explaining their misbehavior or to

acknowledge the message.

Blocking messages prevent users from continuing whatever they are doing. Users are forced to review the

message, acknowledge it, and provide their comment (optionally, depending on configuration) before they can

continue with their work. The policy/security requirements are available directly from the message.


Figure 3 – Windows End-User Blocking Message

On Unix/Linux systems, a policy notification is applied by writing the real-time notification message text directly

to the terminal output. Users become aware of the security/policy violation message and can keep on with their

work. The text is not added as input to the currently running command – hence there is no impact on any

interactive or back processes. A simple clear command (^L) will clear the text message.

Figure 4 – Unix/Linux End-User Warning Notification

ObserveIT can prevent unauthorized Linux commands from being executed based on flexible Prevent rules that you can define. For example, if a user runs an SFTP command from a remote server with intent to bypass security controls, the command will be blocked from execution preventing remote user access to the sensitive file(s). When a Policy Enforcement rule is triggered, the end user receives the standard operating system “Permission denied” message together with an optional message configured by security administrators.


In addition, ObserveIT preventive actions enable security and compliance officers to stop users from breaching

security or violating company policies. Users can be forcibly logged off from machines that they are not

authorized to access or to prevent them from continuing with activities that are risky or malicious. Applications

or websites that users should not be running can be forcibly closed, including "triggering" applications (for

example, when users browse forbidden websites or website categories, or execute potentially harmful SQL

commands).

Figure 5 – Logging Off and Closing Application End-User Messages

2.1.5 Tracking User Behavior Change via Policy Violations and Notifications

ObserveIT enables you to track users that have experienced policy notifications or enforcement, pinpointing

users with the highest number of policy violations and whose behavior is not improving with time.

In the ObserveIT User Risk Dashboard, an indication is displayed next to a risky user’s photo showing the

number of out-of-policy notifications. A trend arrow indicates if the user behavior has improved with time. For

more details, a tooltip shows extra information about the types of violations involved so analysts can drill down

to view full details of any incident including playing the video recording.

Figure 6 – Out-of-Policy Behavior Tooltip

2.2 File Activity Monitoring

ObserveIT’s File Activity Monitoring enables security analysts to detect data exfiltration before it happens, with

full file audit. Many organizations store sensitive data in content management systems such as Microsoft

SharePoint, Box for Business, Google for Work, and other storage systems accessed via a web interface.

Sensitive data is accessed daily from web/cloud applications (CRM, ERP, trading systems, health applications,


and other business applications) presenting a massive security challenge. ObserveIT’s File Activity Monitoring

provides visibility on users that download specific files from websites or web applications, whether on the

internet or in the local intranet. ObserveIT tracks accessed files and alerts administrators when a tagged file is

moved to a local cloud sync & share folder, such as Dropbox.

Figure 7 – Alert Details on Exfiltrating a Tracked File

The alert details show the original name of the exfiltrated file and the website from which the file was downloaded.

The details of all tracked file activities are reported in the ObserveIT File Diary which also shows the lifecycle of

each file's history. File activities metadata can be exported to Excel and printed. Sessions of file activity events

can be replayed in the Session Player.

You can search related file activity for users that are suspicious, and view the full history of the file on any activity.

Figure 8 – Viewing and Filtering Tracked Files in the File Diary


The File History tab provides a full history of all operations that occurred on the alerted file and allows you to

jump directly to the Video playback at any point.

Figure 9 – Viewing the Tracked File’s History


2.3 Visual Forensics

Playing back a user session shows exactly what occurred on-screen. Playback speed is adjustable. On the right

side of the player window is an activity summary panel which lists, in chronological order, every action

performed during the session. Clicking an action jumps directly to that portion of the video—just like navigating

chapters on a DVD. Alerts triggered from the session are indicated on the timeline, and during playback alert

details are automatically displayed at the exact time they occurred.

Figure 10 – Windows Session Playback

ObserveIT goes far beyond simply recording on-screen activity. All on-screen activity is transcribed into an easy-

to-read user activity log so that you don’t need to watch the video to know what the user did. User activity logs

can be selected by endpoint (Endpoint Diary page), by user (User Diary page), or by keyword search (Search

page). Clicking on any specific event in the log launches the video playback from that exact moment.

You can see at a glance exactly what a user did during a session, and if any suspicious activities were performed.


Figure 11 – User Activity Log

2.4 Advanced Key Logging

Key loggers track and record an employee’s or vendor’s computer activities for the purposes of monitoring,

root-cause analysis, forensic investigation and regulatory auditing. ObserveIT key logging offers unique

capabilities not available in any other key logging solution.

ObserveIT Key Logging enables security analysts to detect and generate alerts on:

• Sensitive keywords and commands that users typed in desktop applications, websites, and shell command tools.

• Data exfiltration attempts by users typing protected keywords in emails or chat applications, social media sites, etc.

• Commands executed in CLI tools such as Windows CMD, PowerShell, PuTTY or Mac Terminal.

ObserveIT administrators and compliance auditors can search for text entered by a user, as well as certain

application/system selections, and then jump directly to the session video recording at that exact location.

To prevent users who are authorized to access the database from viewing passwords or other sensitive data, data captured by the ObserveIT key logger is hashed (using the SHA256 salted hash algorithm). There is no way to reverse (un-hash) the hashed data. ObserveIT Administrators cannot disable Key logger hashing from the ObserveIT Web Console.


2.5 User Activity Alerts

The Alerts feature provides ObserveIT with a proactive, real-time detection, deterrence and prevention

mechanism. Alerts are user-defined notifications which are generated when suspicious login events or user

activity occurs during a session. When alerts are triggered, textual notifications can be displayed warning users

about potential security violations so that they can take remedial action. In some cases, users can be "denied

access" and hence prevented from continuing with their current activity.

Alerts are integrated throughout the ObserveIT Web Console (in the User Risk Dashboard, User Diary, Endpoint

Diary, Search pages, and video Session Player) and can be easily integrated into an organization’s existing SIEM

system.

The ObserveIT installation package includes an extensive library of out-of-the-box alert rules that Business users and Administrators can use to detect risky user activity and trigger alerts on Windows, Mac, or Unix/Linux machines.

Following are some examples of risky user activities that might trigger alerts:

• Logging-in locally or remotely to unauthorized endpoints by unauthorized users or from unauthorized clients

• Sending sensitive documents to a local/network printer during irregular hours

• Copying files or folders that are either sensitive or located in a sensitive location during irregular hours

• Connecting a USB storage device (or mobile phone) in order to copy sensitive information

• Using Cloud storage backup or large file-sending sites that are not allowed by company policy

• Storing passwords in files that can be easily detected by password harvesting tools

• Clicking links within emails that open Phishing websites

• Browsing contaminating websites with high potential security risk

• Browsing websites with unauthorized content (gambling, adults, etc.)

• Being non-productive by wasting time on Social Networks, Chat, Gaming, Shopping sites, and so on

• Searching the Internet for information on malicious software, such as steganography tools (for hiding text-based information within images)

• Accessing the Darknet using TOR browsers

• Performing unauthorized activities on endpoints, such as, running webmail or Instant Messaging services

• Running malicious tools such as, password cracking, port scanning, hacking tools, or non-standard SETUID programs on Linux/Unix

• Hiding information and covering tracks by running secured/encrypted email clients, clearing browsing history, zipping files with passwords, or tampering with audit log files

• Attempting to gain higher user privileges (for example, via the su or sudo commands, running an application as Administrator)

• Performing copyright infringement by browsing copyright-violating websites or by running P2P tools

• Changing the root password by regular user or searching for directories with WRITE/EXECUTE permissions in preparation for an attack (on Linux/Unix)

• Performing IT sabotage by deleting local users or files in sensitive directories (on Linux/Unix)

• Creating backdoors by adding users/groups to be used later un-innocently

• Installing questionable or unauthorized software such as hacking/spoofing tools on either desktops or sensitive endpoints

• Accessing sensitive administration tools or configurations, such as Registry Editor, Microsoft Management Console, PowerShell, Firewall settings, etc.


