User Behavior Analytics
Analyzing User Activity
ObserveIT automatically and continuously profiles the behavior of every user. ObserveIT analytics detect out-of-policy, malicious, or negligent behavior.
A hacker who logs in with stolen credentials will appear very different from the real business or IT user whose account was hacked. Users who suddenly start accessing new resources, or running unusually large reports, also exhibit behaviors that warrant investigation. There are numerous types of behavior anomalies that trigger detection. Examples include:
- running unusual applications
- accessing unusual systems, files, or other resources
- performing unusual types of operations or running rarely-used commands
- generating larger-than-usual reports
- executing a larger number of actions than usual within a given time frame
- accessing systems from unusual client machines
- logging in outside normal/expected hours of the day or days of the week
Rule-based analytics identify predefined instances of abnormal, suspicious, out-of-policy or malicious user activity in real time. Administrators can configure flexible, fully-customizable rules that define the conditions under which user actions generate alerts – based on robust combinations of Who, Did What, On Which Computer, When, and From Which Client. Alerts are integrated throughout the system (including in user activity logs, activity search results, and the session video player) and can be easily integrated into an organization's existing SIEM system.
High-priority alerts can be sent to administrators in real time, while lower-severity incidents, such as non-critical out-of-policy behaviors, can be reviewed later via session transcripts and/or videos.
Examples of scenarios that can be detected by ObserveIT's Rule-based Analytics include:
- Users accessing sensitive customer/patient records
- A user accessing a file in a financial statements folder, or any irregular access during non-working hours
- A non-administrator user opening a sensitive system file (for example, the hosts file)
- A Unix user running a program or executing a command which grants the user additional permissions (for example, via the su or sudo commands)
- A DBA executing a DROP TABLE or DROP INDEX command on a production database
- External vendors logging in to database servers during non-working days
- Users browsing sensitive websites from work, or uploading company data to cloud storage
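The two detection styles described on this page, per-user behavioral baselining (the anomaly list above) and rule-based alerting over Who / Did What / On Which Computer / When / From Which Client, can be illustrated with a small self-contained model. The code below is an added example written for this page; it is not ObserveIT's code and does not use ObserveIT's APIs or rule syntax. The `Event` record, the rule predicates, the user names, hosts, file paths, the `VENDORS` set and all activity records are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """One user-activity record (constructed schema, not ObserveIT's)."""
    user: str        # Who
    action: str      # Did What: login, run_app, open_file, run_command, sql
    target: str      # the application, file, command or SQL statement involved
    host: str        # On Which Computer
    client: str      # From Which Client
    when: datetime   # When
    is_admin: bool = False


def build_baseline(history):
    """Profile each user's usual hosts, clients, applications, active hours and daily volume."""
    base = defaultdict(lambda: {"hosts": set(), "clients": set(), "apps": set(),
                                "hours": set(), "actions_per_day": []})
    per_day = defaultdict(int)
    for e in history:
        p = base[e.user]
        p["hosts"].add(e.host)
        p["clients"].add(e.client)
        p["hours"].add(e.when.hour)
        if e.action == "run_app":
            p["apps"].add(e.target)
        per_day[(e.user, e.when.date())] += 1
    for (user, _day), n in per_day.items():
        base[user]["actions_per_day"].append(n)
    return dict(base)


def detect_anomalies(baseline, event, today_count):
    """Compare one event with its user's profile; a user with no profile is reported as such."""
    p = baseline.get(event.user)
    if p is None:
        return [f"unknown user {event.user}"]
    findings = []
    if event.host not in p["hosts"]:
        findings.append(f"unusual system {event.host}")
    if event.client not in p["clients"]:
        findings.append(f"unusual client {event.client}")
    if event.when.hour not in p["hours"]:
        findings.append(f"unusual hour {event.when.hour:02d}:00")
    if event.action == "run_app" and event.target not in p["apps"]:
        findings.append(f"unusual application {event.target}")
    typical = max(p["actions_per_day"], default=0)
    if today_count > typical:  # more actions today than on any baseline day
        findings.append(f"{today_count} actions today vs. usual max {typical}")
    return findings


VENDORS = {"vendor_acme"}  # constructed: accounts that belong to external vendors

# Rule-based analytics: (alert name, predicate over one event). Constructed rules
# modelled on the scenarios listed on this page.
RULES = [
    ("non-admin opened sensitive system file",
     lambda e: e.action == "open_file" and not e.is_admin
     and e.target.replace("\\", "/").endswith("/hosts")),
    ("financial statements folder accessed",
     lambda e: e.action == "open_file" and "/financial_statements/" in e.target),
    ("privilege escalation via su/sudo",
     lambda e: e.action == "run_command" and (e.target.split() or [""])[0] in ("su", "sudo")),
    ("DROP on production database",
     lambda e: e.action == "sql" and e.host.startswith("prod-db")
     and e.target.upper().startswith(("DROP TABLE", "DROP INDEX"))),
    ("external vendor login on non-working day",
     lambda e: e.action == "login" and e.user in VENDORS and e.when.weekday() >= 5),
]


def evaluate_rules(event):
    return [name for name, cond in RULES if cond(event)]


def analyze(history, events):
    """Baseline from history, then score each new event (in time order) on both analytics."""
    baseline = build_baseline(history)
    counts = defaultdict(int)
    results = []
    for e in sorted(events, key=lambda e: e.when):
        key = (e.user, e.when.date())
        counts[key] += 1
        results.append({"event": e,
                        "anomalies": detect_anomalies(baseline, e, counts[key]),
                        "rules": evaluate_rules(e)})
    return results


def _t(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)  # March 2024: 4th is a Monday, 9th a Saturday

# Constructed baseline: alice works office hours from her own workstation on one file server.
HISTORY = [
    Event("alice", "login", "-", "fileserver1", "ws-alice", _t(4, 9)),
    Event("alice", "run_app", "excel", "fileserver1", "ws-alice", _t(4, 10)),
    Event("alice", "open_file", "/shares/sales/q1.xlsx", "fileserver1", "ws-alice", _t(4, 14)),
    Event("alice", "login", "-", "fileserver1", "ws-alice", _t(5, 9)),
    Event("alice", "run_app", "outlook", "fileserver1", "ws-alice", _t(5, 11)),
    Event("alice", "open_file", "/shares/sales/q2.xlsx", "fileserver1", "ws-alice", _t(5, 15)),
]

# Constructed new activity: alice's credentials used at 03:00 from an unknown client on a new
# host, plus the sudo, DROP TABLE and weekend-vendor scenarios from the page.
NEW_EVENTS = [
    Event("alice", "login", "-", "dbserver7", "unknown-laptop", _t(6, 3)),
    Event("alice", "run_app", "powershell", "dbserver7", "unknown-laptop", _t(6, 3, 5)),
    Event("alice", "open_file", "C:\\Windows\\System32\\drivers\\etc\\hosts", "dbserver7", "unknown-laptop", _t(6, 3, 7)),
    Event("alice", "open_file", "/shares/finance/financial_statements/2023.pdf", "dbserver7", "unknown-laptop", _t(6, 3, 9)),
    Event("bob", "run_command", "sudo -i", "unix-app1", "ws-bob", _t(6, 10)),
    Event("dba_carol", "sql", "drop table customers", "prod-db-01", "ws-carol", _t(6, 11)),
    Event("vendor_acme", "login", "-", "prod-db-02", "vpn-acme", _t(9, 13)),
]

if __name__ == "__main__":
    for r in analyze(HISTORY, NEW_EVENTS):
        e = r["event"]
        print(f"{e.when:%Y-%m-%d %H:%M} {e.user:<11}{e.action:<12} anomalies={r['anomalies']} rules={r['rules']}")
```

The two mechanisms are complementary: the baseline catches the stolen-credential pattern (new host, new client, new hour, new tool, more actions than usual) without anyone writing a rule for it, while the rules fire on the first matching event with no training period at all. In a real deployment the baseline window would be weeks rather than two days, and thresholds such as "more than any baseline day" would be tuned per role to keep alert volume manageable.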