Forensics - All Activity

The All Activity page helps you understand the actions performed on entities in the Workload Security environment.

Examining All Activity Data

Click Forensics > Activity Forensics and click the All Activity tab to access the All Activity page.
This page provides an overview of activities in your environment, highlighting the following information:

  • A graph showing Activity History (accessed per minute/per 5 minutes/per 10 minutes based on selected global time range)

    You can zoom the graph by dragging out a rectangle in the graph. The entire page will be loaded to display the zoomed time range. When zoomed in, a button is displayed that lets the user zoom out.

  • A chart of Activity Types. To obtain activity history data by activity type, click on corresponding x-axis label link.

  • A chart of Activity on Entity Types. To obtain activity history data by entity type, click on corresponding x-axis label link.

  • A list of the All Activity data

The *All Activity* table shows the following information. Note that not all of these columns are displayed by default. You can select columns to display by clicking on the "gear" icon gear icon.

  • The time an entity was accessed including the year, month, day, and time of the last access.

  • The user that accessed the entity with a link to the User information.

  • The activity the user performed. Supported types are:

    • Change Group Ownership - Group Ownership is of file or folder is changed. For more details about group ownership please see this link.

    • Change Owner - Ownership of file or folder is changed to another user.

    • Change Permission - File or folder permission is changed.

    • Create - Create file or folder.

    • Delete - Delete file or folder. If a folder is deleted, delete events are obtained for all the files in that folder and subfolders.

    • Read - File is read.

    • Read Metadata - Only on enabling folder monitoring option. Will be generated on opening a folder on Windows or Running “ls” inside a folder in Linux.

    • Rename - Rename file or folder.

    • Write - Data is written to a file.

    • Write Metadata - File metadata is written, for example, permission changed.

    • Other Change - Any other event which are not described above. All unmapped events are mapped to “Other Change” activity type. Applicable to files and folders.

  • The Path to the entity with a link to the Entity Detail Data

  • The Entity Type, including entity (i.e. file) extension (.doc, .docx, .tmp, etc.)

  • The Device where the entities reside

  • The Protocol used to fetch events.

  • The Original Path used for rename events when the original file was renamed. This column is not visible in the table by default. Use the column selector to add this column to the table.

  • The Volume where the entities reside. This column is not visible in the table by default. Use the column selector to add this column to the table.

Filtering Forensic Activity History Data

There are two methods you can use to filter data.

  1. Hover over the field in the table and click the filter icon that appears. The value is added to the appropriate filters in the top Filter By list.

  2. Filter data by typing in the Filter By field:

    Select the appropriate filter from the top ‘Filter By’ widget by clicking the [+] button:

    Entity Filer

    Enter the search text

    Press Enter or click outside of the filter box to apply the filter.

You can filter Forensic Activity data by the following fields:

  • The Activity type.

  • Source IP from which the entity was accessed. You must provide a valid source IP address in double quotes, for example “10.1.1.1.”. Incomplete IPs such as “10.1.1.”, “10.1..*”, etc. will not work.

  • Protocol to fetch protocol-specific activities.

  • Username of the user performing the activity. You need to provide the exact Username to filter. Search with partial username, or partial username prefixed or suffixed with ‘*’ will not work.

  • Noise Reduction to filter files which are created in the last 2 hours by the user. It is also used to filter temporary files (for example, .tmp files) accessed by the user.

The following fields are subject to special filtering rules:

  • Entity Type, using entity (file) extension

  • Path of the entity

  • User performing the activity

  • Device (SVM) where entities reside

  • Volume where entities reside

  • The Original Path used for rename events when the original file was renamed.

The preceding fields are subject to the following when filtering:

  • Exact value should be within quotes: Example: "searchtext"

  • Wildcard strings must contain no quotes: Example: searchtext, *searchtext*, will filter for any strings containing ‘searchtext’.

  • String with a prefix, Example: searchtext* , will search any strings which start with ‘searchtext’.

