Managing Audited Sessions

You can right-click any session to view an indexed list of the commands captured, export the session activity to another format for sharing or further analysis, update the review status for the session, or delete the session.

Using Command Summaries

You can view a list of the commands the user executed in a selected session by right-clicking the session, then selecting Indexed Command List. This option provides a summary of user activity so that you can quickly scan for events of interest or for suspicious activity without replaying activity. You can then start the session player from a specific command in the list by selecting the command and clicking Replay.

Exporting Sessions

You can export session activity to several different formats to enable you to share information for review and analysis. After selecting a session, you can right-click to export the session to the following formats:

  • As a plain text (TXT) file that includes the time of each input and output event that occurred during the session.
  • As a comma separated values (CSV) file where each row represents a single command input or output line from the terminal window.
  • As a Microsoft Windows Media Video (WMV) file that can be played by using any media player that supports the WMV format. This option enables you to share the video capture of activity with auditors or other users who don’t have access to Audit Analyzer. You should note, however, that WMV files do not include all of the information available in the session player. For example, exporting a session to a WMV file does not preserve information such as the session summary, which includes the user name, computer, start and end time for the session, and the summary of events.
  • As a uniform resource identifier (URI) by selecting Copy Session URI. This option enables you to share the session with auditors or other users who don’t have access to Audit Analyzer. Once copied to the clipboard, you can paste the URI into a browser to open the session for replay.

Viewing and Editing Session Properties

If you select a session, right-click, then select Properties, you can view detailed information about the session, including the type of session, the session start and end times, the zone where the session took place, the audit store where the session is stored, details about the user whose activity was recorded and the computer where the session ran, and the current status of the session. From the properties section, you can also view the current review status for the session, when the review status was last modified, and who made the change to the review status. You can also click the Reviewers tab in Properties to see the list of users who are authorized to review the session, change the status of the session, and add comments to the session. By clicking the Comments tab, you can also view and add comments to the session. For example, you might want to use the Comments tab to add details about what to look for in a session to assist a reviewer, or to provide additional information when you change the review status of a session.

Updating Review Status for a Session

You can use the Update Review Status option for a session to distinguish sessions that warrant attention and to mark their progress through your review cycle. For example, if you find a session that warrants analysis, you might right-click to select Update Review Status, then select To be Reviewed. After you select a new status, you are prompted to add comments and the session is added to the appropriate predefined query in the left pane. For example, if you selected the To be Reviewed status, the session is added to the Sessions to be Reviewed list.

After you review the session and determine that it needs further action, you might select the Pending for Action review status. Selecting this status removes the session from the Sessions to be Reviewed list and adds it to the Sessions Pending for Action list.

Deleting Sessions

You can select a session, right-click, then select Delete to delete a session after you have finished reviewing activity and taken appropriate action or when it is no longer needed. Selecting this option deletes the session from all predefined and custom query lists. For example, if you delete the session from the results for the Today predefined query, the session might also be deleted from the results for the predefined Sessions to be Reviewed query or any shared or private queries where it was previously listed.