Forensics - All Activity
The All Activity page helps you understand the actions performed on entities in the Workload Security environment.
Examining All Activity Data
Click Forensics > Activity Forensics and click the All Activity tab to access the All Activity page.
This page provides an overview of activities in your environment, highlighting the following information:
-
A graph showing Activity History (accessed per minute/per 5 minutes/per 10 minutes based on selected global time range)
You can zoom the graph by dragging out a rectangle in the graph. The entire page will be loaded to display the zoomed time range. When zoomed in, a button is displayed that lets the user zoom out.
-
A chart of Activity Types. To obtain activity history data by activity type, click on corresponding x-axis label link.
-
A chart of Activity on Entity Types. To obtain activity history data by entity type, click on corresponding x-axis label link.
-
A list of the All Activity data
The *All Activity* table shows the following information. Note that not all of these columns are displayed by default. You can select columns to display by clicking on the "gear" icon .
-
The time an entity was accessed including the year, month, day, and time of the last access.
-
The user that accessed the entity with a link to the User information.
-
The activity the user performed. Supported types are:
-
Change Group Ownership - Group Ownership is of file or folder is changed. For more details about group ownership please see this link.
-
Change Owner - Ownership of file or folder is changed to another user.
-
Change Permission - File or folder permission is changed.
-
Create - Create file or folder.
-
Delete - Delete file or folder. If a folder is deleted, delete events are obtained for all the files in that folder and subfolders.
-
Read - File is read.
-
Read Metadata - Only on enabling folder monitoring option. Will be generated on opening a folder on Windows or Running “ls” inside a folder in Linux.
-
Rename - Rename file or folder.
-
Write - Data is written to a file.
-
Write Metadata - File metadata is written, for example, permission changed.
-
Other Change - Any other event which are not described above. All unmapped events are mapped to “Other Change” activity type. Applicable to files and folders.
-
-
The Path to the entity with a link to the Entity Detail Data
-
The Entity Type, including entity (i.e. file) extension (.doc, .docx, .tmp, etc.)
-
The Device where the entities reside
-
The Protocol used to fetch events.
-
The Original Path used for rename events when the original file was renamed. This column is not visible in the table by default. Use the column selector to add this column to the table.
-
The Volume where the entities reside. This column is not visible in the table by default. Use the column selector to add this column to the table.
Filtering Forensic Activity History Data
There are two methods you can use to filter data.
-
Hover over the field in the table and click the filter icon that appears. The value is added to the appropriate filters in the top Filter By list.
-
Filter data by typing in the Filter By field:
Select the appropriate filter from the top ‘Filter By’ widget by clicking the [+] button:
Enter the search text
Press Enter or click outside of the filter box to apply the filter.
You can filter Forensic Activity data by the following fields:
-
The Activity type.
-
Source IP from which the entity was accessed. You must provide a valid source IP address in double quotes, for example “10.1.1.1.”. Incomplete IPs such as “10.1.1.”, “10.1..*”, etc. will not work.
-
Protocol to fetch protocol-specific activities.
-
Username of the user performing the activity. You need to provide the exact Username to filter. Search with partial username, or partial username prefixed or suffixed with ‘*’ will not work.
-
Noise Reduction to filter files which are created in the last 2 hours by the user. It is also used to filter temporary files (for example, .tmp files) accessed by the user.
The following fields are subject to special filtering rules:
-
Entity Type, using entity (file) extension
-
Path of the entity
-
User performing the activity
-
Device (SVM) where entities reside
-
Volume where entities reside
-
The Original Path used for rename events when the original file was renamed.
The preceding fields are subject to the following when filtering:
-
Exact value should be within quotes: Example: "searchtext"
-
Wildcard strings must contain no quotes: Example: searchtext, *searchtext*, will filter for any strings containing ‘searchtext’.
-
String with a prefix, Example: searchtext* , will search any strings which start with ‘searchtext’.
Sorting Forensic Activity History Data
You can sort activity history data by Time, User, Source IP, Activity, Path and Entity Type. By default, the table is sorted by descending Time order, meaning the latest data will be displayed first. Sorting is disabled for Device and Protocol fields.
Exporting All Activity
You can export the activity history to a .CSV file by clicking the Export button above the Activity History table. Note that only the top 100,000 records are exported. Depending on the amount of data, it may take from a few seconds to several minutes for the export to finish.
Column Selection for All Activity
The All activity table shows select columns by default. To add, remove, or change the columns, click the gear icon on the right of the table and select from the list of available columns.
Activity History Retention
Activity history is retained for 13 months for active Workload Security environments.
Applicability of Filters in Forensics Page
Filter |
What it does |
Example |
Applicable in Which Filters? |
Not applicable for which filters |
Result |
* (Asterisk) |
enables you to search for everything |
Auto*03172022 |
User, PATH, Entity Type, Device Type, Volume, Original Path |
returns all resources that start with “Auto" and end with “03172022” |
|
? (question mark) |
enables you to search for a specific number of characters |
AutoSabotageUser1_03172022? |
User, Entity Type, Device, Volume |
returns AutoSabotageUser1_03172022A, AutoSabotageUser1_03172022AB, AutoSabotageUser1_031720225, and so on |
|
OR |
enables you to specify multiple entities |
AutoSabotageUser1_03172022 OR AutoRansomUser4_03162022 |
User, Domain, Username, PATH, Entity Type, Device, Original Path |
returns any of AutoSabotageUser1_03172022 OR AutoRansomUser4_03162022 |
|
NOT |
allows you to exclude text from the search results |
NOT AutoRansomUser4_03162022 |
User, Domain, Username, PATH, Entity Type, Original PATH, Volume |
Device |
returns everything that does not start with"AutoRansomUser4_03162022” |
None |
searches for NULL values in all fields |
None |
Domain |
returns results where the target field is empty |
Path / Original path Search
Search results with and without / will be different
/AutoDir1/AutoFile |
Works |
AutoDir1/AutoFile |
Doesn’t work |
/AutoDir1/AutoFile (Dir1) |
Dir1 Partial substring doesn’t work |
"/AutoDir1/AutoFile03242022" |
Exact search works |
Auto*03242022 |
Doesn’t work |
AutoSabotageUser1_03172022? |
Doesn’t work |
/AutoDir1/AutoFile03242022 OR /AutoDir1/AutoFile03242022 |
Works |
NOT /AutoDir1/AutoFile03242022 |
Works |
NOT /AutoDir1 |
Works |
NOT /AutoFile03242022 |
Doesn’t work |
* |
Shows all the entries |
Troubleshooting
Problem |
Try This |
In the “All Activities” table, under the ‘User’ column, the user name is shown as: |
Possible reasons could be: |
Some NFS events are not seen in UI. |
Check the following: |