2.5.1 Alerts Review and Response

ObserveIT’s enhanced alert review workflow enables Incident Response teams to drive incident investigation. A

workflow status can be set for each alert indicating whether it is being reviewed, has been identified as an issue,

or ended up being a non-issue. Adding comments to alerts enables you to provide feedback on findings and

decisions regarding the triggered alerts. The Alerts display can be filtered according to specific comment text, or

to show all alerts with comments. In the alert’s details, you can view existing comments (or hide them).

Comments are also displayed while browsing alerts in Gallery mode.

The capability to export metadata about alerts to PDF reports enables the sharing of real-time information for

collaboration during investigation on risky user activity and specific incidents with other departments/users

(such as, HR, Legal, managers) who do not have access to ObserveIT.

Figure 12 – Exporting Alerts to a PDF Report

Alerts can also be exported to your SIEM for further collaboration.

2.5.2 Alerts Display Modes

You can view alerts in various display modes. For example, Gallery mode provides a view of the user

environment, enabling you to see the context of exactly what the user was doing when an alert was triggered.

You can browse through the screenshots of each alert while viewing the full alert details next to each screen,

and easily replay sessions in which alerts occurred.


Figure 13 – Viewing Slideshow of Alerts with Alert Details Emphasized

By clicking the Video playback icon, you can open the Session Player at the screen location where an alert

was generated. The following shows an example of the video replay of a session during which several alerts

occurred.

Figure 14 – Replaying Sessions with Alerts


2.6 Website Categorization

ObserveIT provides high visibility into employees' web browsing habits. Using URL Filtering technology,

ObserveIT can automatically detect categories of Websites that end users are browsing, enabling alerts to be

generated on browsing categories such as Gaming, Adults, Infected or Malicious Websites, Phishing Websites,

and more. ObserveIT has over 28 billion indexed URLs that are updated daily with new websites and new

security risks. Website Categorization supports flexible deployment modes whether your endpoint can access

the internet directly or via a protected proxy.

Note: To trigger alerts on Internet browsing, the Website Categorization module must be installed.

2.7 Session and User Activity Metadata Search

ObserveIT captures all sessions and user activity, recording important information about what is seen on the

screen, which applications are used, what actions are performed, the date and time of actions, and other

specific metadata attributes. This "metadata" is stored in the ObserveIT database, which is located on a central

SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout

recorded sessions and provide a textual breakdown of each user session. As part of any investigation process, it

is crucial to be able to quickly locate forensic data. ObserveIT’s advanced search boosts performance by allowing

you to focus a search on specific metadata.

You can search for users who logged in, application sensitive elements that were clicked or viewed, metadata

that was captured on risky user activity concerning file copying and data exfiltration through USB storage

devices or printing sensitive data, keystrokes typed, applications that were run, specific window titles or URLs

viewed, browsing forbidden Website categories, SQL commands containing keywords (such as, a table name),

and more. On Unix/Linux systems, you can search for users who logged in, executed specific commands (based

on command name, full path, arguments, command switches) or acted under a different user's permissions.

You can also filter searches based on specific login users, specific machines, and specific time periods. Matched

keywords are highlighted.

For accelerated search performance, it is highly recommended that you install the Microsoft SQL Server Full Text Search (FTS) utility prior to ObserveIT installation.

Figure 15 – Searching for Sessions and User Activities

The displayed search results provide the context of the activity, showing the exact location of searched

keywords (for example, in a URL, Window title, SQL statement, and so on). Where relevant, the resulting search

hit is linked directly to the portion of the video where the action occurred, making it easy to find the exact


moment that an action was performed. Within each session, you can watch the full video replay of the user

session and see exactly what took place.

2.7.1 Capture Metadata on Potential Data Leaks

ObserveIT enriches the recording of metadata by enabling the capture of user activity related to potential data

leaks. Any user attempt to move files (or folders) by copying them to the clipboard or dragging them with the

mouse is immediately captured by ObserveIT, together with the names of the files as well as their source

location and size. Thresholds can be defined to indicate a LARGE file copy based on the number of files being

copied and/or their total size. In addition, if a user connects any USB storage device (including a mobile phone),

ObserveIT immediately captures the device description (i.e., model and manufacturer) and the mapped drive

letter.

Furthermore, copying to the clipboard text from sensitive applications can now be tracked and alerted on,

providing administrators with additional detection visibility on potential data leaks.

The ObserveIT detection mechanism also captures metadata relating to user attempts to print sensitive or

confidential data. Upon a user attempt to print files or documents, ObserveIT immediately captures the titles of

the files, the printer, and the number of pages being printed, while differentiating between the printing of large

and standard size documents. This enriched metadata is fully integrated across the product, allowing customers

to detect and deter any out-of-policy behavior or risky activity of their employees with regard to file copying and

data exfiltration through USB storage devices or printing sensitive data.

Users can define alerts when sensitive files are being copied or printed, pop up a notification or blocking

message when a USB storage device is connected, generate reports, search for specific files being copied or

printed, and export the new metadata to their favorite SIEM system.

2.8 Reporting and Auditing

ObserveIT reporting can be used by novice administrators to generate reports based on preconfigured built-in

reports, or by experienced administrators and security auditors who require flexible application usage reports

and trend analysis reviews. Experienced administrators and security auditors can also create comprehensive

customized reports based on their own requirements. Reports can provide aggregated or summary information

about all monitored user activity on Windows, Mac, or Unix-based endpoints.

ObserveIT reporting capabilities significantly enhance security operations and regulatory compliance by

providing reports on alerts, websites visited, documents printed, USB storage device connections, file/folder

copying, large file/folder copying, typed key logger data, SQL queries executed against production databases,

installing and uninstalling applications, system events, user logins, and more. Captured metadata can be used to

expose potential data leaks by generating reports that show for example, when corporate or sensitive files were

copied or printed, when a user connected a USB storage device, when notification or blocking messages were

displayed to users, when large files were copied or printed, and so on.

The ObserveIT Web Console provides several ways to run reports and export user activity log data:

• The report generator includes built-in reports and customizable report rules for filtering by user/user group, endpoint/endpoint group, date, application, resources accessed, and more.

• Reports can be run ad-hoc or delivered on a schedule by email.

• Full-text Google-like searching allows pinpoint identification of user sessions.

• User activity log drill-down allows each session to be viewed item-by-item, to see which applications were run and which actions were performed during that session.


• Video replay can be launched directly from any audit view or report.

• Specific audit video can be exported for delivery as a simple HTML file for forensic evidence delivery.

2.9 DBA Activity Audit

DBA Activity Auditing provides monitoring of SQL queries executed by DBAs against production databases. SQL

query activity is captured by ObserveIT when the DBA is using a DB management tool on an ObserveIT-

monitored computer. A recommended configuration is to ensure that all DBAs for whom recording is required

must connect through a Windows gateway, on which the ObserveIT Agent and the DB management tool

application are installed.

Figure 16 – Capturing SQL Queries

Using ObserveIT, administrators and auditors can review all SQL queries performed on a given date or filter

results by database, DB User, endpoint, login ID, or any text contained within the queries. SQL queries are also

included in the session activity details displayed in the Endpoint Diary and User Diary pages. When using the

Search page in Metadata (user activity log) mode, text matches within SQL queries will also return the relevant

sessions in the search results.


2.10 Privileged Identity Management

When admin users log in using a shared account (for example, administrator, root), ObserveIT can be configured

to present specific users with a secondary challenge-response, forcing them to specify their named-user account

ID. Secondary IDs can be tied to an Active Directory repository, or can be managed locally in the ObserveIT Web

Console. ObserveIT’s Secondary Identity mechanism allows you to manage and secure shared-user access

without requiring the overhead, complexity, or expense of password rotation or password vaults.