Sorting Forensic Activity History Data

You can sort activity history data by Time, User, Source IP, Activity, Path and Entity Type. By default, the table is sorted by descending Time order, meaning the latest data will be displayed first. Sorting is disabled for Device and Protocol fields.

Exporting All Activity

You can export the activity history to a .CSV file by clicking the Export button above the Activity History table. Note that only the top 100,000 records are exported. Depending on the amount of data, it may take from a few seconds to several minutes for the export to finish.

Column Selection for All Activity

The All activity table shows select columns by default. To add, remove, or change the columns, click the gear icon on the right of the table and select from the list of available columns.

Activity Selector

Activity History Retention

Activity history is retained for 13 months for active Workload Security environments.

Applicability of Filters in Forensics Page

Filter

What it does

Example

Applicable in Which Filters?

Not applicable for which filters

Result

* (Asterisk)

enables you to search for everything

Auto*03172022

User, PATH, Entity Type, Device Type, Volume, Original Path

returns all resources that start with “Auto" and end with “03172022”

? (question mark)

enables you to search for a specific number of characters

AutoSabotageUser1_03172022?

User, Entity Type, Device, Volume

returns AutoSabotageUser1_03172022A, AutoSabotageUser1_03172022AB, AutoSabotageUser1_031720225, and so on

OR

enables you to specify multiple entities

AutoSabotageUser1_03172022 OR AutoRansomUser4_03162022

User, Domain, Username, PATH, Entity Type, Device, Original Path

returns any of AutoSabotageUser1_03172022 OR AutoRansomUser4_03162022

NOT

allows you to exclude text from the search results

NOT AutoRansomUser4_03162022

User, Domain, Username, PATH, Entity Type, Original PATH, Volume

Device

returns everything that does not start with"AutoRansomUser4_03162022”

None

searches for NULL values in all fields

None

Domain

returns results where the target field is empty

Search results with and without / will be different

/AutoDir1/AutoFile

Works

AutoDir1/AutoFile

Doesn’t work

/AutoDir1/AutoFile (Dir1)

Dir1 Partial substring doesn’t work

"/AutoDir1/AutoFile03242022"

Exact search works

Auto*03242022

Doesn’t work

AutoSabotageUser1_03172022?

Doesn’t work

/AutoDir1/AutoFile03242022 OR /AutoDir1/AutoFile03242022

Works

NOT /AutoDir1/AutoFile03242022

Works

NOT /AutoDir1

Works

NOT /AutoFile03242022

Doesn’t work

*

Shows all the entries

Troubleshooting

Problem

Try This

In the “All Activities” table, under the ‘User’ column, the user name is shown as:
“ldap:HQ.COMPANYNAME.COM:S-1-5-21-3577637-1906459482-1437260136-1831817”
or
"ldap:default:80038003”

Possible reasons could be:
1. No User Directory Collectors have been configured yet. To add one, go to Admin > Data Collectors > User Directory Collectors and click on +User Directory Collector. Choose Active Directory or LDAP Directory Server.
2. A User Directory Collector has been configured, however it has stopped or is in error state. Please go to Admin > Data Collectors > User Directory Collectors and check the status. Refer to the User Directory Collector troubleshooting section of the documentation for troubleshooting tips.
After configuring properly, the name will get automatically resolved within 24 hours.
If it still does not get resolved, check if you have added the correct User Data Collector. Make sure that the user is indeed part of the added Active Directory/LDAP Directory Server.

Some NFS events are not seen in UI.

Check the following:
1. A user directory collector for AD server with POSIX attributes set should be running with the unixid attribute enabled from UI.
2. Any user doing NFS access should be seen when searched in the user page from UI
3. Raw events (Events for whom the user is not yet discovered) are not supported for NFS
4. Anonymous access to the NFS export will not be monitored.
5. Make sure NFS version used in lesser than NFS4.1.