Enhance your SIEM with User Activity Video Logs

Versions and Pricing
ObserveIT Xpress
Free, with no time-out.
Limited config & features.

ObserveIT Enterprise
15-day trial for POC.
All enterprise features.

What's right for you?

ObserveIT dramatically enhances any SIEM or log management application by incorporating video playback of user sessions directly into the SIEM console. This combination provides a number of important benefits:

  • Add user session data to SIEM dashboards and reports – including lists of every application run, pie charts showing active users/servers and even detailed listings of specific user actions, all linked directly to video recordings of user sessions
  • Correlate system log data with user activity data – with detailed user activity drill-down and one-click access to the relevant portion of any recorded session video, for a much better understanding of what was done by any user on any server in any application
  • Fill in SIEM logging gaps – for applications without any built-in logging (including legacy, bespoke, commercial and cloud applications), plus all system areas, on Windows, UNIX and Linux machines accessed via any connection method (direct console, SSH, Telnet, Remote Desktop, etc.)
  • Improve regulation compliance and reduce security auditing costs – without the need for complex research and correlation projects, by instantly finding any user action and playing back relevant portions of recorded session videos

Instant Video Replay of Any User Action

Imagine this: Your SIEM dashboard alerts you to a potential security incident. Instead of trying to piece together what the user did by drilling down into system logs, you can simply click the Play Video button and see exactly what the user did!

Open Integration Architecture

Read on to learn how ObserveIT's open architecture allows for a straightforward integration with SIEM systems and log analysis tools such as:

  • Splunk
  • CA User Activity Reporting Module (UARM)
  • HP ArcSight
  • RSA enVision
  • QRadar
  • LogLogic
  • LogRhythm

Splunk with User Activity Logs

Event details are dashboarded across a standard Splunk timeline, with event listings showing exactly what applications, URLs, files and system calls the user touched. A video replay icon is available for each specific user action, allowing you to launch the video replay at the exact moment in time that the user did that action. Download a trial version of the ObserveIT Connector for Splunk.

ObserveIT Connector for Splunk: Dashboard
ObserveIT Connector for Splunk: Session Browser

ArcSight with User Activity Logs

The ArcSight Console shows detailed listings of every user action, including apps run, files touched, titles of windows opened and more. Right-clicking on any action launches a video replay at that action.

ObserveIT events in ArcSight
Sample ObserveIT dashboard in ArcSight

CA UARM with User Activity Logs

ObserveIT's video and text logs have been integrated tightly with CA's Access Control platform, with ties into many CA products. With UARM, full ObserveIT dashboard integration provides text log details, breakdown pie charts and one-click video replay at the moment of any action of interest. The CA integration is available directly from CA as a CA line-item product.

ObserveIT text logs and video replay from within CA UARM

RSA enVision with User Activity Logs

All ObserveIT session activity logs are viewable within RSA enVision, including filtering and search based on detailed user activity logging. Each log item can be tied to its video replay. For more information on integrating ObserveIT with enVision, refer to EMC's RSA enVision Ready Implementation Guide.

Audit log details within enVision, filtered according to detailed metadata

Integration Architecture

Integrating ObserveIT with a SIEM typically involves integration on two levels: textual activity log (metadata) integration and session video replay integration.

Activity Log Integration

Use your SIEM's data collector mechanism to import log data from ObserveIT. ObserveIT's user activity metadata logs can be accessed in one of two ways: either via direct SQL access or via real-time log file polling. Each of these methods accesses the data source directly, without Web service or API calls.

  • SQL Integration
  • Log File Integration

Video Replay Integration

Unlike the activity log metadata, the video data is typically stored within ObserveIT's own server, both because of the custom playback functionality ObserveIT provides and because the data load is considered too heavy to continuously add to the SIEM database.

The video replay is available as a single HTTP target even if the ObserveIT database is federated across multiple local installations. The calling application does not need to be aware of the actual video storage location.
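The two integration levels above can be illustrated with a small collector that polls an activity log file and attaches a replay link to each event. This is an added example written for this page, not ObserveIT's own connector code: the tab-separated column layout, the sample log lines, the `REPLAY_BASE` URL and its `session`/`at` query parameters are all assumptions made for the illustration. What it shows beyond the text is the detail a poller has to get right: it tracks a byte offset between polls and leaves a trailing partial line unread, so a line the agent is still writing is never emitted to the SIEM as a truncated event.

```python
import os
import tempfile
from urllib.parse import urlencode

# Constructed sample activity log. The column layout (timestamp, session id,
# user, server, application, action) is an ASSUMPTION for this example, not
# ObserveIT's documented format.
SAMPLE_LOG = (
    "2013-05-01T10:15:02Z\tsess-0001\talice\tdb01\tcmd.exe\tipconfig /all\n"
    "2013-05-01T10:15:09Z\tsess-0001\talice\tdb01\tregedit.exe\tHKLM\\SYSTEM opened\n"
    "2013-05-01T10:16:40Z\tsess-0002\tbob\tweb02\tchrome.exe\thttps://intranet/payroll\n"
)

# Hypothetical single HTTP replay target (assumed URL and parameter names).
REPLAY_BASE = "https://observeit.example/ObserveIT/Replay"

FIELDS = ("timestamp", "session_id", "user", "server", "application", "action")


def replay_url(session_id: str, timestamp: str) -> str:
    """Build the link from one activity event to the video at that moment.

    Only a session id and timestamp are needed: the calling SIEM never has to
    know which ObserveIT node physically stores the recording.
    """
    return f"{REPLAY_BASE}?{urlencode({'session': session_id, 'at': timestamp})}"


def parse_line(line: str) -> dict:
    """Turn one tab-separated activity line into a SIEM event dict."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed activity log line: {line!r}")
    event = dict(zip(FIELDS, parts))
    event["replay_url"] = replay_url(event["session_id"], event["timestamp"])
    return event


def poll_file(path: str, offset: int) -> tuple[list[dict], int]:
    """Read complete lines written since `offset`; return events and new offset.

    A trailing partial line (writer mid-write) is deliberately left unread so
    the next poll picks it up whole instead of emitting a truncated event.
    """
    events = []
    with open(path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    consumed = chunk.rfind(b"\n") + 1  # bytes up to and including the last newline
    for raw in chunk[:consumed].splitlines():
        if raw.strip():
            events.append(parse_line(raw.decode("utf-8")))
    return events, offset + consumed


def demo() -> tuple[list[dict], list[dict]]:
    """Two polls against a constructed log: the first sees only complete lines,
    the second sees the line that was still being written at the first poll."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "activity.log")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
            fh.write("2013-05-01T10:17:01Z\tsess-0002\tbob\tweb02\tnotepad")  # partial
        first, off = poll_file(path, 0)
        with open(path, "a") as fh:
            fh.write(".exe\tpayroll.csv\n")  # the writer finishes the line
        second, off = poll_file(path, off)
    return first, second


if __name__ == "__main__":
    for batch in demo():
        for ev in batch:
            print(ev["timestamp"], ev["user"], ev["application"], ev["replay_url"])
```

In a real deployment the offset would be persisted across restarts (a checkpoint file or the SIEM's own input state), and the parsed events would be forwarded in whatever format the SIEM ingests; the replay link travels with the event so that the "Play Video" action in the console is a plain HTTP request.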

ObserveIT-SIEM Integration Webinar

Watch the following webinar for more detail about integrating ObserveIT's unique user activity logging and session recording into your SIEM system:

Webinar: Make your SIEM sing with User Activity Logs