Figure 17 – Shared-User Login Triggers Secondary User Authentication

2.11 Identity Theft Detection

ObserveIT’s Identity Theft Detection module brings a new approach to preventing and discovering incidents of

stolen privileges. Today, security officers provide users with tools and education on how to protect their identity

(such as, Two-Factor Authentication, Password complexity, reset rules, and so on). But once an identity is stolen,

no tool can clearly identify or track the incident, and the responsibility for detection lies entirely on the security

officer. ObserveIT enables you to include users in the detection process, and thus make users responsible for

their identities. IT identity theft incidents can be detected and neutralized much quicker when users have a

means to flag unauthorized logins.

For each monitored endpoint, ObserveIT keeps track of authorized/confirmed pairings of User IDs and client

machines. If a user logs in to an endpoint from a client that is not paired to the user, an email is sent to the user.

For example:

• A hacker steals a password and logs in from a remote machine. An email is sent to the user saying “The user ‘johnsmith’ just logged in to server WEBSRV-PROD from unauthorized IP address 11.22.33.44. Please confirm that it was you who performed this action.”

• An internal user steals an administrator’s password and logs in to a server from her own desktop, generating an email saying, “The user ‘johnsmith’ logged in to server DBPROD-4 from unauthorized desktop KATHY-DSKTP. Please confirm that it was you who performed this action.”

The user can either confirm or deny the action. In parallel, an event is logged for the administrator to track and

monitor unauthorized pairings. Granular security rules can be applied to specify how to manage each user

confirmation.


2.12 User Session Locking

With ObserveIT, you can view live user sessions in real time. If required, you can interact with the user of each

session by sending messages (for example, “You should not be running SQL queries on the production

database.”) and can also stop the user session entirely by locking the session.

2.13 Policy Messaging and Recording Notification

Policy information can be delivered to users as they log into a server or desktop. This policy info can include

notification of auditing activity (for example, “Please note that all activity on this machine is recorded.”). Policy

information can also relate to company or regulatory policies (“Please note that PCI requirements mandate that

no database traces be implemented on this server.”).

Policy messages can also be set to require the user’s response. This can be used to record the user’s

acknowledgment that he/she is being recorded (a legal requirement in some jurisdictions). Users can optionally

be prevented from completing their logon to the computer until they provide a confirmation and/or response.

Figure 18 – Policy Messaging Delivered to the User on Windows and on Unix/Linux


3 System Architecture

3.1 Overall Architecture

ObserveIT is a software-based User Activity Monitoring and internal risk identification platform. Software

agents running on Windows and/or Unix/Linux gateways, and servers and/or desktops capture user activity data

and send it to an ObserveIT Application Server. The Application Server sends the relevant user activity log and

screen video data to a Database Server for storage. Administrators manage the system and access user activity

logs, screen video, reports and other features using the ObserveIT Web Console, which is served by the

Application Server.

Figure 19 – ObserveIT Architecture


3.2 Windows Agent

The ObserveIT Windows Agent is a software component that is installed on any Windows-based operating

system (server or desktop) that you want to record. You can deploy as many ObserveIT Agents as required up to

the licensing limit. For a small number of monitored endpoints, it is recommended that you manually install the

Agent on each system.

The Windows Agent is a user-mode executable that binds to every user session. As soon as a user logs into a

monitored endpoint, the Agent begins recording based on the configured recording policy.

From the moment a user logs on, the Windows Agent starts capturing user activity data logs and, if configured,

screen video. All captured user activity data can be searched for, reported on, configured for alerts, and

integrated with SIEM systems. The Agent sends all screen capture video and textual activity logs to the

ObserveIT Application Server for processing and storage.

Figure 20 – Windows Agent Architecture

By default, the Agent records the screen only when actual user activity is detected at the keyboard or mouse;

during idle time (when there is no user activity on the machine), the Agent does not generate logs of screen

capture data. However, optional time-based recording allows the recording of everything that appears on the

screen even when the user is idle or not present – which can be useful, for example, to record the output of

lengthy scripts run by IT users.

When network connectivity between the Agent and the Application Server is unavailable, the Windows Agent

maintains an offline buffer to temporarily collect data. The buffer size is customizable. Once connectivity is

restored, the buffered data is delivered to the Application Server.

Supported Platforms for Windows Agents Microsoft Windows Server 2008/2008 R2/2012/2012 R2/2016, Windows 7, 8, 8.1, and 10.

For an up-to-date list of supported Windows platforms, refer to:

http://documentation.observeit.com/7.1/#supported_platforms.htm.

http://documentation.observeit.com/7.1/#supported_platforms.htm


3.3 Unix/Linux Agent

The ObserveIT Unix/Linux Agent is a software component that can be installed on any supported UNIX or Linux

system that you want to monitor.

The Unix/Linux Agent runs in user mode and is triggered when an interactive session is created on a monitored

machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including

interactive user activity and system functions such as OPEN, EXEC, CHMOD and others. The recorded data is sent

to the ObserveIT Application Server and can be replayed or searched for input commands, system functions and

output data. All recorded data can be searched, reported, configured for alerts, and integrated with SIEM

systems.

SFTP sessions to Unix/Linux machines can also be recorded, logged, searched, configured for alerts and

integrated with SIEM systems, in the same manner as SSH sessions.

Figure 21 – Unix/Linux Agent Architecture

When a user logs-in on a Unix/Linux machine, the Agent is started and begins recording the shell actions based

on a predefined data recording policy.

The ObserveIT Unix/Linux Agent captures all the internal actions and the names of files and resources that are

effected by command line operations. All output, commands and important system functions inside commands

are captured and forwarded to the Agent, which sends it to the ObserveIT Application Server for processing and

storage.

In offline mode, the ObserveIT Agent allows local storage of the recorded data in the event of network

malfunction or disconnection. When network connectivity is re-established, the ObserveIT Service transmits the

locally cached data back to the Application Server. To prevent the local disk from reaching its full capacity, the

volume of local data cache is limited per offline session.

Attempting to stop the recording process will terminate the user session, preventing any further user activity

from not being recorded.


Supported Platforms for Unix/Linux Agents

• Solaris 10 (updates 7-11) and Solaris 11 (updates 1-3)

• RHEL/CentOS 4.8-4.9, RHEL/CentOS 5.10-5.11, RHEL/CentOS 6.6-6.9, and RHEL/CentOS 7.0-7.3

• Ubuntu 12.04, 14.04, and 16.04

• Oracle Linux 4.8-4.9, Oracle Linux 5.10-5.11, Oracle Linux 6.6-6.8 and Oracle Linux 7.0-7.3

• SLES SuSE 11 SP2-SP3, and SLES SuSE 12

• AIX 6.1, AIX 7.1, and AIX 7.2

• HP-UX 11.31

• Debian 6, 7 and 8

• Amazon Linux AMI 2015.03

For a full list of supported platforms for Unix/Linux Agents, refer to:

http://documentation.observeit.com/7.1/#supported_platforms.htm.

3.4 Mac Agent

The ObserveIT Mac Agent software can be installed on any Mac platform (mainly desktop) which requires

monitoring. Mac Agents appear in the ObserveIT license as Windows Workstations. The OS version is MAC; the

OS Type is Windows.

The Mac Agent has full recording capabilities and supports the following features:

• Key logging

• Alerts

• Video and metadata recording

• Configurable recording policies (include/exclude users, applications, or URLs)

• Record when Agent is offline

• Recording notification message

• Out-of-policy notifications (warning and blocking messages)

• Log Off and Close Application actions

• Health monitoring – detect if the Agent is offline or has been tampered with

All the metadata that is collected from the Mac Agent is searchable, reportable, can be alerted on, and can be

exported to SIEM systems.

Risky activity that is performed on the Mac Agent is consolidated with other risky activities from the same user,

providing a unified risk score for the user and a user-centric view in the User Risk Dashboard.

