Skip to content

Forensics

The forensics screens allow the administrators to view analysis screens of data collected by the File Access Manager services. The tables can be filtered to fit specific needs, and filters can be saved, and shared with others as well.

The File Access Manager website has the following forensics screens:

  • Activity forensics

  • Permissions forensics

  • Identities forensics

  • Data Classification forensics

Forensic queries can be used to answer questions such as:

  1. Who has accessed files classified as Credit Cards?

  2. Who can access folders classified as SSN?

  3. Are there users without a password in the system, or users who haven’t logged in for the past six months?

Creating and Editing a Forensics Query

A query is a collection of one or more filters that let you select from a list of parameters to select user types, permissions, user scenarios or permission scenarios to analyze.

Note

When creating a filter using Business Resource Name or Business Resource Full Path, those two fields only support Equals or Any of. This filter is not auto-complete capable.

  1. Select Clear All to clear the current filters, and clear the grid.

  2. Select + to add a filter to the query.

  3. Select a field to filter by from the Select Field dropdown menu, and the filter criteria, according to the filed type and parameters.

  4. Select Save to add the filter line to the query, or Cancel to start over.

  5. Add more filter lines by repeating these steps as required.

    For example:

    "Last login date older than 100 days

    and

    Password not required equals True”

  6. Select Apply to run the query.

Note

For Permission Forensics, the data retrieved depend on the user scope of the user running the query. The data returned will only be within the applications and resources within each application to which the user running the query has access.

Searching for Resources Using a Resource Tree

You can add resources for the filter by navigating down the resource tree and selecting the requested branch.

  1. Open a new filter line.

  2. Select Resource from the Select Field drop down list.

  3. Open the Select Resource drop down menu to view the resource tree.

Saving Queries

  1. To save a query, select Save. That will open a popup screen to enter the query name.

  2. Select Save or Cancel to continue.

A query can be deleted only by the user who created it.

Using Saved Queries

Note

If you select a saved query, the contents of your current query will be overwritten.

To retrieve a saved query:

  1. Select Saved Queries.

  2. Select a query from one of the saved query lists:

    • Recent - a list of your recently used queries. These queries are named and ordered by the timestamp.
    • Saved - a list of queries saved by the user.
    • Shared - a list of queries shared with the user.

Selecting on a query will load its filters and displayed columns. A Query object cannot be edited, and changes made after loading a query do not impact the loaded Query object. However, these changes can be saved in a new query.

Sharing Queries with Other Users

The forensics screens give you the option to share queries with other users.

Sharing a query will make the query available in the quarry list of other users in this forensics screen.

To share a forensics query:

  1. Create a query.

  2. Select Save.

  3. Type in a name for the query.

  4. Type in the name or part of a name of the user to share the query with.

  5. Select the user from the dropdown list.

  6. Select Save to save the query to your list and the assigned user’s query list.

The query will be stored in the other user’s list under Shared.

Generating Reports

To generate a report from the last run query:

  1. Run a query as described above, or by selecting a saved query from the query list.

  2. Select Global Options > Generate Report.

  3. The report will be available in My Reports.

To schedule and save a report template:

  1. Run a query as described above, or by selecting a saved query from the query list.

  2. Select Global Options > Generate Report.

  3. Name the schedule and fill in the scheduling parameters.