Supported Platforms & System Requirements for Mac Agents

• Mac desktop, laptop, server software versions:

• OSX 10.10 Yosemite

• OSX 10.11 El Capitan

• MacOS Sierra 10.12

• VNC support for remote connections

• Fast user switch for recording multiple users

• Minimum hardware requirements for deploying ObserveIT Agents on Mac operating systems are:

• 1.6 GHz or faster Intel Core processor

• 4 GB RAM or more

• 1 GB free hard disk space

• 100 Mb/1Gb Ethernet adapter (1 Gigabit link speed recommended)

http://documentation.observeit.com/7.1/#supported_platforms.htm


3.5 Application Server

The ObserveIT Application Server is an ASP.NET application that runs on a Windows Server-based computer

(physical server or VM), in the context of Microsoft Internet Information Server (IIS).

Recorded data is sent by the Agents to the Application Server, which stores the data in SQL Server databases

and file system shared folders. Windows-based operating system recorded data is divided into 2 sections: the

metadata (approx. 30% of the total storage size) and the graphical images (approx. 70% of the total storage

size). UNIX/Linux-based operating system recordings are 100% metadata.

The Application Server also maintains recording policies and other configuration data, actively communicates

with Agents to deliver configuration updates and to monitor system health, handles data

maintenance/archiving, and generates reports.

3.6 Web Console

The ObserveIT Web Console is also an ASP.NET application that runs in the context of Microsoft Internet

Information Server (IIS). It is the primary interface for audit review, video replay, and reporting, as well as for

configuring and administering ObserveIT. All configuration information is stored in the ObserveIT Database

Server. The Web Console includes granular policy rules for limiting access to sensitive data.

In most cases, the ObserveIT Web Console component is installed on the same computer as the ObserveIT

Application Server (one of them if there are multiple Application Servers).

3.7 Database Server

By default, ObserveIT uses Microsoft SQL Server for data storage. This storage includes user activity

configuration data, user analytics data, textual audit metadata and possibly the screenshots captured by the

ObserveIT Agents for video replay. ObserveIT can also be configured to store the video replay screenshots in file

system storage instead of in the SQL database, either on the local hard drive of the ObserveIT Application

Server, or on a file share in the network. In these cases, the MS SQL Server database is still used for storing user

activity log and configuration data. ObserveIT can work with SQL Server Express, but it is not recommended due

to its size limitations. Connectivity with the database is on standard TCP port 1433.


4 Deployment Scenarios

ObserveIT can be deployed in several different ways, as shown below. The different methods are not mutually-

exclusive, allowing for a hybrid deployment when required.

4.1 Standard Agent-based Deployment (Servers and Desktops)

The standard method of deployment involves deploying the ObserveIT Agent on each machine to be monitored.

An Agent is installed on each machine that is being monitored, which captures activity on the machine and feeds

the video/log data to the Application Server.

Figure 22 – Agent-Based Deployment


4.2 Jump Server Gateway

The Jump Server (Terminal Server) Gateway deployment is the ideal solution for logging all user configuration

changes on remote network devices, servers, desktops and DB servers. In this topology, the ObserveIT Agent is

deployed only on a gateway machine; only one Agent is required for recording all sessions. Users are routed via

the gateway, and ObserveIT records all user sessions in which the user connects to another target machine via

RDP, SSH or other protocol. Client applications (such as, Microsoft SQL Server Management Studio, browsers,

and others) are recorded with full user activity log analysis on the gateway.

In this deployment, ObserveIT does not record any user session in which a user logs on directly to a target

machine (via local console login, or via a direct RDP/SSH/etc. window) that is not routed via a gateway. The

volume of user activity log data captured is less than for the full Agent deployment because the ObserveIT Agent

on the gateway does not have access to OS-specific information on the target machine. For example, it cannot

detect the name of a file opened within an RDP window.

Figure 23 – Terminal Server Gateway (Jump Server) Deployment


Figure 24 – Linux Gateway (Jump Server) Deployment

4.3 Outbound Jump Server Gateway

The Jump Server Gateway topology described above can also be used for environments in which remote users

need to access multiple external resources. For example, a Managed Services Provider that needs to support

multiple customers and wants to record and audit all the actions performed by the support employees.

The topology is essentially the same as for the Jump Server Gateway; the only difference is the location of each

resource – that is, the Terminal Server is not on the same network as the target machines.

Figure 25 – Outbound Jump Server


4.4 Citrix Server for Published Applications

The ObserveIT Agent can be deployed on a Citrix Server in order to record all activities that take place within

Published Applications served by the Citrix machine.

Figure 26 – Citrix Server Deployment


4.5 Hybrid Deployment: Agent-Based + Gateway

The Hybrid topology is the most commonly-used ObserveIT deployment because it allows you to simultaneously

deploy any combination of the above topologies.

Any remote or local user can be routed via a gateway. This enables ObserveIT to capture and record every

outbound session which can be replayed at any time. Agents can also be deployed on specific sensitive

endpoints that require a more detailed audit, including any logins performed by privileged users with direct

access to the endpoints. ObserveIT provides full user activity log data analysis and recorded video of all user

actions that take place on sensitive endpoints – upon which Agents are installed – for which privileged users

have direct access (and can therefore bypass the gateway).

Figure 27 – Hybrid Deployment: Gateway + Agent


5 Sizing and System Requirements

5.1 Small Deployments

For installations with low user activity (less than 1,000 monitored users in average user cases), an “All in One”

installation can be utilized, which means that the Application Server, Web Console and Database Server are all

installed on the same platform. This platform can be a physical server, or it can be a virtual machine running in a

typical virtualization solution.

Figure 28 – Small Implementation

System Requirements and Data Sizing for Small Deployments

• Physical Server with 4-8 Core CPU 2.4 GHZ or higher (processor configuration as needed)

• 16 GB of RAM

• Operating System hard disk: 80 GB (15K or SSD)

• 2 NICs - 1 GB Ethernet (10 GB Ethernet is recommended)

ObserveIT Agents

Web Console Access

“All in One”• Database Server• App Server• Web Console


5.2 Medium Deployments

For medium-sized implementations of ObserveIT comprising 1,000-6,000 monitored endpoints in average user

cases, it is preferable for the MS SQL Server to be installed separately from the Application Server/Web Console.

If required, an existing SQL Server can be used, or a new instance can be created.

Depending on the company’s data storage strategies, a file system storage method for screen-capture data

might be considered for this size deployment.

Figure 29 -Medium Implementation

System Requirements and Data Sizing for Medium Deployments For each Application Server*, the recommended requirements are:

• 8 Core CPU 2.4 GHZ

• 16 GB RAM


* It is recommended to add another Application Server for every 2,000 concurrent users. For more specific sizing

information, or for configurations exceeding 1,000 Agents, contact an ObserveIT representative.

For the SQL Server, the recommended requirements are:

• Physical Server with 12 Core CPU 2.4 GHZ

• 32 GB of RAM

• 24 TB for 1 month’s data retention

For specific recommendations, contact an ObserveIT representative.

ObserveIT Agents

Web Console Access

App Server & Web Console

Database Server


5.3 Large Deployments with High-Availability

ObserveIT supports large enterprise implementations comprising more than 6,000-10,000 concurrent users per

site. Optimized database storage configuration and Application Server performance provide support for an

increasingly large number of ObserveIT business users.

If you have more than 10,000 users relying on your expected user activity and ObserveIT configurations, you

may still be able to actively monitor all your users with no difficulties using the specifications listed in System

Requirements and Data Sizing for Large Deployments. However, it is recommended to consult an ObserveIT

representative.

For best practices for common scenarios and benchmark data for assessing a customer’s hardware configuration requirements (Application Servers, Database Servers, and Storage) in large scale deployments, contact an ObserveIT representative.

Large enterprise implementations of ObserveIT will typically be accompanied by load balancing (LB), high-

availability (HA) and redundancy requirements. Key factors for deploying HA include:

• Two or more endpoints running the ObserveIT Application Server and Web Console

• Cluster-based implementation of Microsoft SQL Server

• SQL Server using a dedicated storage device or, alternatively, using ObserveIT’s file system storage mechanism for visual screenshot data storage

Load Balancer Implementation When full LB and HA are required, you can use a software-based load balancer (such as Microsoft NLB) or

hardware-based load balancer (such as F5). Optionally, this can be further augmented by a failover cluster for

the Application Server with an active/passive cluster that has only one node operational at any given time. Also,

more nodes can be added, as needed, to the failover cluster.

Figure 30 – Load Balancing Implementation

ObserveIT Agents

MS SQL Server Failover Cluster

App Server 2

DNS Records:oitsrv A 192.168.100.10

App Server 1

192.168.100.10


File System Storage To improve performance of the MS SQL Server, it is sometimes recommended to use ObserveIT’s file system

storage capabilities. In this deployment, the SQL Server is still used for user activity log and configuration data,

but the actual screenshot images are stored in a file system directory structure, which is fully managed by

ObserveIT.

Figure 31 – File System Storage

System Requirements and Data Sizing for Large Deployments For each Application Server*, the recommended requirements are:

• 8 Core CPU 2.4 GHZ

• 16 GB RAM


* It is recommended to add another Application Server for every 2,000 concurrent users. For more specific sizing

information, or for configurations exceeding 1,000 Agents, contact an ObserveIT representative.

For the SQL Server, the recommended requirements are:

• Physical Server with 24 Core CPU 2.4 GHZ

• 64 GB or higher RAM (OS 2012)

• 15 TB for SQL server, 35 TB for file system (1 month’s data retention)

For specific recommendations, contact an ObserveIT representative.

ObserveIT Agents

App Server & Web Console

Database Server

File SystemStorage


6 Installation Overview

6.1 One-Click Installation

One-Click installation is the easiest way to deploy ObserveIT in the most common environments. The main

installation screen provides settings for configuring the SQL Server, Web Console and License. One-Click

installation will also install an Agent locally on the Application Server machine. The installation automatically

configures the Web Console to work with the secure HTTPS protocol using a self-signed certificate.

Figure 32 – One-Click Installation

6.2 Custom Installation

Each of the ObserveIT components can be installed separately as part of a custom installation, whereby you can

distribute the components and use advanced configuration options as needed.

Active Directory Domain membership is not mandatory, although ideally all components should be placed on

domain members. This enables usage of AD groups for Console Users; filtering of AD groups for Privileged

Identity Management; DNS integration for Agent auto-configuration; and GPO-based installation.


6.3 Windows Agent Installation

Windows Agent installation is performed over a standard Windows installer package (.MSI) that is well

supported by software distribution applications and Group Policy (GPO). The Windows Agent can be installed by

using the default installation (using a simple batch file) or by using a custom installation which allows you to

configure advanced settings, including the Agent registration mode and user recording policy.

For improved security, you may also be required to provide a security password when installing or uninstalling

the Agent. Requiring a password to install Agents prevents the unauthorized recording of computers and the

unauthorized consumption of ObserveIT licenses. By also requesting a password on uninstallation of an Agent,

unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.

No reboot is required after installation. Optionally, a system tray icon can be configured to be displayed on the

machine when the Agent is running.

6.4 Unix/Linux or Mac Agent Installation

The Unix/Linux or Mac Agent installer is a self-extracting file which includes the package and the installation

program. All Unix/Linux or Mac Agent installation files are centrally located.

The Agent installation procedure is the same for all platforms; a single installation script can be used for every

supported platform.

For example: ./observeit-agent-Ubuntu-12.04-precise-5.8.0.156.run -- -i -s 10.3.0.72

For improved security, you may also be required to provide a security password when installing or uninstalling

the Agent.

The installation script can also be run in interactive or silent mode:

• Interactive mode: The installation program prompts you to enter the installation parameters that are required to configure the Agent. Prompts are triggered if the user does not specify the name of the Application Server or if registration to the Application Server fails.

• Silent mode: The installation program does not prompt for any configuration options during the installation process.


The following example shows an ObserveIT interactive installation on a Linux Agent, and the Linux directory

structure:

Figure 33 – Interactive Unix/Linux Installation


7 Key Configuration Settings

7.1 Rules Configuration

Alert and prevent rules define the conditions under which an alert will be triggered. Administrators can

configure flexible, fully-customizable alert and prevent rules which can help to detect malicious user activities,

prevent unauthorized and malicious activity via policy enforcement, increase security awareness through user

education and policy notifications, detect known patterns of risky behavior using the built-in library of alert

rules, and so on.

Figure 34 – Alert Rule Configuration

For each rule, a detection policy defines the conditions that will trigger an alert (based on robust combinations

of Who, Did What, On Which Computer, When, and From Which Client), and additional actions to be taken

when the alert is triggered. User warning notifications and blocking messages notify users in real-time about any

out-of-policy behavior. Users can acknowledge a message, add a comment explaining their actions, and follow a

link to view the company policy. If required, the security administrator can also select to start recording a user

when a security violation is detected. Preventive actions, such as forced log off and forcibly closing

applications/websites, enable security officers to stop users from breaching or violating company policies. On

Linux systems, ObserveIT prevent rules can be configured to block unauthorized Linux commands, including

SFTP commands, from being executed. For example, if a user attempts to run commands that manipulate

sensitive protection policy files, the user will be denied access to the protection policy files. Video recording of

user commands and terminal output can be activated on Linux prevent rules.


The Rule Engine Service component on the Application Server processes the activity data and generates alerts based on rules which are active.

The administrator can configure a notification policy which defines whom should be notified when an alert is

generated, and how they will be notified.

For enhanced management and operation, alert rules can be assigned to one or more user groups (a.k.a “User

Lists”) such as Privileged Users, Everyday Users, Remote Vendors, Terminated Employees, Users in a Watch-List,

Executives, Developers & DevOps. Privileged Users and Everyday Users lists are prepopulated based on common

Active Directory groups. These lists can be modified, and other lists can be easily created or populated by

assigning them individual users or Active Directory groups.

In addition, alert rules can be assigned to security Categories (such as, Data Exfiltration, Hiding Information and

Covering Tracks, Running Malicious Software, Performing Unauthorized Admin Tasks, and more) in order to help

navigation and facilitate rules operation and maintenance.

Categories can be applied on Windows, Mac, or Unix/Linux operating systems. Some categories are relevant for

all systems.

Alert rules in the Insider Threat Library are already grouped into Categories and assigned to relevant User Lists with appropriate risk levels.

7.1.1 Importing and Exporting Rules

ObserveIT allows the importing and exporting of rules. Importing is managed by a straightforward wizard that

notifies you in advance about any potential conflict or missing data on the target environment. Exporting rules is

simply done by selecting the rules you wish to export and providing the location for the export file.

The ability to export and import rules extends ObserveIT's Insider Threat Solution, by enabling the sharing of

real-time information about risky user activity and out-of-policy behavior with other departments/users in an

organization and with other organizations.

Rules can be integrated with external HR systems; ObserveIT User Lists can be exported and imported as a

comma-delimited format file (CSV), so for example, you can simply export your current "Employee watch-list"

from your HR system and import it into your list in ObserveIT.

Alert, policy, and prevent rules can be easily migrated between staging or other environments (such as, from

POC to UAT to Production).

ObserveIT customers and business partners can use the exported/imported ObserveIT rules to detect risky user

activity and out-of-policy behavior on their own Windows or Unix/Linux machines. After the export/import

process is completed, the rules can be edited as required to suit the needs of the organization.

Note: System rules in the ObserveIT Insider Threat Library are automatically and regularly updated without the need to upgrade to the latest version. The export of System Rules from the ObserveIT Insider Threat Library (ITL) is managed by ObserveIT. System rules are exported with their User List assignments; any changes that were made in List Items are included in the file to be imported.


7.2 Console Users (ObserveIT Administrator Users)

The following permission levels can be defined for user accounts with access to the Web Console:

• Admin: This role grants the highest permissions and allows administrators to make configuration changes, view user activity logs and play back all recorded session videos.

• View-Only Admin: This role allows administrators to view session recordings but not access any ObserveIT configuration options.

• Config Admin: This role maintains user privacy by allowing administrative access to most configurations options in the Web Console but prevents the viewing of any user activity logs or screen recordings.

Different levels of access can be defined for specific users or user groups. Console users can be granted

permissions to view recorded sessions on one or more endpoints (on which the ObserveIT Agent is installed),

endpoint groups, individual users (domain\user), or Active Directory groups. These permissions are given to

users based on their defined role.

Permissions can also be assigned to Active Directory groups to view and access session data on specific endpoints or endpoint groups. When configured, only session data that applies to the Active Directory group will be available.

Figure 35 – Console User Configuration


7.3 Recording Policies

Recording Policies are sets of configuration options that control aspects of how the monitored endpoint is

configured. By using Recording Policies, the administrator can configure one set of recording settings and apply

these settings on many monitored endpoints simultaneously. Policy settings include:

• Enabling Agent Recording

• Enabling Identity Theft Detection

• Enabling Agent API

• Restricting Recording to RDP Sessions

• Enabling Hotkeys

• Enabling Key Logging

• Enabling In-App Elements Detection

• Enabling File Activity Monitoring

• Enabling Entire Screen Capture

• Optimizing Screen Capture Data Size

• Enabling Recording Notification

• Recording in Color or Grayscale

• Setting Session Timeout

• Setting Keyboard Stroke Recording Frequency

• Setting Continuous Recording

• Data Recording Policy

• Offline Recording Policy

• Stealth and Privacy Policy

• Data Loss Detection Policy

• Identification Policy (Secondary User Identification/PIM)

• User Recording Policy

• Application Recording Policy

• Non-Interactive Programs Recording Policy

• Agent Logging and Debugging

• Memory Management

Figure 36 – Recording Policy Templates


7.4 SMTP, LDAP, Active Directory

SMTP configuration enables ObserveIT to send messages and scheduled reports to Console Users.

Figure 37 – SMTP Settings Configuration

LDAP integration is commonly used for secondary user authentication.

Figure 38 – LDAP Settings Configuration

If during installation, the endpoint which hosts the ObserveIT Application Server component is a member of an

Active Directory domain, this connector is created automatically. If the endpoint is not a member of a domain

during installation, but is made a member later, the connector can still be created.


8 Security and Privacy Infrastructure

ObserveIT is a highly-secure, enterprise-class platform designed for full reliability and non-repudiation.

8.1 Windows Agent

The Windows Agent is protected by a multi-layered “watchdog” mechanism that continuously monitors the

recording Agent. If the Agent process is unexpectedly stopped, the watchdog immediately restarts it and reports

the incident to the Application Server. If so configured, the event will also be reported to a SIEM system and/or

an email address.

ObserveIT detects any Agent files or offline data that has been tampered with or has incurred data loss, and

generates events which can be viewed in the Web Console and Administrator Dashboard. These events can also

be sent to an email address and/or to an integrated SIEM system.

8.2 Unix/Linux Agent

The ObserveIT watchdog mechanism also continuously monitors the Unix/Linux Agent. The Unix/Linux Agent

hooks to the terminal device and to the user shell. Thus, if there is any attempt to stop/kill the Agent logger

process, the watchdog will immediately report the incident and terminate the shell process.

Tampering with Unix/Linux Agent files or offline data also generates events which can be viewed in the Web

Console and Administrator Dashboard.

8.3 Data Security in Transit

Communication between the ObserveIT components is handled over the HTTP protocol.

SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption protocols are fully supported for

securing all HTTPS traffic between the client machine and the server running the ObserveIT Web Console.

If required, an IPSec tunnel can also be used to protect the Agent-to-Server traffic.

Figure 39 – HTTPS and IPSec Security


8.4 Data Security at Rest

Data that is stored in MS SQL Server automatically inherits all the data protection mechanisms already in place

for corporate databases.

Additionally, ObserveIT will encrypt all screen recordings when the Image Security option is enabled. In this

situation, the ObserveIT Agents and Application Server will use a token exchange mechanism to encrypt all

session data. The recordings are digitally signed by the Application Server when stored in the database.

When ObserveIT detects any tampering with a session’s data (for example, if a DBA deleted an incriminating

screenshot from within the session recording), a warning indicator appears for that session in the Web

Console:

Figure 40 – Data Integrity Warning Indicator

For privacy, all screen capture data (whether stored in an SQL database or in the file system) can be encrypted

by a synchronous Rijndael 256-bit key. To further protect this key, the key itself can be encrypted by an

asynchronous 1024-bit X509 certificate (with RSA encryption key). This encryption is also inherited by any

sessions exported for offline viewing.

ObserveIT Agents are FIPS (Federal Information Processing Standards) compliant. Both Windows and Unix/Linux Agents comply with the FIPS security standard and can be deployed on any supported FIPS-enabled machine. The TLS encryption protocol is used to secure traffic between the ObserveIT Agents and the ObserveIT Application Server.

8.5 Installation Security

The ObserveIT administrator can protect against improper or unauthorized Agent installation by requiring the

person installing or uninstalling any Agent to provide a security password, which is registered on the Application

Server. Requiring a password to install Agents prevents the unauthorized recording of computers and the

unauthorized consumption of ObserveIT licenses. By enforcing a password also on uninstallation of an Agent,

the unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.

The main ObserveIT Administrator Dashboard and mini Administrator Dashboard display the number of Agents

that were recently installed and uninstalled. In addition, if configured, notifications via email can report

successful or failed installation/uninstallation events due to security password enforcement.


8.6 System Health Monitoring

ObserveIT provides comprehensive monitoring of all system components, providing administrators with a high-

level system health overview, along with drill-down capabilities to quickly investigate any issues. An

Administrative Dashboard presents administrators with graphical summaries of the operational statuses of

installed ObserveIT Agents and Infrastructure, enabling you to see at-a-glance any issues requiring attention,

such as communication faults, data loss, dwindling disk space or Agent tampering. Most Dashboard elements

can be clicked to drill down into the details of that element.

Figure 41 – Administrator Dashboard

You can easily drill down from the Dashboard to the affected entity, and then directly to the individual events

that led to a specific incident. Additionally, the status of the most important elements is highlighted in a “mini

Admin Dashboard” that appears at the top of every ObserveIT page, providing immediate drill-down to more

details:

Figure 42 – Mini Admin Dashboard

Email alerts can be configured to inform administrators of critical issues in real time. Links in the email lead

directly to the ObserveIT Web Console for further information or investigation.

The following types of system events are covered by the Dashboard; they can be included in email alerts and

they can be integrated within a third-party SIEM system via simple integration:

• Agent or Service killed or stopped

• Agent went offline, lost data or experienced communication problems

• Agent tampered with

• Agents installed and uninstalled

• Application Server went offline


8.7 Configuration Change Auditing

ObserveIT provides detailed auditing reports that show critical configuration changes that were made while

working in the Web Console. For example, when anonymization is enabled/disabled, when an endpoint is

unregistered, or when an Agent's recording was turned off or changes were made in a Recording Policy

configuration, you can track exactly who did this and when it happened. These reports are valuable for security

auditing and change management.

Figure 43 – Auditing Web Console Changes

8.8 User Privacy Protection

ObserveIT provides the following options for protecting user privacy:

• Anonymization of user details: ObserveIT can be configured to work in “Anonymized” mode. In this mode, all personal user information in the Dashboard and the Web Console is encoded – so there is no way to identify the name of the user, the role or department, or see the user's personal photo. Computers that are accessed and login accounts being used can also be anonymized. A Security Analyst or an Investigator using the system can still get detailed visibility to the risky users including their alerts and activity, but without their personal identity being exposed.

Figure 44 – Anonymized Users in the ObserveIT Dashboard


If there is a need to expose user details during the investigation process, an Exposure Request can be

submitted, and the request will be reviewed and approved (or rejected) by an authorized administrator

acting as the Privacy Officer. In addition, certain users or groups (e.g., Remote Vendors) can be excluded

from being anonymized, and high ranking individuals (e.g., the CISO) can be allowed to view data in the clear

(i.e., not anonymized).

• Granular access rights: ObserveIT users’ access can be restricted so that they can be assigned permissions to view sessions of specific endpoints, endpoint groups, individual users, or Active Directory groups. Permissions are reflected in session recordings throughout the Web Console. For example, the Database group manager can view sessions by DBAs on any computer, plus any user session that took place on the database server. This ensures relevant access by authorized users while blocking inappropriate access by users without a valid reason. These rules extend to all user activity logs, reports and video replay. Granular access rights also apply in the User Risk Dashboard where security analysts are permitted to view and monitor only the risky users and their data to which they have been assigned permissions.

• Start video recording upon alert: The “Start video recording” action in the Alert/Policy Rule protects user privacy by allowing the recording of metadata only and adding video as further evidence of user actions only when a specific alert has been triggered. This feature provides ObserveIT with activity data required for analyzing user behavior without disclosing any sensitive data that might appear on the user screen.

• Dual Password Protection for Playback (4-Eyes Protection): ObserveIT allows you to specify a second password (not managed by the ObserveIT administrator) that is required for replaying the video of a user session. This ensures both audit completeness and employee privacy. In typical situations, IT management (via an ObserveIT administrator) holds the main ObserveIT password, and legal counsel or a union rep holds the second password. This satisfies stringent privacy protection regulations, including BDSG (Germany), CNIL (France), DPD 95/46/EC (EU), and Human Rights Act (UK). Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), whereas video replay requires legal counsel authorization (both passwords).

• ObserveIT self-auditing: ObserveIT audits itself, capturing logs and videos of every ObserveIT user who views recorded sessions.

• Recording Policy options: ObserveIT lets you decide which users/user groups to record, which applications not to record (for example, facebook) and the recording level (for example, metadata only with no video).


9 Data Management

9.1 Database Structure

By default, ObserveIT utilizes the following databases, which are created during installation:

• ObserveIT: Stores all the user activity configuration data and textual audit metadata captured by the ObserveIT Agents.

• ObserveIT_Analytics: Stores the data that is displayed in the Insider Threat Intelligence Dashboard. This includes alerts statistics and users' score data over time, aggregated by users, applications and alert types. It also stores user profile information, such as job title, photo, department, region, email address and more.

• ObserveIT Data: By default, stores all the ObserveIT screenshot images captured by ObserveIT Agents. Screenshot images can also be stored in the file-system.

• ObserveIT_Archive_1: The archive storage database stores both the archived user-activity metadata and screenshot images (unless file-system storage is configured).

• ObserveIT_Archive_template: Used for backup and restore when creating a new archive database.

9.2 Database Storage

All data stored in SQL databases can utilize existing backup solutions that are built in to MS SQL Server or third-

party database backup solutions.

The SQL Server database is used to store user activity configuration data, user analytics data, textual audit

metadata and possibly (unless the file-system is used) the screenshots captured by the ObserveIT Agents for

video replay. To prevent data loss as the database becomes full, ObserveIT allows you to configure additional

storage space. You can configure a threshold specifying the maximum disk space that is allocated for the

database. A system event is generated when the database storage threshold (%) reaches its configured limit,

alerting you to configure additional storage space by updating the specified threshold or by running the archive

process.

9.3 File System Storage

Visual screenshots represent the largest portion of ObserveIT’s data storage needs. For large scale deployments

and to prevent SQL Server database performance issues, you can configure the video replay screenshots for file-

system storage instead of in the SQL database, either on the local hard drive of the ObserveIT Application Server

or on a file share in the network. When using file-system storage, there is still a need to maintain the SQL Server

database in order to store the textual metadata and ObserveIT configuration data.

ObserveIT automatically manages the directory where you specify that screenshot data should be stored,

including an auto-generated and archived subdirectory tree per date and per session.

9.4 Metadata Storage

ObserveIT also records important information about what is seen on the screen, which applications are

currently used, what actions the user has performed, the date and time of the action and more. This "metadata"

stored in ObserveIT's database is located on a central SQL Server. Because metadata is centrally stored and

indexed, it can be used to easily search throughout all recorded sessions and provide a textual breakdown of

each user session. Recorded metadata is a very important aspect of the auditing experience and capabilities.


9.5 Archiving

ObserveIT has built-in database archiving capabilities to move data from the main ObserveIT database to a

secondary database. Storing obsolete and irrelevant data online reduces the overall performance of a database

server. By archiving data, you can decrease disk space usage and reduce the maintenance required, for example,

in defragmentation, backup and restore procedures. From a performance point of view, if a production

database or file system storage has obsolete data that is never or rarely used, query execution can be time-

consuming because queries also scan obsolete data. To improve query performance, you should move obsolete

data from the production database to another archive database.

Archiving of data can also be performed on file systems that are used for storing screen capture data.

Archiving jobs can be launched manually or can be scheduled for automatic periodic archive rotation.

Figure 45 – Archiving Data

The archive process moves the image (screen capture) data, but maintains the user activity log data for search

purposes. This ensures that the data that consumes the most storage is moved, while maintaining the

searchability of user activity log information. Video replay can be launched directly from an archived session.


10 Integrating ObserveIT Data into Third-Party SIEM Systems

ObserveIT’s user activity data can be integrated with third-party SIEM monitoring systems (such as Microsoft

System Center Operation Manager, IBM QRadar, HP ArcSight, Splunk, and McAfee SIEM/ELM) in order to

enhance real-time alerting and reporting capabilities. The ObserveIT log data can be integrated with SIEM

systems also by providing the data in database API format, or by exporting ObserveIT monitor log files which can

be imported to an organization’s existing SIEM system.

The following types of ObserveIT log data can be exported to SIEM systems:

• User Activity

• DBA Activity

• Session Activity

• Alerts

• System Events

• In-App Elements

• Audit Sessions

• Audit Logins

• Audit Configuration

10.1 SIEM System Integration Using Native SIEM Apps

ObserveIT’s user activity data can be integrated with Native SIEM Apps: IBM QRadar and Splunk.

The ObserveIT App for IBM Qradar/Splunk provides security analysts and investigation teams with powerful user

activity metadata, smart user behavior alerts, and powerful user context to help identify and investigate Insider

Threats and other user-based threats directly from within the App. Security teams can correlate ObserveIT

metadata with other data sources to create smarter alerts and stop threats before they happen.

A one-click link from the App to the ObserveIT Web Console provides full Video Playback and deeper analysis of user behavior.

All ObserveIT metadata and alerts can be integrated into the Observer App for IBM Qradar/Splunk allowing you

to:

• Search for all recorded user sessions and activity

• Search for all user behavior alerts

• View graphical summaries of the above data

• Search for specific user sessions and alerts by user, computer, application, time range, and so on

• View detailed summaries of user session activity – applications that were run, visited websites, files copied, printing, and so on

• Drill down to see alerts’ details

• Link from alerts to view full user sessions

• Link to full video playback


The following screenshots provide examples.

Figure 46 – ObserveIT SIEM Integration with IBM QRadar Native App

Figure 47 – ObserveIT SIEM Integration with Splunk Native App


10.2 SIEM System Integration Using Database API

Providing log data via ObserveIT’s database API enables SIEM systems and other third-party monitoring

software to programmatically integrate with ObserveIT in order to receive session data and recordings. When

using the API, access is provided to log data stored in ObserveIT’s database tables. Thus, third-party systems can

retrieve the exposed data directly from ObserveIT’s database.

ObserveIT’s API provides log data using “views”. Users with “role_api” read permissions can access the

API_OIT views. The ObserveIT database API provides the following views for each of the log file data types:

• API_OIT_User_Activity: Contains data about user activities on monitored endpoints, including captured screenshots and user activity log data (details about applications, registry settings, and files that the user accessed).

• API_OIT_Session_Activity: Contains data about sessions that occurred on monitored endpoints.

• API_ OIT_DBA_Activity: Contains data about SQL database queries that were performed during sessions.

• API_OIT_Alert_Activity: Contains data about activity alerts which were generated when suspicious login events or user activity occurred during a session. “Alert rules” define the conditions under which an alert is triggered.

• API_OIT_System_Events: Contains data about events that were triggered by the system (for example, when a user logs in, or during the health check monitoring of the Agent, Notification Service, Application Server or Web Console). Events are defined by their severity, source – for example, Notification Service – and category (Login, Health Check).

• API_ OIT_InApp_Elements – Contains data about specific elements (In-App Elements) within desktop and

web-based applications that were marked for tracking risky user behavior.

• API_OIT_Audit_Session – Contains data about all the sessions which were replayed by the user.

• API_OIT_Audit_Logins – Contains data about all successful and failed logins to the Web Console.

• API_OIT_Audit_Configuration – Contains data about configuration changes that were made while working in the Web Console (like when a server is unregistered or when changes were made in a recording policy configuration).

10.3 SIEM System Integration Using Monitor Log Data

ObserveIT Monitor Log data can be easily integrated into an organization’s existing SIEM system.

ObserveIT is currently certified to provide integration support with the HP ArcSight SIEM monitoring software.

Integration with HP ArcSight SIEM enables the export of ObserveIT log data to ArcSight Common Event Format

(CEF). All log files from ObserveIT user activities, DBA activity, activity alerts, system events, In-App Element

data, user logins, and audit sessions, logins, and configurations can be exported and integrated into the SIEM

monitoring software at timed intervals. The SIEM integration parses the ObserveIT log files, and create events,

triggers, and alerts based on text strings of information that appear inside the log file.

Integrated log data can be viewed and videos of recorded sessions can be replayed directly from within the

external SIEM dashboard or report environment.

This screenshot shows how ObserveIT user activity and alert data is incorporated within the HP ArcSight SIEM

monitoring software.


Figure 48 – ObserveIT User Activity and Alerts SIEM Integration


User Activity Log Integration Most SIEM platforms utilize “data collector” mechanism for importing log data. ObserveIT’s user activity logs fit

this model well. Any SIEM can access ObserveIT user activity logs via real-time log file polling. This method uses

direct access to the data source without the need to go via a Web service or API-call layer.

Figure 49 – Real-Time Log File Polling Data Collector Schematic

ObserveIT user activity logs can be added to a real-time log file by enabling this within the Integrated SIEM

configuration settings. The log file can then be integrated into any SIEM system, including native integration

such as HP ArcSight CEF file format.

Figure 50 – Real-Time Logging

Log file polling (Direct access, no AppServer interaction)Poll every x seconds

Your SIEM /

Log MgmtApplication

Log file polling results – Latest deltas Field Mapper

Po

ller

Your Database

OIT AppServer

Real-time Metadata

Log File


Video Replay Integration Unlike the user activity log data, the video replay data is typically maintained within the ObserveIT environment,

enabling enhanced custom playback functionality and reducing the amount of data that would otherwise be

continuously added to the SIEM.

Figure 51 – Video Replay Integration Schematic

The video replay is available as a single HTTP target even if the ObserveIT database is federated across multiple

local installations. The custom application does not need to be aware of the actual video storage location.

Figure 52 – Video Replay Integration with Federated Databases

Your Custom App

OIT Web Console

HTTP Port 4884

Video Player HTML

WrapperVideo

Database

• Single sign-on: Custom app uses uid/pwd of OIT web console• Passwords are not transferred: Token-based authentication with TTL limits

Your Custom App

OIT Centralized Web Console

HTTP Port 4884

• Single sign-on: Custom app uses uid/pwd of centralized OIT console

• Passwords are not transferred: Token-based authentication with TTL limits

• Same SSO / pwd / token / TTL process for communication with each local install

Config data for centralized

console

OIT Local Install 1

Single URL for on-the-fly video replay

VideoDatabase

OIT Local Install 2

VideoDatabase

OIT Local Install 3

VideoDatabase

Video Player HTML

Wrapper

Config data for each local OIT deployment


11 Integrating ObserveIT Data into Network Management (Alerting)

Systems

The same data integration highlighted above for SIEM integration can be used to implement a custom alerting

method within any common Network Management Platform.

12 Integrating ObserveIT with a Service Desk System

The integration of ObserveIT’s user activity monitoring solution with an IT Service Desk system provides

additional layers of security and monitoring to your organization.

The main benefits of service desk system integration are:

1. You can require specific administrators and/or remote vendors to enter a valid ticket number from the

service desk system before being able to log into specific endpoints. By linking every login to a specific

ticket, unnecessary and unauthorized logins are reduced and there is greater enforcement of segregation of

duties.

2. Once a ticket number is provided as part of the server login process, ObserveIT automatically augments the

ticket data with key details about the login session which are only available to ObserveIT. For example, the

ticket will include the actual user name used to access the server (based on a secondary identification login

which goes beyond generic system admin login accounts), the specific server which was accessed, and the

exact date/time that the session occurred.

3. The ticket record will include a direct link to the video recording of the specific session in which the

administrator or remote vendor addressed the ticket. This provides the unique ability to visually review

exactly how the user addressed the ticket. Linking a video recording of their actions addressing a ticket from

within the ticket itself allows faster and easier auditing of the exact actions performed by administrators and

remote vendors.

When an administrator or remote vendor attempts to log in to a monitored endpoint, a message is displayed

requesting the user to enter a valid ticket number from a service desk system before they can log on to the

endpoint.

Figure 53 – Ticket Window


The ticket number entered is validated against the service desk system database before the user is granted

access to the system. The ticket associated with the session is linked to a video recording of the session. In

addition, specific information about the login session is automatically saved by ObserveIT and included in the

service desk system.

Within the service desk system itself, a direct link to the video recording of the specific session in which the

administrator or remote vendor addressed the ticket provides faster and easier auditing of the exact actions

performed by administrators and remote vendors.

ObserveIT offers built-in integration with ServiceNow that works out of the box. Integration with most other ticketing systems (such as ServiceDesk, Remedy, Track-It!, HEAT, and Kayako) may be implemented by customers according to their own requirements. ObserveIT provides API guidance to help customers build a Web Service that will enable them to integrate ObserveIT with their own ticketing system. For details, see the ObserveIT Service Desk Integration Guide.

For further details about integrating ObserveIT's session recording system with an IT service desk system, refer

to http://documentation.observeit.com/7.1/#service_desk_integration.htm.

http://files.observeit.com/docs/ObserveIT-Service-Desk-Integration.pdf

http://documentation.observeit.com/7.1/#service_desk_integration.htm


13 Agent API for Process-Oriented Integration

ObserveIT’s Agent API enables external applications to build custom logic for what and when to record. The

Agent API exposes a set of classes that enable:

• Start, Stop, Pause, Resume, and End a recorded session

• Custom logic for when to start recording (based on process ID, process name, computer name, user, URL, and more)

• System health check

• Viewing recorded sessions

Recording additional processes can be tied to existing sessions or to a new session, thus creating a separate

session for each recorded process. The API is built in to the Agent but not enabled by default. It can be enabled

from the ObserveIT Web Console.

Figure 54 – Agent API Schematic

Your Custom Code

JavaScript

.NET

VBScript

OIT DLL(API)

• Custom code & OIT DLL are tightly coupled

Controller Machine

• One instance of agent process per login session• Listener & Agents are tightly coupled

Monitored Machine

TCP Port 5050

Agent Process

• Controller Machine & Monitored Machine are loosely coupled.Can be (but does not need to be) same machine.

Agent Process

Agent Process

ListenerService


This can be utilized in many ways. One example of API implementation is as an ActiveX trigger.

Figure 55 – Sample API Implementation Using ActiveX

observeit technical solution overviewfiles.observeit.com/docs/observeit-technical-solution... ·...

Documents