Veriato Cerebral

Administrator’s Guide

5/13/2019

© 2019 Veriato, Inc. All rights Reserved.

Table of Contents

Getting Started ...... 7
About This Guide ...... 7
About Veriato Recon/360 ...... 7
Veriato Server - Recorder communication ...... 9
Data and Disk Space Consumption ...... 11
Using the Management Console ...... 12
Logging in ...... 12
Activating Veriato Recon/360 ...... 12
Getting to know the Management Console ...... 13
Global Options ...... 15
Using a Restart Message ...... 18
Viewing the Management Console Log ...... 22
Deploying the Recorder ...... 23
Deployment Options ...... 23
Add Recorders Wizard ...... 26
Deploying via a Manual Setup ...... 32
Importing Devices ...... 34
Deploying to Android ...... 36
Updating the Veriato Recorder ...... 40
Managing Recorders ...... 41
About Recorders ...... 41
Managing Recorder Groups ...... 48
Adding Recon or 360 Capability ...... 49
Removing or Disabling Recon or 360 License Capability ...... 50
Changing an Assigned Recording Policy ...... 51
Automatic Check for Version Updates ...... 53
Updating the Recorder ...... 54
Uninstalling (Remove) Recorder ...... 55
About to Install/Update/Uninstall ...... 56
Cancelling all actions ...... 58
Managing Users ...... 59
Grouping Users ...... 61
Adding Users ...... 64
Using to Add Users ...... 66
Adding One User at a Time ...... 68
Importing Users ...... 69
Viewing User Activity ...... 72
Setting Policy ...... 74
Alerts - Anomalies ...... 75
Anomaly Alerts ...... 75
Add Anomaly Alert - Alert Type ...... 76
Add Anomaly Alert - User Selection ...... 77
Add Anomaly Alert - Sensitivity ...... 81
Add Anomaly Alert - Action ...... 82
Alert Summary ...... 84
Baseline Anomalies ...... 86
Anomaly - Self-to-Self Comparison ...... 90
Anomaly - Self-to-Group Comparison ...... 92
Anomaly - Compromised Credentials ...... 93
Compromised Credentials Activities ...... 97
Compromised Credentials VPN Servers ...... 100
Email Activity Anomalies ...... 101
Document Activity Anomalies ...... 102
Language Analysis Anomalies ...... 103
Resource Usage Anomalies ...... 105
Sentiment Analysis Anomaly ...... 107
Alerts - Event ...... 109
Alert on 360 Events ...... 109
Add Event Alert - Alert Type ...... 111
Add Event - Users ...... 112
Add Event Alert - Conditions ...... 112
Advanced Query ...... 115
Add Event Alert - Action ...... 118
Add Event Alert - Summary ...... 120
Keyword Alerts ...... 121
Alert on Keywords ...... 121
Keyword Alert Types ...... 122
Add Keyword Alert - Users ...... 125
Add Keyword Alert - Keywords ...... 126
Add Keyword Alert - Action ...... 127
Add Keyword Alert - Summary ...... 129
Keyword Alert Screenshots ...... 131
Keyword Alert Email Report ...... 132
Alert Email ...... 134
About Alert Email ...... 134
Email Configuration ...... 135
Alert Operators ...... 137
Defining an Alert Operator ...... 139
Recording Policy ...... 140
Recording Policies ...... 140
Assigning a Recording Policy ...... 141
Adding a Recording Policy ...... 143
Changing Policy Settings ...... 145
Record ...... 146
Screenshot Settings ...... 146
Chat/IM Settings ...... 151
Websites Visited Settings ...... 155
Email Activity Settings ...... 160
Email Filtering Rule ...... 163
Files Transferred Settings ...... 167
Keystrokes Typed Settings ...... 169
Program Activity Settings ...... 170
User Status Settings ...... 172
Document Tracking Settings ...... 172
Network Activity Settings ...... 176
When to Record ...... 180
Who to Record ...... 182
Block ...... 184
Block Websites Visited ...... 184
Block Chat/IM Activity ...... 186
Block Internet Access ...... 189
Block Cloud Uploads ...... 192
When to Block Internet Access ...... 193
Who to Block ...... 194
General ...... 196
Recorder Security Settings ...... 196
Recorder Data Files ...... 199
Application Settings ...... 201
Server Settings ...... 206
Client Options ...... 207
Selectively Record URLs ...... 211
Selectively Record Program Captions ...... 212
Android Policy ...... 216
Android Recording ...... 216
Android Location ...... 217
Android Device Options ...... 218
Geofencing Policy ...... 219
Geofencing ...... 219
Geofencing and Alerts ...... 222
Viewing Data ...... 224
Dashboards, Data Explorer, Reports ...... 224
Users ...... 227
Managing Categories ...... 231
Application Categories ...... 231
Device Categories ...... 233
Keyword Categories ...... 234
Defining a Keyword Category ...... 235
Time Categories ...... 237
Website Categories ...... 239
Configurations ...... 241
Licenses ...... 241
Activation ...... 241
Check for updates ...... 242
License Types ...... 243
Recorder Versions ...... 246
Recorder Versions and Updates ...... 246
Exporting to File Formats ...... 251
Exporting to SIEM ...... 253
Viewing Data with Other Tools ...... 265
Search Rules ...... 267
Online Search Rules ...... 267
Add or Edit Online Search Rules ...... 271
System Management ...... 273
Accounts ...... 273
Changing a Password ...... 273
Veriato Login Accounts ...... 274
Setting up Accounts ...... 278
Copying an Account Profile ...... 282
Backup & Restore ...... 284
Database Backups ...... 284
Restoring a Backup ...... 286
Data Retention ...... 290
Data Retention ...... 290
Deleting Event Data ...... 293
Server Settings ...... 295
Servers ...... 295
Data and Data Backup ...... 296
File Storage and Backup ...... 299
The Veriato Service ...... 300
Changing the Server Address ...... 302
System Health Alert ...... 305
Appendices ...... 307
Event Alert Conditions ...... 307
Event Condition Operators ...... 307
Application Alert Conditions ...... 307
Chat/IM Alert Conditions ...... 309
Document Tracking Event Alert Conditions ...... 310
Email Event Alert Fields ...... 311
File Transfer Alert Conditions ...... 313
Keystroke Event Alert Conditions ...... 314
Network Event Alert Fields ...... 315
Online Search Alert Fields ...... 317
User Status Alert ...... 319
Web Alert Conditions ...... 321
Viewing the Management Console Log ...... 323
Antivirus ...... 324
Preventing Antivirus Interference ...... 324
Exclude the Veriato Server Folders and Files ...... 325
Exclude Recorder Files from Scanning ...... 325
Recorder Status Messages ...... 326
Check antivirus settings ...... 326
Disk Space or System Requirements ...... 327
Firewall Blocking WMI Communication ...... 328
Port Is Blocked ...... 329
Recorder Not Responding ...... 330
The Recorder Version Is Not Supported ...... 331
System Alerts & Other Issues ...... 333
Database Approaching Maximum Size ...... 333
Low Disk Space ...... 334
Missing Data ...... 335
Management Console Unable to Communicate with Server ...... 336
Activation Errors ...... 339
Contact & Copyright ...... 341
Contact Us ...... 341
Index ...... 343

Getting Started

About This Guide

The Veriato Recon/360 Administrator’s Guide covers the administrator role for this product, including configuring Recorders, maintaining, upgrading, and troubleshooting problems that arise at the server or at clients. The available guides are:

. Veriato Recon/360 Deployment Guide – Install the Veriato Server and deploy client Recorders.

. Veriato Recon/360 Administrator’s Guide – (This guide) Configure, maintain, and troubleshoot the system.

. Veriato Recon/360 Data and Data Views – Query, analyze, customize, categorize, visualize and report on recorded data.

About Veriato Recon/360

Veriato 360 and Veriato Recon

Veriato 360 provides unmatched visibility into the online and communications activity of employees, contractors, or anyone in the network. Monitor and investigate high risk employees with detailed, context-rich data and video playback. Measure productivity confidently and quickly implement changes based on your findings for measurable improvements. Veriato 360 includes:

. Detailed activity data for every user who logs in.

. Video playback (screenshots) of a user's screen.

. Dozens of charts, graphs, trends and reports to use as models.

. Event alerts that trigger on any condition you set, with predefined alert models.

. Keyword alerts that trigger on any defined phrase in a "Keyword Category."

Veriato Recon combines machine learning with advanced statistical analysis to locate possible data loss and insider threats. Returning only select metadata to the server for analysis, it alerts on:

. Behavioral anomalies in a user's file and email activity

. Changes in language and sentiment

. Unexpected, possibly unapproved, resource and network usage

. Remote logins that could indicate a breach via compromised credentials

The administrator role

Each admin account can have specific role permissions. A Veriato administrator may be responsible for:

. Monitoring, maintaining, and updating the SQL database, services, and application server(s).

. Managing and configuring recording and alerting policies.

. Deploying, updating, licensing and troubleshooting client Recorders.

. Organizing and populating Recorder and User groups.

Veriato components

. Veriato Database - When hosted on SQL Server Standard (or another "full" edition), the database instance is created with a 30 GB admin database and a 50 GB Reporting database, each set to grow by 15% as needed, with no maximum size. It scales as needed and communicates with the application server to receive and serve data.

. Veriato Application Server - For fewer than 500 endpoint devices, a single, primary application server should suffice. To handle large numbers of Recorders, add secondary application servers to improve performance and balance load. One or more servers relay data uploaded by the Recorders to the database. A "load balancer" intercepts Recorder data and passes it to an application server, which in turn routes it to the database. The entire process, even for hundreds of thousands of endpoints, takes a few seconds.

. Veriato Management Console - The Management Console provides dashboards, data views, configuration, and access to all components, as permitted by each user's login account. A Management Console (with a full-access Master Account) is installed with the primary application server. After installing the database and primary server, you can install additional Management Consoles and provide access-controlled accounts for additional admins and for those who will be viewing the data.

. Veriato Endpoint Recorder - Deploy the Recorder from the Management Console or use a manual setup file to deliver it to each endpoint device. Based on the Recording Policy and the Veriato 360 and/or Recon licensing included with the Recorder setup package, the Recorder captures and uploads the activity of every user who logs into the endpoint device.

Veriato Server - Recorder communication

Deployed Recorders must be able to communicate with the Veriato Server (service) as if on a Local Area Network. Data is exchanged over a TLS-secured connection to TCP port 443 (HTTPS). The Veriato Recon/360 installation automatically sets Windows Firewall exceptions at the server where it can. Be sure to add exceptions for incoming and outgoing traffic on any other firewalls that separate clients from the server.

Ports used

The following default ports can be adjusted if there are conflicts.

Component            Port    Protocol    Purpose
RECORDER (sharing)   445*    TCP         File and printer sharing must be enabled at the client Recorder machine.
RECORDER (WMI)       135*    TCP         Windows Management Instrumentation (WMI) rule must be enabled.
AT THE SERVER        443     TCP/HTTPS   Veriato Services
AT THE SERVER        54709   TCP/HTTPS   Management Console
AT THE SERVER        1434    UDP         SQL Browser Service
AT THE SERVER        1433*   TCP         SQL Instance (check the SQL error log for the correct port number)

*Ports may vary, depending on the system.

Note which side of each connection must accept it. Ports 445 and 135 are inbound to the endpoint and are needed only for push deployment and management from the Management Console. Port 443 is the only port a Recorder needs to reach on the server. The SQL Browser and SQL instance ports carry traffic between the application server and the database host; endpoints, and anything outside the network, have no reason to reach them, so keep them closed there.

This diagram shows network ports used by Veriato Recon/360 components. A simple installation would include a single Primary App Server with no Load Balancer.
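To verify these paths before a deployment, here is an added Python check (not Veriato code; the PowerShell equivalent is Test-NetConnection per port). It encodes the table above, grouped by the side that must accept the connection, so that you run it from the opposite side. The role names, the script filename and the host you pass in are illustrative assumptions, and UDP 1434 is deliberately skipped because a TCP connect cannot test it.

```python
import socket
import sys
from dataclasses import dataclass

# (port, purpose) pairs from the guide's "Ports used" table, grouped by the side
# that must accept the connection. Run the check from the other side:
#   endpoint  - from the application server toward a device you will push to
#   server    - from an endpoint (or a remote Recorder's network) toward the server
#   database  - from the application server toward the SQL host
# UDP 1434 (SQL Browser) cannot be verified with a TCP connect and is omitted.
REQUIRED_TCP = {
    "endpoint": [(445, "SMB file and printer sharing (push deployment)"),
                 (135, "WMI / RPC endpoint mapper (push deployment)")],
    "server":   [(443, "Veriato Services (HTTPS, Recorder upload)"),
                 (54709, "Management Console (HTTPS)")],
    "database": [(1433, "SQL instance (confirm the port in the SQL error log)")],
}


@dataclass
class PortResult:
    host: str
    port: int
    purpose: str
    reachable: bool
    error: str = ""


def check_tcp(host: str, port: int, purpose: str = "", timeout: float = 3.0) -> PortResult:
    """Attempt a TCP handshake. A refused connection means nothing is listening;
    a timeout usually means a firewall is silently dropping the packets."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, purpose, True)
    except OSError as exc:  # ConnectionRefusedError, TimeoutError, gaierror, ...
        return PortResult(host, port, purpose, False, f"{type(exc).__name__}: {exc}")


def check_ports(host, ports, timeout=3.0):
    """Check every (port, purpose) pair in `ports` against one host."""
    return [check_tcp(host, port, purpose, timeout) for port, purpose in ports]


def check_role(host, role, timeout=3.0):
    """Check the ports the guide requires for `role` ('endpoint', 'server', 'database')."""
    return check_ports(host, REQUIRED_TCP[role], timeout)


def blocked_ports(results):
    """Ports that failed; see the appendix topics 'Port Is Blocked' and
    'Firewall Blocking WMI Communication' for the matching fixes."""
    return [r.port for r in results if not r.reachable]


def report(results):
    """One line per port, suitable for pasting into a deployment ticket."""
    lines = []
    for r in results:
        state = "open" if r.reachable else f"BLOCKED ({r.error})"
        lines.append(f"{r.host}:{r.port:<6} {state}  {r.purpose}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python veriato_ports.py <endpoint|server|database> <host>
    if len(sys.argv) != 3 or sys.argv[1] not in REQUIRED_TCP:
        sys.exit("usage: veriato_ports.py <endpoint|server|database> <host>")
    results = check_role(sys.argv[2], sys.argv[1])
    print(report(results))
    sys.exit(1 if blocked_ports(results) else 0)
```

Run it with `endpoint` from the application server against a device before scheduling a push install, and with `server` from a remote network segment after changing the server address for Recorders outside the network. A timeout rather than a refusal points at a firewall in the path, which is the case the appendix topic "Firewall Blocking WMI Communication" covers.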

Recorders outside the network

Deployed Recorders report to the server address that was in effect when they were deployed, by default the server's internal IP address. To set up communication with remote Recorders, change the Veriato Server address to an externally facing (WAN) address before deploying (see Changing the Server Address). Recorders inside and outside the network report in to the same address, so deploy all of them with the changed address. Publish only TCP 443 on that external address; the Management Console port and the SQL ports have no reason to be reachable from outside the network.

Add Veriato Services to Group Policy

Veriato services are critical to communication. On installation, the service accounts are granted the "Log on as a service" right in the Local Security Policy. If a domain Group Policy also defines "Log on as a service" (User Rights Assignment), it replaces the local list, and the services cannot start until you add the same accounts to the Group Policy. Replace "$VERIATO360" below with the name of your Veriato database instance.

. NT Service\MSSQL$VERIATO360
. NT Service\SQLAgent$VERIATO360
. NT Service\SQLTelemetry$VERIATO360
. VeriatoService

Data and Disk Space Consumption

Recorded activity (data records) is stored per user who logs in. The following rates are based on the "Initial Recording Policy" settings, with a user active for most of an 8-hour day. A policy recording in greater detail, or a user engaged in heavy activity, would produce more data.

Average daily disk space per user

One user in one day (with both Recon and 360 recording active, capturing 1 screenshot every 30 seconds) on average uses:

Recon data storage: 0.4 MB
360 data storage: 1 MB
360 Screenshot File Storage: 36 MB

3-Month projection

Assuming 60 active days (a 5-day work week with 4 weeks in a month, over 3 months), the table below shows projected disk space usage, computed from the per-user daily figures above (for example, 36 MB x 60 days x 10,000 users = 21.6 TB of screenshots). Additional scenarios are provided in the Deployment Guide.

Number of Users   Recon Data   360 Data   360 Screenshots
5                 120 MB       0.3 GB     10.8 GB
100               2.4 GB       6 GB       216 GB
500               12 GB        30 GB      1080 GB
1,000             24 GB        60 GB      2160 GB
10,000            240 GB       600 GB     21.6 TB
50,000            1.2 TB       3 TB       108 TB

In addition, database backups are run nightly (differential) and weekly (full backup). Backups accumulate by default on the database computer. File storage accumulates on the primary server computer. Screenshot file storage dominates every row of the table, so the screenshot interval in the Recording Policy is the setting that most affects disk consumption. Be sure to set Data Retention and Space Management threshold limits at data and file storage locations.

Using the Management Console

Logging in

If you just installed, the Management Console should automatically open.

1. Login as - Enter your Master Account name or email address.

2. Password - Type the password for this account. If you forget your password, contact a Veriato administrator with access to login accounts. If you are the Master administrator, contact Veriato Technical Support.

3. Press Login - The Management Console opens.

Activating Veriato Recon/360

After installing Veriato Recon/360, you must activate it for use. You cannot deploy Recorders or receive data from deployed Recorders until you activate! When you activate, your Veriato Recon/360 installation contacts the Veriato licensing service, retrieves the licenses you have purchased, and downloads new Recorder versions.


1. Find your Product Key in the purchase confirmation email from Veriato.

2. If this form is not displayed, select Configurations | Licenses and click the Activate Product button.

3. Paste the entire product key in the first field.

4. Click Activate Now. Wait as the product activates.

Activation may take several minutes. If a message appears because it is taking too long, wait a little longer; activation may still succeed. If an error message appears, close all dialog boxes and try the Activate link again. Contact Veriato if you continue to see errors.

Getting to know the Management Console

The home/help page appears when you log in. Refer to Help from other locations in the Management Console by pressing the "I" symbol or "Learn More."

Your access to the Management Console sidebar and other features is granted by your login account. You may not be able to access all features in this guide.

The top bar

Find the "hamburger" symbol in the top bar to access Global Options (with settings for Alerts, Recorders, and the Database) and Global Search.

The sidebar

. Summary Dashboard - An overview of recent alerts and possible data exfiltration events (the Dashboard and Data View Guide).

. Recon Dashboard - Access to Anomaly Reports generated by Veriato Recon.

. 360 Dashboard - Access to dozens of provided and your custom charts generated from Veriato 360 data.

. Data Explorer - A detailed view into each activity type captured by the Recorder.

. Reports - Formatted, publishable reports to print or export from Veriato Recon/360 data.

. Filter Categories - Create groups of individual devices, programs, websites, and so on, to facilitate criteria selection for various activity views.

. Recorders - Where you deploy Recorders, create a Manual Setup file, and view the status of installed Recorders within each group you create.

. Users - Open a list of Users from a group and view their activities.

. Alerts & Policies - Define alerts and refine recording policy.

. Configurations - Manage licensing and Recorder versions and configure interfaces with third-party software.

. System Management - Where a Master Login manages the server and database: login accounts, data retention rules, backups, and restores.

Global Options

The Management Console provides a set of global options that affect the entire installation. Click the “hamburger” symbol to open the Global Options dialog box.

Global Options - Alert Email Delivery

This setting determines how alert email gets delivered from your Veriato server to alert operators. The initial selection of an email server was made during the Veriato Server installation.

. Use Veriato secure email service - Veriato provides an email relay for alert delivery. This method is convenient, especially for evaluation, because it requires no configuration or knowledge of an email server. Email simply passes through the service without being saved, and no one at Veriato can read it. The terms governing use of this server are included in the Veriato End User License Agreement. Alert email can contain monitored-activity details (user names, matched keywords, event descriptions), so confirm that routing it through a vendor-operated relay is acceptable under your data-handling policy before relying on it outside an evaluation.

. Use another email server - Configure SMTP relay delivery using any email server you wish.

. Configure Email Delivery - Active when "Use another email server" is selected. Provide server information and credentials for SMTP email delivery. When successfully configured, the Veriato Server automatically sends email via this server to the alert operators. See Configuring Email Delivery.

Global Options - Keyword Alerts

. Return screenshots when triggered - Check this option to return screenshots of a user's activity when a keyword is detected. Screenshots for the alert time appear in Data Explorer and in User details when a user (under either Recon or 360) triggers a Keyword Alert.

. Every 'n' seconds (frequency) - Set Keyword Alert screenshot frequency in seconds (1-3000).

. for 'n' seconds (duration) - Screenshots begin at the Keyword Alert trigger and end after a certain number of seconds (1-3000). Be sure to set a larger number here than for the above frequency.

Note: Each screenshot has a cost in client and server storage disk space. Taking a screenshot every second for five minutes (300 seconds) uses about 11 MB per user in disk space. Keep in mind the client's Data Storage and server's File Storage limits.
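The 11 MB figure above and the tables in Data and Disk Space Consumption come from the same per-screenshot cost, so here is one added Python model (not Veriato code) that ties them together: it derives the average screenshot size from the guide's 36 MB/day baseline at one screenshot per 30 seconds, reproduces the 3-month projection, prices a keyword-alert burst from its frequency and duration, and turns a disk budget into a Data Retention limit in days. It assumes decimal units (1 GB = 1000 MB, as the guide's tables use), an 8-hour active day, and that every screenshot is the same average size; the function and constant names are the example's own.

```python
from math import floor

# Per-user daily figures from "Data and Disk Space Consumption" (assumed
# decimal units, 1 GB = 1000 MB, matching the guide's tables).
RECON_MB_PER_USER_DAY = 0.4
DATA360_MB_PER_USER_DAY = 1.0
BASELINE_SCREENSHOT_MB_PER_DAY = 36.0   # at one screenshot every 30 s
BASELINE_INTERVAL_S = 30
ACTIVE_HOURS = 8                        # "active for most of an 8-hour day"


def screenshots_per_day(interval_s: int, active_hours: float = ACTIVE_HOURS) -> int:
    """Number of screenshots a Recorder takes in one active day at `interval_s`."""
    return int(active_hours * 3600 // interval_s)


# Derived average size: 36 MB / 960 screenshots = 0.0375 MB (37.5 KB) each.
MB_PER_SCREENSHOT = BASELINE_SCREENSHOT_MB_PER_DAY / screenshots_per_day(BASELINE_INTERVAL_S)


def daily_mb_per_user(interval_s: int = BASELINE_INTERVAL_S,
                      active_hours: float = ACTIVE_HOURS) -> dict:
    """Per-user, per-day footprint for a given screenshot interval."""
    return {
        "recon": RECON_MB_PER_USER_DAY,
        "data360": DATA360_MB_PER_USER_DAY,
        "screenshots": screenshots_per_day(interval_s, active_hours) * MB_PER_SCREENSHOT,
    }


def projection_gb(users: int, days: int = 60, interval_s: int = BASELINE_INTERVAL_S) -> dict:
    """Storage in GB after `days` active days (the guide's 3-month projection uses 60)."""
    return {k: round(v * users * days / 1000, 3)
            for k, v in daily_mb_per_user(interval_s).items()}


def keyword_alert_burst_mb(frequency_s: int, duration_s: int) -> float:
    """Extra screenshot storage one triggered Keyword Alert adds for one user.
    Global Options accepts 1-3000 s for both values; if duration does not exceed
    frequency the burst collapses to a single screenshot."""
    if not (1 <= frequency_s <= 3000 and 1 <= duration_s <= 3000):
        raise ValueError("frequency and duration must be within 1-3000 seconds")
    return max(1, duration_s // frequency_s) * MB_PER_SCREENSHOT


def retention_days_within_budget(users: int, budget_gb: float,
                                 interval_s: int = BASELINE_INTERVAL_S) -> int:
    """Whole active days of data a storage budget can hold; use it to choose a
    Data Retention limit before the File Storage volume fills."""
    per_day_mb = sum(daily_mb_per_user(interval_s).values()) * users
    return int(floor(budget_gb * 1000 / per_day_mb))


def projection_table(user_counts=(5, 100, 500, 1000, 10000, 50000), days: int = 60):
    """Rows of (users, recon GB, 360 GB, screenshot GB), like the guide's table."""
    rows = []
    for n in user_counts:
        p = projection_gb(n, days)
        rows.append((n, p["recon"], p["data360"], p["screenshots"]))
    return rows


if __name__ == "__main__":
    print(f"{'Users':>7} {'Recon GB':>10} {'360 GB':>10} {'Screens GB':>12}")
    for n, r, d, s in projection_table():
        print(f"{n:>7} {r:>10} {d:>10} {s:>12}")
    print("Keyword alert, 1 s for 300 s:", round(keyword_alert_burst_mb(1, 300), 2), "MB")
    print("Days of 10,000 users within 10 TB:", retention_days_within_budget(10000, 10000))
```

The retention function is the useful inversion: rather than asking how big 10,000 users get in 3 months, ask how many days of the current policy a given File Storage volume can hold, and set Data Retention below that number. Rerun it whenever the screenshot interval or the keyword-alert burst settings change, because those two inputs move the answer far more than the Recon or 360 event data does.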

Database Settings

. Bypass Criteria Dialog box - Check this option to bypass displaying the Criteria box when opening Reports, Data Explorer forms, and User Explorer forms. Either the existing criteria selections or the Global criteria selections will be used to display the data. You can always right-click on a report or form and select Criteria to call up different data. Clear this option to display the Criteria box.

. Database Query Time Out - (Default is 300 seconds) Any database query from the Management Console or Dashboard is set to time-out after 300 seconds have elapsed. Time-outs occur when the database cannot be found, extensive data has been requested, or many users are making requests and the query could not be completed in the given time. When you have a slow network or many users querying the database at the same time you may need to raise the time-out period.

. Display Logo on Reports (applies to all Reports) - (Default is ON) Displays a Veriato 360 logo on all report headers. Clear this option to remove the Veriato branding from the report.

. Use Codepage Conversions - (Default is OFF) Check this option to convert all characters displayed in the Management Console to the local codepage (table of values representing a character set). Important for viewing event data in non-western languages, this setting is not necessary when the computer is using codepage 1252 (Windows Western Codepage).

. Encrypt snapshots and email attachments - (Default is OFF) Encryption prevents opening or viewing a graphic file or email attachment stored in the File Storage folder except through the Management Console or a Veriato Export Viewer. Check this option to turn on 3DES encryption for all future files stored in Veriato File Storage; files stored before the change are not re-encrypted. When you change this option, you must restart the Veriato Service. Do this using Windows services at the primary Veriato Server machine. See The Veriato Service. Note that 3DES is a legacy cipher that NIST has deprecated for new use, so treat this option as protection against casual browsing of the File Storage folder, not as a substitute for restrictive NTFS permissions and volume encryption on the server.

Recorder

. Alert if no data is returned for - (Default is 5 days.) If no user logs into a computer, if a computer is offline, or if the Recorder is compromised, no data is uploaded to the server. This alert sends an automatic client health email to your system operator(s). Five days is a long window for a disabled Recorder to go unnoticed; shorten it for endpoints that are expected to report every working day.

If the device appears to be online, check the client triggering the alert for antivirus interference or tampering.

. Computer restart message - (Default is No Message.) You can display No Message or the Default Message when a Recorder is about to be installed. The message allows active users to save their work before the computer suddenly restarts. Customize the message displayed to users by editing the "Default" message. Refer to Using the Restart Message.

NOTE: The Restart message is not supported when the Recorder is deployed from SCCM.

. Automatically check for updates - (Default is all ON) Enable to check for updates to licensing and to software components every night. Clear this option if you don't want the nightly check. If updates are available, a popup notification appears on your desktop and on opening the Management Console. See Automatic Check for Updates. You can still manually Check for Updates. To apply updates to clients, see Updating the Recorder.

. Client Filenames Prefix - Specify a prefix to add to client filenames when the Recorder is installed. This applies to fixed or random filenames, and to random names generated with a custom seed (next option). Maximum prefix size is 15 characters.

. Seed to generate client filenames - If Use Fixed Filenames is not checked in the Recording Policy, you can use a seed to generate random client filenames consistent for your organization. The default seed is your product key, but you can enter any string you like. When you use the same seed, the same filenames will be created, allowing you to set antivirus exclusions for installed client Recorders. If you change the seed, a new set of filenames will be created.

Management Console

. Version - Find your Management Console version number in this section.

. View Log File - Click to view a log file of events at this Management Console; latest events are at the top. Recorder log files are available in Recorder group lists.

. Open User Guide - Click to open this guide.

. License Agreement - Click to open and view the Veriato license agreement you accepted on installation.

Click OK to save your changes in the Global Options and close the dialog box.

Using a Restart Message

A Recorder installation, though completely stealthy, requires restarting the computer. Windows Recorders generally require a restart for updates as well. This can be a problem for actively working users. Although the reboot option in a Recording Policy (General Options | Client Options) lets you turn OFF the automatic restart, a Recorder will NOT be fully operational until the computer does restart, and you don't know when that will be.

To adequately warn users of the restart while fully installing the Recorder as soon as possible, request a computer restart message. You can choose any verbiage for the message, use a custom image, and refine the timing. The user can't cancel the restart but will have enough time to save work and prepare. (Do NOT use this option if you have disabled the automatic restart.)

NOTE: Because the Recorder requests the message from the server, you can change a message up until the actual deployment time.

The message appears at Recorder installation

When the restart message is enabled, it appears to the user at the scheduled installation time (or on execution of the manual setup file) and delays installation slightly, so that the user can prepare. Your modifications and additions to the message will reassure users that the restart has been initiated by your organization and is required.

Note that the window caption on the final message is always "Restart your computer."

Default text message with name added

The message counts down the number of minutes left.

. If the user is not at the computer, the computer restarts at the end of the count down time.

. If the user selects Restart Now, the computer restarts immediately.

. If the user selects Postpone, the restart is delayed by 20 minutes (or as set in the message).

Using no message

By default, the Global Options panel is set for "No Message." Return the setting to No Message to turn off the Restart message for future deployments.

Using the default message

From the "Computer restart message" selection list, choose Default Message. The message will be applied to all future Recorder deployments. Scheduled installations in progress will not use the message.

Before deploying Recorders, be sure to edit the Default Message so that a user would recognize it as coming from your organization and not from another source (see below).

Creating a new message

From the "Computer restart message" selection list, choose Create New Message. The Client Install Restart Message panel appears.

1. Type the Message Name that appears in the Global Options restart message selection list.

2. Choose a Text or Image Message (see below). An illustration of the message shows approximately how the message will look.

3. When you are ready, click Save to save the message.

Editing a message

In Global Options, next to the "Computer restart message," select the message you want to change and click Edit. The Client Install Restart Message panel appears.

Creating or editing the message

Type in the message box. The illustration below changes as you edit.

. Message Name - Do not change the name for "Default Message." If this is a NEW message, give the message a unique name. The name will not appear to the user.

. Text Message - Displays an icon, any paragraph of text you choose, and standard prompts to restart or postpone (if postpone is selected).

. Image Message - Displays any graphic you choose. Only the graphic will be displayed: no prompts, no option to postpone, and no restart button. It is possible to make the Default Message an image message (remember to leave the message name as is: "Default Message.")

. Delay time - This is the amount of time the Recorder installation and subsequent computer restart will be delayed AFTER the scheduled install time. Enter a value from 5 - 120 minutes (20 is default) When the message is displayed, this is the amount of time to "count down" before the Recorder begins to install and restart. This time also sets the amount of time to "postpone," if you choose to allow it.

. Allow the user to postpone once - Text messages only. Check this option to add a "Postpone" button. Postpone delays the restart by adding the delay time again. For example: Delay time is set to the default 20 minutes AND postpone is enabled (20 minutes). At 3 minutes left on the initial countdown, the user presses Postpone. Install/Restart is now delayed another 23 minutes. After 23 minutes, the message closes, and then the computer restarts.

. Restart now - Text messages only. This button automatically appears on the final client restart message, with or without Postpone. The user presses the button to initiate Recorder Install/Restart now, rather than waiting until the Delay/Postpone period has passed.

IMPORTANT: If the user restarts the computer using a method other than pressing the Restart now button, the Recorder installation may not complete. Watch the Management Console for signs of successful installation. If the Recorder fails to install when expected, Cancel the pending install, or Uninstall the unfinished install, and try again.

Text message

You want users to know the message represents an approved, inhouse software update. You don't want them thinking it’s a virus or other threat.

. Message body - Type or type over the message in the large text entry area. Your text is displayed in the preview below. Note that the Default message text includes a placeholder for a name; be sure to type over it with an actual person's name. The message text explaining timing/postpone cannot be changed, although the timing can be (see Delay time above).

. Message icon - A default image is provided. Click Change to replace the provided image with any .jpg or .png you upload. Your logo or another recognizable image helps users to recognize the message as part of an approved inhouse update. The image will be automatically resized to fit the message icon area.

Click Save to save your changes.

Image message

For fully customized message design, select an Image Message. Click Select file to replace the "Image Goes Here" image with the image you choose. Be careful to create and use an image that will be readable by users of all types of monitors. There are no text prompts, no count-down, and no buttons. When the delay time is up, the message simply closes and the computer restarts.

The image message before uploading a custom image

The image fills the message

Click Save to save your changes.

Viewing the Management Console Log

The Management Console log records actions, with their date and time and whether they succeeded. The log is useful for troubleshooting problems or tracing incidents.

Accessing and reading the log

Select Global Options from the top bar. Click the View Log File button to open the log. Each log entry has the following columns:

. Application - Application where activity occurred.

. Type - Type of message logged: Information, Warning, or Error.

. When - Date and time activity was logged.

. Level - Level of severity.

. PID - Identifies the running process.

. TID - Identifies the thread where the log statement is generated.

. Message - A description of the activity, warning, or error logged.

Using the log file menu

Select File | Open to open older log files.

Select File | Save As to save the log file. The default file name includes the application and the date.

Select Edit | Copy to copy selected rows to the Windows Clipboard.

Select options from the View menu to filter the type of data displayed.

. Errors - Display only errors that have occurred. Error messages appear in red typeface.

. Warnings and errors - Display only warnings (in blue) and errors (in red).

. Information, Warnings, and Errors - Display all messages in the log file.

Use the Window menu to switch to the main window or to another open window.

Use Refresh to update the information shown in the log.

Deploying the Recorder

Deployment Options

The following Global Options and Recording Policy settings determine how the Recorder is deployed.

Remote Deployment

Windows and Mac. The easiest, most efficient method of deployment is to use Deployment|Add Recorders from the Management Console. Simply select devices (from active directory, by importing a list, or by typing a name) and schedule deployment for a time when users are not at their computers.

When the install package is delivered over the network and received by the endpoint device, the Recorder quietly installs itself and restarts the computer. The restart is necessary to complete Recorder installation (not necessary for simple updates).

Manual Setup File

Required for Android. To deploy to Android mobile devices or to deploy using SCCM or a Group Policy object, use Deployment | Create Manual Setup to create a file that installs the Recorder. The file is OS-specific, so you'll need to create a separate file for Windows, Mac, and Android, as needed. Deliver the file to endpoint devices and run it there. Computers will restart following installation.

Restart message

Windows Only. To warn any active users of the computer restart (used for a "push" install or update), you can request a "Restart Message" in Global Options. The message is used for all remote and manual Windows deployments (but is ignored when using SCCM). Customize the message however you like to make the user feel comfortable with this "system update."

Option to not restart

A Recording Policy setting in General Options | Client Option allows you to turn off the automatic restart following Recorder Installation. However, be aware that the Recorder will not begin functioning until AFTER the user restarts the computer, completing the Recorder installation.

Install as stealthy or visible

By default, deployment of Recorders is "stealthy." There is no notification that a remote install package has been delivered, is executing, and has installed new software. The only sign is the computer restarting.

A visible installation may be helpful to engage the user or for managing a local, "manual install." General Options | Client Options lets you turn off "silent install" and select a series of dialog boxes to display during the installation.

Run as stealthy or visible

Normally, there is very little chance a user would ever discover the Recorder. If you prefer transparency, you can turn off stealth mode in the Recording Policy under General Options | Security. In "visible mode," the client appears as a service icon in the system tray and elsewhere. From Advanced Security Settings, you can reinforce acceptable use policy by displaying a message when the user logs on.

Client filenames, stealth, and antivirus

Windows and Mac. By default, the client installs using "fixed filenames" in a specific, hidden directory. Fixed filenames can easily be excluded from antivirus scanning. However, if you need more stealth than this provides, the following Recording Policy and Global Options settings are available.

In the Recording Policy options:

. Install fixed or randomly named files. Because each installation will use different filenames, you won't be able to exclude the client from antivirus in a group policy.

. Change the hidden directory.

In the Global Options:

. Add a prefix to further disguise files.

. Create a set of unique filenames using a "seed" that can still be excluded from antivirus scanning.

NOTE: Make sure Mac Recording Policies use the default setting with STEALTH enabled.

Browser settings

Because Chrome and Firefox browsers update frequently, the Veriato Recorder is equipped with options that allow you to respond. Recorders may use legacy (stealthy) mode or operate as a browser extension. The legacy method sometimes stops working after a browser update; the browser extension sometimes becomes visible to the user. Use Websites Recorded | System Settings to adjust settings to your preference.

Add Recorders Wizard

If you have just installed Veriato Recon/360, the Management Console data views and lists are mostly empty. You'll need to add Recorders to begin capturing and viewing user activity. If you have upgraded, you may need to re-deploy.

NOTE: You won't add Android devices using this method. Instead, you will create a Manual Setup file and install a Veriato Recorder app on each device. Be sure to set antivirus exclusions for Windows clients before deploying the Recorder.

1. Select Recorders | Ungrouped. At first, the only Recorder group is "Ungrouped," which is always present in the sidebar and includes devices that don't belong to another group. If you have other groups, they are listed here.

2. Select Deployment | Add Recorder. The window flips around to the first panel of the wizard.

Select devices to record

The first step in the Add Recorder wizard is finding and selecting devices where you want to add a Recorder. You’re building a “candidate list” for Recorder deployment.

1. Use one of the provided buttons to build a list.

. Active Directory - Click to open a view of your current domain. If necessary, enter network account credentials to access Active Directory on this or another domain. Select devices. Click Add Devices to add your selections to the list. See Using Active Directory.

. Import File - Select to import a list of devices in a .CSV formatted text file. Imported devices appear as "Unverified" and are automatically selected. See Importing a List.

. Add One - Select to type in a single device name. When you use this method, the credentials entered for this device will be used for all devices in this candidate list. Added devices appear as either "Verified" or "Unverified" and are automatically selected. See Adding One.

2. Filter and sort – If the list is long or imported, use tools to find the devices you want to record. If you use “Select all” after filtering, only the visible devices will be selected.

. Show only– If you use multiple sources for your list (e.g., Active Directory plus Import) checkboxes let you filter the list by source. For example, uncheck "Discovered" and "Imported" to view only the devices you typed in using Add One.

. Search - Type a few letters of the device name, use a wildcard if necessary, and press Enter. The “Select” list is filtered to show only matches to your search. Use the X button to clear the search and return to the complete list. For example, typing tbp* filters a list immediately to:


NOTE: The wildcard applies only after typed characters.

. Sort by column - Click the sort toggle button next to a column header to choose it as the sort field, and to toggle between an ascending and descending sort.

3. Select devices from this list.

. Selected - A yellow badge appears above the list when a device is selected and keeps track of how many devices are currently selected.

. Select all - Check the box next to "Device" in the list header to select or deselect ALL devices in your list. Selected devices will receive the Recorder installation. Be aware that a license is required to activate the Recorder at each device.

4. Click Next at the bottom of the page, activated as soon as you select at least one device, to continue.

NOTE: Do not attempt to add more than 3,000 devices at a time. Only devices without an installed Recorder can be added. Use Deployment | Update Recorder to update an installed Recorder.

Prepare devices for recording

The second step in the Add Recorder wizard is scheduling installation time and supplying credentials (unless you used Add One) for the devices you selected in the previous step.

1. Schedule Recorder installation - Now or later. Be aware that Recorder installation restarts the endpoint computer! The Recorder package is delivered as soon as you finish the wizard, but it won't be installed until the time you select. Take care to avoid interrupting user work.

. Now - Installs the Recorder as soon as possible.

. At scheduled time - Installs the Recorder at the date and time you select. Click the clock icon and select date and time from a calendar and clock.

2. Set credentials - Enter a user name and password with administrator-user credentials allowing software installation at the target computers. If a domain name is not supplied, Veriato Recon/360 assumes the account is local to the Management Console machine.

The credentials will be applied when the installation is delivered. Problems with the credentials appear as Install Errors in the Recorders list following installation.

3. More options - Change the Recorder configuration. Otherwise, the Add Recorder wizard automatically uses the default Recording Policy and the latest Recorder Version.

4. Click Next to continue. The button at the bottom-right of the panel is activated once a schedule is selected and credentials are supplied.

License the selected devices

The third step in the Add Recorder wizard is assigning a license to the selected devices. Check the license type or types you want to use on these devices.

The bars showing total licenses provide a general visualization without direct relationship to actual numeric amounts. The bar with the most licenses is longest. Gray represents "available" licenses, light blue represents "in use" licenses, and dark blue is what you are about to use.

. If you selected more devices than there are licenses available, you can go back and deselect devices. You can also continue without licensing every device.

. If no licenses are available, a link appears providing the opportunity to request more.

. If, by deployment time, there are not enough licenses, the Recorder will be installed without a license. You can add a license to selected devices from the Recorders list.

For more about licenses, see License Types.

The Next button in the lower right of the panel is activated as soon as you select a license type.

Summary

In the final step of the Add Recorder wizard, review your selections, return to them if needed, and then press Install when you are ready to deploy.

Go back, if necessary

To double-check devices, the install schedule, credentials, or licensing, click a link on the Summary panel, or press the Previous button at bottom left. You can make changes until you press Install.

Messages

. Warning - Computers will be restarted at the scheduled installation time. Always appears. If the Recorder Policy reboot setting is disabled, installation is not complete until the user reboots the computer.

. Note - One or more devices could not be verified. Appears when you have imported a list of devices. If the device name is correct, it will be correctly added, and if the credentials are good, the Recorder will be installed. You can make corrections later.

Press Install

The Install button submits your list of devices for Recorder deployment and returns you to the Recorders list. An installation package is sent to each device. At the scheduled installation time, you can view installation progress on each device. If the devices were designated for another Recorder group, be sure to select that group on the sidebar (under Recorders) to view device progress and status.

Deploying via a Manual Setup

Instead of deploying remotely from the Management Console, you can create an executable Recorder setup file to deliver to and run on endpoint devices. Use the same manual setup file on multiple devices with the same OS. All devices receive the licenses and recording policy selected for the manual setup file.

NOTE: You cannot create a setup file until you have activated the product.

When to use a manual setup

. To deploy using SCCM or another network tool

. To deploy Android devices

. To deploy to devices off the Veriato server network

. To deploy to devices in a Windows Workgroup

. To deploy to Mac devices where shared access cannot be enabled

Creating the setup file

1. Select a group from Recorders and Deployment | Create Manual Setup from the top bar.

2. Select an OS - Select an operating system. Each setup file applies to one OS.

3. Assign one or two licenses - Once installed, the Recorder will request the license(s). If there are no licenses available when a Recorder makes the request, the device appears in the Management Console with a warning icon noting the lack of license. As soon as it receives a license, the Recorder begins recording. Note that Android can ONLY be assigned a Veriato 360 license.

4. Assign a group - Designate the group this Recorder reports to following installation.

5. Change configuration – OPTIONAL. The Manual Setup file uses the default Recording Policy for the OS and the latest Recorder Version unless you specify differently. Click the Change configuration drop-down to select a specific policy and version for the selected OS.

6. Create File - Click the Create File button when activated to create the Manual Setup file. Save the file to any location. Each OS selection creates a different type of file. If you were to create a setup file for each OS, you would have:

Deploying a manual setup file

Follow the links below for information on deploying the setup file. If you did not request a Restart message, the installation runs and immediately restarts the computer.

. Deploying with SCCM - An experienced administrator can deploy a Manual Setup file from SCCM as a custom application package via System Account and a few specific settings. (You can't use the Restart message with this method.)

. Deploying to Android - Install or re-install the Veriato app directly on the device.

. Deploying to Windows - Double-click the .bat file to run it. If applicable, remove the installer file from the device following installation.

. Deploying to Mac - Drag the script file to the Terminal and press Return. Be sure to remove the installer file following installation.

Unless you have changed the Recording Policy settings, Recorder deployment automatically restarts Windows computers.

NOTE: A request for the Restart message will be ignored on deployment from SCCM.

Running a manual setup file on Windows

1. Log in as administrator user at the endpoint computer.

2. Access and double-click the .bat file. The installation runs silently unless you have selected a restart message or disabled stealth.

3. When the computer restarts, the Recorder is installed and begins recording.

4. Remove evidence of the setup file and installation from the device.

5. The installed Recorder reports into the server and appears in the specified Group.

NOTE: To change Recon/360 license capability or the recording policy, select the device after it appears in its Recorder group and use top bar Recording selections.

Importing Devices

It's possible to Add Recorders by importing a list. This is convenient if you already maintain a list or lists of devices for your organization. The list must be a .csv (comma-separated values) formatted text file that includes device and domain names, as known to the network. The imported computers will be added to the current Recorders group.

Importing into the "Add" wizard

. License selection (upcoming in the wizard) will be applied to ALL selected devices. A license will be "used" for each device. To give devices different licensing (e.g., Recon, Recon+360, or 360 only), import devices in separate Add Recorder sequences.

. Imported devices are not verified, so be sure to check each Recorder group for errors following deployment.

. Only the first 3,000 devices will be visible in the "Select" list. See below.

. Following the file import, you can augment the "Select" list using Active Directory, Import File, or Add One.

Preparing a CSV file

Use a spreadsheet, word processor, or other program to create a plain text file with the suffix .csv. The file should list one Device per line. The header row must be:

DeviceName,DomainName,OS,NetworkType

. DeviceName - REQUIRED. The name of the device as known to the network.

. DomainName - REQUIRED. The Windows domain the computer belongs to. If not on a domain, repeat the device name.

. OS - REQUIRED. Operating system of the computer: "Windows" or "Mac" or the OS with the version, "Windows 10."

. NetworkType - REQUIRED. Either "network" or "local" (if not on a domain).

For a spreadsheet list, use Save As and save as file type .CSV (comma delimited). Do NOT use commas or other punctuation within the fields.

For a plain text document list, use commas only; do not substitute quotation marks or other symbols for the commas.

DeviceName,DomainName,OS,NetworkType
MARLIN,CHICAGO,WINDOWS,NETWORK
DOLPHIN,DOLPHIN,WINDOWS,LOCAL
SMITH-MACSTATION,CHICAGO.EAST, WINDOWS 8,NETWORK
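A small validator for the import file format described above, added here as an example (not Veriato's own code). It checks a CSV against the documented rules before you hand it to the Add Recorder wizard: exact header, all four fields present, OS of Windows or Mac (optionally with a version), NetworkType of network or local, a local device repeating its own name as the domain, no quotes or other punctuation inside fields, and the 3,000-device display limit. The sample rows are the guide's three devices plus two constructed bad rows.

```python
import re
from dataclasses import dataclass, field

EXPECTED_HEADER = ["DeviceName", "DomainName", "OS", "NetworkType"]
VISIBLE_LIMIT = 3000  # the wizard's Select list shows only the first 3,000

# A device or domain name: letters, digits, hyphens and dots only. Quotes or
# semicolons in a field mean the file was not saved as plain comma-separated text.
_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]+$")
# "Windows" or "Mac", optionally followed by a version such as "Windows 10".
_OS_RE = re.compile(r"^(windows|mac)(\s+\S.*)?$", re.IGNORECASE)

# Constructed sample: the guide's three rows plus two deliberately bad ones.
SAMPLE_CSV = """DeviceName,DomainName, OS, NetworkType
MARLIN,CHICAGO,WINDOWS,NETWORK
DOLPHIN,DOLPHIN,WINDOWS,LOCAL
SMITH-MACSTATION,CHICAGO.EAST, WINDOWS 8,NETWORK
"ORCA",CHICAGO,Linux,vpn
TUNA,CHICAGO,Mac,local
"""


@dataclass
class ImportReport:
    devices: list = field(default_factory=list)   # rows that passed, as dicts
    errors: list = field(default_factory=list)    # (line_no, message)
    warnings: list = field(default_factory=list)  # (line_no, message)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_import_csv(text: str) -> ImportReport:
    """Check CSV text against the import format and return an ImportReport."""
    report = ImportReport()
    lines = text.splitlines()
    if not lines:
        report.errors.append((0, "file is empty"))
        return report

    # The header must be the four documented column names, in order. Letter case
    # and spaces after the commas are tolerated (the guide's own sample has both).
    header = [h.strip().lower() for h in lines[0].split(",")]
    if header != [h.lower() for h in EXPECTED_HEADER]:
        report.errors.append((1, "header must be " + ",".join(EXPECTED_HEADER)))
        return report

    for line_no, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # blank line
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            report.errors.append((line_no, f"expected 4 comma-separated fields, got {len(fields)}"))
            continue
        device, domain, os_name, net = fields
        problems = [f"{name} is required" for name, value in zip(EXPECTED_HEADER, fields) if not value]
        for name, value in (("DeviceName", device), ("DomainName", domain)):
            if value and not _NAME_RE.match(value):
                problems.append(f"{name} contains punctuation or spaces: {value!r}")
        if os_name and not _OS_RE.match(os_name):
            problems.append(f"OS must be Windows or Mac (optionally with a version), got {os_name!r}")
        if net and net.lower() not in ("network", "local"):
            problems.append(f"NetworkType must be network or local, got {net!r}")
        if problems:
            report.errors.extend((line_no, p) for p in problems)
            continue
        # Documented rule: a device that is not on a domain repeats its own name.
        if net.lower() == "local" and domain.lower() != device.lower():
            report.warnings.append((line_no, f"local device {device} should repeat its name as DomainName"))
        report.devices.append({"DeviceName": device, "DomainName": domain,
                               "OS": os_name, "NetworkType": net.lower()})

    hidden = len(report.devices) - VISIBLE_LIMIT
    if hidden > 0:
        report.warnings.append((0, f"{hidden} devices beyond the first {VISIBLE_LIMIT} are hidden in the Select list"))
    return report


if __name__ == "__main__":
    result = validate_import_csv(SAMPLE_CSV)
    print(f"{len(result.devices)} devices accepted")
    for line_no, msg in result.errors + result.warnings:
        print(f"line {line_no}: {msg}")
```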

Importing the file

1. Select Recorders and "Ungrouped" (or the group you wish to add to). From the top bar, select Deployment | Add Recorder.

2. On the Select panel, click the Import File button.

3. Click Select a CSV File to navigate to and select the file you wish to import. Click Open.

4. If the file is valid and contains new devices, the "Select" list is populated. Each imported device is checked.

5. Uncheck devices where you don't want to install a Recorder or click the X at the end of the row to remove it.

More than 3,000 devices

If you have successfully imported more than 3,000 devices, only the first 3,000 are shown in the list. The rest have been imported but are hidden. Checking the Device "Select All" checkbox does select the entire list. The yellow selection label reads "3,010 devices selected (10 hidden)."

. To find and select specific devices: Uncheck the Devices "select all" checkbox. Filter the list by entering the first characters of a device name and *. Select the device or devices you wish to import.

. To select and deploy to all: Leave the Devices "select all" checkbox checked. Continue the wizard by clicking Next at the bottom of the panel.

Select devices and click Next

Once you select devices to record, you can continue. Click Next at the bottom of the panel to go on to Prepare.

Deploying to Android

Deploy the Veriato Android Recorder by installing an app directly on the mobile device. In addition to a Recorder, you will install Chromium to provide a mobile web browser that allows Veriato monitoring. The basic steps are:

Create a manual setup file

Start at the Veriato Management Console on your computer. One setup file can install the Recorder on any supported Android mobile device.

1. Go to Recorders and open a sidebar group, such as Ungrouped.

2. From the top bar, select Deployment | Create Manual Setup. See Creating a Manual Setup File.

3. In the Create a Setup File panel, select Android and the Veriato 360 license type.

4. Select the group the Android devices belong to.

5. If you want to change the Recording Policy or Recorder Version, select Change Android Configuration.

6. Otherwise, click Create File.

7. Save the compressed VeriatoAndroid setup package to your computer. You can rename the file, but do not change its file extension.

8. Unzip (extract) the VeriatoAndroid setup folder. It contains 3 files:

9. Next, assemble Android devices and follow the instructions below for each.

Name the device for organized monitoring

Start by verifying that the device meets OS requirements and has a unique name that can be associated with the device user. If mobile devices are not being formally managed and do not have specific names, data uploaded from multiple devices may become corrupted, and the user activity unreadable. Use each mobile device's Settings to check or set the device name.

NOTE: Menu options on mobile devices differ, depending on the OS version, carrier, and manufacturer. If you are unable to follow the general steps below, consult the device's help or website to learn more.

1. Access Settings | About Device | Device Name.

2. Enter (or verify) the name for this device and press Done.


Set the device to allow apps from unknown sources

Because you will install the Recorder app directly from your computer and not from a "store," you need to temporarily allow app installation from "Unknown sources." If you don't do this, an "Install blocked" message will prevent Recorder installation.

1. Navigate to the phone's Settings area and find Security. Look for it under a section called "Device Administration."

2. Enable (check) installation from Unknown sources. Choose to trust both trusted and unknown sources.

3. Connect the device to your computer via USB. The device should appear in the computer's file management.

Copy the setup files to the device

1. From the computer, copy the 3 unzipped files (Ctrl+C).

2. Navigate to the mobile device's Download directory. Paste (Ctrl+V) or drag the files to this directory.

Install the Veriato Recorder

From the mobile device, find and install the Veriato app.

1. Navigate to the mobile device's Download directory and tap the Veriato.apk file. The installation process begins. Click Next.

2. Click Install.

3. Wait for the app to install. Click Done.

4. When prompted to "activate device administrator," tap ACTIVATE.

Install Chromium

1. Tap the Chromium.apk file in the Android Download directory. The Chromium installation process begins. Click Next and Install.

2. Wait for the app to install and click Done.

3. The Chrome browser opens at the end of the installation.

4. The Android device is now fully set up. If you wish, you can return to Settings | Security and disable installation of apps from unknown sources.

5. Check the Management Console. Within minutes, the device should appear in the Recorders group that you selected for this manual setup.

Uninstalling the Veriato Recorder

1. Navigate to the phone's Settings.

2. Find the Security area within the settings application.

3. Locate the Device Administrators area. This is sometimes found under "Other security settings."

4. Disable the Veriato Administrator.

5. Return to the settings home page and navigate to the Applications area.

6. Locate the Veriato application and access its Settings.

7. Select Uninstall and Confirm.

Updating the Veriato Recorder

Recorder updates are essential for keeping pace with changes to the OS and other recorded apps. Install an Update as you did initially, using a Manual Setup file and installing directly on the device.

1. From Recorders, select Deployment | Create Manual Setup from the top bar.

2. Select the operating system and the latest Recorder Version in configuration.

3. Select the Group the recorded devices belong to.

4. Click Create File.

5. Deploy the file as instructed above.

Managing Recorders

About Recorders

The Recorder is invisible to the user and operates silently (by default), recording activity as it occurs and uploading data every 4 minutes (an Android Recorder uploads immediately). If data cannot be uploaded, it is retained at the endpoint device up to a maximum time or disk space threshold.

When activity begins, the Recorder…

. Records each event immediately as it occurs, often in multiple event types.

. Takes a screenshot (by default) every 30 seconds (5 minutes for Android). You can request additional or accelerated screenshots when an Event or Keyword Alert is triggered.

. Uploads data on check-in, every 4 minutes (Android uploads immediately, if possible), or as permitted by data throttling at the server.

. Uploads as much data as possible within a (default) 30 second period. Any remaining data is sent after (the default) 240 seconds.

. If data cannot be delivered, data is retained at the local device for (the default) 30 days or until it reaches the (default) maximum size of 1 GB.

. At the data storage threshold, the Recorder begins deleting the oldest data.

What You Can Do from the Management Console (columns: MAC WIN AND)

Add devices and deploy Recorders from the Management Console X X

Create a Manual Setup file to install the Recorder at endpoints X X X

View and respond to device status/errors X X X

Assign, disable and enable Veriato Recon and 360 capabilities X X X

Create and assign recording policies X X X

Assign alerting policies to all users or select groups X X X

Display aggregated user activity X X X

Recording MAC WIN AND

Screenshots of user's display X X X

Chat and messaging (see Chat/IM Support) X X X*

Email sent/received (see Email Support) X X X*

Keystrokes X X

Website activity X X X*

Application activity X X

Limit recording of window captions selectively by program X

Limit recording selectively by URL X

Block websites, chat, Internet access X X

Manage Installed Client Recorder Software MAC WIN AND

Can be made "visible" to users X X

Manage local data as requested X X X

Rename files and direct data storage X

The "Initial" recording policy

The "initial" or default recording policies are designed for optimal data capture without stressing data size limits (at the Recorder or at the Server).

Records | Initially | Recon Uses | Changes take effect when* | Default Recording
Chat/IM | ON | | Open programs/processes restart | Records communication by all parties (as supported).
Document Tracking | ON | YES | Open documents restart | Records actions on files at network and removable devices, as well as documents sent to a printer.
Email | ON | YES | Open email programs/processes restart | Records email sent and received (as supported). Capture of attachments is NOT enabled.
Files Transferred | ON | YES | Open transfer programs/processes restart | Records all Peer-to-Peer, FTP, and HTTP file transactions.
Keystroke | ON | | Open programs/processes restart | Records typed keystrokes, visible or not. Extended keystroke capture NOT enabled.
Network Activity | OFF | | Open programs/processes restart | All communication with other computers on the network (intranet or internet).
Online Searches | ON | | Open programs/processes restart | Searches entered, and hits received from search engines.
Programs | ON | YES | Open programs/processes restart | Every program opened and the duration of activity within it. Inactivity time out is 3 minutes.
Screenshots | ON | | Immediately | One grayscale screenshot every 30 seconds while user is active.
User Status | ON | YES | Immediately | Captures login and log out times and periods of activity and inactivity at the computer.
Websites Visited | ON | YES | Open programs/processes restart | All domains and URLs visited (in supported browsers).
Block | OFF | | Open programs/processes restart | Blocking by the Recorder is off until defined.

* Changes to Android mobile device recording policies take effect when the Recorder is updated on the device.

Important to keep in mind

. Recon anomaly detection depends on activity recording being enabled.

. Document Tracking enabled on the local C: drive results in excess data with unnecessary "noise." If you are recording file activity on the local drive, use filters.

. Screenshots occur every 30 seconds (unless Keyword or Event Alert settings accelerate them). Screenshots enabled in color, at a higher resolution, or at a greater frequency than the default have a high disk cost at your File Storage location.

. Email Attachments can be very large and have a high File Storage disk cost.

. Non-English characters - multi-key character keystrokes must be enabled and are NOT captured by default.

General settings

Changing install and data file settings requires reinstalling the Recorder software (a "push" update).

General Options | Setting
Reboot computer after Recorder installation | ON
Install in quiet (stealth) mode | ON
Installed filenames | Fixed Filenames
Install in the default subdirectory | ON
Client runs in stealth mode | ON
Warning message at user logon | OFF
Data files are hidden | ON
Data throttling | ON
Data upload interval | Every 4 minutes for 30 seconds
Upload mobile data when connected to wireless or network | ON
If mobile devices cannot connect, remove data after | 30 days
If computers cannot connect to server, remove data after | 30 days
Maximum data size at computer client | 1000 MB
Inactivity timeout stops recording at | 3 minutes
Enable log file | ON ("Info" level)

Recorders

When Recorders are successfully deployed, they "check in" to the Veriato Server. The Recorder status appears in the Recorders section, and as user activity occurs, data is uploaded for analysis and/or viewing.

Sidebar groups

If you have not set up Recorder Groups, deployed Recorders will appear in "Ungrouped." Otherwise, they appear in the sidebar group where you added them or as assigned in the Manual Setup file.

Device status

The list shows a one-line summary for each device. Sort the list by clicking on the Device or Status column header. Use the drop-down symbol at the right end of the line to open complete device details.

. Device - Name of the device. When details are opened, includes the device domain (or local status), OS platform and version (as available)

. Status - Current state of the device. No entry - Indicates normal recording status. Yellow triangle - Warning or pending action (e.g., waiting for install). Red circle - Installation or recording error has occurred.

. Recorder Detail - Clarifies a warning or error and provides license/user status.

Recorder detail

Click the device name or the down arrow at the right end of the row to view complete details, including the device's domain, operating system, Recorder group, Recorder version, time of last data exchange, and the assigned recording policy.


If the device is not yet installed or there is an Install error, details may not be available. The cause of a problem is identified, if known. For most Install Errors, you can re-install or remove the device directly from the details. Click the "i" symbol for help on a specific status.

Searching

Use the Search entry box at the top of the group list to filter the list to a specific device or devices. The search looks for matches to Device names (as displayed in each row). You can use an asterisk (*) before and/or after an entry, or simply type a fragment.

Press Enter to find matches. Press X in the Search box to clear the list and return to the full list.


. Partial match - Type a partial name and press Enter. For example, the search john finds: John Smith, Parker Johnson

. Wildcard before - Type a * wildcard before your entry to include any preceding characters in the results. The search *john would find: Stuart John, Louise Upjohn, dev.xyz\lupjohn

. Wildcard after - Type a * wildcard after your entry to include any following characters. For example, the search John* would find: John Smith, John Thomas, johnscomputer\jsmith

. Wildcard before and after - Type a * wildcard before and after an entry to include any (or no) surrounding characters. The search *john* finds ALL of the above results plus: Arnold Johnson, dev.xyz\john.smith, dev.xyz\xjohnson

Selecting devices

Select at least one device to activate and execute the Deployment and Recording options at the top of the window. Use the checkbox on the heading row to select ALL devices in the group.

Deployment options

The Deployment menu includes:

. Add Recorder - Starts the add wizard.

. Update Recorder - Updates the version on selected devices. Only devices with an earlier Recorder Version will be updated.

. Cancel Scheduled Actions - Cancels in-progress installations, updates, or other current processes. Only works on devices not yet in a success or error state.

. Uninstall Recorder - Uninstalls and removes the selected devices from this list.

. Create Manual Setup - Displays the Manual Setup configuration panel.

Recording options

The Recording menu includes:

. Add/Enable License - Adds or enables an assigned but disabled license on selected devices.

. Remove/Disable License - Removes a floating license or disables an assigned license on selected devices.

. Change Policy - Changes the Recording Policy assigned to selected devices.

Grouping

The Grouping button allows you to manage Recorder groups (under Recorders in the sidebar) from any list. See Recorder Groups.

Managing Recorder Groups

Recorder groups appear in the sidebar under the Recorders button. Groups simplify Recorder installation, updates, and the other commands you execute on several Recorders at once. Initially, the only available group is "Ungrouped." "Ungrouped" collects all Recorders that do not belong to another group. Set up your own groups before, during, or after adding Recorders.

About Recorder groups

. Only deployed devices are grouped. Recorder groups contain only devices where a Recorder has been deployed (or where deployment was attempted or planned).

. A group contains any OS or domain. A Recorder group can contain Recorders from any OS platform and from any domain.

. A recorded device belongs to one group only. Each device belongs to only ONE Recorder group. Use Device Categories when you need a device to belong to multiple groupings for criteria, alert, and other selection purposes.

. You can move a Recorder from one group to another. After adding Recorders to Ungrouped or another group, you can select devices from the list and move them to another Recorder group.

. Execute commands on multiple Recorders in a group:

Update Recorder - Update the Recorder version.

Uninstall Recorder - Uninstall and remove the device.

Cancel Actions - Stop an Install, Update, Uninstall, or configuration change.

Add/Enable License - Add a license or enable a disabled license.

Remove/Disable License - Remove a floating license or disable Veriato 360 or Veriato Recon.

Change Policy - Assign a new Recording Policy to devices.

Move to Group - Move selected devices to the selected group.

NOTE: When using the "Select All" checkbox in a large group list, commands will take time to execute on all devices and update the device status. You may need to refresh the list.

Add a group

1. From "Ungrouped" or any other Recorder group, select Grouping | Add a Group.

2. A name entry field appears in the menu. Type a name and press Enter to add the group to the sidebar.

Move to Group

Moves selected devices to the group you select in the submenu.

Edit Group Name

Renames the currently open group. An entry field appears in the menu. Type a group name and press Enter. The new name appears at the top of the group panel.

Remove a group

Removes the currently open group (if it is NOT "Ungrouped"). Devices in the group return to "Ungrouped." Open a group you want to remove and select Grouping | Remove Group. The group disappears from the sidebar.

Adding Recon or 360 Capability

To enable Veriato 360 or Veriato Recon capability, add the license to selected devices using Recording | Add/Enable License. Switch the license capability at any time. The Recorder requests changes to its configuration every 5 minutes, so changes to licensing should take no longer than 5 minutes.


For example, if you have Veriato Recon on all devices, but need to investigate 5 users, select the devices in their group list and add a Veriato 360 license. Recorded activity that has been "locked" at these devices is uploaded, and you can view detailed Veriato 360 screenshots and data. The command affects each selected device:

. The requested license is added (and consumed from the available pool) if the device doesn't have it.

. The license is enabled if it is assigned but disabled at the device.

. The request is ignored if the license is already assigned and enabled at the device.

. If there are fewer licenses than unlicensed, selected devices, some devices will not receive the assignment.

To disable license capability, see Remove/Disable Capability on Devices.

Add a license

1. Open a Recorders group.

2. Check the device or devices where you want to change license capability.

3. Select Recording | Add/Enable License.

4. In the panel that appears, select the type of license you want to add (only the license types you have purchased will appear). The panel shows number of licenses in use and available. Adding new licenses to devices changes the numbers but enabling disabled licenses does not.

Veriato 360 Floating - Adds or enables detailed data capture and return. A floating license can later be removed and returned to the available pool.

Veriato 360 - Adds or enables detailed data capture and return.

Veriato Recon - Adds or enables Recon behavioral analysis.

5. Click Confirm to execute the command or x to cancel. Status of devices in the Recorder group is updated to show new or newly enabled licenses.

Removing or Disabling Recon or 360 License Capability

Remove a Veriato 360 Floating license to release it and return the device to its previous state. Disable other license types to remove the license capability. Switch the license capability at any time. The Recorder requests changes to its configuration every 5 minutes, so changes to licensing should take no longer than 5 minutes.

For example, you have 5 devices with both Veriato 360 and Veriato Recon licenses, and you are ready to return them to Recon privacy. Simply disable the license (or remove floating licenses). Recording at the computer does not stop; if you enable the license again, recorded activity would be uploaded.

Removing a Veriato 360 Floating license from a device that has no other license leaves the device without a license, and a warning status appears in the Recorders list.

1. Open a Recorders group.

2. Check to select one or more devices where you want to change license status.

3. Select Recording | Remove/Disable License from the top bar.

A "Remove or disable" panel appears. A drop-down list shows only the license types assigned to the selected device(s).

The panel shows number of licenses in use and available. Removing a floating license changes the numbers but disabling other licenses does not.

4. Select the type of license you want to remove or disable. If any selected device does not have the license type you choose, it will be ignored.

Veriato 360 Floating (remove) - Removes the license and returns it to “Available" status. The license is no longer assigned to the device.

Veriato 360 (disable) - Disables return of detailed activity data. The license is still assigned to the device and can be enabled.

Veriato Recon (disable) - Disables Recon analysis of activity (any Recon license type, 30, 60 or 90- day). The license is still assigned to the device and can be enabled.

5. Click Confirm to execute the command or x to cancel. Status of devices in the Recorder group is updated to show any license still recording, or "No recording."

NOTE: If you deploy a Recorder to a device that has NEVER been recorded, and there is an Install Error, selecting the detail action option to Remove the device also releases the assigned license.

Changing an Assigned Recording Policy

A recording policy (usually the "default" policy) is assigned to each Recorder when it is deployed. Switch the policy on a device at any time. A policy change is received by the Recorder when it checks in (every 5 minutes). However, the new policy may have settings that won't go into effect until the user closes and re-opens active applications or restarts the device. See Changing Recording Policy Settings.

For example, you may reserve an "Investigation" policy that takes frequent screenshots and captures detailed document activity for devices where improper behavior is suspected.

1. Open Recorders and the group listing device(s) where you want policy changes.

2. Select the devices.

3. Select Recording | Change Policy from the top bar.

4. Select the recording policy you want to use. If you have selected devices of more than one OS, policy selections will be available for each OS.

5. Press Submit. Status of devices in the Recorders list is updated to show the correct policy.

Automatic Check for Version Updates

It's important to keep Recorders up-to-date because Internet browsers and chat and email clients are constantly being updated. An old Recorder version may be unable to capture activity in a browser such as Chrome once the browser has moved on. New Recorder versions ensure proper recording and stealth capability and may provide new options. Automatic update checks alert you to the latest versions.

1. From the Management Console top bar, select Global Options.


2. In the Recorder section, check Automatically Check for updates.

Automatic update setting

The option to automatically check for updates is ON by default and requires an Internet connection for the nightly update request. To turn it off and check for updates only at your convenience, return to Global Options and deselect "Automatically check for updates."

IMPORTANT: With Automatically Check for Updates checked, and Automatically Update Recorders enabled, the Recorders Version will be installed as scheduled. Make sure you have set an update time when users will not be at their computers.

What's in an update

. Recorder versions - Updates for the client Recorder software are usually available monthly. If a version for an OS newer than your latest version is available, it appears in your updates list. Follow the directions in Updating the Recorder to apply it to clients.

. Veriato Recon/360 Server release - Updates to the Veriato Recon/360 server are usually available every 6-12 months. If a new server release is available, it appears in your Veriato Recon/360 Updates list. Link to the Veriato download site to download the setup package.

NOTE: The update check is a secure, encrypted exchange that carries only licensing and version status information. No recorded data is exchanged.

Updating the Recorder

New Recorder versions keep pace with the latest browser, chat, and email releases. Skipping a version update may mean lost data! Before updating Recorders, check for updates to see if you have the latest software for each operating system.

About updates

Each Recorder checks in for configuration changes every 5 minutes. If an update is required for "Now" (as soon as possible), or at a scheduled time, the update is pulled from the server at the next check-in.

. Before updating, check for updates to see if you have the latest software.

. New Recorder versions may require updating antivirus exclusions.

. An update is only applied if the selected version is newer than the currently installed version.

. A "pull" update is applied if the currently installed version can be updated in this manner. A new version may require a “push” (reinstallation) update.

. If an update cannot be applied, the Recorder remains (recording or not recording) under the current version.

. An update applied to a device with a disabled license does not enable the license.

. To "roll back" a Recorder version, you must Uninstall the Recorder and use Add Recorder again.

Applying updates from a manual setup file

Running a manual installation on devices where the Recorder is already installed will update the Recorder version if the installing version is newer. This is a re-installation of the software and will restart computers. Always Update Android with a manual setup file.

Applying updates from the Management Console

Apply updates from the Recorder group lists using Deployment | Update Recorder.

1. Open a Recorders group.

2. Select individual devices or use the select all checkbox to select all Recorders on the current page or in the current group.

3. Select Deployment | Update Recorder from the top bar.

4. If you wish, select versions for operating systems: If more than one OS platform is in the current selection, you can choose a version for each. Note that the default selection is the latest version downloaded. If you select a version earlier than a device's current version, the device will NOT be updated.

5. Schedule the update for Now (as soon as possible after you submit the command) or At a scheduled time. For a scheduled time, select a date from the calendar and a time. Time format is based on your system clock, and time is your current zone.

6. Click Submit.

7. The update request completes and provides status. Click OK to dismiss the message.

In the group list, devices being updated now show the status "About to update" or "Waiting for scheduled update time." When the update begins, a progress bar appears. Any update errors appear in the Recorder details for a device.
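As an added illustration (not Veriato code) of the rules above: the console only updates a device whose installed version is older than the selected version, and a pull update only reaches a device that is still checking in. The Python below triages a constructed inventory against hypothetical per-OS target versions, comparing versions numerically (so 6.10 is newer than 6.5) and flagging devices whose last data exchange is older than three of the 5-minute check-in intervals described in this guide. The device names, version numbers and the three-interval threshold are assumptions.

```python
from datetime import datetime, timedelta

CHECK_IN_INTERVAL = timedelta(minutes=5)   # check-in cadence stated in this guide
STALE_AFTER = 3 * CHECK_IN_INTERVAL        # assumption: three missed check-ins is suspicious

# Constructed inventory: name, OS, installed Recorder version, time of last data exchange.
NOW = datetime(2019, 5, 13, 9, 0, 0)
DEVICES = [
    {"name": "WS-001",  "os": "Windows", "version": "6.4.1130", "last_exchange": NOW - timedelta(minutes=2)},
    {"name": "WS-002",  "os": "Windows", "version": "6.5.0",    "last_exchange": NOW - timedelta(minutes=4)},
    {"name": "WS-003",  "os": "Windows", "version": "6.10.2",   "last_exchange": NOW - timedelta(minutes=1)},
    {"name": "MAC-001", "os": "macOS",   "version": "6.3.2",    "last_exchange": NOW - timedelta(minutes=3)},
    {"name": "WS-004",  "os": "Windows", "version": "6.2.0",    "last_exchange": NOW - timedelta(minutes=40)},
]
# Version selected per OS in the Update Recorder panel (hypothetical numbers).
TARGET_VERSIONS = {"Windows": "6.5.0", "macOS": "6.4.0"}


def parse_version(text):
    """'6.10.2' -> (6, 10, 2). Tuples of ints compare correctly, whereas the
    plain strings would rank '6.10.2' below '6.5.0'."""
    return tuple(int(part) for part in text.split("."))


def plan_update(devices, target_versions, now=NOW):
    """Sort devices into what an Update Recorder command would do with them."""
    plan = {"update": [], "current": [], "older_target": [], "stale": [], "no_target": []}
    for dev in devices:
        if now - dev["last_exchange"] > STALE_AFTER:
            # A pull update is fetched only when the Recorder checks in; a device this
            # quiet will sit in "About to update" until it returns or you cancel.
            plan["stale"].append(dev["name"])
            continue
        target = target_versions.get(dev["os"])
        if target is None:
            plan["no_target"].append(dev["name"])   # no version chosen for this OS
            continue
        current, wanted = parse_version(dev["version"]), parse_version(target)
        if wanted > current:
            plan["update"].append(dev["name"])
        elif wanted == current:
            plan["current"].append(dev["name"])
        else:
            plan["older_target"].append(dev["name"])  # console will NOT downgrade
    return plan


if __name__ == "__main__":
    for bucket, names in plan_update(DEVICES, TARGET_VERSIONS).items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
```

Run the triage before submitting the command: devices in the "stale" bucket are the ones that will later show a lingering "About to update" status, and are worth checking under Recorder Not Responding first.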

Uninstalling (Remove) Recorder

Uninstalling removes the Recorder software from a device AND removes the device from the Recorder group list.

1. Open the Recorders group listing the device(s) you want to remove.

2. Select one or more devices.

3. Select Deployment | Uninstall Recorder from the top bar.

4. Choose whether to execute the uninstall Now (as soon as possible) or at a scheduled time.

5. Click Submit and wait as the removal request is sent to the client computer(s).

The uninstall executes at the client at the requested time (or as near as possible) and restarts the computer on completion. The Recorder is not fully removed until the restart. The device disappears from the Recorder group list, but any previously recorded data collected from the device remains in the database.

NOTE: Uninstalling a Recorder does NOT release its license unless a Recorder has NEVER been successfully installed or activated on the device. Be sure to remove (reclaim) any Veriato 360 Floating licenses before you uninstall.

About to Install/Update/Uninstall

Following an Add Recorders, Update or Uninstall command, devices in a group list go into an "About to" or "Waiting for scheduled time" state, displaying a yellow attention status.

The message is normal

When an install, update, or uninstall was requested for "Now," you see an "About to..." message until the action executes. If the install was requested for a future, scheduled time, the "About to" message becomes "Waiting for Scheduled Time." These messages are normal, and simply inform you of the current state of the device.

The action can be cancelled while the device is waiting. Once the action starts executing, it is too late to cancel it.

If the device remains in this state too long

If a device REMAINS in the "About to" or "Waiting for" state for an extended period beyond the expected time, and you know the device is on the network, an error may have occurred. In this case, you can cancel the action and then try again after exploring possible issues.

Cancelling an install

Before an "Install" executes, cancelling the action removes the device from the group list, since a Recorder has not yet been installed. The device will be available for adding again, with no license used.

Cancelling an update

Cancelling an "Update" returns the device to its previous state without updating the Recorder software. If you choose to cancel, a second option appears allowing you to cancel updates with the same status within the current Recorders group.

NOTE: If an Update fails for devices that have been decommissioned and are no longer on the network, you can cancel the action and request an Uninstall. The Uninstall "About to" status provides an option to remove the device.

Cancelling an uninstall

Cancelling an "Uninstall" action simply returns the device to its previous state without removing the Recorder software.

Cancelling an uninstall and removing the device

A second option for cancelling an Uninstall cancels the action AND removes the device. IMPORTANT: Do NOT use this option unless you have been unable to complete a normal Recorder Uninstall. There is a possibility of ending up with an "orphaned" client. Be sure to check communication issues in Recorder Not Responding.

If the "About to uninstall" status remains because the device has been decommissioned and is no longer on the network, this option allows you to "clean up" the Recorder group list by removing it. The command does NOT change the status of a used license or remove existing Recorder software.

Contact Veriato if you have questions.

Apply to all devices with this status

When you select a Cancel option, you have the option to apply it to all devices with the SAME STATUS in the group.

. Devices about to Install will be removed.

. Devices about to Update will be returned to their previous status.

. Devices about to Uninstall will be returned to their previous status or removed.

Cancelling all actions

You can cancel ALL Install, Update, or Uninstall actions either about to take place or scheduled for a future time. This action does not apply to Androids or other Manual Setup installations.

1. Select devices (or all devices) where you want to stop a command from completing.

2. Select Deployment | Cancel Actions from the top bar.

3. On the message that appears, select Submit to go ahead with the cancellation. If an Install, Update, or Uninstall was set for a scheduled time that has not passed, it is cancelled.

Managing Users

After deploying the Recorder, recorded users begin to appear in each group.

About the list

The list shows a one-line summary for each user. Sort the list by Display Name, User Name, or Status. Use the drop-down symbol at the right end of a user row to open complete status details.

. Display Name - "Friendly" name of the user as it appears on charts, reports, and grids. If not previously provided, appears the same as the User Name. Open the user details to display additional information and edit the display name.

. User Name - Account used to log in. Open the user details to see domain and device.

. Status - Open details to view recorded data for this user.

Searching

Use the Search entry box at the top of the list to find users in large groups. You can search for any text in the main user row (Display Name, User Name, Status). The search is not case sensitive.

Type a search word or phrase and press Enter to filter to resulting matches. Click the X in the search box to clear your entry and return to the full group list.

. Exact match - Type a complete name and press Enter. For example: The search john finds nothing, but john smith finds John Smith

. Wildcard before - Type a * wildcard before your entry to include any preceding characters in the results. For example: The search *john would find: Stuart John, Louise Upjohn, dev.xyz\lupjohn

. Wildcard after - Type a * wildcard after your entry to include any following characters. For example: The search John* would find: John Smith, John Thomas, johnscomputer\jsmith

. Wildcard before and after - Type a * wildcard before and after an entry to include any (or no) surrounding characters. For example: The search *john* finds ALL of the above results plus: Arnold Johnson, dev.xyz\john.smith, dev.xyz\xjohnson
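The wildcard rules above and the Recorders list search described under Managing Recorders differ only in what a plain entry without * does: substring match in the Recorders list, whole-field match in the Users list (where "john" finds nothing but "john smith" finds John Smith). The following Python, added here as an illustration and not part of Veriato's software, implements both behaviours as one small matcher and runs it over constructed sample rows built from the names used in the examples. The (Display Name, User Name, Status) row layout and the case-insensitive treatment of the Recorders search are assumptions; the guide documents only the Users search as case-insensitive.

```python
import re

# Constructed sample data, reusing the names the guide's examples mention.
DEVICE_NAMES = [
    "John Smith", "Parker Johnson", "Stuart John", "Louise Upjohn",
    "dev.xyz\\lupjohn", "John Thomas", "johnscomputer\\jsmith",
    "Arnold Johnson", "dev.xyz\\john.smith", "dev.xyz\\xjohnson", "Mary Jones",
]

# (Display Name, User Name, Status) rows as shown in the Users list.
USER_ROWS = [
    ("John Smith", "dev.xyz\\john.smith", "Recording"),
    ("Stuart John", "dev.xyz\\sjohn", "No recording"),
    ("Louise Upjohn", "dev.xyz\\lupjohn", "Recording"),
]


def compile_search(entry, exact_by_default=False):
    """Turn a console search entry into a case-insensitive predicate on one field.

    A leading * allows any preceding characters and a trailing * any following
    characters. Without wildcards the Recorders list matches a fragment anywhere
    in the field, while the Users list requires the whole field to match.
    """
    leading = entry.startswith("*")
    trailing = entry.endswith("*")
    core = entry.strip("*")
    if not core:                        # "*" or an empty entry selects everything
        return lambda field: True
    if not (leading or trailing) and not exact_by_default:
        leading = trailing = True       # plain fragment -> substring match
    pattern = ("" if leading else "^") + re.escape(core) + ("" if trailing else "$")
    regex = re.compile(pattern, re.IGNORECASE)
    return lambda field: regex.search(field) is not None


def search_devices(names, entry):
    """Recorders list: the search looks only at the device name."""
    match = compile_search(entry, exact_by_default=False)
    return [name for name in names if match(name)]


def search_users(rows, entry):
    """Users list: a row matches if any of its visible fields matches."""
    match = compile_search(entry, exact_by_default=True)
    return [row for row in rows if any(match(field) for field in row)]


if __name__ == "__main__":
    for entry in ("john", "*john", "John*", "*john*"):
        print(f"Recorders {entry!r:9} -> {search_devices(DEVICE_NAMES, entry)}")
    for entry in ("john", "john smith", "*john", "recording"):
        print(f"Users     {entry!r:13} -> {[row[0] for row in search_users(USER_ROWS, entry)]}")
```

Note that "*john" does not find "John Smith" in either list: the wildcard only allows characters before the fragment, so the field must end in john. Use "*john*" when you are unsure where the fragment falls.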

Displaying user details

Hover over a row and click the double-arrow that appears to expand user details.

Details include:

. Email - User's email address, if any was provided.

. Last Used Device- If the user has been recorded, the last device that reported data.

. User Recordings - If the user has been recorded, a badge for each type of recorded event appears. Click any one of these to view activity. A badge ONLY appears if the user has been active. User Status appears for ANY activity. Screenshots appears for any activity recorded by Veriato 360. A user recorded by Veriato 360, who has been active on Websites, Email, and Applications, would have badges for User Status, Screenshots, Websites, Email, and Applications.

Editing a user's display name and email

Once you add a user, you can modify only the Display Name ("friendly" name) and Email address.

. The Display Name appears on charts, reports, and grids.

. The Email address is optional and for your convenience. Edit these fields at any time.

Viewing user activity

When recorded activity or alerts start coming in for a user, blue badges show up in the user details. Click any one of these to open recorded events for the user. A badge only appears if the user has been active. User Status appears for ANY activity. Screenshots appears for any activity recorded by Veriato 360. A user recorded by Veriato 360, who has been active on Websites, Email, and Applications, would have badges for User Status, Screenshots, Websites, Email, and Applications.

A user where recording is not active, or who hasn't been active on the recorded device, shows no blue badges.

Grouping Users

User groups appear in the sidebar under the Users button. Initially, only an "Ungrouped" group appears. Setting up User Groups - by department, geographic location, level of investigation, or mirroring Active Directory - makes criteria selection and creating alerts easier.

Newly recorded users are automatically added

As Recorders report in with data, any new users are automatically added to the "Ungrouped" list under Users. For a large organization, this could result in many users in one "Ungrouped" list.

You may want to add users to appropriate groups before recording begins. When a user with a matching username and domain (or computer for a local login) is already in a group, new data is added to the user in that group, rather than adding a new user.

IMPORTANT: You cannot remove users once they are added to the database. You can Delete Data for specific users in Data Retention.

Adding a user group

1. From any Users group, select Grouping | Add a Group from the top bar. The New User Group window appears. All users in your Veriato database appear in the "Available" column. If there are no available users, you can create an empty group (see Adding Users to add users).

2. Type a Group Name.

3. Type a group Description.

4. Select the Group Type.

Specific Users: Lists all users in the "available" column allowing you to select individual users for the group.

All Users from Specific Domains: Lists all domains in the "available" column, allowing you to select ALL users in one or more domains.

NOTE: If no users or domains are available, exit the window and try importing users from Active Directory or from a list. If you have been using Recon, you can capture Behavioral Groups from a Behavioral Group chart.

5. Select a user or domain from the left column list. Use the Shift and Control keys to select multiple users.

6. Click > (or double-click) to send a highlighted user to the right-hand "selected" list. Use >> to move all users into the group. Use < to move a selected user back to the available list. Use << to move all selected users back to the available list.

7. When all desired users are in the "selected" list, click Save and Close on the toolbar. The window closes, and the new user group appears in the list of groups in the right pane.

Modifying a group

Select Grouping | Modify Group to open the user selection box for the current group.

. Change the name or description by selecting and typing over the current field contents.

. Remove users by selecting them in the "Selected Users" list and then clicking < to send them back to the "Available Users" list.

Deleting a group

Does not apply to "Ungrouped." Delete a user group by selecting Grouping | Remove Group from the top bar. Any users in the group are returned to "Ungrouped."

About user groups

. Users can be recorded or unrecorded. You can add any user to a group. Users do not have to be "verified." However, to make sure incoming data matches up to the user you add, be sure the domain (or local machine) and user name (as known to the network) are correct!

. A user can belong to more than one category. You can add a user to more than one User Group.

. Use Modify to move users from one group to another. Select Grouping | Modify Group and remove users from this group or add them to this group. Go to or Add another group and do the same.

. Data migrated from previous versions includes only "recorded" users. If you have upgraded, your former "Dashboard" User Groups should appear in the sidebar under Users. Users who were never recorded and had no data in the database, however, will not appear in groups.

. User groups can be used for Global or General criteria selection. When you are creating charts, reports or Data Explorer views, rather than hunting through a long list of users and making individual selections, you can select a user group or a custom category, such as "HR Dept" (all people in the Human Resources) or "HR Dept NEW" (just the new hires in HR). Groups can also be used to set Account user access privileges.

. User groups are used in alerts. Both 360 Event Alerts and Recon Alerts are assigned either to "All Users" or to specific user groups. Make sure you move users from "Ungrouped" to a specific group if you want them to be covered by an alert policy.

Adding Users

If you add and organize users in Veriato User Groups before actual user data comes in, you'll be able to set up data views and alerting. Plus, you'll know where to find users and their activity when data starts coming in. See User Groups. From any User Group, select Add User from the top bar. The page flips to the Add User wizard.

NOTE: It's important to add users by the correct user account name, as known to the network, in order to associate the correct incoming data with the person you added.

Creating a list

If there is "nothing to display," click a button above the list area. Automatic discovery, if in progress, will stop. It's possible to use any combination of the following methods to create a selection list.

. Active Directory - Browse and select users from Active Directory. You'll need to provide credentials first. Select individual users or bring in entire Organizational Units (OUs). Click Add Users in the upper right corner to add your selections to the list.

. Import File - Select this option to import a list of users in a .CSV formatted text file. Imported users do not have to be "verified" on the network and are automatically selected when added to the list.

. Add One - Select to type in a username. Added users do not have to be "verified" on the network and are automatically selected.

NOTE: You cannot remove users once they are added to the database.

Search to filter

If the Select list is long, you can filter it to focus in on a subset. Type characters from a user account or display name in the search box. Use wildcards to find multiple matches. The list immediately filters to show only the matches. When you select all users now, only the visible users are selected. Use the X button to clear the search and return to the complete list.


Sort by column

Click the sort toggle button next to a column header to choose it as the sort field, and to toggle between an ascending and descending sort.

Click Add to complete the wizard

The Add button is at the lower center of the panel and is activated as soon as you select at least one user. The users are processed, and the page flips back to the Users list.

Using Active Directory to Add Users

Users are automatically added to the Management Console as they are recorded. You may want to add them sooner to set up focused alerting policies. There's no "deployment"; you are simply listing the people you plan to monitor in "groups" as you wish.

Adding users

1. Select Users and a user group. You will add to the group you are in. Select "Ungrouped" if it is the only group. You can organize users into groups later for easier management. You will be importing ONLY user accounts as known to AD, NOT AD group or organizational unit names.

2. Click Add Users. Use the button on the blue top bar to start the Add User wizard.

3. Choose Active Directory. On the Add Users panel, click the Active Directory button.

4. Access Active Directory. If necessary, set credentials to access Active Directory.

Domain name - Type the name of a domain on your local network managed by AD.

Account Name - Type the username for a network account on the domain.

Password - Type the password for the account and click Submit.

If the account is verified, the Select User tab is activated. If the account is not verified, correct your entries and submit again. The previous credentials (if any) remain in place until new credentials are verified.


5. Select users and/or groups from Active Directory. The tree on the left represents your current Active Directory structure for users. Checking a group (organizational unit) selects all users in that group. Checking an individual selects that user. (Nothing you do in Veriato Cerebral will affect your AD settings.)

Browse the tree view, opening ( + ) or closing ( - ) branches to find Active Directory sub- groups and/or individual users.

If you select a folder (OU), you automatically select all items within the folder. Selections are checked and highlighted, and a count is tracked on the right side of the panel. Click a selection again to clear it.

6. Click the Add Users button when you are ready. The button at the top right of the panel closes the Active Directory panel and adds your selections to the "Add User" candidate list.

NOTE: If you select a large number of users from Active Directory, only the first 3,000 will be visible in the Add Users list, but all will be added when you finish by clicking Add at the bottom of the wizard.

Refine your selections and add the users

Your Active Directory selections populate the candidate list as pre-selected. Use the checkbox at the top of the list to select or deselect ALL items. You can return to the Active Directory panel as you like to add more items before pressing Add at the bottom of the panel.

When you click Add, you return to the user group list.

NOTE: Your selections are not synced to Active Directory.

Adding One User at a Time

You can type in names of users one at a time. Open a Users group, select Management | Add User, and on the Select panel, click the Add One button.


1. User Name - Type the user account name. If the username you add is not the same as the username used by the network, this user will collect no data.

2. Logs in to - Type the domain or (if not logging into a network) the name of the device the user normally logs in to.

3. Display Name - This name appears on charts, reports, and data grids. It can be the user's full name or simply a repeat of the account name. You cannot use the same display name twice! Be prepared to have a system for distinguishing users who have the same name.

4. Email - If available add the email. This is useful for Scheduled Reports that go directly to the user.

5. Press Add. The user is added to the selection list. User names are not verified. Be sure your entries are correct. If the user's activity comes in under another user specification, you can simply remove this entry.

Importing Users

If you do not add them, users will appear in the Management Console when recorded activity or triggered alerts return to the server. However, for the ability to select Users and User Groups in alerting policy and data views and reporting, you can add them immediately. One method is to import a list of users in a .CSV or .XML file. Follow the instructions below to create a file, and re-import as many times as needed to fill in missing users.

Import rules

When you import users, the following rules apply:

. Required Fields - If a REQUIRED field is missing, the record is skipped. Other, valid records will be imported.

. User Name - The account name a user logs in with must be paired with the correct domain or device (if not on a domain). If a domain\username or computer\username combination already exists in the database, the user will not be imported.

. Display Name - The Display Name ("friendly" names) must be unique for each user. If the Display Name (DisplayName) already exists in the database, the user record will not be imported.

. CSV - A Comma Separated File must be formatted as shown below.

. XML - An XML file must be formatted using tags as shown below.

IMPORTANT: When importing users in a file, make sure you have each account name and domain (or device, if not on a domain) listed correctly. You want each fully qualified user name to match what Veriato Cerebral returns to the database when users are recorded in the future. Following import, only the first 3,000 users will be displayed in the "Select" candidate list, although all will be added.

Import users from a CSV file

A CSV file is a text file saved with the .csv suffix (for example, "names.csv"). In the text file, fields are separated by commas or tabs. The file can be created from an Excel spreadsheet or other application and takes the following format.

UserName,DisplayName,LoginType,DomainDevice,Email,Group

The import expects the fields in this order:

. UserName - REQUIRED. The account name the user logs in with.

. DisplayName - REQUIRED. The display name identifies users in charts, reports and data views.

. LoginType - REQUIRED. Either Local or Network.

. DomainDevice - REQUIRED. If the LoginType is Local, the name of the device the user logs into. If the LoginType is Network, the name of the domain the user logs into.

. Email - OPTIONAL. The user's email address. Appears in the User Details and can be used to send the user reports.

. Group - OPTIONAL. The organizational group or Veriato group the user belongs to. If it doesn't exist, the group is created. When you Add the users, they are added to their specified group.

XML File

An XML file is a text file with XML markup, saved under a name with the .xml suffix (name.xml). Be careful not to include spaces in the field names. The example below shows the required format and fields (same as for CSV above).


The import uses the following XML elements:

. Root: The Root tags enclose all the file contents. XML requires this top-level tag.

. Users: The Users tags enclose all the user definitions. Users can be in any "group" and do not have to be organized with other users from the same group.

. User: Each User tag specifies a complete user record with the fields, as described for .CSV above.

Viewing User Activity

As soon as a Recorder is installed on a device, it begins returning recorded activity (or Recon metadata) to the Veriato Server. The database stores all data by user. Use the group lists in Users to review a user's activity.

NOTE: Recording Policy settings must be turned on for the type of activity you want to view.

Available activity

Select Users and open a User group. Click on a user row to view details. If there has been any recorded activity, blue badges appear in the Status area. Press a blue badge to open a view of the user's activity.

Select general criteria

For most activity types, a general Criteria selection window appears, allowing you to widen or narrow the time period covered in the Event window. Just press OK to use the default time range and open the Event window.

The User Explorer event window

The User Events window is like a Data Explorer Events window, except it covers just one user. Select from the Navigate and Summary panes as you wish and be sure to click Load Events to see the details in the Events pane.

Screenshots open the screen snapshot viewer, which has a set of Play buttons.

Setting Policy

A policy outlines the boundaries of appropriate use and handling of your organization's assets: devices, network access and intellectual property. It may address workflow, communication standards, industry compliance, and security protocols.

Alerting Policy

Alerting policy keeps track of unusual activities veering out of the acceptable range. Predefined alerts are available.

. Anomaly Alert policies process Veriato Recon metadata to establish "normal" patterns of behavior for individuals or groups and alert on significant changes. You decide what is important to watch: unusual email attachments, file uploads, printing, resource usage, or remote logons.

. Event Alert policies scan 360 activity in the database for threshold conditions, such as count, size, file names, time of day, and so on, depending on the event type.

. Keyword Alert policies trigger instant alerts on keywords and phrases at any Veriato client, providing near real-time notification.

. Email Operators are the people receiving and monitoring triggered alert email. The Veriato Master Account owner is automatically defined as the System Email Operator for system health alerts. Define other operators simply by entering an email and assigning the operator to an alert.

Recording Policy

Recording policy determines what is captured at the endpoint device. Veriato provides recording policies with optimal coverage for normal monitoring. You may need to customize or turn on some settings, but for the most part you can "go" with the initial policies.

Once the Recorder is deployed, changes to a policy made from the Management Console are automatically relayed to the Recorders using that policy. In a few cases, policy changes require a "push" install and restarting the computer. Updating or assigning a new policy will NOT remove data currently stored on the device. Changes simply set a new direction for capture of future data.

NOTE: Recording ON/OFF settings affect both 360 and Recon. Recording of activity must be on for Recon to perform behavioral analysis even though actual activity is not captured and stored.

Alerts - Anomalies

Anomaly Alerts

Veriato Recon provides predictive ability by scanning activity, analyzing behavior, and detecting unusual patterns. If behavior changes, you may be able to forecast a threat or spot one in progress. These policies set parameters for detecting anomalies that may warrant further investigation.

How it works

The Recorder watches the activity of users under the Anomaly Alert policy at the client without returning data. If a change in behavior triggers an active alert, data about the changed activity is sent to the server and logged, and the alert actions are taken. To learn more, read:

. Baseline Anomalies

. Anomaly - Self-to-Self Comparison

. Anomaly - Self-to-Group Comparison

Before you begin

Being able to predict fraud, data breaches, IP theft, and other threats requires some modeling. What are the possible threats to your organization? Who are the actors most likely involved and how would they do it? Answer these questions based on your experience and what you can predict. We recommend communicating with key people in your organization to come up with a clear understanding of the who, what, and why focus of your monitoring.

Some of the information you can gather:

. Your current policies - Existing acceptable use, security, and industry compliance policies and procedures.

. Intellectual Property - Filenames and locations of intellectual property you need to protect.

. Privacy - Areas of the network where confidential data is stored.

. Thresholds - What kind of activity and how much of it is inappropriate, based on a user's department or role.

. Scenarios - What constitutes a threat in your environment.

. Outsiders - Competitors, former employees, hackers, etc.

. Insiders - Who are privileged users with access to sensitive areas of the network.

. What happened before - A map of what happened for past incidents or violations, as best you can trace it.

Add Anomaly Alert – Alert Type

The Add Alert wizard for Recon allows you to select the type of alert you are defining. Once an alert definition is saved, you can't change the type.

Name

You must provide a name to continue. Enter 1 - 256 characters. The alert name will appear as a header in your alert email reports and as a "Description" field in Alert Event details. You can type a further description for the alert in the second box. The description appears in your list of alerts.

Triggers on

The Alert Type you choose determines the next pages in the alert wizard.

. Anomalies – Self-to-Self Comparison

. Anomalies – Self-to-Group Comparison

. Compromised Credentials

Click Next when you have a name and the desired alert type and go on to select which users the alert applies to.

Add Anomaly Alert - User Selection

The Users panel allows you to specify which users are covered by the alert policy.

All users

The default option is to watch for alert conditions among All users. If you are configuring a Veriato Recon alert, all users under Veriato Recon monitoring will be watched. The alert will apply to all users being recorded.

Selected user groups

To limit an alert's scope, choose Selected user groups, which are your Veriato Recon/360 User Groups, as defined in Users or in User Categories. If there is only the "Ungrouped" Users list, a message appears. You may need to add users and create user groups that aren't in the database yet.

When groups are available, Selected user groups lists them. Select one or more groups by checking them. If you want to watch a few users, you would create a user group for those users. Keep in mind that a Recon alert applies ONLY to those users in the group logging into a device with Veriato Recon monitoring. A 360 alert will apply only to users under Veriato Recon/360 monitoring.


To view users in the group, click the far-right symbol.

NOTE: It is possible that a user belongs to more than one Veriato Recon/360 group. If the user triggers an alert, the user will be called out in the alert email for each of the groups he/she belongs to.

Imported behavioral group

For Recon alerts, an option on the Users panel allows you to Import a Behavioral Group. A behavioral group comparison will highlight anomalies in a group where everyone has similar work patterns. See also Behavioral Group Anomaly.

1. Choose "Selected user groups" and click Import a Behavioral Group.

2. The "Selected user groups" list is replaced by the most recent "Behavioral Groups." Click the down arrow to view group members.

3. You can change the group name. The name is the only field you can change.

4. Select the groups you want to use. Click Import at the top of the table.

5. The checked behavioral groups now provide the selected users. Press Next to continue through the Recon alert wizard.


Add Anomaly Alert - Sensitivity

Two factors affect an anomaly alert: (1) what is established as "normal" behavior and (2) how much deviation is allowed before an alert is triggered. An alert’s “sensitivity” setting by default is "Medium High," which has a standard deviation of 2.

Setting sensitivity

Click on and drag the blue slider to raise or lower sensitivity.

. To receive fewer alerts, slide the threshold down to Medium Low or Low. A looser threshold results in fewer alerts.

. To receive more alerts, slide the threshold up to Medium High or High. This tightens the allowed deviation and results in more alerts.

The slider illustration

A yellow line shows the moving average (what is normal), a yellow threshold area (allowed deviation), and red marks that indicate outlying data where an alert would be triggered.

You can see by moving the slider that a higher alert threshold (narrower yellow area) generates more alerts and a lower threshold (wider yellow area) generates fewer alerts.


Default trigger values

An anomaly alert is triggered when a value is detected above or below a standard deviation from the user's own moving average (self-self) or compared to the group's daily average (self-group). The default Medium setting uses a standard deviation of 3 to trigger alerts.

Sensitivity      STD
High             1
Medium High      2
Medium           3
Medium Low       4
Low              5

Add Anomaly Alert - Action

Any alert triggered is automatically logged at the Veriato server. To know that it was triggered, you must set up email notification. An email report lists each user who triggered the alert and what the user was doing. The Action panel allows you to select who will receive alert email and when. Note that available actions and email rates depend on the type of alert you are configuring.

Action for an Anomaly Alert

Process this alert

Choose how often anomalies will be processed and action taken for this alert (if triggered).

. Daily - (Default) Triggered alerts are processed once a day.

. Hourly – Triggered alerts are processed every hour (if not the same user and conditions).

. Every Alert – Triggered alerts are processed as soon as an anomaly has been detected.

NOTE: Some alert conditions are processed only daily, or only daily or immediately.

Send email to

Alert email delivers a report on users who triggered the alert. Email requires one or more selected email operators. Each operator receives the same email report.

. Delivery of email (configured on installation) can be changed. See Configuring Alert Email Delivery.

. To select or create operators, click Add (see below).

. Operators already selected for this alert are listed below the Add button.

. Remove an operator by clicking the x button to the right of the email address.

Creating a new operator adds the operator to Alert Operators management. However, adding and removing operators from an alert policy has no effect on the managed list of operators. A removed operator can be selected again, if necessary.

Set the email rate

Choose when to receive the alert email. Note that if the alert is not triggered, no email will be sent. Each report itemizes users and cause of each trigger.

. Daily - (Default) Triggered alerts are processed once a day.

. Hourly – Triggered alerts are processed every hour (if not the same user and conditions).

. Every Alert – Triggered alerts are processed as soon as an anomaly has been detected.

NOTE: Some alert conditions are processed daily, or only daily or immediately. These are noted in the Add Alert wizard.

Alert Summary

The final step in the alert definition wizard is the Summary. Check your settings and click the link to return to a panel and make corrections as needed.

. Name - Change the name as you wish.

. Type - For a NEW alert, you can change the type. Be aware that this changes the focus of the alert. Once the alert has been saved, you cannot change the Alert Type.

. Processes - (Action Panel) Change the alert processing frequency as you wish, but some options may not be available at the rate you choose. Check each panel.

. Activity/Sensitivity - For an Anomaly alert, change event selections or the event type as you wish. You may also want to change the alert name. Change Sensitivity as needed.

. Users - Change as you wish. If you chose Selected User Groups but did not choose a group, the alert is disabled.

. Action - If you selected no action, there will be no notification. If no action was selected, the processing rate you chose may not be saved.

Click Save at the bottom of the panel to save the Alert and return to the alert list. If you need to change the alert, click on it in the alert list to enter the wizard and make changes.


Baseline Anomalies

Anomaly or outlier detection identifies events that do not conform to an established pattern. Studies have shown that insider attacks can be predicted by comparing levels of activity, such as printing or uploading files, with the normal patterns for each organizational role. The "insiders" 84% of the time had behavior that differed from the norm.

Why it's important

Anomalies in the activity of a user or group on your network often are visible only historically, after the fact. To catch anomalies as they occur, you need to know what to look for, usually based on what you already know. Veriato Recon does this automatically for you.

Recon anomalies

Veriato Recon takes advantage of the data captured by the Recorder to establish patterns and automatically highlight anomalous events as they occur. It helps you predict and highlight potential insider threats without compromising user privacy. The Recorder sends back event counts (or some value), such as count of emails. Veriato Recon then uses statistical analysis to define a pattern of behavior by applying a moving average or standard deviation over the last 20 days. When a count lies outside the pattern, the alert is triggered. Veriato Recon logs the alert event, and an email is sent from the server to the email operator(s).

Self-to-self anomalies require calibration time

Anomalies where each user's behavior is compared to their own past patterns (including Sentiment anomalies) take up to 30 days to calibrate. Although Veriato Recon goes to work immediately, at least 20 days of activity (not counting non-working weekends) are required to determine a user's normal patterns, so you may not see results for about a month. Once a pattern is established, an anomaly can be detected.

Self-to-group anomalies are daily

For self-to-group comparisons, the pattern established as normal is based on the daily average for the group (the Veriato Recon/360 group the user belongs to). The alert will watch "All users" or each user in the groups that you select and compare them to the group they belong to, or to all users, if they do not belong to a group.

Alert parameters

An anomaly alert is based on one activity type, but can focus on sub-activities, such as printing in documents or attachments in email. You may select several sub-activities in Email or Document activity. For example, the alert may instruct the Recorder to track daily totals of sent email, including count of emails, count of attachments, and count of BCC. The email report will itemize the activities that triggered the alert for each user.

By default, Recon triggers alerts on anomalies significantly different from normal patterns (Medium sensitivity). Read more about Anomaly Alert Sensitivity. The following graphs clarify how anomaly detection works. Daily totals for an activity (green line) are shown with the 30-day moving average (orange line).

Using the same data, vertical error bars can be used to illustrate deviations from the moving average, as shown below. Any value outside the range - the green line spiking above or below the vertical bars - is considered an outlier.

The graph below illustrates how alerts (red squares) would be generated on the outliers.


If sensitivity is decreased (as shown by longer vertical bars), fewer outliers occur, and fewer alerts are generated.

The lowest sensitivity setting would alert only on extreme outliers.

If the alert sensitivity is increased (illustrated by shorter vertical bars), there are more outliers, and more alerts are generated.


When an alert is triggered

When an anomaly is detected, action is taken. If you have configured SMTP mail delivery from the Veriato Recon/360 server, and added an "operator" to the Recon alert definition (under the Action tab), an email is delivered to that operator. In addition, the alert is logged in the database.

Anomaly alert email

An anomaly may not be a threat

Anomalous behavior occurs when someone's life takes a turn, and it may have nothing to do with work or an inside threat. But you will be able to discern the context and make this decision with the Veriato 360 view of email events and other communications.

How to respond

To ensure user privacy, Veriato Recon reports the anomaly trigger without context. Limited information is returned:

. Name of the alert that was triggered

. Reporting period

. The triggering user's name and group

. The activity that triggered the alert

. The number (count, file size, etc.) that triggered the alert

. The number that represents "normal" for the individual (self-self) or the group (self-group)

Anomaly - Self-to-Self Comparison

A self-to-self anomaly alert is triggered when a change is detected in an individual's activity. A user suddenly changing email or document patterns could indicate a vulnerability for data loss or policy violation. Veriato Recon establishes a user's pattern of normal behavior and sets the threshold of change that triggers the alert (sensitivity).

Select a Self-Self anomaly alert in the first add alert panel

Establishing normal behavior

"Normal" is established from data recorded at the user's computer (a moving average over a 20-day period) when the user has been working more than 3 hours. Weekends or vacation days, when the user is not working, are not included. Be aware that it takes time for "normal" to be established. The anomaly alert will be adequately calibrated after 20 days have passed.

For example, suppose anomaly alerting starts on 3/15/18. Bob sends 2 emails that day and continues to send 2-10 emails each work day until 4/15/18. If Veriato Recon/360 detects he is active on his computer more than 3 hours on any day (i.e., Monday - Friday), the email activity is counted. As Bob's email numbers go up or down over the next months, the parameters for "normal" are adjusted.

Each user's individual parameters

A self-to-self anomaly is triggered when a user's behavior changes by a certain amount below or above normal. Veriato Recon maintains a moving average and applies a standard deviation threshold. See Anomaly Sensitivity to learn how to adjust sensitivity to receive fewer or more alerts. Note that each user is being compared to a different average: his or her own.

Anomaly – Self-to-Group Comparison

A self-to-group anomaly alert compares the behavior of each user to that of the entire group. The alert is triggered when a user's activity spikes outside the established patterns for the group.

This comparison works best when there is uniformity within the group or within the activity watched by the alert; everyone has similar work patterns. As in self-to-self anomalies, two factors affect the alert: (1) what is normal behavior for the group, and (2) the alert sensitivity - how much deviation from normal it takes to trigger an alert.

NOTE: If a user belongs to more than one group selected for the alert, the user is compared to each group.

Select a Self-Group anomaly alert in the first Recon definition panel.

What is normal

"Normal" is established from daily averages for the group and comparisons can be made daily. Each user is then compared to the group. For example, number of emails sent by a user is compared to the average number sent by the group.

Each group provides the parameters

Two group members with completely different behaviors will influence the group average. For example, if Ryan sends about 4-10 email messages and Sarah (in the same group) sends 20-25 email messages, the "normal" range is wider. An alert would not be generated if Ryan sends 20 messages.

A self-group anomaly triggers when a user's behavior moves beyond the standard deviation for the group average.
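The following added example (not Veriato Recon's implementation) carries the arithmetic from the sensitivity table, Baseline Anomalies, Self-to-Self Comparison and Self-to-Group Comparison through on constructed counts: Bob's sent-email totals are compared with his own moving average over the last 20 active days (short days and weekends dropped, as described above), and each member of a group is compared with the group's daily average, in both cases allowing the table's number of standard deviations. The choice of population standard deviation, and of excluding the user from the group average they are compared against, are assumptions the guide does not settle.

```python
"""Worked anomaly checks: self-to-self (moving average over the last 20 active days)
and self-to-group (today's group average), each with the sensitivity table's number
of standard deviations. Added example, not Veriato Recon's implementation; counts
are constructed."""
from statistics import mean, pstdev

# Sensitivity -> allowed standard deviations, from the table in Add Anomaly Alert - Sensitivity
SENSITIVITY_STD = {"High": 1, "Medium High": 2, "Medium": 3, "Medium Low": 4, "Low": 5}
WINDOW_DAYS = 20        # calibration window from the guide
MIN_ACTIVE_HOURS = 3    # a day counts toward "normal" only if the user worked longer than this


def active_counts(history):
    """history: list of (hours_active, count) per calendar day, oldest first.
    Weekends, vacation and short days (<= MIN_ACTIVE_HOURS) drop out of the baseline."""
    return [count for hours, count in history if hours > MIN_ACTIVE_HOURS]


def self_to_self(history, today_count, sensitivity="Medium"):
    """Compare today's count with the user's own moving average over the last
    WINDOW_DAYS active days. Returns (is_anomaly, normal_average, allowed_deviation);
    until WINDOW_DAYS active days exist the alert is still calibrating and never fires."""
    window = active_counts(history)[-WINDOW_DAYS:]
    if len(window) < WINDOW_DAYS:
        return (False, None, None)
    avg, sd = mean(window), pstdev(window)     # assumption: population std dev
    allowed = SENSITIVITY_STD[sensitivity] * sd
    return (abs(today_count - avg) > allowed, avg, allowed)


def self_to_group(group_today, user, sensitivity="Medium"):
    """group_today: {member: today's count}. The user is compared with the daily
    average of the other members (assumption: excluding the user, so one extreme
    member cannot mask their own anomaly in a small group)."""
    others = [c for m, c in group_today.items() if m != user]
    avg, sd = mean(others), pstdev(others)
    allowed = SENSITIVITY_STD[sensitivity] * sd
    return (abs(group_today[user] - avg) > allowed, avg, allowed)


# Constructed: Bob's sent-email counts, 8-hour days plus one 1-hour day that is ignored
BOB_HISTORY = [(8, c) for c in (2, 4, 6, 5, 3, 7, 8, 6, 4, 5,
                                9, 10, 3, 2, 6, 7, 5, 4, 8, 6, 5, 7)] + [(1, 0)]

# Constructed: today's sent-email counts for one Recon group
GROUP_TODAY = {"Ryan": 20, "Sarah": 23, "Priya": 6, "Tom": 9, "Mallory": 80}

if __name__ == "__main__":
    for today in (9, 60):
        for level in ("Medium", "High"):
            hit, avg, allowed = self_to_self(BOB_HISTORY, today, level)
            print(f"Bob sends {today:2d} today at {level}: normal {avg:.1f} +/- {allowed:.1f} -> alert={hit}")
    for member in ("Ryan", "Mallory"):
        hit, avg, allowed = self_to_group(GROUP_TODAY, member)
        print(f"{member} vs group: normal {avg:.1f} +/- {allowed:.1f} -> alert={hit}")
```

With these numbers Bob's 20-day average is 5.8 emails with a deviation of about 2, so a day of 9 emails passes at Medium (3 deviations) but fires at High (1 deviation), and a day of 60 fires at either; in the group, Ryan at 20 stays inside the wide range set by Sarah and Mallory, while Mallory's 80 is flagged. Moving the slider only changes the multiplier, never the baseline itself.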

How to respond

To ensure user privacy, Veriato Recon uses numbers without content from actual events for these calculations. Limited information is returned:

. The user's name

. The group used for comparison

. Reporting period

. The type of activity and count (or other measurement) that triggered the alert

. Name of the alert that was triggered

Many factors can contribute to anomalies: time of year, events going on in a department, changes in the group. If you feel an alert merits investigation, you can apply a Veriato 360 or Floating license to the user's computer and gain immediate access to that user's status over the last 30 days. The context will become immediately clear.

Anomaly - Compromised Credentials

A Compromised Credentials alerting policy detects network logon activity that could indicate misused credentials, privilege escalation, or breach. It differs from other anomaly alerts in that it watches remote access via VPN connections, rather than focusing on specific devices. Behavioral patterns are used for some of the alert triggers, but not for others.


Triggering this alert requires

. A Veriato Recon license for the user triggering the alert. Whether or not it was the user him/herself using the account, the user needs Veriato Recon on at least one device he/she uses. Make sure all users you select for monitoring are covered.

. MS Routing and Remote Access Service (RRAS) VPN. RRAS is an API and server software used in applications that configure a device (server) to work as a VPN network router.

. Account credentials to access RRAS at a server. You need to give Veriato Recon access to at least one VPN server to trigger any alerts. Do this on the Compromised Credentials Activity page. See below.

Why it's important

A successful VPN connection is a direct line into your network. Someone from outside your organization who hijacked an account, or an insider who obtained credentials with elevated permission, will likely make the breach from outside the office. While it doesn't stop breaches, this alert can flag activity that might involve compromised credentials.

Establishing normal behavior

"Normal" VPN usage is established from data captured from the VPN server for each user. The anomaly alert will be adequately calibrated after 20 days have passed.

For example, you set up an alert with access to a new VPN server on 3/15/17. Bob logs into the network via VPN on every workday at 9 AM. Veriato Recon begins to establish that Bob is a VPN user, his normal logon time is at the beginning of the day, and the usual geographic location(s) from which he usually remotes in. By 4/13/17, Veriato Recon has a reliable calibration. As Bob's VPN behavior changes over the next months, the parameters for his "normal" and "unusual" activity are adjusted.

Alert options

After selecting All or Selected Groups of Users, select one or more types of remote login. The alert will trigger on ANY of your selections. See Credential Activities for information about the alert options.

Sensitivity

Sensitivity affects each selected alert option slightly differently (as described in Credential Activities), but the same sensitivity level is applied to all options for one alert. See Alert Sensitivity.

Action

Add email operators to this alert on the Action panel. These are the people who receive email when the alert is triggered. Any new operators you create are added to the general Alert Operators list.

Select how often you want an email report:

. Daily - One email report covers all alerts detected in a 24-hour period.

. Hourly - Every hour an email report is sent, only if an alert is triggered.

. Every Alert - Every time an alert is

Summary

Review your selections and click Done.

Compromised Credentials Activities

Select the conditions that will trigger this Compromised Credentials alert. Every alert triggered will appear with a user name and date and time in the Email Report.

Unusual access

Alerts when a user who normally doesn't log in remotely has done so. Each user's behavior is calibrated for VPN usage. Someone who logs in to VPN every day and continues to do so won't trigger the alert. Someone who has never used VPN and then logs in one day will trigger it.

A high Sensitivity setting tightens the VPN login threshold, so that anyone changing their login pattern slightly will trigger the alert (more alerts). A low Sensitivity setting loosens the VPN login threshold, so that only extreme changes, such as going from "never" to multiple times in a day, will trigger the alert (fewer alerts).

Unusual time

Alerts on a user who logged in remotely at a time outside the user's normal pattern. Each user's behavior is calibrated for VPN usage at a time of day. If someone always logs in at night, a daytime login will trigger the alert. Behavior is generally outlined by working days. If Bob, who normally logs in at 9 AM, happens to lose connection and logs in again around noon, it won't be considered anomalous behavior.

A high Sensitivity setting tightens the VPN login threshold, so that slight changes to patterns will trigger the alert (more alerts). A low Sensitivity setting loosens the VPN login threshold, so that only extreme changes will trigger the alert (fewer alerts).

Distant location

Alerts when a user logs in remotely from any geographically distant location. This immediate alert does not require calibration. If you have no office or servers in California, any login that appears to be from California will trigger the alert. Use this alert on people who don't normally travel far from a known office location. Note that the alert may be subject to accuracy problems if locations cannot be properly detected. High sensitivity tightens the boundaries of what is considered "distant," and Low sensitivity expands it.

A high Sensitivity setting tightens the VPN login threshold, so that slight changes in location will trigger the alert (more alerts). A low Sensitivity setting loosens the VPN login threshold, so that only extreme changes will trigger the alert (fewer alerts).

Unusual location

A user logged in from a location geographically distant from any of that user's expected locations. Each user's VPN usage is calibrated for login location, as far as it can be detected. An account for a user who travels frequently to California and Hawaii will trigger an alert when the login originates from what appears to be China. Note that the alert may be subject to accuracy problems if locations cannot be properly detected. High sensitivity tightens the definition of unusual for a user, and low sensitivity expands it.

Privileged account

Someone logged in remotely using an account from the Active Directory enterprise level or domain admin group. Users in these groups have privileged access and any outside login using one of these accounts may merit further investigation.

Watching VPN at these servers

Permission to connect to at least one VPN server is required. Continue reading Adding VPN Servers.

Alert report

When the alert is triggered, an email containing the alert name, activities, and the data that triggered the alert is sent to specified operators.
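As an added example (not Veriato code, and not a description of how the product's own calibration works), the following Python sketches a self-to-self VPN login baseline of the kind the Unusual access and Unusual time options describe, scored against constructed RRAS-style log lines; the same per-user baseline idea is what the email, document and resource usage anomaly sections below rely on. The log format, the mapping of the three sensitivity levels to a z-score limit and an hour-of-day tolerance, and the 20-working-day window are assumptions made here.

```python
"""Self-to-self VPN login baseline with a sensitivity knob (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed, RRAS-like log format for this example (not real product output):
# "<YYYY-MM-DD HH:MM:SS> <user@fqdn> CONNECT <client ip>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) CONNECT (\S+)$")

# Assumed mapping of the wizard's sensitivity levels to concrete thresholds:
# (z-score limit for today's login count, hour-of-day tolerance in hours).
SENSITIVITY = {"high": (1.0, 1), "medium": (2.0, 2), "low": (3.0, 4)}


def parse_log(lines):
    """Yield (user, datetime) for each well-formed CONNECT line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2).lower(), datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def weekdays_between(start, end):
    """Every Monday-to-Friday date from start to end inclusive."""
    out, d = [], start
    while d <= end:
        if d.weekday() < 5:
            out.append(d)
        d += timedelta(days=1)
    return out


def build_baseline(events, window):
    """Per user: a login count for every weekday in `window` (zero when the user
    did not connect) and the set of hours at which logins occurred. Weekend
    logins are left out, as the guide says baselines follow working days."""
    counts = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    window_set = set(window)
    for user, when in events:
        if when.date() in window_set:
            counts[user][when.date()] += 1
            hours[user].add(when.hour)
    return {u: {"counts": [counts[u][d] for d in window], "hours": hours[u]}
            for u in counts}


def score_day(user, logins_today, baseline, sensitivity="medium", min_days=20):
    """Return anomaly labels ('unusual access', 'unusual time') for one user's
    logins on one day; an empty list means the day fits the baseline."""
    z_limit, hour_slack = SENSITIVITY[sensitivity]
    if not logins_today:
        return []
    # A user with no VPN history is scored against an all-zero baseline, which
    # is the guide's "never used VPN, then logs in one day" case.
    b = baseline.get(user, {"counts": [0] * min_days, "hours": set()})
    if len(b["counts"]) < min_days:
        return ["uncalibrated"]  # the guide asks for about 20 working days
    mean = statistics.mean(b["counts"])
    # Floor the spread so a perfectly regular user keeps a small tolerance band.
    sd = max(statistics.pstdev(b["counts"]), 0.5)
    z = (len(logins_today) - mean) / sd
    flags = []
    if z >= z_limit:  # only more remote access than usual is of interest here
        flags.append(f"unusual access ({len(logins_today)} logins today, "
                     f"baseline {mean:.1f}+/-{sd:.1f} per day)")
    for when in logins_today:
        if b["hours"] and all(abs(when.hour - h) > hour_slack for h in b["hours"]):
            flags.append(f"unusual time ({when:%H:%M})")
    return flags


def monday_login(hour, minute=0):
    """Constructed login time on Monday 2019-04-29, the day being scored."""
    return datetime(2019, 4, 29, hour, minute)


# Constructed calibration data: four working weeks in April 2019, during which
# alice connects every weekday at 09:02 and bob never connects.
CALIBRATION_WINDOW = weekdays_between(date(2019, 4, 1), date(2019, 4, 26))
SAMPLE_LOG = [f"{d} 09:02:00 alice@corp.example CONNECT 198.51.100.7"
              for d in CALIBRATION_WINDOW] + [
    "2019-04-06 10:00:00 alice@corp.example CONNECT 198.51.100.7",  # Saturday, ignored
    "malformed line that is not a CONNECT record",                   # ignored
]
BASELINE = build_baseline(parse_log(SAMPLE_LOG), CALIBRATION_WINDOW)

if __name__ == "__main__":
    cases = {"alice@corp.example": [monday_login(22, 30)],
             "bob@corp.example": [monday_login(9)]}
    for user, logins in cases.items():
        for level in ("high", "medium", "low"):
            print(user, level, score_day(user, logins, BASELINE, level) or "normal")
```

Running the block prints, per sensitivity level, that alice's late-night login is only an unusual time, while bob's first-ever login is unusual access at high and medium sensitivity but not at low.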


Compromised Credentials VPN Servers

Access to connect to at least one VPN server is required. This alert will scan the logs from all servers listed. At the bottom of the Compromised Credentials Activities panel, click the Add VPN Server button. The UNC path and administrative share credentials to access an RRAS VPN server log are required to proceed.

1. Enter the path to the VPN server log. The VPN server should be in the same geographic area as the Veriato Server (required for distance anomalies).

2. Enter the user name for an account that has access to the logs location. The VPN server requires FQDN user logins (needed for Veriato user correlation).

3. Enter the password for the account.

4. Click Submit. The server is added to a list of servers below the Add VPN Server button.

You can add up to 10 servers for one alert. To remove a server, click the "X" next to it. VPN servers are not managed in Veriato, so you will need to set up a server for each Compromised Credentials alert that you create.

Email Activity Anomalies

Outgoing email has the potential to breach security, data-loss, and compliance policies. Sent Email anomalies provide some intelligence as to where this might be happening. You will receive alerts for each selected anomaly. Each anomaly selected is calculated separately: the count of email OR the count of attachments OR the count of BCC is unusual.

Note that the Recording Profile must have email recording ON to detect any of the following anomalies.

Count

Watches the number of messages sent. Someone sending substantially more or fewer email messages than usual would trigger this alert.

Attachments

Watches the number of email attachments in outgoing mail. This anomaly can alert you to intellectual property being sent outside the company or inappropriately shared. Note that if you want to see the actual file attachment when you request Veriato 360 licensing, you need to enable capture of Email Attachments.

BCC Count

Watches the number of email messages copied to "blind" or secret email addresses. BCC is an unusual feature to use in normal in-house situations and could be very disturbing when the BCC target is outside the company. Veriato Recon detects BCC addresses and will provide all the names and details when Veriato 360 data uploading is requested.

Overall size

Watches the size of email being sent. If someone is suddenly packing a lot of information into outgoing email, it might indicate a breach of policy.

Language

Watches for changes in the use of singular vs. plural pronouns, complex usage and other language changes that are known indicators of insider threat. People working together over time establish a standard vocabulary and don't often deviate from it. A shift in vocabulary in outgoing email may point out a change worth looking into. See Language Analysis.

Sentiment

Watches for patterns in negative/positive language and provides a security alert when the pattern changes. Disengagement, frustration, and disgruntlement can predict employee flight, IP theft, fraud or other problems. If you know someone is unhappy, you can take steps to address the problem and protect your assets. The email alert shows risk at a glance. See Sentiment Analysis.

Email alert notification

Each email activity you select for an alert definition has its own line in the alert notification email (if triggered). To show what each line looks like, suppose an alert had ALL email activity options selected and ONE user triggered them all with increasing usage/risk. The user's entry on the email would look like this:

Document Activity Anomalies

Sensitive documents should be on your network watch list, but if you don't know who and what to watch, start with Recon document anomalies. Watching changes in file activity may point out violations in policy. Each activity selected is treated as an anomaly and calculated separately. A single alert may watch for count of files handled OR uploads to cloud OR sent email attachments.

Note that the recording policy must have Document Tracking, Files Transferred, and Email recording ON to detect these anomalies.

Count

Watches the number of files touched (edited, copied, or moved). This includes files located on local, network, removable, and cloud storage drives. Keep in mind this anomaly requires a deviation from the average for all these activities. Depending on user habits you may not get the specific alerts you want (see Outbound Transfers below for alternatives), but you may get some useful productivity information.

File Size

Watches for unusual sizes of files edited, copied, or moved. For someone who normally deals with documents 9-500 KB in size, activity in substantially larger documents would be an anomaly. Are they working outside their approved access area? What is this document?

Printing

Watches for changes in the number of documents printed and/or number of pages sent to a printer. Someone who normally doesn't print a lot of documents who starts printing dozens of files or hundreds of pages from a long document may be your next point of vulnerability. Be sure you are tracking printing of sensitive files!

Outbound Transfers

Watches for changes in the count of documents leaving the network. These include:

. FTP Uploads - Increased uploads of company documents via File Transfer Protocol to outside hosts may violate policy.

. To Cloud Storage - An increase in moving or copying documents from local or network locations to cloud storage folders may indicate a risk. These alerts watch cloud storage folders installed on the user's local drive. If cloud blocking is enabled, no alerting is possible.

. Email Attachments - An increase in the number of file attachments in email leaving the local domain may indicate IP theft.

. Documents copied from local to removable or network drives - A change in the number of documents downloaded to removable drive or uploaded to a different location may merit more observation.

Language Analysis Anomalies

Stopping insider threats before they happen requires the ability to identify legitimate but suspicious behavior. Short of relying on whistle-blowers among coworkers or catching someone red-handed, how would you know? Veriato Recon offers language analysis for email activity that can alert you to potential threats.

Why it's important

Studies of linguistic behavior have shown that people contemplating (or committing) covert, malicious actions change the way they talk and write. The results are consistent. Regardless of motivation, people engaged in inappropriate behavior tend toward certain language constructions. If these subtle, but very specific, changes begin to occur, detecting them early could help you head off an insider threat.

Recon coverage

When Recon Language analysis is active, email content captured by the Recorder is automatically analyzed and interpreted. Recon sets a baseline for normal language usage (by users and groups) and then tracks changes using the general predictors outlined below. Simply enable the email "Language change" option in a Recon Anomaly alert. When the alert is triggered, you receive notice that someone's email language has changed enough to meet the criteria.

Language predictors take time to calibrate

Anomalies where each user's behavior is compared to their own past patterns take up to 30 days to calibrate. At least 20 days of activity (non-working weekends are not counted) are required to analyze a user's normal patterns, so you may not see results for about a month. Once a pattern is established, language anomalies can be detected. If a user has already been under Veriato Recon monitoring with email recording active, language anomalies can be detected within a day.

Pronoun usage predictor

Studies show that people contemplating an inside threat typically distance themselves from coworkers and "the group." As this occurs, the person's language becomes self-focused and defensive (me vs. you). The community-oriented use of first person plural (we, our, ours) decreases, and use of singular person pronouns (I, me, mine) and second person pronouns (you, yours) increases as the "insider" seeks separation and a safe distance.

Frustration predictor

Motivation for insider attack is often frustration with the organization. A frustrated person exhibits outbursts and confrontational behavior, using generally negative language. Veriato Recon tracks an increase in negative emotion words (failure, awkward) and words related to feelings (fragile, pressed) as part of its language alerting.

Duplicity predictor

The insider managing two worlds - normal work plus the insider attack - loses clarity and engages in increasingly complex language (infer, guess) with the ongoing struggle to cover up and deflect (perhaps, kind of). Studies show that liars use more tentative words than truth tellers, avoiding the concrete version and preferring shades of gray. Recon detects and measures complex constructions associated with avoiding the truth.

Decreased language matching predictor

People in a group mimic each other's language. Dialogue between speakers in a good relationship (at work or at home) matches in style, patterns, and cues. In email communication, language pattern matching indicates positive social dynamics. Decreasing matching indicates loss of interest in coordinating with or accommodating the group. Recon performs language style matching as a marker of those who may be drawing apart and contemplating malicious activity.

Resource Usage Anomalies

A Resource Usage alert is based on self-to-self comparison and compiles work-based anomalies gathered throughout the day into a daily email report. The alert automatically watches for application usage and network share access.

NOTE: If a computer is off the network for a period, the analysis will be performed for today's data in comparison with an ongoing and moving baseline.

Application usage

A change in the applications a user accesses and the time spent using them could be normal work or might be the beginning of abuse of access. For example, a sales rep who suddenly starts using a network admin tool might be worthy of investigation. Veriato Recon calibrates a baseline for active time spent in applications. When a "normal" work pattern is established (after the first 20 full days of activity), anomalies can be detected for unusual usage. Sensitivity settings control how much more (or less) activity in an application constitutes an anomaly.

Changes in application usage appear in the alert report

Network access

Changes from normal (again, 20 days are required to assess) in accessing network shares could indicate suspicious activity. For example, a new employee trying out access on various network drives might be worthy of investigation. Sensitivity settings control how much more (or less) activity in a share constitutes an anomaly.

Changes in network access appear in the alert report

The alert has an "override," which changes it from a "learned" anomaly to a matching anomaly. The override lists all approved applications and network shares. If a user accesses an app or network location NOT on the list, it is considered "unapproved" access, and an alert is immediately generated. Because it is an immediate alert based on matching, the alert is no longer affected by sensitivity.

Resource Usage override

It's possible to override the machine learning that establishes anomalies and trigger an alert any time an "unauthorized" program or network location is accessed, regardless of normal user behavior. The override names acceptable applications and locations and the specific Resource Usage alert. Because it is immediate and based on matching, it has no Sensitivity.

For an override Resource Usage alert, ANY usage of an application or network share not listed in the override XML file triggers the alert. The override file must list all acceptable programs and network locations.

When the override is used, all items in the email report for the alert are "unauthorized" use.

Sentiment Analysis Anomaly

Sentiment monitoring is available as an email anomaly alert option. Research has shown a direct correlation between negative sentiment in communication and disengagement and disgruntlement, the top predictors of insider threat. What is negative sentiment? It's the person complaining about work, finding blame, not caring, or feeling sorry for him/herself, who is ultimately "disengaged" or "disgruntled."

On the other hand, some studies also show a spike in positive sentiment when an individual has made the decision to commit an extreme act. In both cases, you need to be watching.

NOTE: Only users monitored by Veriato Recon are included in Sentiment Alerts. Only English language is analyzed at this point for sentiment scoring.

Why it's important

Sentiment is difficult to observe walking by offices and cubicles or even talking directly to employees. Veriato Recon looks inside employee email communication and uses language style matching algorithms to infer the indicators of an individual’s psycholinguistic posture. Monitoring any changes to this posture and alerting on thresholds offers the opportunity to respond before something happens.

How it works

Veriato Recon sentiment analysis calculates a daily sentiment "score" based on each user’s communication style. Some are normally more negative, and some are more positive. Over time a baseline is established, and an individual’s score can be compared to his/her own patterns or to group patterns.

A self-to-self anomaly alert is triggered by a significant change in sentiment score. A self-to-group anomaly is triggered by marked deviation from the group baseline. The alert report marks a user as either more “positive” or more “negative” than usual or than the group.

Sentiment takes time to calibrate

Sentiment baselines require at least 20 days of activity to calibrate. You may see no sentiment reports for about a month. Once a pattern is established, sentiment anomalies can be detected. If a user has been under Veriato Recon monitoring with email recording active, sentiment can be calibrated within a day.

Alerts - Event

Alert on 360 Events

An Event Alert applies to users under Veriato 360 monitoring. Rather than watching behavior baselines, it scans recorded data coming into the database for specific conditions. The conditions can be as simple as "printing more than a certain number of pages in a day" or as detailed as "printing pages of an Excel document where characters in the name include 'budget'." Several predefined Event Alerts are provided. All you need to do is provide your email address to start receiving notification.

How it works

Each alert specifies conditions for one event type. The Veriato 360 Recorder captures all user activity and returns data to the server every few minutes. As the information arrives in the database, it is evaluated and compared to the alert conditions.

If a match is found, the alert is triggered, and an alert event is logged. You receive email notification, if configured, and can respond to the activity in a timely fashion. Triggered alert data appears in your 360 Dashboard views, Reports, Data Explorer, and User data.

Why it's important

360 Event Alerts allow you to set thresholds that matter to you and find out who crosses them without having to watch changes in the data.

Editing alerts

If a yellow symbol appears next to an alert, it needs users, an activity, or an email operator (Action) for completion.

1. Click the alert's title, trigger or operators.

2. Navigate to any panel by clicking on the chevron markers at the top of the panel. Change any panel except Alert Type. Once the alert has been saved, you can't change this selection.

3. To save your changes, click Summary at the top of the panel and Done at the bottom of the Summary panel.

To exit without saving click the X in the upper right corner of the wizard window.

Provided alerts

The following table lists the pre-defined Event Alerts. Keep in mind that no alerts will send email until you set up email delivery and enable an operator within the Alert Policy.

Alert Name | Event Type | Description
--- | --- | ---
Social Networking Sites | Website | Visits to social networking web sites, based on the URL name
Webmail Messages | Email | Sending or receiving webmail messages
Clock Change | User Status | Attempts to change the computer's clock settings, based on User Status events
Copying Files | Document | Instances of files being copied to removable media, based on Document Tracking events
Downloading Dangerous Files | File Transfer | .EXE or .ZIP files downloaded from the Internet, based on File Transfer events
Downloading Files | Website | Any files being downloaded from a web site, based on URL type
Excessive Network Use | Network | Users with more than 100,000 total MB per day of network bandwidth
Excessive Printing | Document | Users with more than 50 printing events in one day, based on Document Tracking
Improper Email Messages | Email | Email messages that contain (possibly) improper topics for work, based on a keyword*
Inappropriate Chat | Chat/IM | Chat and Instant Message conversations on (possibly) inappropriate topics, based on a keyword*
Non-Work Searches | Online Search | Internet searches (possibly) not related to work topics
Off-Hours Logins | User Status | Network logins during non-office hours: Monday-Friday, 5:00 PM-9:00 AM, and anytime on weekends
Too Few Hours | User Status | Users with fewer than 6 hours on the computer in an 8-hour work day
Too Few Keystrokes | Keystroke | Users with fewer than 2,000 keystrokes in one day
Too Much Chat | Chat/IM | More than 10 chat sessions in one day, based on a count of Chat/IM Events
Too Much Web Surfing | Website | Users with more than two hours usage of the Internet, based on Web Sites Visited
Excessive Print Pages | Document | Users printing too many pages at one time, based on Document Tracking

*Keywords are defined within Keyword Categories

Add Event Alert – Alert Type

The Add Alert wizard for 360 Events allows you to define alert parameters for one event type.

Name

You must provide a name to continue. Enter 1 - 256 characters. The alert name will appear as a header in your alert email reports and as the "Description" field in Alert Event details. You can type a further description for the alert in the second box. The description appears in your list of alerts.

Trigger on a type of activity

Select one type of activity to watch. The Event Type (record type) you choose determines which conditions (fields) will be available. Click Next when you have a name and the desired activity selected. The Activity types include all events recorded by Veriato 360. Recording of the event type must be ON in the Recording Policy. You can see complete event data in Users, for a recorded user, and in Data Explorer, under the event type. Click here to read about event types.

Add Event – Users

All users

The default option is to watch for alert conditions among All users. Leave this selected to apply the alert globally to all users.

Selected user groups

Check Selected user groups to list each group (if available). Check one or more for the alert.

Disabling the alert

If you want to disable an alert, choose Selected groups and uncheck each group. Save the alert. The alert profile is available, but with no users selected, it cannot be triggered.

Add Event Alert - Conditions

To define what triggers the alert within the activity type you chose, set conditions. Conditions are based on time and by matching data details (fields) recorded for the event.


During this time

Event alerts can be set to watch for alert conditions at certain times of day. Provided time categories are:

. All Times – Alert when conditions are met at any time of day.

. Non-Office Hours - Alert when conditions are met only during non-working hours. Modify this category in Categories | Time Categories. Initial Non-Office Hours are:

  12:00 AM - 9:00 AM Monday through Friday
  5:00 PM - 11:59 PM Monday through Friday
  All day Saturday or Sunday

. Office Hours - A provided time category. The alert triggers only on data recorded during normal working hours. Modify the category in Categories | Time Categories. Initial Office Hours are 9:00 AM - 5:00 PM Monday through Friday.

. New Time Category - Opens a window where you can create a new time category. Enter a name and click and drag over the filter schedule. The green period shows times the alert will trigger. Click Save and Close on the window's toolbar when you are ready. See Defining a Time Category for complete details.

NOTE: The time filter you select is based on your current global criteria Time Zone setting. By default, times will be as recorded at the endpoint computer.

Select a field of interest

The available fields for the alert type you selected appear as blue buttons. Click a blue button to select a data field. Each blue button you click adds a green item to the "Set conditions" list. You can click a blue field more than once, but you cannot add more than 10 green items (lettered A through J) to your "Set conditions" list.

Field operators may be:

Field Operator | Definition
--- | ---
> | Greater than value entered
>= | Greater than or equal to value
< | Less than value
<= | Less than or equal to value
= | Equal to value
!= | Not equal to value
contains | Includes the value entered or selected
does not contain | Does not include the value
in group | Includes any of the words from selected Keyword Categories. You can create custom groups to select the words you need.
not in group | Does not include the words from selected Keyword Categories

Set conditions

Fill in "Set conditions" by clicking blue buttons. Conditions populate 5 columns:

. A, B, etc. – Each condition is represented by a letter A, B, C, and so on.

. AND/OR – After A, each condition is automatically prefixed with AND (to join the conditions). Use the drop-down if you want to change the operator to OR.

. Field operator – A set of available operators for the field is offered in the 4th column. Use the drop-down to select an operator.

. Value – You can select or enter a value to match (using the field operator) in the 5th column.

Your resulting conditions might be:

A  Email Contents match a keyword in category "Sensitive Documents" or "Sensitive File Paths". This condition requires finding a match to ANY entry in the keyword categories "Sensitive Documents" or "Sensitive File Paths."
AND
B  Email Program Name field does not contain "Exchange". This condition excludes the expected email program used for valid work purposes.
AND
C  Email From field does not contain "mycompany.com". This condition excludes a portion of an expected work email address.

The simple data query is summarized below your selections: A AND B AND C

Switch an operator before a condition to change the query (does not contain Exchange or does not contain “company.com”): A AND B OR C

A few restrictions apply to conditions and operators. See Query Restrictions.

Advanced Query

To compose an advanced query, such as (A AND B) OR (C AND D), first set up the conditions (A, B, etc.):

1. Select blue-button conditions to represent A, B, C, etc., in the lower portion of the panel.

2. Next to each green button, select an operator and value to create the condition.

3. Set 1 to 10 conditions, ignoring the AND/OR operator in front of each.

4. Click Advanced.

5. Type your query in the Advanced entry box using the condition letters you have set up, parentheses, and the AND/OR operators as you wish.

Each operator must appear between 2 lettered conditions:

A AND (B OR C)
(A AND B) OR (A AND D)
A AND (B OR C) AND D

Your advanced query overrides the simple query as implied in "Set conditions."

If you go back and change the simple query by selecting a different AND/OR operator next to a green condition, you will clear the advanced query.

6. Click Verify. If the query is formatted incorrectly or breaks one of the restrictions it is Unverified, and an error message appears. See Query Restrictions.

If the query is Verified, you can press Next and continue creating the alert.

Use an operator or parenthesis between letters

An operator or a parenthesis must appear between each letter. Parentheses group conditions for different results.

A (B OR C) is incorrect. A AND (B OR C) is correct.

Examples:

(A AND B) OR (C AND D)
A AND (B OR C) AND D
A AND B OR (C AND D)

Your operator usage in the advanced query overrides the AND/OR operators used in the condition setup list.

Restriction: Cannot use "Count" OR "Sum of"

A "Count of Events" condition can NOT be combined with a "Sum of" condition using the OR operator.

For example, the query A OR B below is meaningless: (If the Count of applications opened < 2) OR (the Sum of Active Time in applications < 240 seconds)

A more meaningful query would be: (If the Count of applications opened < 2) AND (the Sum of Active Time in applications < 240 seconds)

Restriction: Cannot use "Sum of [Value]" OR "Sum of [Value]"

These conditions cannot be combined because they rely on data that is aggregated across users. If you try to combine a condition that relies on an aggregate value, such as "Sum of Total Time" with another aggregate, this error appears.

For example, the following A AND B query does not make sense: (If the Sum of Active Time > 240000 seconds) AND (the Sum of Total Time > 240000)

An OR operator works better: (If the Sum of Active Time > 240000 seconds) OR (the Sum of Total Time > 240000)

Restriction: Cannot use "Count of events" OR [match] "string"

A "Count of Events" condition cannot be combined with a “string" condition using the OR operator.

For example, for an Application Activity alert, if you enter this A OR B query: Count of applications opened < 20 OR the Program Name contains "MyProgram"

The parser will not be able to return meaningful data. Instead, enter: Count of applications opened < 20 AND the program name contains "MyProgram"

Restriction: "Sum of" and "Count" numbers combined for same field

. A "Sum of" condition cannot be combined with a "Count of Events."

. Sum of a Numeric Field cannot be combined with itself using an "OR" conditional.

. A "Sum of" condition cannot be combined with itself using the OR operator.

. Sum of a Numeric Field cannot be combined with Field matches using an "OR" conditional.

. A "Sum of" condition cannot be combined with a "= matches" condition using the OR operator.

Restriction: Keywords and "Sum of"/"Count"

. Keywords cannot be combined with a Sum of a Numeric Field.

. Keywords cannot be combined with a "Sum of" condition.

. Keywords cannot be combined with Count of Events.

. Keywords cannot be combined with a "Count of Events".
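The Advanced Query syntax rules and the Query Restrictions above can be checked mechanically; the following Python verifier is an added example for illustration, not Veriato code. It assumes AND binds tighter than OR (the guide states no precedence), treats Count AND Sum as permitted because the guide's own corrected example uses it, and uses constructed names for the condition kinds.

```python
"""Verifier for advanced alert queries such as (A AND B) OR (C AND D).
Added example, not Veriato code; it models the Verify step described above."""
import re

# Condition kinds used by the restriction checks (names constructed here).
COUNT, SUM, STRING, KEYWORD = "Count of Events", "Sum of", "string match", "keyword"
TOKEN_RE = re.compile(r"(\(|\)|AND|OR|[A-J])\s*", re.IGNORECASE)

# Kind pairs the guide says cannot be joined by the given operator. Count AND Sum
# is allowed (the guide's corrected example); keywords never mix with Count or Sum.
FORBIDDEN = {
    "OR": {frozenset((COUNT, SUM)), frozenset((SUM,)), frozenset((COUNT, STRING)),
           frozenset((SUM, STRING)), frozenset((KEYWORD, SUM)), frozenset((KEYWORD, COUNT))},
    "AND": {frozenset((SUM,)), frozenset((KEYWORD, SUM)), frozenset((KEYWORD, COUNT))},
}


def tokenize(query):
    """Split a query into '(', ')', 'AND', 'OR' and condition letters A-J."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected text at position {pos}: {query[pos:]!r}")
        tokens.append(m.group(1).upper())
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing ('COND', letter) or (op, left, right).
    AND binds tighter than OR (an assumption; the guide states no precedence)."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:  # e.g. "A (B OR C)": nothing joins A to "("
            raise ValueError(f"unexpected {self.peek()!r}; put an operator between conditions")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.i += 1
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "AND":
            self.i += 1
            node = ("AND", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok, self.i = self.peek(), self.i + 1
        if tok == "(":
            node = self.parse_or()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.i += 1
            return node
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"{tok!r} is not a condition; operators need a condition on both sides")
        return ("COND", tok)


def kinds(node, cond_kinds):
    """Set of condition kinds under `node`; KeyError if a letter was never set up."""
    if node[0] == "COND":
        return {cond_kinds[node[1]]}
    return kinds(node[1], cond_kinds) | kinds(node[2], cond_kinds)


def check_restrictions(node, cond_kinds):
    """Return the first violated restriction as text, or None if the tree is clean."""
    if node[0] == "COND":
        return None
    op, left, right = node
    problem = check_restrictions(left, cond_kinds) or check_restrictions(right, cond_kinds)
    for lk in kinds(left, cond_kinds):
        for rk in kinds(right, cond_kinds):
            if frozenset((lk, rk)) in FORBIDDEN[op]:
                problem = problem or f"cannot combine '{lk}' {op} '{rk}'"
    return problem


def verify(query, cond_kinds):
    """Mirror the wizard's Verify button: returns (verified, message, tree)."""
    try:
        tree = Parser(tokenize(query)).parse()
        problem = check_restrictions(tree, cond_kinds)
    except (ValueError, KeyError) as exc:
        return False, f"Unverified: {exc}", None
    return (False, f"Unverified: {problem}", None) if problem else (True, "Verified", tree)


def evaluate(node, truth):
    """Apply a verified tree to {letter: bool} results of the simple conditions."""
    if node[0] == "COND":
        return truth[node[1]]
    lhs, rhs = evaluate(node[1], truth), evaluate(node[2], truth)
    return (lhs and rhs) if node[0] == "AND" else (lhs or rhs)
```

For the guide's three email conditions (A a keyword category, B and C string matches), verify("A AND (B OR C)", ...) is Verified while verify("A (B OR C)", ...) is Unverified, and a Count OR Sum query is rejected where the Count AND Sum form passes.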

Add Event Alert - Action

When an alert is triggered, an event is automatically logged for data viewing, reporting and export. The Action panel allows you to request other actions to take. Available actions and email rates depend on the type of alert you are configuring.

Action for an Event Alert

Process this alert

Set the alert to scan the database either once a day or once an hour for matches to alert conditions.

. Daily - (Default) Scans data in the database at the end of the day. This option is required to request "Accelerate screenshots." If the alert is triggered, at the end of the day, it logs alert events, sends an email report and retrieves the range of screenshots for each event (as requested).

If a device has been off the network and has just checked in, its uploaded data will be processed for alerts during the next daily interval. All unreported alerts triggered at the device during the time it was offline will be logged and included in the next daily email report.

. Hourly - Scans data in the database every hour. If the alert is triggered, it logs all alert events for that hour, and sends an email report.

Accelerate screenshots

When event conditions are detected, and you have selected the Hourly alert processing rate, you can request additional screenshots before and after the event that triggered the alert.

. Select a time to start acceleration BEFORE the recorded event.

. Select a time to continue acceleration AFTER the event. The total acceleration time is the before selection plus the after selection. Screenshot recording returns to its normal rate (set in the recording policy) when the time is up.

When accelerated screenshots are enabled, the setting appears as ON for the alert in the Event Alerts list.

NOTE: Before enabling this feature, carefully check the conditions and users for the alert. If the alert is triggered frequently by many users, you will get a lot of screenshots, which have a cost in both client data storage and server disk space.

Accelerate screenshots and the recording policy

Accelerated Screenshots are taken in 4-bit grayscale every 30 seconds and are not affected by recording policy settings. However, if you are capturing and returning screenshots to the database, be aware that enabling accelerated screenshots results in two sets of screenshots being returned to the database during the alert's acceleration period.

Screenshot retention at the client

The Recorder always captures screenshots at the rate specified in the Recording Policy, holds them, and then discards them at the data size or date limit set in the Recording Policy.

NOTE: If a device is off the network for too long, you may lose some or all alert-related screenshots, depending on retention settings.

Send email to

Alert email delivers a report on users who triggered the alert. Email requires one or more selected email operators. Each operator receives the same email report.

. Select an existing alert operator from the drop-down menu

. Create a new operator by clicking Add.

. Remove an operator from this alert by clicking the x button to the right of the email address.

The Alert email rate is set by the process rate above.

Add Event Alert - Summary

The final step in the alert definition wizard is the Summary. Check your settings and click the link to return to a panel and make corrections as needed. If you selected no action, there will be no notification and the processing rate you chose may not be saved.

Click Save at the bottom of the panel to return to the alert list. To edit an alert, click on it in the list.

Keyword Alerts

Alert on Keywords

The most immediate alerting available in Veriato Recon/360 is Policies | Alerts - Keyword. Define keyword alerts to track file names, file paths, or any key phrases collected in your Keyword Categories. Keyword alerts apply to all users selected in the policy, under either Veriato Recon or Veriato 360 recording.

How it works

When keyword alerts are active, the Veriato Recorder scans communication, application, and document activity as it occurs at the client. When a match is detected, an alert is triggered. The alert is uploaded and logged in the database (visible in Keyword data views), and the requested action is taken.

The keyword alert reports tell you who triggered the alert, when it was triggered, and what activity was taking place.

Develop a keyword strategy

Meaningful keyword alerts require keywords targeting something specific. Create Keyword Categories that you can select for alerts in the Categories section of the Management Console. A few categories are provided to get you started. Modify or remove these as you wish.

1. What do you need to protect? Locate intellectual property and confidential data that might be a concern.

2. Study past violations and breaches of security. What activity was involved, what would have been clues that it was happening, what sequence of events took place?

3. Create keyword categories specific for your needs. Review and modify the provided Keyword Categories. Different categories might contain:

. Filenames, file types, and locations of sensitive documents

. Domains or websites you need to watch

. Names of people, places, projects or passwords

When adding keywords to a category, avoid small words or commonly used strings and be as specific as possible with folder and file names. Because keywords are matched by the Recorder on the monitored device, a category that contains passwords or other secrets is itself sensitive data; keep such a category as small as possible and limit who can view it. See Keyword Activities.

Provided alerts

Two provided Recon Keyword alerts apply to all users and cover all activity. You need to provide an email operator to receive notification of these alerts.

. "Example Fraud Alert" detects words and phrases in the provided Fraud, Threat, and Violence keyword categories. Someone involved in a phase of the "Fraud Triangle" might use these phrases.

. "Example Unauthorized Program Use Alert" detects words and phrases in the provided Malicious Program keyword category.

How to respond

Not every alert will be an incident requiring attention, but you will gain insight and better enforce policies that outline acceptable use of assets, security requirements, and industry compliance procedures.

If you suspect a violation or vulnerability, use Veriato 360 license capability to gain immediate access to the user's activity over the last 30 days. The context in which the keyword was used will become immediately clear when you review the user's activity and screenshots from that time period.

Keyword Alert Types

Choose one or more activities for a Veriato Recon alert. For example, if you are watching for sensitive file names, you could select all activities, in case people are opening, talking about, moving, attaching, or transferring those files. If you are interested in watching employee communications for bullying or harassment, select only Chat and Email activities. If you de-select ALL activities, the alert will be disabled.

Recording must be on

To detect keywords in an activity, the appropriate event recording must be ON. Check the recording policy you use for your Recon clients in the Policies | Policies - Recording section to make sure recording is on.

For each activity, the table lists where matches are found, the match type (partial or exact), and the recording that must be on:

. Applications - Program names and window captions. Match: Partial. Recording used: Program Activity.

. Chat - Content of a user's chat or instant messaging. Match: Exact. Recording used: Chat/IM conversations.

. Email - Content of email sent and received. Match: Exact. Recording used: Email.

. Keystrokes - Words typed in any application. Match: Partial. Recording used: Keystroke.

. Documents - Names of files, folders, domains, and locations of documents being edited, printed, deleted, or moved to network, removable, cloud, or remote destinations. Match: Partial. Recording used: Document Tracking, Files Transferred.

. Web URL - Any part of a URL (host, domain, folder, file, and so on). Match: Partial. Recording used: Websites Visited.

Case is ignored

Upper and lowercase is ignored for all keyword matches. "Private files" finds private files.

Partial match

A partial match finds the keyword or phrase within surrounding characters. The word "mail.my" finds mail.mydomain and received mail.my schedule, "Athena" finds projectathena-rev2, "myfile" finds myfile.doc and myfile.xls and so on.

Partial matches are used to watch for keywords in Applications, Keystrokes, Documents and Web URLs. Be careful using small words such as "con" (finds conflict and contract) or "sex" (finds Essex and Sussex) when watching these activities.

NOTE: We strongly recommend creating your own custom keyword categories based on names of files, folders, and locations you need to protect. See Categories | Keyword Categories.

Exact match

An exact match finds the keyword or phrase exactly as it appears. "John Smith" matches john smith but not jsmith or Smith. The phrase "auditors will catch" matches only auditors will catch.

Exact Matches are used to watch for keywords in Chat/IM and Email messages. Be careful using small or common words on their own for these activities, such as "project" or "quit." It is more effective to create a series of phrases to return best results, such as "Athena project" and "project Athena," or "I quit" and "is quitting."
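To make the partial/exact distinction concrete, and to check a keyword category for the noise problem described here and under Develop a keyword strategy before the category goes into an alert, here is an added Python example. It is not Veriato code and does not reproduce the Recorder's real matcher: it models partial match as a case-insensitive substring test and exact match as a case-insensitive whole-word or whole-phrase test (both assumptions), runs a category against constructed sample activity records, and reports which keywords only ever matched inside larger words or are short enough to be noisy.

```python
"""
Added example (not Veriato code): a model of the two keyword match modes the
guide describes, used to test a keyword category against sample activity
before it goes into an alert. The Recorder's real matcher is not documented
here; the modelling assumptions are stated on each function.
"""
import re

# Activities the guide lists as partial-match versus exact-match.
PARTIAL_ACTIVITIES = {"Applications", "Keystrokes", "Documents", "Web URL"}
EXACT_ACTIVITIES = {"Chat", "Email"}


def partial_match(keyword, text):
    """Partial match (assumed model): keyword found anywhere, case ignored."""
    return keyword.lower() in text.lower()


def exact_match(keyword, text):
    """Exact match (assumed model): the keyword or phrase as whole words,
    case ignored, so "John Smith" matches "john smith" but not "jsmith"."""
    pattern = r"(?<!\w)" + re.escape(keyword) + r"(?!\w)"
    return re.search(pattern, text, flags=re.IGNORECASE) is not None


def matches(keyword, activity, text):
    """Apply the match mode the guide assigns to the activity."""
    if activity in EXACT_ACTIVITIES:
        return exact_match(keyword, text)
    if activity in PARTIAL_ACTIVITIES:
        return partial_match(keyword, text)
    raise ValueError(f"unknown activity {activity!r}")


# Constructed sample records: (activity, string the Recorder would scan).
SAMPLE_ACTIVITY = [
    ("Documents", r"\\fileserver\legal\projectathena-rev2.docx"),
    ("Documents", r"C:\Users\jdoe\Desktop\Essex_office_map.pdf"),
    ("Documents", r"D:\export\myfile.xls"),
    ("Applications", "contract-template.docx - Word"),
    ("Keystrokes", "please book the conference room for the contract review"),
    ("Web URL", "https://www.sussex.example/admissions"),
    ("Web URL", "https://mail.mydomain.example/inbox"),
    ("Chat", "John Smith said the auditors will catch this"),
    ("Chat", "ping jsmith about the Athena project status"),
    ("Email", "I quit. Effective Friday."),
    ("Email", "conflict-of-interest attestation reminder"),
]

# Constructed category mixing the guide's good and bad keyword examples.
SAMPLE_CATEGORY = ["Athena", "con", "sex", "myfile", "mail.my",
                   "John Smith", "auditors will catch", "quit", "Smith"]


def evaluate_category(keywords, activity_log):
    """For each keyword return its hits and how many of them were found only
    inside a larger word (the "con" in "contract" problem)."""
    report = {kw: {"hits": [], "embedded": 0} for kw in keywords}
    for kw in keywords:
        for activity, text in activity_log:
            if not matches(kw, activity, text):
                continue
            report[kw]["hits"].append((activity, text))
            if not exact_match(kw, text):
                report[kw]["embedded"] += 1
    return report


def suspicious_keywords(report, max_short=4):
    """Keywords likely to generate noise: very short ones, and ones whose
    every hit was embedded in a larger word."""
    flagged = []
    for kw, info in report.items():
        all_embedded = info["hits"] and info["embedded"] == len(info["hits"])
        if len(kw) <= max_short or all_embedded:
            flagged.append(kw)
    return sorted(flagged)


if __name__ == "__main__":
    result = evaluate_category(SAMPLE_CATEGORY, SAMPLE_ACTIVITY)
    for kw, info in result.items():
        print(f"{kw!r}: {len(info['hits'])} hit(s), {info['embedded']} embedded")
    print("review these keywords:", suspicious_keywords(result))
```

Run it against a sample of your own recorded activity (file paths, window captions, URLs, chat and email text) instead of the constructed records: a keyword that is flagged as short or embedded-only is the kind that fills an inbox, and the fix the guide recommends is to replace it with specific phrases or full file and folder names.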

Window caption match

For application and document activities, the Recorder scans the string displayed at the top of the window for matches. For example, with a window caption such as Dev-status.xlsx open in Excel, the keyword "status" would trigger an alert for application activity (Excel) or document activity (Dev-status.xlsx).

Web URL match

A URL is a web site or web file address. These matches are only found when an Internet browser is used for website activity. The Recorder scans the URL string for partial matches. For example, in a browser session whose URL contains mail and google and whose window caption contains "Schedule", "mail" or "google" would be found as a Web URL match, but "Schedule" would be found as an Application match.

Add Keyword Alert - Users

The Users panel allows you to specify which users an alert will watch.

All users

The default option is to watch for alert conditions among All users. Leave this selected to apply the alert globally to all users.

Selected user groups

To apply the alert to a specific group, choose Selected user groups.

Disabling the alert

Choose Selected groups and uncheck each user group to disable the alert. The alert profile will be available, but with no users selected, it cannot be triggered.

Add Keyword Alert - Keywords

After selecting the users and their activities to watch, select groups of keywords. Check at least one group to watch for in this alert. If you do not select any keyword groups, the alert will be disabled. Several keyword groups are provided in Keyword Categories. These are available for selection in your Recon alert.

Viewing keywords

To view keywords, click the symbol at the right end of the category row.

Editing and creating keyword groups

You can change words in a Keyword Group or create your own groups in the Categories | Keyword Categories section of the Management Console. Double-click an existing group to view, add to, or remove its keywords. Click New on the toolbar and enter your own keyword group. An option to import and export keyword lists is provided. See Keyword Categories.

Keyword tips

The most effective alerts use very specific keywords. Small and common words will create "noise" and potentially fill up your email inbox. Create lists of words that are specific to the incidents you want to be warned about: the name of a former employee, the name of a competitor company, the names of files containing confidential information.

Add Keyword Alert - Action

When an alert is triggered, an event is automatically logged for data viewing, reporting and export. The Action panel allows you to request other actions to take. Available actions and email rates depend on the type of alert you are configuring.

Action for a Keyword Alert

Process this alert

The client uploads alerts on its upload schedule, and the server processes and reports them at the interval you select. Reports itemize each user, the time, and the cause of the trigger.

. Daily - (Default) Recommended for end of day review. Reports once a day (less email). Users in a different time zone are reported as soon as possible within the server's daily interval. If a device has been off the network for several days and just reported in, all alerts not yet reported will be included.

. Hourly - The server processes alerts and reports every hour.

. Every Alert - Action is taken as soon as alerts are uploaded from the client. The same word for the same user does not trigger a second notification. However, this option may still result in too much email.

Notify user (Keyword Alerts only)

Because a keyword is detected directly at the client, one available action for these alerts is a private notification on the user's own device. Seeing their own possible violations may remind people of compliance and company policies.

As soon as a keyword match occurs, a notification appears on the client device (on Windows and on Mac).

The user clicks on the popup notification to view a list of keywords and the activities in which they were detected. If the user ignores the notification, popups continue to appear, and any additional alerts are added to the list.

Once the user opens and closes the list, both the popup notification and the document are removed and won't be seen again. The next alert triggered creates new popup notification and a new document.

Return screenshots

If enabled in Global Options, when a keyword is detected, you can receive screenshots from the user’s desktop. See Keyword Screenshots.

Even when only Veriato Recon is recording, the screenshots will be returned. Keyword Alert data in Data Explorer and User data will have links to related screenshots.

Send email to

Alert email delivers a report on users who triggered the alert. Email requires one or more selected email operators. Each operator receives the same email report.

. Select an existing alert operator from the drop-down menu.

. Remove an operator by clicking the x button to the right of the email address.

. To add an alert email operator, click Add.

. Email rate is set by the processing interval.

Add Keyword Alert - Summary

The final step in the alert definition wizard is the Summary. Check your settings and click the link to return to a panel and make corrections as needed.

. Detect Keywords in - For a Keyword alert, limit or expand activity coverage

. Keywords – Change Keyword Category selections as you wish. Modify the categories in the Categories section.

. Action - If you selected no action, there will be no notification, and the processing rate you chose may not be saved.

. Click Save at the bottom of the panel to save the Alert and return to the alert list. If you need to change the alert, click on it in the alert list to enter the wizard and make changes.

Keyword Alert Screenshots

Keyword alerting gives you the option to return screenshots of the user's desktop during the time the alert was triggered. Enable this feature for ALL keyword alert policies in Global Options.

Enable screenshots in Global Options

1. Access Global Options from the top of the Management Console.

2. Set a screenshot frequency in seconds (1-3000 seconds).

3. Set the number of seconds (greater than the frequency setting) to continue taking screenshots at this rate.

4. Click OK on the panel.

When the option is enabled, the setting appears as ON for each alert in the Keyword Alert list, and the frequency and duration appears in each alert's Action panel. When the option is disabled, it is disabled (minus sign) for all Keyword Alerts and in each Action panel.

NOTE: Before enabling this feature, carefully check the words and phrases in your Keyword Alerts. Words that are too common will trigger too many alerts, and screenshots have a cost in both client data storage and server disk space.

How it works with the recording policy

If a user is under Veriato Recon recording, screenshots returned start at the alert trigger time and continue until the end time. You can view the screenshots in User details and in Data Explorer. No additional screenshots are sent. However, if you switch recording to Veriato 360, 30 days of screenshots (at the recording policy rate) are immediately uploaded for viewing and will continue to be uploaded at the policy rate.

If a user is under Veriato 360 recording, and screenshots are enabled in the recording policy, the frequency of screenshots will change to the Global Options setting until the number of seconds requested pass. Screenshots then return to the recording policy frequency (default is every 30 seconds).

Access the recording policy rate in Screenshot System Settings

Screenshot retention at the client

The Recorder always captures screenshots at the rate specified in the Recording Policy, holds them, and then discards them, either after the Recon limit of 30 (or 60 or 90) days, or at the 360 size or date limit set in the Recording Policy.

NOTE: If a device is off the network for too long, you may lose some or all the alert-related screenshots, depending on retention settings.

Keyword Alert Email Report

Email operators selected on a Keyword Alert's Action panel will receive an email with contents like the one below. If you are using Veriato Email Relay service, the email is from Veriato. If you have defined a custom SMTP relay, the email is from either the Master email address or a "friendly" name you set in Global Options.

. The report header ("Fraud Keywords") provides the alert policy name and report date with reporting frequency (Daily, Hourly, or Every Alert).

. Selected keyword categories ("Fraud," etc.) are listed at the beginning of the report.

. The report identifies users and activities where keywords were detected. The user's Veriato or Active Directory group ("Marketing") appears first. A Daily or Hourly alert compiles all users and keyword detections in their activity during the email rate period. A report for Every Alert shows detection of a keyword for a single user.

A Daily Report showing two users and keywords detected during the day

See also: About Alert Email.

Alert Email

About Alert Email

Alert email is sent when conditions meet the alert policy criteria. Email also requires:

. Email is configured for delivery from the Veriato Server.

. The policy has assigned users.

. The alert policy has an assigned email operator.

Too much email

If you are getting too much alert email, it means one or more alerts need to be refined. This topic explains how to troubleshoot alerts so that you don't get spammed by alert email.

. Email rate - For more alert data in a single email, change the email rate in the alert policy. Setting the rate to Every Alert or Hourly may overload your inbox. By setting the rate to Daily, you receive all alerts (for a single policy) in one email.

. Lower anomaly sensitivity - For Recon anomaly alerts, lowering sensitivity generates fewer alerts. With relaxed "normal" parameters (Medium Low or Low), the alert is less likely to be triggered. For example, you may not care that a user who normally sends 2-3 emails a day has sent 6 emails, but you may care that someone who sends 2-3 emails has sent 20.

. Refine keywords - If keywords are generating too many alerts, remove or revise them in Keyword Categories. Change small words such as "con" into several phrases ("con job," "con the man" or "con the boss"). You may have to revise several times to get the level of results you need to see.

. Tighten alert conditions - Reduce activities and specify exact conditions. For example, you're interested in tracking when "myfile" (a keyword) is printed or transferred. The file being opened in its usual application is not interesting to you. In a Recon keyword alert, you can deselect Applications and keep Documents activity to generate fewer alerts. In a Data event alert, you can add logical operators (AND, OR) that look for "myfile" (keyword) printed, or moved to the cloud, or copied to a thumb drive.

. Send email only to appropriate operators - Maybe one person doesn't need to receive all email. Consider delegating different types of alerts. Employee language in chat and email may be an HR concern. Productivity anomalies may belong to a Manager. Security alerts may belong to the Security Officer, and System Health alerts to the System Admin.

. Remove or disable unnecessary alerts - Use as few alerts as possible for the results you need. The more alerts enabled, the more alert email you will receive.

Email Configuration

To send email notification when a Veriato alert is triggered, you need to specify how the email will be sent from the Veriato server (the database computer). This is the "Sending" email configuration. You will specify the receiving "Alert Operators" within individual alert definitions. There are two ways to set up delivery: use the Veriato email service or set up relay SMTP service using another email server.

The method of email delivery is initially set during installation. The default choice is "Secure Veriato Email Service." To change the method of email delivery after installation, select Global Options from the top bar. Email delivery method is the first choice on the options panel.

Management Console Top Bar

Secure Veriato email delivery

The default choice during first-time installation, this option requires no configuration and gets you up and running almost immediately. Veriato email service routes email through a Veriato email server, which is private and secure and for registered users only. No emails are saved, and nothing can be read, much like any number of online services. We recommend this option for evaluations. Because alert reports name the users and the activity that triggered them, confirm that routing that content through a third-party relay is acceptable under your own policy before relying on this option in production.

Relay SMTP email delivery

To use your own email server, or any other server you designate, select the "Use Another Email Service" option during installation or from Global Options.

1. Click Email Configuration on the toolbar.

2. Provide information in the Email Configuration dialog box.


. From Email Address: The email address from which alert notification will be sent.

. From Friendly Name: Any name to identify the email alert source.

. SMTP server: Enter the name of the computer, the domain, or the IP address of a mail server accessible from the Veriato Recon/360 Database computer. For example, the SMTP Server might be a computer named SERVER1 or the domain mail.mywebsite.com. An IP Address would have the format 11.22.33.44.

. Send Timeout: Length of time in seconds to continue attempting to send the email before timing out. The default is 300 seconds.

. Port Number: The port on the mail server to connect to when sending alert notification email. The default is 25, the standard SMTP port. Many mail servers expect authenticated submission on port 587 (STARTTLS) or 465 (implicit TLS) instead; use the port your mail administrator specifies.

. Use SSL: Check this box to use SSL/TLS encryption for the connection to the mail server, if supported by your mail server. Without it, the login credentials and the contents of alert reports are sent to the mail server in clear text.

. Logon Type: How the email server will be accessed.

Windows Credentials - Select to use the current Windows login and password (at this computer), which will access Windows Task Scheduler to send the email.

Login and Password - Select to enter a User Name and Password and directly access the email server.

Google 2-step verification

If you have 2-step verification set up on a Google account, you may experience difficulty using that account's Gmail credentials for Veriato Recon/360 email delivery. Either turn off 2-step verification on the Google account and enable SSL, or set up a dedicated Gmail account that no one else uses (without 2-step verification) for email delivery. Where possible, prefer keeping 2-step verification on and generating a Google App Password for the sending account, entered as the Login and Password credential. A dedicated account should have a strong, unique password and be used for nothing else.

Test email delivery

Click the Test button to send a trial email. Enter any valid email address in the To Email Address box that appears and click OK.

A message tells you if the email was sent successfully.

If an error message appears, check the email server name (or IP address), the port number, and the login credentials, and confirm that no firewall between the Veriato server and the mail server blocks the outbound SMTP port.
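Before entering a relay in Email Configuration, it helps to know whether the server at that host and port answers at all, whether it offers STARTTLS (the usual basis for encrypting a connection on port 25 or 587) and which AUTH mechanisms it advertises (needed for Login and Password). The following added Python example, which is not part of Veriato, probes a relay with the standard library's smtplib and returns that information. It bundles a constructed fake relay so it runs offline; the host name veriato-server.example and the fake relay's responses are assumptions. Point probe_relay() at your real relay host and port to run it for real.

```python
"""
Added example (not Veriato code): pre-flight probe of an SMTP relay before
entering it in Email Configuration. It reports whether the relay answers,
whether it offers STARTTLS, and which AUTH mechanisms it advertises.
The fake relay below is a constructed stand-in so the example runs offline.
"""
import smtplib
import socketserver
import threading


def probe_relay(host, port, timeout=10, helo_name="veriato-server.example"):
    """Connect to host:port as a plain-text SMTP client and describe what the
    relay offers. helo_name is an assumed placeholder for the Veriato server.
    An implicit-TLS port (465) never sends a plain-text banner, so the probe
    ends with a timeout error there; probe the relay's 25 or 587 port."""
    result = {"reachable": False, "banner": "", "starttls": False,
              "auth": [], "error": ""}
    client = smtplib.SMTP(timeout=timeout, local_hostname=helo_name)
    try:
        code, banner = client.connect(host, port)     # reads the 220 greeting
        result["reachable"] = True
        result["banner"] = banner.decode("ascii", errors="replace")
        if code != 220:
            result["error"] = f"unexpected greeting code {code}"
            return result
        code, _ = client.ehlo()                        # sends EHLO <helo_name>
        if code != 250:
            result["error"] = f"EHLO rejected with code {code}"
            return result
        result["starttls"] = client.has_extn("starttls")
        # smtplib collects AUTH parameters into one space-separated string
        result["auth"] = client.esmtp_features.get("auth", "").split()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        try:
            client.quit()
        except (OSError, smtplib.SMTPException):
            pass
    return result


def advice(result):
    """Translate a probe result into what to set in Email Configuration."""
    if not result["reachable"]:
        return [f"Relay not reachable ({result['error']}): check host, port "
                "and any firewall between the Veriato server and the relay."]
    notes = []
    if result["starttls"]:
        notes.append("STARTTLS offered: enable Use SSL so credentials and "
                     "report contents are not sent in clear text.")
    else:
        notes.append("No STARTTLS on this port: Use SSL will not work here; "
                     "ask the mail administrator for a TLS-capable port.")
    if result["auth"]:
        notes.append("AUTH " + " ".join(result["auth"]) +
                     " offered: Login and Password can be used.")
    else:
        notes.append("No AUTH offered: the relay must accept mail from the "
                     "Veriato server's IP address without a login.")
    return notes


class _FakeRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in relay that only greets, answers EHLO and QUIT."""

    def handle(self):
        self.wfile.write(b"220 fake.relay.example ESMTP constructed test relay\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-fake.relay.example\r\n"
                                 b"250-STARTTLS\r\n"
                                 b"250 AUTH PLAIN LOGIN\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_fake_relay():
    """Start the stand-in relay on a free loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeRelay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_relay()       # replace with your real relay
    report = probe_relay("127.0.0.1", port)
    print(report)
    for line in advice(report):
        print("-", line)
    server.shutdown()
    server.server_close()
```

Run the probe from the Veriato server itself (the database computer), not from your workstation, because the firewall path that matters is the one from that host to the relay. A "Relay not reachable" result with a connection-refused or timeout error before you ever click Test narrows the problem to the host name, port, or a firewall rather than to credentials.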

Alert Operators

Alert Operators are the people who receive email notification when an alert condition is detected. Alert Operators are used by Recon, 360 Behavioral, 360 Event, and System Health alerts. Add operators as you define an alert or define operators in the Alert Operators section to make them available for selection for any alert.

To view the list of alert operators

Select Alerts & Policies | Alert Operators. Operators are listed in the right pane.

. Name - A name that identifies the operator.

. Email - The email address where alerts are sent.

. Description - A description of this operator.

. Enabled - Yes means the operator is enabled for receiving alert notification; No means the operator is disabled and will not receive alert notification messages until enabled.

To manage alert operators

. Create a new alert operator: You can create a new operator while configuring an alert or by clicking New in this view or Add an Alert Operator on an alert action panel. A new operator receives no email until he/she is assigned in an alert definition.

. Edit a defined alert operator: Double-click (or right-click and choose Modify) to change the operator's name, description, or email address.

. Disable or enable an operator: You may wish to disable an operator when the person is out of the office. Double-click the operator and clear the Enabled checkbox to disable or check it to enable the operator.

. Show or hide disabled operators: To view only enabled operators, in the Event Profiles list, double-click a profile in the list. Under the General tab, select Hide Disabled Alert Operators.

Defining an Alert Operator

Alert Operators receive email notification when Veriato Recon or Veriato Recon/360 detects an alert condition. You can add or edit an operator from Policies | Alert Operators. Click Add Operator from the top bar to add a new operator. Double-click, or right-click and select Modify, to edit an operator.

. Alert Operator Name - Enter an identification or name for the recipient.

. Description - Type a description of the recipient or the type of alerts being sent to the recipient.

. Email - A valid destination for the email. Enter an email address, or an email-to-SMS gateway address if the recipient should receive a text message. Use only one address per Alert Operator.

. Enabled - Check this box to enable the Alert Operator recipient. If this box is not checked, no email will be sent to this person, even if he or she is designated as a recipient for an active Alert Profile.

Click OK to save the recipient and the name to the Alert Operators list.

Recording Policy

Recording Policies

Every monitored device is assigned a policy specifying who, what, when, and how much is recorded. Changes to a policy apply to all Recorders using the policy. As each Recorder checks in with the Veriato Server it receives and applies updates. Select Alerts & Policies | Recording Policies to view available Recording Policies.

NOTE: Recording must be ON to receive alerts or view data.

Reasons to change policies

An "Initial Policy" is provided as the default for each device operating system. You can edit the policy, add new policies, or duplicate a policy to base one policy on another. Reasons for additional policies are:

. Investigations - For high surveillance, take frequent screenshots and gather more activity.

. Space management – Record less document, attachment, or other activity to save disk space.

. Ports recorded - Capture additional ports used by proxy servers or for communication in Chat/IM, Email and Website activity.

. Legal requirements – Omit capture of webmail and personal communications.

. Protect privacy - Selectively exclude URLs (e.g., banking) or applications from recording.

. Set up blocking – Block access (when on or off the network) to inappropriate sites.

. Add Android screenshots and geofences - These are not on by default; you need to edit the policy (and set up geofencing policies) to enable them.

. Capture Published Applications – For a Citrix or Terminal Services environment, set the Recording Policy to capture any Published Applications used on the network.

Viewing recording policies

Information appears in these columns:

. Default - A green check appears next to the default policy for each OS platform. This policy is used to install the Recorder if no other is selected.

. Platform - Each policy applies to a single operating system.

. Policy Name - Name of the policy.

. Description - A description of the policy.

Add, copy, or edit a policy

Select the drop-down menu for a policy and choose Modify, Duplicate, Set as Default or Remove. (You cannot remove an Initial Policy.)

NOTE: A new Recorder version may introduce new settings. Select the latest version when modifying a policy to see which settings might have changed.

Assigning a Recording Policy

A recording policy is installed with each Recorder. You may need to assign a new policy to investigate a user or change the level of data capture. Changes to policy assignment are received by the Recorder when it "checks in" with the Veriato Server.

Many policy changes take effect immediately, some when the user relaunches the program, and some changes to system-level recording require restarting the device. (See Changing Policy Settings).

To assign policy

1. In the Recorders section, open a group and select one or more devices to receive the new policy.

2. From the top bar, select Recording | Change Policy.

3. Policy assignment choices appear for each OS in your device selection. Select the policy you wish to assign to each. Android devices are ignored, because changing the policy requires reinstalling the app (see below).

Only Windows devices were selected

Devices with two different operating systems were selected


4. Click Submit.

5. If the settings in the policy require restarting any computer, you can schedule when the restart occurs. The default option is to wait until the user or normal IT procedure reboots the device.

Policies selected require restarting 8 computers

To be sure recording changes go into effect by a certain time, clear the check box and select:

Now - Restarts the computer as soon as it receives the policy change.

At scheduled time - Restarts the computer on the date and as close to the time you select as possible.

NOTE: If you are concerned that users may be logged in when the device reboots, see Using a Restart Message.

To assign policy from a Manual Setup

1. In the Recorders section, open any group.

2. From the top bar, select Deployment | Create Manual Setup.

3. Select an operating system for the setup file.

4. Click to open "Change [OS] configuration."

5. Select the Recording Policy to assign.

6. Click Create File and save the file to a location where you can access it and execute the file.

See also: Deploying to Android, Deploying with SCCM.

NOTE: Running a manual setup automatically restarts computers.

Adding a Recording Policy

Multiple recording policies make it possible to apply different levels of surveillance to different devices and their users. Use Alerts & Policies | Policies - Recording to create and manage your policies.

Note: Each policy must have a unique name. A repeated name will not be accepted, even for a different OS platform.

Adding a policy

1. Click Add Policy on the top bar and select the OS Platform from the menu.

2. Give the new policy a UNIQUE name. The name appears in selection lists and should describe the policy, up to 72 characters. Type an optional Description, up to 256 characters, to appear in the Recording Policies list.

For a computer, click OK to proceed to the settings. If there are multiple Recorder Versions, a prompt asks you to select one for this policy (if not, the prompt does not appear).

3. Change the settings as you wish and then click OK or Save.

Copying a policy

A duplicate policy repeats all settings of the current policy except the name. A copy allows you to use the same detailed configurations in multiple policies. You can then adjust and apply each to different Recorders or Recorder groups.

1. Click the Policy Name drop-down and select Duplicate. The Copy Recording Policy box appears.

For Android, click the Policy Name to expand its settings, and then click Duplicate at the bottom of the settings panel.

2. Give the policy a unique name and description. For computers, check "Open this Policy" to go directly to the Client Recorder Settings panel after clicking OK. Clear the option to add the policy without making further changes.

3. Make changes to the copied policy and save it.

Changing Policy Settings

Changes to policy settings are received by the Recorder when it "checks in" with the Veriato Server.

1. Click the Policy Name drop-down and select Modify. The Client Recorder Settings panel opens.

2. Find and change settings as you wish. Click Save or OK.

The Recorder checks in for configuration changes (every 5 minutes) and receives the changes in settings. Changing an Android policy requires updating the app on the mobile device. In the table below, "Immediately" is as soon as the Recorder checks in (or is updated), "Program relaunch" is when an application must restart, and "Requires Restart" means no change until reboot.

Setting Immediately Program relaunch Requires Restart

Screenshots X

User Status X

Program Activity X

Document Tracking X

Network Activity X

Chat/IM Activity X

Block Chat/IM X

Block Websites X

Websites Visited X

Email Activity X

Keystrokes Typed X

Block Internet X

Block Cloud X

Log level change X

Stealth / Visible X

Hotkeys X

Server Send Interval & Throttling X

Record

Screenshot Settings

The Recorder takes full-screen Screenshots of each monitored computer, very much like a surveillance camera. You can play back a detailed visual history of the user's activity from the Management Console. To turn Screenshots off or change how they are taken, open the policy and select Record | Screenshots.

NOTE: Turning OFF Screenshots does not affect other recording.

To record screenshots:

• Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right-side panel.

• System Settings - If Screenshots recording is ON, click this button to set the snapshot format, special options, triggers, and timing.

• Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Screenshot System Settings

System settings allow you to change the format and frequency of screenshots at the client. In Record | Screenshots click the System Settings button. New settings take effect on restart.

Screenshot format

The Recorder takes color, grayscale, or black-and-white snapshots. Increasing the color depth requires more disk space, and you may have to increase the snapshot data storage limits so that snapshots are not deleted right away. Click the Snapshot Format drop-down list and select from the following formats:

• 1 Bit Monochrome: black-and-white; smallest file

• 4 Bit Grayscale: efficient and readable; recommended

• 4 Bit Color: graphic is indexed and reduced to 16 colors

• 8 Bit Color: graphic is indexed and stored in 256 colors

• 16 Bit Color: hi-color graphic stored in 65536 colors

• 24 Bit Color: true-color graphic stored in 16+ million colors

• 32 Bit Color: true-color with alpha channel; largest file (not recommended)

NOTE: You can easily read a 4-bit grayscale snapshot of a computer display set to a much higher resolution. However, there is no point in attempting a higher level of capture (e.g., 16-bit color) than the screen resolution (e.g., 256 colors).

Screenshot options

Check options to turn them on; uncheck to turn off:

• Include Secondary Monitors - Check to capture activity on multiple monitors when they are connected to the computer. Clear to capture activity only on the primary monitor.

• Capture Entire Screen Contents at Once - Windows Profiles Only. Check this option only if snapshots are displaying screens in transition. By default, the Recorder does not capture the entire screen at once, because it is usually not necessary and may slow down some computers.

• Capture Layered Windows - Windows Profiles Only. Check this option if you are missing snapshots because Window transparency (or translucency) is turned on. If you are not having problems, leave this option cleared.

• Check for Blank Screenshots - Check this option if you want to remove "blank" snapshots where there is no visible desktop, windows, or commands. Clear this option to keep all snapshots, regardless of what they show.

NOTE: Screenshots have built-in efficiency. The Recorder stores only the parts of the picture that have changed since the previous screenshot. Compression is applied to keep the file size as small as possible.

Configure Screenshot Recording (triggers)

To focus on meaningful snapshots or conserve disk space, you may want to choose the events that trigger screenshots and how often they are taken. In the Recorder Profile, select Record | Screenshots | System Settings and click the Configure Snapshot Recording button. Click OK to save your changes on this panel.


NOTE: If the user is inactive (not typing or using the mouse) for 3 minutes, screenshots stop until activity begins again. Change the "inactivity timeout" setting in General Options | Application settings.

Take a screenshot when an event occurs. Checked options are ON:

• Website Page is loaded - A web page loads in a browser (a user clicks a link).

• Website form is submitted - Windows only. An online form - login, money-transfer, registration, e-commerce order, etc. - is submitted.

• Program is loaded - An application is opened. Provides a picture of programs launched in a day.

• Window Title changes - Windows only. The window title bar (caption) changes - a document is opened, "Save As" saves a file to a new name, a new web page is loaded, etc. (has redundancy with "Website Page is loaded").

• Window Contents are scrolled - Windows only. The user scrolls the contents of any window in any application. Only one line of scrolling is needed to trigger the snapshot. This setting is useful when you need to see everything on a window the user is viewing.

• Left mouse button is clicked - The user depresses the primary mouse button (usually the left button) while clicking a hyperlink, placing the cursor to type, or selecting a menu and menu item.

• Left mouse button is double-clicked - Windows only. The user clicks the primary button twice in rapid succession to launch an application or act within an application.

• Right mouse button is clicked - The user clicks the secondary mouse button to take an action.

• Enter key is pressed - The user presses Enter to submit a form, add a paragraph break in a document, or execute a selected item.

IMPORTANT: Consider carefully which triggers to use. Heavy computer usage with all triggers activated could result in large amounts of recorded data.

Take a screenshot on keypress (Windows only): You can cause single keystrokes to trigger a snapshot. For example, you may want to take a snapshot when the user presses the Ctrl key, as part of a Save (Ctrl+S) or Print (Ctrl+P) operation.

1. Click the Add button. A message tells you the next key you press will be used as a snapshot trigger.

2. While the message is displayed, press a key on the keyboard. The box closes, and the single key is added under "Key Name."

Repeat for each key. To remove a key from the list, highlight it and click Delete.

Set screenshot frequency

Turn on the frequency option and set the time interval.

• Take Snapshot Every - Check to turn on timed snapshots. Clear to turn OFF timed snapshots.

• [30] Seconds - Use the arrows or type a number from 1 - 600 to set the seconds between snapshots.

Every 30 seconds (default) provides a compromise between detail of information and use of disk space. Increasing the time (for example, raising the interval to 90 seconds) causes fewer snapshots to be taken.

Decreasing the time (for example, lowering the INTERVAL to 4 seconds) causes more snapshots to be taken. More snapshots provide greater detail but use up disk space and slow the computer.

IMPORTANT: Snapshot settings affect performance! It is NOT recommended to take a snapshot every second. A snapshot every 5 seconds may require 6 times the storage space. Do NOT use the Enter or Spacebar keys as triggers on a computer where a great deal of typing occurs.

Chat/IM Settings

Veriato Recon/360 captures most conversations in online chat rooms or Instant Messaging (Yahoo, AIM, , Facebook). For a list of Chat/IM types recorded, click here. To turn off or refine this recording, select Record | Chat/IM Activity.

To record Chat/IM Activity:

• Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right-side panel. Turning off Chat/IM recording will not affect capture of Chat/IM activity in Screenshots, Keystrokes, or Program Activity.

• System Settings - Click this button for advanced settings. Do NOT change these settings unless you are sure you can do so without compromising the Recorder's ability to capture data. More...

• Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Chat/IM System Settings: Ports

CHANGE ONLY IF NECESSARY! In Chat/IM System Settings add a non-standard port to record or change a method of capture. Click the System Settings button to access this panel. Only advanced users should attempt to make changes, so that recording is not compromised.

NOTE: Changes take effect when the user logs off and restarts all Chat/IM applications. Be careful! If you remove ports, you may compromise the Recorder's ability to record.

This panel lists the default ports where the Recorder is listening for activity:

• IRC Ports - (Default) Records at ports 6660-7000.

• MSN Ports - (Default) Records at port 1863.

• AOL/ICQ Ports - (Default) Records at port 5190.

• Yahoo Ports - (Default) Records at ports 5050, 5101, 8001, 8002.

To add or remove a port:

1. In the appropriate protocol field, type a space following the given ports.

2. Type the new number. Use Delete or Backspace to remove a number.

3. Click OK on the dialog box to save your changes.

Chat/IM System Settings: Record Level

CHANGE ONLY IF NECESSARY! A "protocol" (IRC, AIM/ICQ, AOL, MSN, Yahoo) is the method of communication used by chat and IM services. The Recorder uses one of two approaches to capture each protocol: High-level or Low-level. The default settings are usually optimal for each protocol:

• Low-level - Captures basic chat and IM conversations (text only) at "low level" when a "high level" capture is not possible. Low-level capture works well for most conversations because it does not rely on a Chat/IM client version. The Recorder uses low-level capture for AOL Instant Messenger (AIM) and third-party applications that interface with major providers (AOL, Yahoo, MSN), such as .

• High-level - Captures content directly from the application window at "high level," resulting in a recording with greater detail (emoticons and the HTML formatting). This approach can record conversations from encrypted communication, whereas low-level recording cannot. High-level capture is used as a backup to the low-level method because it relies on a specific version of an application, which may change.

• Auto - The Recorder determines whether to use low-level or high-level capture each time a Chat/IM event begins. Generally, the Recorder uses low-level capture unless (a) the communications protocol is encrypted or (b) it does not recognize the protocol.

• Disabled - Disables capture of a Chat/IM protocol. Use this setting to turn off all recording of one chat type, such as MSN.

To change a Record Level, determine which protocol to change, then use the drop-down list to change method of capture or to disable recording. Default settings are:

• IRC - Captures at Low-level.

• MSN - Captures Microsoft instant messaging on Auto.

• AIM/ICQ - Captures America Online Instant Messenger and ICQ chat at the Auto setting.

• AOL - Captures America Online in-browser chat activity at Low-level.

• Yahoo - Captures Yahoo Instant Messenger and Chat at the Auto setting.

Chat/IM System Settings: Record Options

The Record Options list displays additional chat types recorded by default. You may want to disable recording for approved chat (such as MSN Exchange) and still record all others. Alternatively, you may be interested in logging ONLY one type of Chat/IM. Checked options are recorded, cleared options are not recorded.

• Capture Web IMs - Messaging at a web site, such as Messenger or Yahoo Messenger.

• Capture OSCAR80 - OSCAR (Open System for Communication in Realtime) is an instant messaging protocol used by AOL for its ICQ and AIM messaging interfaces.

• Capture MySpace443 - Messaging that occurs on MySpace.

• Capture MSN Exchange - Microsoft messaging on an MS Exchange Server.

• Capture Skype - Text chat through the Skype program.

Chat/IM System Settings: enable a Time Stamp on low-level recording

Check Enable Time Stamp if you want to add a time stamp to each line of the conversation when low-level capture is used. For example:

<10:15:22> BlueSuede> How are you
<10:16:30> RedPatent> Fine
<10:17:00> BlueSuede> Good to hear

Websites Visited Settings

Veriato Cerebral automatically records every website visited on the Internet, capturing the domain, subdomain, and other data. Websites Visited settings allow you to turn this recording on or off, or (for Windows) adjust recording of websites. Select the policy's Record | Websites Visited panel.

To record Websites Visited:

• Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right panel.

This setting has no effect on the other Record settings. Website activity will still be captured in Screenshots, Keystrokes, and Application Activity.

• Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Website System Settings

DO NOT CHANGE UNLESS NECESSARY! The Record | Websites Visited | System Settings panel sets the ports and browsers Veriato Recon/360 will record. The default settings capture most user visits to websites and the website content. Only advanced users should attempt to make changes, so that recording is not compromised.


NOTE: Changes to these settings take effect when the user quits and restarts browser applications.

Website Ports recorded

The Recorder captures activity at TCP/IP ports commonly used to access the Internet. You would add a port if a computer is configured to use a non-standard web server port or a proxy server.

• HTTP Ports - Ports 80, 8080, and 11523 are TCP/IP ports commonly used to access the Internet. If your web server is configured to a different port, type a space and add the port number to this list.

• HTTPS Port - Port 443 is the TCP/IP port commonly used to access the Internet with SSL security. If the web server is configured to use a different port, type a space and add the port number to this list.

To find other ports being used: Inspect Network Events in Data or User Explorer. The event details show both the application name and port making connection to the Internet, so if (or another browser) connects at a port other than 80 (or one of the listed ports), you would add that port number to the Web Sites Visited System Settings.

To find proxy ports: If someone is using a proxy server, a different port is likely used. It's possible to find the proxy server being used at a client computer. The procedure will vary slightly, depending on the Windows OS version. At the client computer:

1. Open the Windows Control Panel to Network Connections. Click the LAN Settings button to open the Local Area Network Settings to find out if a proxy server is used.

2. Click Advanced to open the Proxy Settings window and capture the port numbers.

3. Add these ports to Websites Visited System settings in the Recording Policy for this computer.

For example: A proxy server address for HTTP traffic is 192.168.1.100:2280 (with 2280 being the port number). Type a space and then 2280 in the HTTP Ports field.

Website Record Options

By default, Veriato Recon/360 captures activity from most web browsers. You can selectively enable or disable types of recording.

• Record Mozilla Browsers (Firefox) - (ON by default) Check to enable capture of activity in Firefox, Netscape, and other Mozilla-based web browsers. Clear to skip recording these browsers.

• Record AOL Security Edition - (ON by default) Check to enable capture of AOL Security Edition. Clear to skip recording of this browser.

• Record POSTs - (ON by default) Check to enable capture of all POST form data, where information is sent from the local browser to a remote Internet server. Information about each POST appears in Website Events (Data Explorer or User Explorer). Clear to skip this recording.

An example of POST form data captured with web activity

Web Content

Capture of web content provides rich data in Web and Online Search Events, as well as web-based email, chat and various types of alerting. Frequent web browser updates, however, can affect Veriato recording, preventing data capture. For this reason, two methods of recording (legacy and extension) are provided to prevent data loss.

• Legacy recording - Veriato's proprietary recording method captures detailed data from websites visited (see Recorded Web Events and Online Search Events) while maintaining complete stealth.

• Extension recording - Veriato provides web browser "extensions," which have the advantage of being easily updated and reliable across changing browser versions. However, the extensions, although cryptically named (you will not see "Veriato"), may be visible within the browser as plug-in apps.

To many customers, data capture is more important than stealth, especially if users are informed that their activity on work devices is being recorded. We recommend using the extensions.

IMPORTANT: If you use both legacy and extension recording, data capture may be duplicated, affecting data aggregation in reports and graphs.

• If you DISABLE both "legacy" and "extension" methods, the browser will NOT be recorded.

• If you ENABLE both methods and both are working, recorded data may be duplicated.

• If you enable only the legacy method, it may stop working.

• If you enable the extension method, it may become visible.

Chrome recording

• Record Chrome using legacy method - ON by default. Use the stealthy method of recording, even though it may fail to record.

• Record Chrome using extension - ON by default. Use a more reliable Veriato Chrome extension to record, even though it may become visible.

• Disable Chrome extension if visible - ON by default. If the Veriato extension becomes visible in Chrome, disable it.

• Prevent a Chrome update that will reveal the extension - OFF by default. Allow the Recorder to control Chrome updates. If the Veriato extension cannot remain hidden in an update, the update is blocked. If the extension can be hidden, the update is allowed.

Firefox recording

• Record Mozilla Firefox using legacy method - ON by default. Use Veriato's secure and stealthy method of recording, even though it may fail to record.

• Record Mozilla Firefox using extension - OFF by default. Use a reliable but visible Veriato Firefox extension to record if the legacy method is not working.

Internet Explorer/Edge recording

• Capture web content in Internet Explorer - ON by default. Check to record all activity in IE. Clear to skip recording of generated content, such as Chat/IM Activity, Email Activity, and some Facebook/blog activity taking place within the browser. However, during this activity Websites Visited (URLs), Online Searches (search terms), Network Activity and Keywords within the browser WILL be captured.

• Record Edge using extension - OFF by default. Use a reliable but visible Veriato Edge extension to record if the other method of capture is not working.

Email Activity Settings

The Veriato Recon/360 Recorder automatically captures email activity, but it does not capture email attachments unless you tell it to. Change email settings to record attachments, "filter" email recorded, or fine-tune recording. To view the email types recorded, click here. Access the Email Activity panel by opening a policy and selecting Record | Email Activity.

To record Email Activity

• Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right-side panel.

• Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

This setting does not affect capture of email activity in Screenshots, Keystrokes, and Program Activity.

NOTE: The Recorder captures AOL, Webmail, and incoming IMAP email when the message is opened for reading by the user. The Recorder does NOT record attachments to AOL or Webmail messages.

• Record attachments - Check to record email attachments. Clear to skip capture of attachment files. The Recorder can capture files attached to incoming and outgoing email. The entire attached file (if it does not exceed the maximum size) is stored with the email event record. If the file cannot be captured or if this option is OFF, the email event record still indicates the presence of an attachment.

• Maximum Attachment Size - Attachments larger than 100 KB (default) are NOT captured. Set any maximum size from 0 to 32767 kilobytes (over 32 MB). Be careful! If you increase the maximum size, you may need to increase the computer's storage space for retaining all non-snapshot data (default is 10 MB).

The following setting records attachments up to 10 MB

NOTE: Email attachments can be large and numerous and take up disk space both on the local computer and in the central storage. Use an email Filter to limit capture of attachments, if necessary.

• Configure Filter - Click this button to define rules that record or ignore email based on the email contents or other criteria. More...

• System Settings - Windows Only. Click this button for advanced settings. Do NOT change these settings unless you are sure you can do so without compromising the Recorder's ability to capture data. More...

Configure an Email Filter

Email filters reduce the quantity of email captured and make it easier to find and focus on important information. An email filter tells Veriato Recon/360 whether to record or ignore an email based on conditions you specify. For example, you can instruct Veriato Recon/360 to ignore email from "XYZ Store" and ignore anything sent from your own auto-responder, "ABC Organization." From a policy's Record | Email Activity settings panel, click the Configure Filter button.


NOTE: Email recording must be ON, and all criteria of a rule must be TRUE before a rule is applied. To ensure new settings take effect, restart computers after changing filtering rules.

To set up email filtering:

1. Add a Rule. On the Email Filter box, click Add. The Email Rule box opens. See below.

Each rule sets conditions the email must meet to be recorded or ignored. Use one or a series of rules to create a filter. Each rule added appears at the bottom of the Rules list. Rules are applied in the order they appear in this list.

2. Set priority for the Rules. The first rule in the list is applied first and becomes an "exception" for lower rules. Use the buttons to arrange the rules and change the logic:

• Add - Add another rule.

• Delete - Select a rule and click to remove it.

• Edit - Select a rule and click to open the Email Rule box and change conditions for a rule.

• Move Up - Select a rule and click to move it up the list, changing the filtering logic.

• Move Down - Select a rule and click to move it down the list, changing the filtering logic.

3. If NONE of the rules apply - Choose whether the email is recorded or ignored.

4. Finally, click OK on the Email Filter box to set the rules and return to the Email Activity settings panel.

For example: Too much inhouse email is recorded, but you do not want to lose valuable tracking information about legal matters.

1. Rule One. Create a rule to look for email with "legal" in the Subject or Body AND "MyCompany.com" in both the To and From addresses. Email matching this condition should be recorded.

2. Rule Two. Create a second rule that looks for inhouse email (SMTP/POP email with "MyCompany.com" in the To OR From address). Email matching this condition should be ignored.

3. Set Rule Priority. On the Email Filter box, position the first rule as an exception at the top of the list. Select "If none of the rules apply, then the email should be recorded." The logic will be:

(a) Inhouse "legal" email: Record
(b) Other inhouse email: Ignore
(c) All other email not matching these rules: Record

Email Filtering Rule

An Email Filter rule sets the conditions for recording or ignoring email. The Recorder tests each email against the rule. Click Configure Filter and then Add or Edit to display this panel.

Rule Name

• Type a name for the rule you are creating. Alphanumeric characters and punctuation are permitted.

Rule Criteria: If the email was:

• Sent from This Computer - Check to include email sent from this computer; clear to exclude email sent from this computer.

• Received by This Computer - Check to include all email received by this computer; clear to exclude. If both items are checked, all email sent OR received by this computer is included.

And the email:

• Has attachments - Check to include email with attachments; clear to exclude attachments. If "Has attachments" is checked, you can specify the size of the attachment using the drop-down list and entry field. Attachment rules do not apply to webmail.

  of any size - All attachments are included.

  less than - Include only attachments smaller than the specified size. Type a number to represent the size in kilobytes.

  greater than - Include only attachments larger than the specified size. Type a number to represent the size in kilobytes.

  equals - Include only attachments of an exact size. Type a number to represent the size in kilobytes.

• Does not have attachments - Check to include email with NO attachments; clear to exclude email without attachments. If both items are checked, email with OR without attachments is included. (Record Attachments must be enabled, and attachment rules do NOT apply to webmail.)

And the email's format is: If all items are checked, the email can be in any format.

• Plain Text - Text only, no formatting.

• HTML - Hypertext Markup Language - includes graphics and special fonts.

• RTF - Rich Text Format - includes graphics and special fonts.

And the email comes from: Check email types to include in the rule. By default, all email sources are included: SMTP / POP, Webmail accounts, AOL accounts, Microsoft Exchange accounts and IMAP accounts.

And the email's To / From / Subject / Body: Create conditions based on what appears in the To, From, Subject, or the Body fields of the email. Use the drop-down list next to each field to select how to match and type the word or characters to be matched.

• is anything - (Default) All email is included, regardless of what is in the field; leave the field next to it blank.

• starts with - The beginning of the email field matches what you type in the adjacent box. For example, check the From field for addresses starting with "Robert" - [email protected] or [email protected].

• ends with - The end of the email field matches what you type in the adjacent box. For example, you might look in the To field for matches to "TheirCompany.com" and capture email sent to [email protected] and [email protected].

• contains - The email field contains the characters typed in the adjacent box. For example, you might look for "weapons" anywhere in the Body of an email.

• equals - The email field exactly matches what you type in the adjacent field.

Click OK to close the box and set the rule. Click Cancel to close the box without saving changes. Set the priority of this and other rules when you return to the Email Filter box.
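The filter logic of the "legal email" example above and of the rule criteria just described, as an added Python model (not Veriato's code): rules are tested in list order, the first rule whose criteria all hold decides record or ignore, and the "If NONE of the rules apply" choice covers everything else. Because a rule's criteria are ANDed, the example's "Subject or Body" and "To OR From" conditions each become two rules; the sample messages are constructed, and case-insensitive matching is an assumption the guide does not state.

```python
"""Ordered email-filter logic as this guide describes it (added example, not Veriato's code).

Rules are tested top to bottom; the first rule whose criteria all hold decides
record/ignore, and the "If NONE of the rules apply" choice covers the rest.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Operators offered for the To / From / Subject / Body fields.
# Case-insensitive matching is an assumption; the guide does not say.
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "is anything": lambda value, text: True,
    "starts with": lambda value, text: value.lower().startswith(text.lower()),
    "ends with": lambda value, text: value.lower().endswith(text.lower()),
    "contains": lambda value, text: text.lower() in value.lower(),
    "equals": lambda value, text: value.lower() == text.lower(),
}

ALL_DIRECTIONS = {"sent", "received"}
ALL_SOURCES = {"SMTP/POP", "Webmail", "AOL", "Exchange", "IMAP"}
ALL_FORMATS = {"Plain Text", "HTML", "RTF"}


@dataclass
class Email:
    direction: str                        # "sent" (from this computer) or "received"
    source: str                           # one of ALL_SOURCES
    fmt: str                              # one of ALL_FORMATS
    sender: str                           # the From field
    to: str
    subject: str
    body: str
    attachment_kb: Optional[int] = None   # None means no attachment


@dataclass
class Rule:
    name: str
    action: str                           # "record" or "ignore"
    directions: Set[str] = field(default_factory=lambda: set(ALL_DIRECTIONS))
    sources: Set[str] = field(default_factory=lambda: set(ALL_SOURCES))
    formats: Set[str] = field(default_factory=lambda: set(ALL_FORMATS))
    has_attachments: bool = True          # "Has attachments" box
    no_attachments: bool = True           # "Does not have attachments" box
    size_op: str = "of any size"          # or "less than" / "greater than" / "equals"
    size_kb: int = 0
    # (field, operator, text) triples; all must hold, since a rule's criteria are ANDed.
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)


def attachment_ok(rule: Rule, email: Email) -> bool:
    """Attachment criteria; per the guide they do not apply to webmail."""
    if email.source == "Webmail":
        return True
    if email.attachment_kb is None:
        return rule.no_attachments
    if not rule.has_attachments:
        return False
    kb = email.attachment_kb
    return {
        "of any size": True,
        "less than": kb < rule.size_kb,
        "greater than": kb > rule.size_kb,
        "equals": kb == rule.size_kb,
    }[rule.size_op]


def rule_matches(rule: Rule, email: Email) -> bool:
    if email.direction not in rule.directions or email.source not in rule.sources:
        return False
    if email.fmt not in rule.formats or not attachment_ok(rule, email):
        return False
    return all(MATCHERS[op](getattr(email, fld), text) for fld, op, text in rule.conditions)


def apply_filter(rules: List[Rule], email: Email, if_none_apply: str = "record") -> Tuple[str, str]:
    """Return (action, name of the deciding rule); the first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, email):
            return rule.action, rule.name
    return if_none_apply, "none apply"


# The guide's worked example. "legal in Subject OR Body" and "MyCompany.com in
# To OR From" each need two rules, because criteria inside one rule are ANDed.
INHOUSE_BOTH = [("sender", "ends with", "MyCompany.com"), ("to", "ends with", "MyCompany.com")]
EXAMPLE_RULES = [
    Rule("Legal (subject)", "record", conditions=INHOUSE_BOTH + [("subject", "contains", "legal")]),
    Rule("Legal (body)", "record", conditions=INHOUSE_BOTH + [("body", "contains", "legal")]),
    Rule("Inhouse from", "ignore", sources={"SMTP/POP"}, conditions=[("sender", "ends with", "MyCompany.com")]),
    Rule("Inhouse to", "ignore", sources={"SMTP/POP"}, conditions=[("to", "ends with", "MyCompany.com")]),
]

# Constructed sample messages (not real data).
SAMPLES = {
    "legal": Email("sent", "SMTP/POP", "Plain Text", "alice@MyCompany.com", "bob@MyCompany.com", "Legal review", "contract draft"),
    "lunch": Email("sent", "SMTP/POP", "Plain Text", "alice@MyCompany.com", "bob@MyCompany.com", "Lunch?", "noon"),
    "webmail": Email("received", "Webmail", "HTML", "friend@example.org", "alice@MyCompany.com", "legal stuff", "hi", attachment_kb=50),
}


def decide_all() -> Dict[str, str]:
    """Run the example filter over the samples, as the Email Filter box would."""
    return {name: apply_filter(EXAMPLE_RULES, email)[0] for name, email in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in decide_all().items():
        print(f"{name}: {decision}")
```

The webmail sample is recorded only because the two "inhouse" rules are limited to the SMTP/POP source; reordering the list so an ignore rule precedes the legal rules would silence the legal email, which is the priority effect step 3 of the example warns about.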

Email System Settings

Windows Computers Only. Email System Settings allow you to control which types of email Veriato Recon/360 records and where it listens for email activity. You can also enable recording of Internal Webmail on private web sites. Do not change these settings unless you are sure you will not compromise recording. Select the profile's Record | Email Activity and click the System Settings button.

NOTE: If you do need to make changes to System Settings, ensure they take effect by restarting the computer.

Email type recording

By default, when Record Email Activity is ON, Veriato Recon/360 captures all types of email. Clear any boxes to turn OFF recording of a type of email. Check boxes to turn ON recording.

• IMAP Email - Incoming IMAP email. Programs using IMAP for incoming email usually use SMTP for outgoing email (see below).

• AOL Email - Email composed or opened using the proprietary AOL Internet interface. AOL email is recorded when the user opens received email or composes a message.

• Web Email - Email messages sent and received through a Web browser (Webmail) using Hotmail, Yahoo, Gmail, etc. Webmail is recorded when the user opens received mail or composes a message.

• SMTP/POP Email - Email sent using SMTP and received using POP.

• Exchange/MAPI Email - Email from MS Exchange or another application incorporating MAPI functionality to become "mail-enabled."

  Scan ONLY Inbox for pre-existing new emails - The Exchange / MAPI Email option must be enabled. Check to capture unread Exchange/MAPI email ONLY in the user's Inbox folder. Clear to capture unread messages in ALL folders in the Exchange mailbox. If you change this option, the user must log out and log in for the change to take effect.

• Lotus Notes - Email sent and received through Lotus Notes. Check to capture Lotus Notes, and clear to skip this type of email recording.

Email System Settings: Options

• Check for duplicate emails - By default Veriato Recon/360 checks for and ignores duplicate email messages. Clear the check box to record all email sent and received. Veriato Recon/360 keeps a list of the last 100 email messages received. If an exact duplicate is received and this option is set, the duplicate is ignored. The list restarts when the computer restarts.

• Use alternate MAPI capture - Use this option when requested by Technical Support. Enable this option only if the Recorder conflicts with add-in software to cause unexpected behavior in a MAPI email client (such as Microsoft Outlook).

Email System Settings: Record internal webmail sites

“Internal web email” is hosted on a private website, as opposed to external webmail offered by providers such as Hotmail or Yahoo. Internal webmail is not recorded unless configured with the host location and/or IP address.

. On the Email System Settings panel, click Add next to Internal Webmail.

1. Under Select Internal Webmail Type, use the drop-down list to select the type of webmail host you wish to record.

SqWebMail - The user logs into SqWebMail, a webmail CGI client frequently offered with private websites that sends and receives email using Maildir mailboxes.

2. Type the host location in the first field. This is the URL of the mail server, which usually starts with "mail" instead of "www," such as mail.school.edu.

3. If you wish, check the "Host might be accessed by the following IP address" and enter the IP address of the webmail host. If you don't know the IP address, click the Resolve button. The IP address is optional.

4. Click OK to return to the Email System Settings, where the webmail host is now listed and will be recorded.

Email System Settings: Mail Server Ports

Type a space following the default port, then type the port number. The Recorder will monitor all specified ports. Click OK to set the changes.

. SMTP Ports - Monitors port 25 to capture outgoing SMTP email.

. POP Ports - Monitors ports 109 and 100 to capture incoming POP email.

. IMAP Ports - Monitors port 143 to capture incoming IMAP email received via a remote server.

Files Transferred Settings

By default, the Recorder captures any peer-to-peer, FTP, or HTTP upload/download activity on network computers. Turn off or fine-tune File Transfer recording on the Files Transferred panel.


To record file transfer activity:

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right-side panel.

This setting has no effect on the other recording. Network and Document activity can still be recorded.

. System Settings - Windows Only. Click this button for advanced Files Transferred settings that allow you to add Gnutella and FTP ports or turn off capture of HTTP uploads.

Keystrokes Typed Settings

The Recorder captures all keystrokes typed in all programs. You can turn off or fine-tune keystroke logging from the Keystrokes Settings panel. Keystrokes include non-visible keys, such as Shift and Control.

NOTE: The Recorder does not capture mouse activity.

To record Keystrokes Typed

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right panel.

. Do Not Capture Passwords - Check to "mask" password entry with asterisks (*) so passwords will not show up in Keystrokes Typed reports. Clear this option to see all password keystrokes.

A user name with a masked password

Enabling this option may not prevent capture of passwords with form (Post) data, which appears in the Management Console as part of web site activity when Record POSTs is enabled. This means passwords will be visible in some cases where a web site login was used. When you enable this option, a message asks if you would prefer to completely disable capture of form data to avoid capture of passwords.

Choose Yes to disable POST forms capture, ensuring no passwords will be captured.

Choose No to mask keystroke passwords but allow capture of form data.

. System Settings - Windows Only. Click this button to access the Record Characters option, which is useful for monitoring computers being used in other languages.

Program Activity Settings

By default, the Recorder captures all activity within applications used at the computer. You can turn OFF this type of recording or change the inactivity "time out" that determines when an event ends. Select the policy's Record | Program Activity panel.

Turning off Record Program Activity has no effect on the other recording tools. Program activity will still be visible in Screenshots and Keystrokes.

Program System Settings

A program is considered "inactive" once all mouse and keyboard activity has ceased for 3 minutes (default) within the program instance. If 3 minutes have passed with no activity, recording stops, and the Recorder marks the program as "inactive." The Recorder subtracts the 3-minute time-out period from the active period in the event record. As soon as mouse or keyboard activity begins, recording begins again.

You can change the Inactivity Timeout period in a profile's Record | Program Activity | System Settings. This setting is effective only if Program Activity recording is ON and applies to activity within programs and at web sites (within browser programs). Timed Screenshots and general User Status are not affected.

Next to Inactivity Timeout click the up or down arrow or type a number to change the time out interval (0 – 999 minutes). The default interval is 3 minutes. Zero (0) specifies "no time out." Click OK to save your change and return to Program Activity settings.

NOTE: Once the inactivity time is exceeded, the time the program window remains open — including the Inactivity Timeout duration (3 minutes) — will be displayed as "inactive" in the Management Console.

User Status Settings

The Recorder captures information about all users who log in to the monitored computer - when they log in, when they log out, and if they were actively working throughout the day. You can turn User Status recording on or off in a recording policy from Record | User Status.

Turn recording off or on

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right pane.

. Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

When this recording is ON, a chart of activity for the user appears in the User Status view.

Document Tracking Settings

Veriato Recon/360 captures actions on files at network, cloud and removable drives, as well as documents sent to printers. Use the flexible File Tracking settings to watch what happens to specific files or at specific locations. Activity captured can be used in Recon alerts and 360 Document Events.


Enable or disable Document Tracking

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right pane.

. Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Disabling Document Tracking does not affect other types of recording. The same user activity would be captured in Screenshots, Program Activity or Websites Visited, as applicable.

Record files transferred at (drive type)

Check the drive types where you want to watch activity. Veriato Recon/360 watches for file creation, deletion, renaming, opening and editing. In addition to these drives, Veriato Recon/360 will also track documents sent to printers.

. CD/DVD - Windows Only. Track files copied or burned to CD/DVD media.

. Cloud - Track files moved to or from cloud storage.

. USB - Track file editing and movement on USB (removable) drives.

Cloud storage activity - Google Drive, DropBox or OneDrive - is recorded when the cloud drive is mapped and synced to a local folder. Activity that takes place solely on the web is not captured as "Document Tracking," but would be visible in Websites Visited and Screenshots.

Document Tracking - File Tracking Filter

The Document Tracking Settings panel presents a File Filter button. Click this button to display the File Filter box (shown below) and enter the name of a file you want to include or exclude from recording on any drive. You can include a specific path or use a combination of wildcards with path specification and/or file type. The entry in the illustration below would track all .doc files on any UNC drive:

Track a file

Enter the file name. For example, if you enter "budget.xls" to be included, the Recorder will record activity to any budget.xls file in any directory on any of the drives being recorded. If you want to track a single file stored at a location, you must specify the full path, for example, "\\SERVER3\2011\Budgets\budget.xls."

Use wildcards

You can use wildcards to specify a path, a filename, or a file type. The Recorder will include or exclude files represented if file tracking is ON for the drive or drive type.

. Use the * (asterisk) wildcard to match any characters or none.

. Use the ? (question mark) wildcard to match any one character.

. Use *\* to find the match on any path.

For example:

Include or exclude all Word documents - *\*.doc

All documents in any directory with "private" in the file name - *\*private*.*

All documents on the C: drive with "private" in the file name - c:\*\*private*.*

All documents on a specified UNC host - \\192.168.1.20\*\*\*.*

All Word documents at any UNC location - \\*\*\*\*.doc

All Word documents on any lettered drive - *:\*\*.doc

All documents with the file type "as" plus one additional letter (for example, .asp) - *.as?

Click OK to add the filter to the include/exclude list or cancel to discard the filter.
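The following Python matcher is an added illustration of the wildcard rules above, written for this guide and not taken from the Veriato product; it applies the "*" and "?" rules to the patterns listed and then evaluates a path against an include/exclude list. Two points the guide does not spell out are assumptions here: a filter with no backslash is compared to the file name only (which is how "budget.xls" can match in any directory), and a matching exclude entry always outranks an include entry.

```python
import re
from typing import Iterable, Tuple

Filter = Tuple[str, str]   # (pattern, "include" or "exclude")


def filter_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one file filter into an anchored, case-insensitive regex.

    '*' matches any run of characters (or none), '?' matches exactly one
    character, and everything else, including the path separator and '.',
    is taken literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def filter_matches(pattern: str, path: str) -> bool:
    """True if the filter matches the given Windows/UNC path.

    A filter with no path separator ("budget.xls", "*.as?") is compared to the
    file name only, so it matches that name in any directory on any drive; a
    filter containing a separator is compared to the full path.  This split is
    an interpretation of the guide's wording, not documented product behaviour.
    """
    subject = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    return filter_to_regex(pattern).match(subject) is not None


def is_tracked(path: str, filters: Iterable[Filter]) -> bool:
    """Evaluate a path against the include/exclude list.

    Assumed combination rule (the guide does not state one): any matching
    exclude entry wins; otherwise, if include entries exist, the path is
    tracked only when one of them matches; with no include entries everything
    that is not excluded is tracked.
    """
    filters = list(filters)
    if any(m == "exclude" and filter_matches(p, path) for p, m in filters):
        return False
    includes = [p for p, m in filters if m == "include"]
    if not includes:
        return True
    return any(filter_matches(p, path) for p in includes)


# Constructed sample paths that exercise the patterns listed in the guide.
SAMPLE_PATHS = [
    r"C:\Users\bob\plan.doc",
    r"C:\Users\bob\private_plan.doc",
    r"\\SERVER3\2011\Budgets\budget.xls",
    r"C:\inetpub\wwwroot\index.asp",
    r"C:\inetpub\wwwroot\index.aspx",
]


def demo(filters: Iterable[Filter]) -> dict:
    """Return {path: tracked?} for the sample paths under the given filters."""
    return {p: is_tracked(p, filters) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    # Track every Word document on any path, but never anything "private".
    policy = [(r"*\*.doc", "include"), (r"*\*private*.*", "exclude")]
    for path, tracked in demo(policy).items():
        print(f"{'TRACK ' if tracked else 'ignore'}  {path}")
```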

Document Tracking - Default File Tracking

Windows Computers Only. When you configure File Tracking for each Drive, the default settings are applied to drive locations where Custom Tracking is NOT set. You can change the default settings to limit or expand the activity captured. To see this panel, select System Settings and Configure File Tracking Options for each Drive and click the Default Tracking button.

Reasons to change Default Document Tracking:

. You are only interested in "write" actions in sensitive files.

. You need to watch a user's local drives for a few days.

. You need to track ALL activity that occurs to a sensitive document, even on local drives.

Be careful! Increasing Document Tracking capture can fill up a hard disk and slow performance! Be sure to set up a file filter when tracking the Local drive type!

To change the default settings

. Track if - Select file actions to watch. Clear (uncheck) actions you do not wish to track:

CREATE: Creating a new file. A new document or copy of the document was created.

DELETE: The document was removed.

EDIT: The document was opened and then saved or not saved.

PRINT: The document was sent to a printer.

RENAME: The document was renamed or copied.

. Drive Type - Check the drives you wish to track. Clear the drives you do not wish to track:

Local - Any local hard drive.

Other - Any other drive.

Click OK. Changes will be applied when the Recorder checks in with the CCS. You may want to restart the recorded computer to make sure changes apply to all applications.

Save your changes and close the window

Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Network Activity Settings

If Record | Network Activity is turned ON in a policy the Veriato Recon/360 Recorder captures all external connections made from a device for updates, information, or data exchanges. These events can help you spot unexpected, inappropriate connections.

Because the amount of network activity captured on a busy network can be overwhelming and does duplicate other recording, you may want to limit what is recorded. Turning off Network Activity recording has NO effect on the recording of Files Transferred, Document Tracking, Websites visited, or other types of recording.


Turn recording off or on

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right pane.

. Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Record network activity by applications

Some installed programs regularly make connections to check for updates, creating unneeded data in Network events. To filter the data recorded, you can include or exclude programs. For example, you might exclude Internet browsers to avoid duplicating what is captured by Web Sites Visited recording. This filtering you set here has no effect on other types of activity recording.

. Record network activity for only these applications listed - Record ONLY the listed programs.

. Record network activity for all applications except these listed - EXCLUDE the listed programs.

Click Add in the Programs section. In the Select Programs box, select the programs you wish to include or exclude. Use the Browse button to navigate to and select an executable file (it would have to exist on the current computer). The folder path of the file name is NOT necessary. Click OK to close the box and add the program to the list. The listed programs will be recorded (or excluded from recording).


Tip: Start the program you want to select, then return to “Select Program(s) to Exclude” and click Refresh. The list of available programs now includes the one you just started.

Limit ports where Network Activity is recorded

You may want to focus Network event recording on certain TCP/IP communication ports by including only certain ports or excluding busy ports. This filtering will NOT prevent other types of activity being recorded at these ports.

. Capture network activity for these IP ports listed - Select to include ONLY the listed IP ports. Be sure to REMOVE the default ports and Add the ports to include. For example, to capture ONLY web traffic, clear all ports and add 80 (*.*.*.*:80).

. Capture network activity for all IP ports except those listed - By default, Veriato 360 captures activity at ALL ports EXCEPT those listed; capturing every port would result in large amounts of recorded data. You can exclude additional ports. For example, port 25 is almost always used for SMTP email. You might exclude this activity if you get enough data from Email recording by adding (*.*.*.*:25).

10.*.*.*:* - Represents an IP address range typically used internally on local area networks.

169.254.*.*:* - Represents an IP address range used for link-local addressing. This range is used when there is no static IP address configured, and a DHCP server can’t be reached for auto-configuration.

192.168.*.*:* - Represents an IP address range typically used internally on local area networks.

Click Add in the Ports section. In the IP:Port box, type the IP address and port, or use * (asterisk) to specify ANY value.


Examples:

. All ports at a local computer might be: 192.168.0.90:*

. Email at any IP address using the standard SMTP port is: *.*.*.*:25


If you don't know the IP address, under Computer and Domain Name Resolver enter the "friendly" computer name known on the network (such as OFFICE005) or a domain name (such as amazon.com) and click the Resolve button. If the name can be resolved to an IP address, it is displayed in the IP fields above. In the example above, activity at Amazon.com would be excluded (or included).

NOTE: All network connections have IP:Port information. The IP is the address of the computer where connection was established, and the port locates the connection at the computer. Ports are like phone extensions to a single phone number. Some port numbers are well known, standard Internet connections. For example, port 25 is almost always used for SMTP email, and Port 80 is almost always used for web page connections.

Click OK to accept the entry or Cancel to reject it. The window closes. If the entry was accepted, the IP and Port are added to the IP:Port list.

Network System Settings

Network Activity System Settings allow you to adjust the time-out period at which the Recorder "flushes" a network event. Change this setting only if you are sure you will not compromise the Recorder's ability to record, or if directed by Veriato Technical Support. Select Record | Network Activity and click System Settings.

Flush after n minutes of inactivity - Enter the minutes of inactivity before a Network event ends. The default value is 10. In other words, ten minutes with no network connections flushes network recording and ends the event. The next connection after 10 minutes begins a new event.

. Reducing the minutes in this setting generates more events.

. Raising the minutes in this setting generates fewer events with more connections.

. A connection to the same network IP address at a different port is recorded as a separate event.

. If more than one connection is made by the same program to the same network address/port within a period of activity, the Recorder adds the connection to the current event.

. If the inactivity period passes without any new connections being made, the Recorder records current activity as an "event," including the count of connections made during the event.

For example: If you browse CNN in the morning for 5 minutes and again at lunch for 15 minutes, two separate network events involving cnn.com are recorded (inactivity was detected between morning and lunch). If you are browsing CNN in the morning and continue to browse continuously until lunch, a single event with many connections would be recorded (no inactivity detected).
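As an added illustration written for this guide (not code from the Veriato product), the following Python script first applies an IP:Port list of the kind described under "Limit ports where Network Activity is recorded" to a set of constructed connections, then groups the recorded connections into Network events using the inactivity flush rules described in this section, reproducing the morning-and-lunch CNN case. The address 203.0.113.10, the program names and the timestamps are constructed, and measuring the inactivity window from the most recent connection in an event is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The guide's default exclusions, plus the SMTP exclusion it suggests.
DEFAULT_EXCLUDES = ["10.*.*.*:*", "169.254.*.*:*", "192.168.*.*:*", "*.*.*.*:25"]


def entry_matches(entry: str, ip: str, port: int) -> bool:
    """True if an IP:Port entry (with '*' wildcards) covers this connection."""
    pat_ip, pat_port = entry.rsplit(":", 1)
    octets = pat_ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"malformed IP:Port entry: {entry!r}")
    if pat_port != "*" and int(pat_port) != port:
        return False
    return all(p == "*" or p == o for p, o in zip(octets, ip.split(".")))


def connection_is_recorded(ip: str, port: int, entries: List[str], mode: str) -> bool:
    """mode 'only': record ONLY listed entries; mode 'except': record all EXCEPT them."""
    listed = any(entry_matches(e, ip, port) for e in entries)
    return listed if mode == "only" else not listed


@dataclass
class Connection:
    program: str
    ip: str
    port: int
    when: datetime


@dataclass
class NetworkEvent:
    program: str
    ip: str
    port: int
    start: datetime
    last: datetime
    connections: int = 1


def aggregate_events(conns: List[Connection],
                     flush_after: timedelta = timedelta(minutes=10)) -> List[NetworkEvent]:
    """Group recorded connections into Network events.

    Connections are keyed by (program, ip, port): the same program reconnecting
    to the same address/port within the inactivity window joins the current
    event, a different port at the same address is a separate event, and once
    the window passes with no new connection the event is closed and the next
    connection opens a new one.  The window is measured from the most recent
    connection in the event (an assumption; the guide does not say).
    """
    open_events: Dict[Tuple[str, str, int], NetworkEvent] = {}
    closed: List[NetworkEvent] = []
    for c in sorted(conns, key=lambda c: c.when):
        key = (c.program, c.ip, c.port)
        ev = open_events.get(key)
        if ev is not None and c.when - ev.last > flush_after:
            closed.append(open_events.pop(key))   # inactivity: flush the event
            ev = None
        if ev is None:
            open_events[key] = NetworkEvent(c.program, c.ip, c.port, c.when, c.when)
        else:
            ev.last, ev.connections = c.when, ev.connections + 1
    closed.extend(open_events.values())           # flush whatever is still open
    return sorted(closed, key=lambda e: e.start)


def sample_connections() -> List[Connection]:
    """Constructed sample: a browser talking to 203.0.113.10 (a documentation
    address standing in for cnn.com) for 5 minutes in the morning and 15 at
    lunch, one port-80 connection mid-morning, and an internal SMTP session."""
    t0 = datetime(2019, 5, 13, 9, 0)
    conns = [Connection("browser.exe", "203.0.113.10", 443, t0 + timedelta(minutes=i))
             for i in range(5)]
    conns.append(Connection("browser.exe", "203.0.113.10", 80, t0 + timedelta(minutes=30)))
    noon = datetime(2019, 5, 13, 12, 0)
    conns += [Connection("browser.exe", "203.0.113.10", 443, noon + timedelta(minutes=i))
              for i in range(15)]
    conns.append(Connection("mail.exe", "10.0.0.5", 25, t0))
    return conns


def demo(flush_minutes: int = 10) -> List[NetworkEvent]:
    """Apply the default 'except' filter, then aggregate with the given flush time."""
    kept = [c for c in sample_connections()
            if connection_is_recorded(c.ip, c.port, DEFAULT_EXCLUDES, "except")]
    return aggregate_events(kept, timedelta(minutes=flush_minutes))


if __name__ == "__main__":
    for e in demo():
        print(f"{e.program} {e.ip}:{e.port} {e.start:%H:%M}-{e.last:%H:%M} "
              f"{e.connections} connection(s)")
```

With the default 10-minute flush the sample yields three events (the two port-443 browsing sessions and the single port-80 connection); lowering the flush time splits them into more events and raising it merges the morning and lunch sessions, as the bullets above describe.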

When to Record

Normally, a Recorder records activity whenever the device is on. Record | When to Record allows you to limit when recording occurs (affecting all users and activities under the policy). For example, it may not be necessary to record all hours or all days of the week.

NOTE: The When to Record schedule only affects activity types set to ON in the left portion of the Record pane.

Schedule recording

Check the "Record based on the following schedule" option to activate the weekly grid. Clear this option to record always (within other setting parameters).

. Green - Click on a half-hour spot on the grid or click and drag to mark the time to record. Green color indicates the time periods to be recorded.

. White - Click again on any green area to clear it (the time period will not be recorded).

. View Scheduled Times - Click this button to see a list of times when recording will be ON. This helps you adjust your selections.

. Clear Entire Schedule - Click this button to clear all green from the grid and start over.

Who to Record

Normally, the Recorder records ALL users who log onto a computer where it is installed. Each new user name is captured. Each user's activity is captured. It's possible to limit who you record by including or excluding users from recording. A user you are NOT recording could log in to any computer on the network, and the Recorder would not record any activity after that login.

NOTE: Who to Record affects ALL activity recording that is currently ON. The users must log in to a computer that has an installed Recorder.

Select who to record

Check the "Only record the following Windows users" option to activate the rest of the panel. Clear this option to record ALL users who log in.

. Record only users listed - Select to specify which users to record.

. Record all users except these listed - Select to specify which users NOT to record.

. Add - Click this button to add a user to the list of users to record (or not to record). The New User dialog box appears. Enter the name of a user to record. The name must be the local Windows or network login username. Click OK to add the user to the list.


. Delete - Select a user in the list and click this button to remove the user from the list.

. Import - Import a list of valid local or network user login names.

. Export - Export the list of users in this panel.

Importing users

Use any text editor, word processor or spreadsheet application that supports text (.TXT) output to create a list of valid local or network account login names. The names must be recognized by Veriato Recon/360 for the recording inclusion or exclusion to work.

1. Click the Import button next to the list box.

2. Navigate to the .txt file listing valid account login names (local or network).

3. Select it and click Open. The list loads into the settings panel.

A file to import

Import file requirements:

. Plain text file format (.txt)

. Line break between each user name

. Comment lines begin with #

It is always possible to:

. Import more than one list. New names are added.

. Use the Add button to add to the list at any time.

. Add to your user name text file and re-import it. Existing names are ignored.

. Remove incorrect user names by selecting them and clicking Delete.

. Export the list of users and import it into another Recording Policy.

Exporting users

The Export button creates a text file listing all users in the panel. Each user appears on a separate line. The export file can be used to import names into another Recording Profile.

Block

Block Websites Visited

DOES NOT APPLY TO RECON. When a website is blocked, the user sees a "Page Not Found" error or a Blocked Web Site message instead of the web page. Prevent users from accessing websites by selecting a policy's Block | Websites Visited panel. Website recording must be ON before the Recorder can BLOCK access. Keep in mind that a long list of websites to block may result in Recorder performance issues.


Turn on website blocking at the Recorder

. ON - Select to turn on website blocking.

. OFF - Select to turn off website blocking.

List sites to block (or allow)

. Block websites in list - Select this option to BLOCK all the websites listed.

. Allow access ONLY to websites in list - Select this option to ALLOW access to only those websites listed. Keep in mind this will set limitations to using an allowed website if it uses content from another site. For example, if you allow cnn.com, not all of the content it provides will be allowed.

. Add - Click this button to add a domain to Block or Allow. In the Web Site Access box that appears, enter a host and domain or domain name only (for example, mail.site1.com or site1.com). Click OK to add the new domain to the list.

. Delete - Select a website in the list and click Delete to remove it.

. Import - Click this button to import a list of websites from a text file. See Import/Export Sites to Block.

. Export - Click this button to create a text file from the currently displayed list of websites. See Import/Export Sites to Block.

NOTE: Specifying a host limits blocking to that portion of the website. For example, you could block gmail (mail.google.com) and still allow searching at google.com.

Block Chat/IM Activity

Limit users' access to online chat using the Block | Chat/IM Activity panel. These settings block (or allow) instant messaging with specific contacts or chat in specific chat rooms. Find out who to block by observing Chat/IM Activity in the Management Console.

NOTE: Chat/IM recording must be ON before the Recorder can BLOCK access.

For example, if you notice that Bob is continually on Yahoo Messenger having inappropriate conversations with his girlfriend Sue, you can block Sue's Yahoo ID. You would know her ID by observing the previous Chat/IM recordings. Bob can still use Yahoo Messenger, but he will not send or receive any messages to or from Sue.

Turn on blocking of Chat/IM contacts

. Click the ON button in the left list of settings to toggle it to OFF. Click the OFF button in the left list of settings to toggle it to ON. -OR- Select OFF or ON in the right pane.

NOTE: To block a type of Chat/IM altogether, select the Chat/IM port for blocking on the Block Internet Access panel.

Block or allow Chat/IM access

First, turn ON Chat/IM Activity blocking.

. Block contact names in list - Select to prevent the user at the recorded computer from communicating with the contacts listed below. Other chat and IM will NOT be blocked.

. Allow access ONLY to contact names in list - Select to block all chat except with the contacts listed below. For example, you may allow a list of clients, teachers, or business associates.

. Add - Adds a contact name. Click to open a Chat/IM Blocking box where you can select the chat account type and identify the contact to block (or allow). See the section following. Click OK on the box to add the contact to your Chat/IM list.

. Delete - Select a contact from the list and click Delete to remove the name from the list.

Specify contacts to block

Select the type of Chat/IM account the local user signs in to. Enter the contact you want to add to the list. If necessary, obtain contact names by reviewing Chat/IM recordings in the Management Console.

NOTE: For example, if a user logs in to MSN and chats with a Yahoo contact, you would select MSN for the Chat/IM type but enter the Yahoo account ([email protected]) as the contact. Get the information you need by viewing Chat/IM activity that has already taken place.

. AOL/ICQ - Select this Chat/IM type if the user signs into AOL, AIM, AIM Express, Dead AIM, ICQ 2002, ICQ 2003 or ICQ Lite. Enter the Screen Name of the contact you want to block. For ICQ, enter the User Identification Number (UIN).


. MSN - Select if the person you are monitoring signs into MSN Messenger, Windows Live Messenger, or MSN Exchange Client. Next to Email Address, enter the full email address of the contact you wish to block (or allow), such as [email protected] or [email protected]. Blocking an internal MSN Chat/IM contact is not supported.

. Yahoo - Select if the person you are monitoring signs into Yahoo Messenger, Yahoo Chat 2.0, or an online Yahoo chat room. A Yahoo ID might be friend88; the ID of another contact participating in these Yahoo sessions might be a full email address, [email protected]. To block access to a Yahoo Chat Room (available from Yahoo Messenger), enter the name of the Chat Room; for example: Gardening:6. You can get the name of Yahoo contacts and the Chat Rooms being used from the Chat/IM Activity view.

. MySpace - Select if the person you are monitoring signs into MySpace to use Instant Messaging. Enter the Display Name and the User Profile ID you want to block. Both the Display Name and the numeric User-Profile ID appear in the Chatted with column in the Chat / IM Activity view.

Block Internet Access

DOES NOT APPLY TO RECON. The Block | Internet Access settings panel allows you to block ALL Internet access or prevent access at a particular port, such as a port used by FTP or a type of chat. Use this type of blocking in addition to the others to control general types of Internet activity and activity at ports.

NOTE: Your settings on this panel and on Web Sites and Chat/IM Activity blocking may overlap. For example, blocking Yahoo Messenger ports blocks ALL Yahoo IM contacts. The most restrictive policy always applies.

Block Internet access at the computer

. Block Internet Access - Select ON to turn on blocking and activate settings below. Select OFF to allow Internet access.

. Block All Internet Access - Select to block ALL access to the Internet on the computer: ports, web sites, email, and chat/IM communication. The Blocking Schedule can be set to schedule when access is blocked, otherwise it is blocked at all times.

. Block Selected Internet Access - Select to specify (on this panel) types of Internet access to block. If a Blocking Schedule is set, it applies to these selections.

. Blocking Schedule - Click this button to set a schedule for the blocking specified on this panel. See When to Block.

Block specific Internet ports

Blocking a port blocks a particular type of Internet access. For example, in a library you might block all Chat/IM types (AIM, ICQ, MSN, etc.), but allow HTTP access to web sites for research. Check an item's Block column to prevent access. Clear it to allow access.

Slide the left/right scroll bar below this list to view the Ports Blocked by your selection.

. Web Sites via HTTP/HTTPS - Internet access to normal and secure Internet sites via the HTTP and HTTPS protocols; this includes most web sites, but not local network or FTP addresses. Blocks outgoing ports 80, 443, 8008, 8080, and 8088.

. SMTP/POP Email - Access to standard SMTP and POP email. Blocks outgoing ports: 25, 100, 109, 110, 465, and 995.

. File Transfer via FTP - File uploads and downloads using FTP (File Transfer Protocol). Blocks outgoing ports 20, 21, 989, and 990.

. AOL and HTTP/HTTPS - America Online (AOL) and other web sites that might not be covered by the first option. Blocks outgoing ports 80, 443, 8008, 8080, 4000, 5190-5193, 8088, and 11523.

. AOL Instant Messenger (AIM) - Instant messaging using AIM. Blocks all outgoing and incoming ports used by the AIM client.

. ICQ - Chat communication in the standard ICQ protocol (older AOL clients). Blocks outgoing and incoming ports used by ICQ.

. ICQ Lite - Chat communication using a simplified version of ICQ. Blocks all outgoing and incoming ports used by the protocol.

. MSN Messenger - Microsoft MSN Messenger. Blocks all outgoing and incoming ports used by the client application.

. Trillian - The Trillian protocol communicating on any chat network. Blocks all outgoing and incoming ports used by the protocol.

. Windows Live Messenger - Microsoft Windows Live Messenger instant messaging. Blocks all outgoing and incoming ports used by the protocol.

. Yahoo Messenger - Messaging via a YAHOO account. Blocks all outgoing and incoming ports used by protocol.

. Other Chat/IM and HTTP/HTTPS - Chat and Instant Messaging protocols PLUS web sites. Blocks outgoing ports 80, 443, 8008, 8080, and 8088 plus 1863, 5190, 6660-6669.

. Kazaa - Peer-to-peer communication via KAZAA, a file-sharing application commonly used to download MP3 and video files. Blocks all outgoing and incoming ports used by the protocol.

. Kazaa Lite - The Lite version of the Kazaa protocol. Blocks all outgoing and incoming ports used by the protocol.

Adding Outgoing/Incoming Ports

If you notice inappropriate activity at non-standard ports, you can block the ports at the bottom of this panel. All ports in the Additional Outgoing Ports and Additional Incoming Ports lists will be blocked. Be sure to avoid blocking a port that a user may rely on for normal work.

1. At the top of the panel, you must check Block Internet Access and choose Block Selected Internet Access to activate these entry boxes.

2. Click in the Outgoing or Incoming Ports list.

3. Type the port or ports to block. Separate multiple port numbers with a space or comma.

Save your changes and close the window

Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Block Cloud Uploads

The Block | Block Cloud settings panel allows you to manage use of locally installed cloud drives, such as Google Drive, Dropbox, or OneDrive. The goal is to prevent uploading files to, and editing of files stored on, a cloud drive. When this option is ON, a cloud drive becomes essentially read-only. This feature applies to both Veriato Recon and Veriato 360.

When the option is ON, the user cannot:

. Move or copy a file to the drive

. Create a document and "Save as" to the drive

. Rename a file on the drive

. Open, edit, and save a file that is stored on the drive

The blocking affects only upload transactions with a locally installed cloud drive. It won't stop uploads from a browser-based cloud drive. This policy setting can be limited by the Who to Block setting.

NOTE: Document Tracking of Cloud Drives must be ON in the Record settings. This option is not yet supported for iCloud drives.

When to Block Internet Access

Normally the Recorder applies Internet blocking at all times. You can schedule blocking by clicking the Blocking Schedule button on a policy's Block Internet Access panel. The schedule affects selections on the Block Internet Access panel, but does not apply to Blocked Web Sites, which are blocked all the time.

NOTE: A new blocking schedule is applied when Internet applications are closed and re-opened.

To schedule when Internet access is blocked/allowed

. Block based on the following schedule - Check to enable setting a blocking schedule.

. Schedule Grid - Click and drag a red area to mark days and times when blocking is active. Red is blocked. White is NOT blocked.

. View Scheduled Times - Open a list of blocking times for each day of the week.

. Clear Entire Schedule - Click to clear all scheduled block times (red areas). When the schedule is cleared, Internet Access blocking is in place at all times.

Save your changes and close the window

Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Who to Block

Windows Computers Only. When local Recorder blocking is active, the Block Internet Access, Block Website, and Block Chat/IM settings apply to ALL users who happen to log on to the recorded computer where they are applied. You can select particular users to receive blocking. The Recorder will then apply blocking locally, based on which user is logged in to the computer.

Select users to block or allow

. Only block the following users - Check to specify users to block. Clear to apply blocking settings to all users under this policy. If no users are specified, all users are blocked.

. Add – Click to add a user to block. Enter a user name and click OK. If you don't enter specific user names, all users of the computer are denied access as specified on other panels.

. Delete - Select a user from the list and click Delete to remove the user from the list of users to block.
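The Block Internet Access, Blocking Schedule and Who to Block settings above decide together whether a given connection is blocked. The following Python is an added example written for this page, not Veriato code, that models that decision for outbound connections: the port sets are the ones quoted in the option descriptions above, and the cleared-schedule and empty-user-list rules are the ones the text states. The policy dictionary layout, the use of ISO time strings, and the WORK_PORTS table behind the "port a user relies on for normal work" check are assumptions for illustration.

```python
"""Added example, not Veriato's code: models how the Block Internet Access,
Blocking Schedule and Who to Block settings combine for one outbound
connection. Port sets are the ones quoted in the option descriptions; the
policy dictionary layout and WORK_PORTS are assumptions for illustration."""
from datetime import datetime

# Per-option outgoing port sets, as listed in the guide for these three options.
OPTION_PORTS = {
    "File Transfer via FTP": {20, 21, 989, 990},
    "AOL and HTTP/HTTPS": {80, 443, 8008, 8080, 4000, 8088, 11523} | set(range(5190, 5194)),
    "Other Chat/IM and HTTP/HTTPS": {80, 443, 8008, 8080, 8088, 1863, 5190} | set(range(6660, 6670)),
}
# Assumed: ports that users at this site rely on for normal work.
WORK_PORTS = {22: "SSH", 443: "HTTPS", 445: "SMB", 3389: "RDP"}
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order


def parse_ports(text):
    """Parse an Additional Ports entry: numbers separated by spaces or commas."""
    ports = set()
    for tok in text.replace(",", " ").split():
        if not tok.isdigit() or not 1 <= int(tok) <= 65535:
            raise ValueError(f"invalid port entry: {tok!r}")
        ports.add(int(tok))
    return ports


def work_port_conflicts(ports):
    """The check the guide asks for: which entries would cut off normal work?"""
    return {p: WORK_PORTS[p] for p in sorted(ports) if p in WORK_PORTS}


def make_schedule(red):
    """Build the 7x24 schedule grid. `red` maps a day name to (start_hour,
    end_hour) ranges painted red (blocked). An empty dict is a cleared schedule."""
    grid = [[False] * 24 for _ in DAYS]
    for day, ranges in red.items():
        for start, end in ranges:
            for hour in range(start, end):
                grid[DAYS.index(day)][hour] = True
    return grid


def schedule_active(grid, when):
    """Red cell -> blocking on. A cleared grid means blocking at all times."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not any(any(row) for row in grid):
        return True
    return grid[when.weekday()][when.hour]


def outbound_blocked(policy, port, user, when):
    """True when the Recorder would block this user's outbound connection now.
    policy keys: options (OPTION_PORTS names), extra_out (text field),
    schedule (grid from make_schedule), only_users (list; empty = everyone)."""
    # Who to Block: with no users listed, blocking applies to every user.
    if policy["only_users"] and user not in policy["only_users"]:
        return False
    if not schedule_active(policy["schedule"], when):
        return False
    blocked = set().union(*(OPTION_PORTS[o] for o in policy["options"]))
    blocked |= parse_ports(policy["extra_out"])
    return port in blocked


if __name__ == "__main__":
    policy = {
        "options": ["File Transfer via FTP"],
        "extra_out": "8443, 9000 9001",
        "schedule": make_schedule({"Mon": [(9, 17)], "Tue": [(9, 17)]}),
        "only_users": ["jdoe"],
    }
    print(outbound_blocked(policy, 21, "jdoe", "2019-05-13T10:00"))  # True (a Monday)
    print(work_port_conflicts(parse_ports("443 9000")))              # {443: 'HTTPS'}
```

Run work_port_conflicts over any Additional Ports entry before saving a policy; the cleared-schedule case is the one that surprises people, since "no red cells" means blocked always, not never.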

General

Recorder Security Settings

Security Settings manage access to, and the stealth of, the Veriato Recorder at the recorded Device. By default, the Recorder is set to run in Stealth Mode without a Viewer, and to use fixed filenames, which makes it easier to keep the Recorder out of anti-spyware/anti-virus detection. Select a policy's General Options | Security panel.

. Set to Stealth Mode - Check to hide evidence the Recorder is running (default); clear to display a Recorder Service icon.

. Configure Advanced options - Click the Advanced button for the Advanced Security settings. More...

. Policy Name - Enter or change the name of this recording policy.

. Policy Description - Description of this recording policy.

. Policy Platform - Cannot be changed. Displays the operating system the policy applies to.

Advanced Security Settings

Do not change these settings unless necessary. Select General Options | Security and click the Advanced button to change the following settings. A message appears warning that changes may have an adverse effect on recording. Click Yes to continue.

. Enable User Logon Warning - Check this option to display a message warning that this computer is being monitored. The message is displayed each time someone restarts the operating system, or a new user logs on to the computer. Clear this option to keep the Recorder "invisible."

. Set Warning Text - Click this button to change the text of the warning message that appears when "Enable User Logon Warning" is enabled. The default message is a standard warning used by many government agencies. Select the existing text and type over it to make changes. For example, you may want to cite your acceptable use policy. Click OK to set your changes.

. Mask Program Titles - Windows Computers Only. Default is OFF. Check this option to "hide" Windows titles (usually the program/document or web page name). All window titles are replaced by a non-recognizable string. Masking program titles does not affect aggregation of data in charts and reports. Clear this option to read program Window titles in recorded events.

NOTE: Veriato recommends maintaining an acceptable use policy that informs employees and computer users that their computer activity is subject to monitoring.

. File Protection - Windows Computers Only. Do not change this setting unless you are requested to do so by Veriato Technical Support. The options are Block (the default security for Veriato files), Stealth, and None.

. Service monitoring credentials - Windows Computers Only. You may need to provide the Recorder with Administrator-level login credentials to give it the access it needs to continue recording certain activities when a non-Administrator is logged in to the computer. With Administrator credentials, the Recorder has full access to the computer. Because these credentials are supplied to every computer under the policy, use a dedicated account created for this purpose rather than a shared domain administrator account. Admin Username - A Windows account in the Administrators group for the computer. Admin Password - The account password.

Click OK to accept the changes you have made or Cancel to reject them. The Advanced Settings window closes.

Recorder Data Files

By default, Veriato Recon/360 stores data in randomly named, hidden files, in a randomly named folder on the recorded computer. Files in this folder are deleted when passed to the Data Vault Server. The Data Files panel allows you to manage files and disk space at computers when data cannot be delivered to the Data Vault Server. Select a policy's General Options | Data Files panel.

Data files

The Recorder writes activity to hidden files on the recorded computer. Use these settings to control the file names, location, and access to the data (from a Viewer).

. Do Not Modify - Do not change the hidden location where data files are stored.

. Specified Folder - Windows Only. Store data in a specific folder. In the following field, enter a folder name or Browse to and select a folder in which to store Data Files. The field is not case sensitive.

To divert recorded data to a consistent location when users are working on temporary, virtual desktops, you can use environment variables in the folder specification. The Recorder attempts to resolve the location based on the current machine. For example, a specification that uses the computer-name variable can write data files to a share on "Server01" in a folder named after the local computer. See Recording Virtual Machines for more information.


NOTE: Test this option before using network-wide. Although all environmental variables are accepted, we recommend using the computer name rather than the user name or another variable. Make sure write share permissions are set up at the target location and firewall ports are open.

. Hide Files and Folders in Explorer/Finder - Check to prevent files and folders from being visible in Windows Explorer or in the Finder. Clear to make files visible within the folder (which may itself be hidden).

Data storage limits

Data storage limits set a retention period for recorded activity data at the recorded device. When data cannot be uploaded to the server (e.g., a laptop cannot communicate with the server), the following date and/or size limit determines when older data will no longer be retained.

. Delete Data After 'n' Days - Set the number of days to retain data (including screenshots) at the client before deleting. The default and minimum value is 30 days. Enter a zero (0) to delete no data using this criterion.

Devices under Veriato Recon ignore this setting, as the retention period is fixed at 30, 60, or 90 days, depending on the Veriato Recon license used.

All data is trimmed at the date limit. For example, when the limit is 30 days, any event data or screenshots (not yet uploaded) recorded 31 days ago will be deleted.

. Maximum Data Size 'n' Megabytes - Data storage at the client device cannot exceed this size setting. When data reaches the size limit, older data is removed and replaced. The default limit is 1,000 MB. Enter a zero (0) to delete no data using this criterion.

Devices under Veriato Recon use this limit (if not 0) in combination with the fixed date limit. For example, if 30 days have not yet passed but the data is larger than 1 GB, the Recorder begins overwriting old data.

When data reaches this maximum setting, it is trimmed across all data types in different percentages (the following applies to both Windows and Mac computers):

Keystrokes - 5%
Chat - 4%
Email - 10%
Website Activity (URL) - 4%
User Status - 4%
Screenshots - 50%
Document Tracking (Drive) - 5%
Application Activity (Programs) - 6%
File Transfers (P2P) - 4%
Recon Data - 8%

To control data size at the server, see Data Retention.
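The date and size limits above interact, and the percentage table decides what is lost first when a disconnected laptop fills its local store. The following Python is an added example, not Veriato code, that applies both limits to a set of not-yet-uploaded items: the retention rules, the 0 = disabled convention, the Recon fixed periods and the percentages come from the text above; the item layout and the choice to remove the oldest items of each data type first (the text says only that older data is removed and replaced) are assumptions.

```python
"""Added example, not Veriato's code: applies the local Data storage limits
to not-yet-uploaded items. Date limit, 0 = disabled, Recon fixed retention and
the per-type percentages are from the guide; the item layout and oldest-first
removal within a data type are assumptions."""
from dataclasses import dataclass

# Share of the excess trimmed from each data type when the size limit is hit.
TRIM_SHARE = {
    "Keystrokes": 5, "Chat": 4, "Email": 10, "Website Activity": 4,
    "User Status": 4, "Screenshots": 50, "Document Tracking": 5,
    "Application Activity": 6, "File Transfers": 4, "Recon Data": 8,
}
assert sum(TRIM_SHARE.values()) == 100


@dataclass
class Item:
    kind: str       # one of the TRIM_SHARE keys
    age_days: int   # days since it was recorded
    size_mb: float


def retention_days(policy_days, edition="360"):
    """Recon ignores the policy value: 30, 60 or 90 days by license.
    360 uses the policy value (minimum 30); 0 disables the date limit."""
    if edition.startswith("Recon-"):
        return int(edition.split("-", 1)[1])
    return 0 if policy_days == 0 else max(policy_days, 30)


def trim_by_age(items, days):
    """Drop everything recorded more than `days` ago (31-day-old data goes at 30)."""
    if days == 0:
        return list(items)
    return [i for i in items if i.age_days <= days]


def trim_by_size(items, max_mb):
    """When the store exceeds max_mb, spread the excess over the data types in
    the guide's percentages, removing the oldest items of each type first."""
    keep = list(items)
    total = sum(i.size_mb for i in keep)
    if max_mb == 0 or total <= max_mb:
        return keep
    excess = total - max_mb
    for kind, pct in TRIM_SHARE.items():
        target = excess * pct / 100
        freed = 0.0
        for it in sorted((i for i in keep if i.kind == kind), key=lambda i: -i.age_days):
            if freed >= target:
                break
            keep.remove(it)
            freed += it.size_mb
    return keep


def apply_limits(items, policy_days, max_mb, edition="360"):
    """Both limits together: the date limit first, then the size limit."""
    aged = trim_by_age(items, retention_days(policy_days, edition))
    return trim_by_size(aged, max_mb)


if __name__ == "__main__":
    sample = [Item("Screenshots", 40, 20), Item("Screenshots", 2, 20),
              Item("Keystrokes", 31, 1), Item("Keystrokes", 5, 1)]
    kept = apply_limits(sample, policy_days=30, max_mb=1000)
    print([(i.kind, i.age_days) for i in kept])  # [('Screenshots', 2), ('Keystrokes', 5)]
```

Note what the percentages mean in practice: half of any overflow comes out of Screenshots, so a laptop that stays offline for weeks keeps most of its keystroke, email and document-tracking history but loses screenshots first.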

Application Settings

The Application panel provides settings to control recording, the inactivity timeout (after which Veriato Recon/360 stops recording), and which programs are recorded or not recorded. Select a policy's General Options | Application panel.

Be sure to click OK at the bottom of the panel to save changes. To ensure that new settings affect all applications and users, restart the computer after changing these settings.

Application hotkeys

Hotkeys are a sequence of keys pressed and held simultaneously that provide a "stealthy," non-visible way to operate the Viewer application. Click the Change button next to the hotkey you wish to set.


. Recording Hotkey - Windows Computers Only. Stops and starts recording at the computer. Initially there are no recording hotkeys defined. If you define recording hotkeys, you can use them to temporarily stop and restart recording at the monitored computer.

. Snapshot Hotkey - Windows Computers Only. Takes an immediate screen snapshot at the recorded computer. The default combination is Ctrl+Alt+Shift+P. Regardless of Screenshot settings, this hotkey sequence records an immediate Screenshot.

In the Hotkey box, check at least 2 modifier keys (Ctrl, Shift, Alt, Windows) to press for a valid combination. Type a regular key (such as "P") to press with the combination. Click OK to set the Hotkeys.

IMPORTANT: Be careful not to set hotkey sequences that are the same as keyboard shortcuts used by anyone at this computer!

Recording timeout

By default, after 3 minutes of no mouse or keyboard activity, Veriato Recon/360 recording stops. It starts again immediately when a key is pressed, or the mouse is used. This setting affects all types of recording, including Screenshots and User Status activity/inactivity periods. Increasing the timeout period may capture more data; decreasing timeout period (stop recording sooner) may save disk space.

Type a new number in the Inactivity Timeout field or use the arrows to increment or decrement the number from 0-999 minutes. Use 0 (zero) for no timeout period; the Recorder never stops recording.

NOTE: A separate timeout setting is available for recording within each program instance.

Limit recorded programs

Veriato Recon/360 automatically records all applications that run on the computer. You can turn OFF recording of certain programs. An excluded program will not appear in Application Events and, depending on the program, may prevent activity from appearing in Website, chart or other events. (Activity may still appear in Screenshots or Keystroke views.)

To save disk space, you may choose to EXCLUDE monitoring of high usage, multi-window desktop programs, such as Excel or Adobe Photoshop.

To focus on web activity, you may choose to monitor ONLY Internet Explorer/Edge, Firefox, and Chrome applications. This results in capture of online searches, chats, Internet downloads, and activities that occur within a browser, excluding other desktop programs.

. Only monitor, record/alert/block, the following programs (otherwise all) - Check to limit recording by program and activate the following options. Clear to record all applications.

. Monitor only programs listed - Select to provide an "Include" list of specific programs to record, block and alert on.

. Monitor all programs except these listed - Select to create an "Exclude" list of programs to NOT record, block or alert on.

. Add - Opens a "Select Programs to Include/Exclude" box. All programs currently running appear in the list. Select one or more programs to add to your Include or Exclude Programs list. If the program you want to select is not listed, open the program now and click Refresh on the Select Programs box. This causes the program to appear in the list. If you wish, click Browse, navigate to, and select any executable file. Click OK. The Select Programs box closes, and the programs are added to the list.


. Delete - To remove a program from the list, select the program in the box and click Delete.

Advanced Application Options

Advanced Application options allow you to fine-tune control of the Veriato Recon/360 recording. Do not change these settings unless you are an advanced user or are instructed to do so by Veriato Technical Support. Access the Advanced Application settings for a policy by selecting General Options | Application and clicking Advanced.

[Figures: Windows settings and Mac settings; options shown in red are disabled]

. Allow Viewer Access to All Users - When this option is enabled, users who do NOT have administrator privileges are able to open the Recorder Viewer and monitor recorded events. They will not, however, be able to change any settings. The default is to deny access to "limited users."

. Enable Veriato when Windows starts - Windows Computers Only. By default, Veriato Recon/360 automatically starts recording whenever Windows is started at the computer. If you want to manually start recording, turn this feature off.

. Capture Console Applications - Windows Computers Only. When selected, Veriato Recon/360 captures keystroke activity in the Windows Command (Cmd) window or in DOS.

. Automatically turn off Work Offline - Windows Computers Only. Enables the Recorder to work around communication problems when a computer is set to "Work Offline."

. Capture Elevated Applications - Windows Computers Only. Allows capture of processes in Vista that are running under Elevated (Administrator) privileges. This generally only applies to a small subset of applications (Setup Applications, Control Panel Applets, etc.). However, any application can be run with these elevated privileges by right-clicking on it and choosing "Run as administrator." Change this setting only if directed to do so by Technical Support staff.

. Include 32-bit Applications (64-bit OSes only) - Windows Computers Only. Applies to computers running a Windows 64-bit operating system. Enables an extra feature of the “Capture Elevated Applications” option so that 32-bit Elevated Applications are also captured. Change this setting only if directed to do so by Technical Support staff.

. Network Initialization Delay - Windows Computers Only. Default is 0. This setting increases the number of seconds to delay initialization of Recorder modules used to capture Internet information and may prevent the Recorder from conflicting with programs that compete for the same Windows resources. Click the arrows to change this setting only if requested to do so by Veriato Technical Support.

. Session Linger Timeout - Default is 0. Normally the Recorder shuts down when a user session ends. If data did not get uploaded, it will be uploaded when the next session starts. This setting allows delaying the Recorder session shut-down to allow the Recorder to upload all data to the server. The setting serves multi-user networks, where the user may shut down a session and data could be orphaned and lost when a new session (new Recorder) is generated. Contact Veriato Technical Support if you think this is a concern for you.


. Enable Automatic Error Transmissions - Windows Computers Only. Veriato Recon/360 traps internal program errors and stores them in a log file. When this option is turned on, program errors may be automatically transmitted to Veriato so that Technical Support may find the cause of the errors. The default is not to enable automatic transmission. Turn this on only if requested to do so by a Veriato engineer.

. Enable Log File - The Recorder maintains a log of its own activity. The log, which you can view from Global Options, provides a date-time stamp of sessions and settings changes, but only records as much as specified in the Detail Level or under the Configure Log File settings. If you contact Technical Support, you may be asked to send us Recorder log files for troubleshooting purposes.

. Detail Level - Windows Computers Only. The default level of logging is "Info," which provides a minimal number of log entries. Other levels are Errors, Warnings, Verbose, and Debug. Change this setting only when a Technical Support representative asks you to increase the logging level to capture more internal Recorder activities for troubleshooting purposes. Increased detail will create a larger file on the recorded computer.

. Configure Log File - Click this button to display a box of Log File options. Click the appropriate activity, as advised by Technical Support. This increases data collection only for a specific component(s), as needed.

Server Settings

Adjust data flow from Recorders to Server in General Options | Servers. Because the server address settings are mostly automatic, the primary purpose of this panel is to control data uploads and computer check-in intervals.


. Enable data throttling - Default is ON. Automatically adjusts the send interval for heavy Recorder traffic at the server. Check this item to enable the next two. Clear to remove data throttling and allow uploads as they occur.

. Send interval - Default is 4 minutes. Determines how often the Recorder uploads data to the Veriato Server. You may want to reduce the send interval to allow faster data retrieval or extend the send interval to delay and balance network load.

. Max Send Period - Default is 30 seconds. The maximum time the Recorder remains in communication with the server during one upload. After this period it disconnects and delivers the remaining data at the next send interval.

Click OK to save the settings. Settings go into effect as soon as the Recorder receives the instructions (within 5 minutes).

Client Options

Client Options control the visibility of a Recorder installation and provide settings for use of App-V, Published Applications, and other circumstances. Select a policy's General Options | Client Options.

[Figures: Windows Settings and Mac Settings; Mac options shown in red are not available]

IMPORTANT: Check "Enable Browser Extensions" in a Mac OS policy to activate recording of Safari and Chrome browsers.

. Install in Quiet or Silent Mode? - Check to install the Recorder without displaying dialog boxes or messages. If the Reboot option is checked, the only sign of installation is the computer restarting. Clear for a visible installation requiring user interaction with the dialog boxes you choose. If you clear this option and select no further options on this panel, the Client Recorder installation will be interactive.

Minimal visible installation prompts are:

1. Password prompt - If a password has been configured in Security, prompts for the password to begin the installation. The same password is required to uninstall and to open a Viewer.

2. Installation progress bar - A progress bar appears showing the progression of the Recorder installation.

3. Remove install file prompt - Asks "Would you like to remove the Veriato installation file?" The file is removed by default to preserve stealth.

4. Restart prompt - Displays a restart prompt when the setup is complete (if the Reboot option above is disabled).

Check options for additional prompts during a visible installation:

. Show Agreement Dialog? - Adds a License Agreement dialog box following the password prompt. Click the View button to see what this dialog box looks like.

. Show Options Dialog? - Adds an Options dialog box to allow setting or changing a password and choosing visible or stealth installation.

. Show Installation Warning Dialog? - Adds a warning message at the beginning of the installation. The user must respond to the message before the installation continues. Click Edit next to this option to change the message.

. Reboot Client Computer After Installation? - The Recorder is not fully installed until the computer restarts. Check this option to override the prompt shown in step 4 above and have the Client restart immediately and automatically. Clear this option to allow the user to turn off and restart in normal operation. The Client will not begin recording until the computer restarts.

Fixed or Random Filenames

Check Use Fixed Filenames to install Client Recorder software with the same filenames on all computers, in a single directory. Fixed filenames allow you to exclude the Recorder files from antivirus scanning. You can add a custom file prefix using settings in Global Options.

Clear Use Fixed Filenames to randomize the filenames or create a randomly-generated set of files for the installation. Randomization uses the seed displayed in Global Options to generate a set of custom names unique to your installation. If you wish, add a prefix to the names.

Recorder installation subdirectory

. Use Custom Binary Subdirectory - Windows Only. Check to define a "hidden" subdirectory where Recorder files will be installed. If you do not enter another name, Recorder files will be installed in a Windows binary subdirectory named "winipbin." Enter any valid Windows folder name in the entry box. The subdirectory will be created when the Recorder is installed.

NOTE: If a Recorder using this policy is already installed, changing the client subdirectory will require reinstalling the Recorder. Be sure to add the "Custom Binary Subdirectory" to antivirus exclusions at endpoint computers! Keep that exclusion limited to the subdirectory itself, since anything placed in an excluded folder is also skipped by scanning.

Support options

. Enable App-V Support - Windows Only. Check Enable App-V Support if you have applications deployed using Microsoft Application Virtualization (App-V), formerly SoftGrid. This option allows the Recorder to capture activity within these types of applications. If you do not check this option, the App-V applications will not be properly recorded.

. Enable Alternative Shell Support - Windows Only. To install the Recorder on Windows Terminal Services (Microsoft Remote Desktop) or Citrix Server and capture published applications, check this option and click Edit. Specify the alternate shell that runs Citrix or Terminal Server published applications. The alternative shell names are:

wfshell.exe - Citrix Server
rdpshell.exe - Windows Terminal Server

Click OK to set the alternate shell name.

Clear this option to record applications running under the normal Windows shell.

. Enable Veriato Client in Safe Mode - Windows Only. Check this option to activate recording when Windows is started in Safe Mode. When this option is cleared, the Recorder will not launch and record activity when Windows is started in Safe Mode.

. Enable Executable File Mutation - Windows Only. Use only if directed by Veriato Technical Support.

. Enable Browser Extensions - Mac Only. Installs extensions that enable recording of Safari and Chrome browsers on Mac.

. Recorder Method - Windows Only. Select these options only if directed to do so by Veriato Technical Support.

Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Selectively Record URLs

Windows Only. Normally the Recorder captures activity at every URL visited. Some customers prefer to exclude select web addresses from recording to protect the privacy of users. Other customers may wish to record ONLY sites where work requiring documentation takes place. Select a policy's General Options | Record URLs panel.

The Record URLs feature differs from other Record settings in that it applies to any web-based activity types at the named URL, depending on the domain: Website Activity, Online Searches, Email, Chat/IM, etc. (Activity may still appear in Keystrokes or captured Screenshots.)

NOTE: When a website is not recorded, it cannot be blocked or scanned for alerts.

1. Check “Enable URLs selective recording list (otherwise all).”

2. Select one of the following:

. Record only URLs listed - Record activity only at the web addresses in the list. Do NOT record other URLs.

. Record all URLs except these listed - Do NOT record activity at the listed addresses. Record activity at all other URLs.

3. Click Add. The Record URL box opens. Type or paste a URL in the blank. A domain name specifies all possible subdomains and URLs within the domain. A URL for a web page specifies one page. For example, enter google.com to record or exclude activity anywhere on the Google domain.

4. Click OK to add the URL or Cancel to close the box without adding an item.
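The matching rule in step 3, and the NOTE that an unrecorded site can be neither blocked nor scanned for alerts, are easy to get wrong when an exclusion list is built for privacy: a bare domain entry silently covers every subdomain, and a page entry covers only that page. The following Python is an added example, not Veriato code, that evaluates a Record URLs list under those rules; the policy dictionary layout and the decision to treat any list entry that carries a path as a single-page entry are assumptions.

```python
"""Added example, not Veriato's code: evaluates a Record URLs list. A bare
domain entry covers the domain and all its subdomains; an entry with a path
covers that one page. Unrecorded URLs cannot be blocked or alerted on.
The policy dictionary layout is an assumption."""
from urllib.parse import urlsplit


def _parse(entry):
    """Return (host, path) for a list entry or visited URL; scheme optional."""
    u = urlsplit(entry if "://" in entry else "//" + entry)
    if not u.hostname:
        raise ValueError(f"no host in {entry!r}")
    return u.hostname.lower(), u.path


def entry_matches(entry, url):
    """Does one Record URLs entry cover the visited URL?"""
    ehost, epath = _parse(entry)
    uhost, upath = _parse(url)
    # Host must be the entry's domain or a subdomain of it. The dot boundary
    # matters: "notbank.example" must not match an entry of "bank.example".
    if uhost != ehost and not uhost.endswith("." + ehost):
        return False
    if epath in ("", "/"):            # bare domain entry: whole domain
        return True
    return (upath or "/") == epath    # page entry: exactly that page


def is_recorded(policy, url):
    """policy: {"enabled": bool, "mode": "only" | "except", "urls": [...]}"""
    if not policy["enabled"]:
        return True                   # list disabled: every URL is recorded
    hit = any(entry_matches(e, url) for e in policy["urls"])
    return hit if policy["mode"] == "only" else not hit


def keyword_alert_possible(policy, url):
    """Blocking and keyword scanning only apply to recorded web activity,
    so an excluded site is also invisible to Keyword Alerts."""
    return is_recorded(policy, url)


if __name__ == "__main__":
    privacy = {"enabled": True, "mode": "except",
               "urls": ["bank.example", "https://intranet.example/hr/benefits"]}
    for u in ("https://online.bank.example/login", "https://intranet.example/hr/",
              "https://notbank.example/"):
        print(u, "recorded" if is_recorded(privacy, u) else "not recorded")
```

Before adding a domain to an exclusion list, check the second consequence with keyword_alert_possible: a webmail or file-sharing domain excluded for privacy is also a domain on which no Keyword Alert will ever fire.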

Selectively Record Program Captions

Windows Computers Only. The Program Caption setting under General Options allows you to "mask out" window captions of specific programs. A window caption may include a file name ("Microsoft Excel - budget.xls"), a user account name, a person's name, or other identifying information. For security or privacy reasons, you may want to mask out this information so that it is not seen by all Dashboard users.


As far as Dashboard viewing is concerned, this option applies to the "Window Caption" field in Program Activity. For example, you could choose "Record window captions for ONLY" Internet Explorer (iexplore.exe), Chrome (chrome.exe), and Firefox (firefox.exe). Other window captions would not be recorded. Keep in mind you must specify the exact program name, and the executable name can vary by application version or operating system.

. Enable program window caption selective recording - Check this item to turn on selective window caption recording. If it is cleared (default), ALL window captions are captured where possible. Note that this option does not affect capture of other activity data.

. Record window captions for Programs listed only - Select this to specify the programs for which captions are recorded.

. Record window captions for programs except listed - Select this to specify the programs for which captions are NOT recorded.

. Add - Click to open a window and add a program name.


. Delete - Click to remove a program in the list.

. Import - Click to import a list of programs from a text file.

. Export - Click to export a list of programs.

Save your changes and close the window

Click OK at the bottom of the panel to save your changes or Cancel to remove them. The window closes.

Client Health Monitoring

Client Health Monitoring allows you to limit recording as CPU or application issues occur at the endpoint device. Whether the problem was caused by recording itself (often fixed with updating the Recorder), a slow application, or an overloaded system, this policy sets "tolerance" levels that dial back recording to avoid further problems at the computer. To access settings, modify a Recording Policy and select General Options | Client Options.

Overall system monitoring

Check the first option to enable monitoring of the overall system. If CPU consumption by the system exceeds a limit for a set period, ALL recording will stop at the device.

. Consumes more than 90% CPU - (default is 90%) The maximum consumption allowed (all processes combined) before recording stops. Select a different value as you wish (0-100%).

. for 30 seconds - (default is 30 seconds) Minimum time during which the above CPU consumption must continue before recording stops. Increase or decrease the time as you wish.

Process monitoring

Check these options to enable monitoring at the level of single processes.

. Slows or stops responding (hang) - Any process/application fails to respond for 30 seconds (not configurable) or longer.

. Suddenly closes (crash) - An application crashes.

. Consumes more than 90% CPU - (default is 90%) The maximum CPU a single process can consume before recording stops. Select a different value as you wish (0-100%).

. for 30 seconds - (default is 30 seconds) Minimum time during which the above CPU consumption must continue before recording stops. Increase or decrease the time if you wish.

Recorder response

When the conditions for either overall system or process monitoring are met, recording automatically stops. All recording stops if the overall system monitoring conditions are met. Recording of the single process/application stops if the process meets any monitoring condition. Select how long you would like system or application recording to remain "off":

. For 30 minutes - (default is 30) Recording remains off until 30 minutes pass. If the user closes and reopens an application where recording is stopped, recording will NOT be enabled.

. Until restart - Recording remains off until the computer reboots.

. Permanently - Recording is not re-enabled on reboot. The Recorder software is still installed, and you must update it to continue recording. Use this setting with care: a single hang, crash or CPU spike disables recording until an administrator updates the Recorder, so check the client health monitoring log (below) to find out why recording stopped.

Client health monitoring log

A log file in the following format tracks issues and helps Veriato improve future Recorder response.

Timestamp                   Issue   ProcessName   Handling
02/06/2018 02:36:17.931PM   Crash   Outlook       Recording suspended for 120 minutes
02/06/2018 02:42:18.952PM   Hang    Chrome        Recording suspended until reboot

. Log file location: C:\Windows\SysWOW64\winipdat\ or C:\Windows\System32\winipdat\

. Log file name: rhlth.dat
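The following parser is an added example for reading the log format shown above; it is not part of the Veriato Recorder. It takes the column layout from the table above; the third sample line (the wording used for the Permanently option), the CPU issue label and the function names are assumptions. It answers the question an administrator actually has when a device goes quiet: which processes are still not being recorded, and whether time alone will fix that.

```python
"""Parse the client health monitoring log (rhlth.dat) format shown above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample in the documented format. The first two rows are the
# documented examples; the third row's "permanently" wording is an assumption.
SAMPLE_LOG = """\
Timestamp Issue ProcessName Handling
02/06/2018 02:36:17.931PM Crash Outlook Recording suspended for 120 minutes
02/06/2018 02:42:18.952PM Hang Chrome Recording suspended until reboot
02/07/2018 09:01:05.004AM Hang Excel Recording suspended permanently
"""

TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M:%S.%f%p"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}[AP]M)\s+"
    r"(?P<issue>\S+)\s+(?P<process>\S+)\s+(?P<handling>.+?)\s*$"
)
MINUTES_RE = re.compile(r"suspended for (\d+) minutes", re.IGNORECASE)


@dataclass(frozen=True)
class HealthEvent:
    timestamp: datetime
    issue: str                        # Crash, Hang, or a CPU threshold breach
    process: str                      # process whose recording was suspended
    handling: str                     # free text from the Handling column
    suspended_minutes: Optional[int]  # None: until reboot / permanently


def parse_line(line: str) -> Optional[HealthEvent]:
    """Return a HealthEvent, or None for the header line and anything unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TIMESTAMP_FORMAT)
    minutes = MINUTES_RE.search(m["handling"])
    return HealthEvent(ts, m["issue"], m["process"], m["handling"],
                       int(minutes.group(1)) if minutes else None)


def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def resume_time(ev: HealthEvent) -> Optional[datetime]:
    """When a timed suspension lifts; None when only a reboot or Recorder update will."""
    if ev.suspended_minutes is None:
        return None
    return ev.timestamp + timedelta(minutes=ev.suspended_minutes)


def active_suspensions(events, now: datetime) -> dict:
    """Map process -> handling text for suspensions still in force at `now`.

    The latest event per process wins. Timed suspensions expire; "until reboot"
    and "permanently" cannot be resolved from the log alone, so they stay listed
    until an administrator confirms a reboot or updates the Recorder.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.timestamp <= now:
            latest[ev.process] = ev
    return {proc: ev.handling for proc, ev in latest.items()
            if resume_time(ev) is None or resume_time(ev) > now}


if __name__ == "__main__":
    still_off = active_suspensions(parse_log(SAMPLE_LOG), datetime(2018, 2, 7, 10, 0))
    for proc, why in still_off.items():
        print(f"{proc}: {why}")
```

Run it against a copy of rhlth.dat pulled from the device; anything reported with "until reboot" or "permanently" needs an administrator action, not just waiting.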


Android Policy

Android Recording

When a Veriato 360 Recorder is installed on an Android device, the recording policy can request capture of the following activities.

NOTE: The Veriato 360 Recorder supports Android devices with OS 5.0 and greater. See Requirements.

To enable/disable recording:

. Text Messages - ON by default. Captures the contents of all sides of phone texting conversations as Chat/IM events. Events include the date/time, duration, and the initiating and receiving phone numbers, users or IDs. Text messages appear as chat data in 360 Dashboards, Data Explorer, and in Users. Clear the checkbox if you do not want this type of recording.

. Phone Log - ON by default. Captures inbound and outbound calls, when they happened, the phone numbers, and the call duration as Call Events. Calls events appear in 360 Dashboards, Data Explorer, and in Users. Clear the checkbox if you do not want this type of recording.

. Website Activity - OFF by default. Check to enable this recording. Captures web browsing activity in the Chromium browser app as Website Events. Events appear as website data in 360 Dashboards, Data Explorer, and in Users.

. Document Activity - ON by default. Captures data files received, transmitted, opened and changed as Document Tracking Events. Events appear as document data in 360 Dashboards, Data Explorer, and in Users. Does not capture all activity in all apps. Clear the checkbox if you do not want this type of recording.

. Screenshots - OFF by default. Check to enable this recording. Captures an image of the user's mobile screen every 30 minutes. You have the option of a Grayscale or Color image. Screenshots use more local storage on the phone than any other form of recording, and Color uses even more. You may want to reserve screenshots for device users under investigation.

Click Save to save changes to the policy. Click the X to close the settings without making changes.

Android Location

An Android Recorder logs location by default. In addition, you can set up geofences that call out times when a device enters or leaves a specific area.

To enable/disable recording:

. Log Locations - ON by default. Captures geographic coordinates of the device's location at regular intervals when the device is moving.

. Apply Geofencing - OFF by default. Set up Geofencing Policies first. When you have a policy, check to enable this option and then click Add a Geofence. Alert data is captured whenever the device crosses a geofence boundary.

NOTE: There is no data view for location and geofencing in this release, although you can receive alerts. It is possible to use SQL tools to view the data captured and stored in the database.

Click Save to save changes to the policy. Click the X to close the settings without making changes.

Android Device Options

When connected to a network, the Android Recorder uploads data as soon as it is recorded, and then clears the device of stored data. The Android recording policy offers some control over data upload and data retained at the device when it cannot upload.

. Upload recorded data when connected to Wireless or Cell Network - Default selection. By default, the Recorder uploads data whenever it can, by any means. You can change this to Wireless only or Cell Network only.

. Remove data older than 30 days - Default selection. If the device cannot upload data, this setting determines how long data is retained at the local device. Any data older than 30 days is automatically removed. You can change this setting to 60 days. Keep in mind that a device without much free space may stop working properly if too much recorded data is kept.

Click Save to save changes to the policy. Click the X to close the settings without making changes.

Geofencing Policy

Geofencing

A geofence is a virtual perimeter for a real-world geographic area. When a geofence is active (defined and assigned to a Recording Policy), a Recorder can detect when the device enters or leaves the geofenced area. The data returned tells you how often and when the person carrying the device entered or left that area. No geofence is defined initially; find an area on the map and add a geofence to begin.

Navigating on the map

Find the area where you want to set a geofence by using standard map tools.

. Zoom In/Out - Click the + and - buttons at the bottom of the map to zoom in or out. You can zoom out to a complete world view or in to a detailed street view.

. Hand cursor - Click and drag to re-position the map. Click on a city or other destination icon to get its address.

. Map/Satellite - Switch between standard map and photographic views.

Add a geofence

1. Click the Add Geofence button. The cursor takes a + (plus) shape.

2. Click once on the map to place the green geofence circle, or click and drag to place and size a geofence circle.

3. The geofence Latitude, Longitude, and Radius details automatically appear in the right pane.

4. Type in a Name and Description. The name will appear in the Recording Policy Geofence selection list, so make sure it's clear.

5. To save the geofence, click the blue Save button.

Remove a geofence

1. Check the checkbox next to the geofence name. If the geofence has not been saved yet, no checkbox appears: click the X to the right of the Longitude detail to close the details pane, and the checkbox is displayed.

2. Click the Remove Geofence button. All checked items are removed.

3. Use the checkbox next to the Geofence column heading to remove ALL fences.

Modify a geofence

To change a geofence name or description, click the row to expand its details, click the Edit button, and then type over the field you want to change.

Click the blue Save button to save your changes.

To move a fence, when the fence is displayed on the map, click and hold the center point. When the closed-hand (fist) cursor appears, drag the circle to the location you want. Changes are saved automatically in the geofence details.


To resize a fence, when the fence is displayed on the map, click and hold an edge point. When the cross arrows cursor appears, drag the edge of the circle outward or inward. Changes are automatically saved in the geofence details.

To undo changes to the geofence, click the return symbol in the callout.

Enable a geofencing alert

For more detail follow the links below.

1. Select Alert Email on the top bar and add at least one email operator.

2. In the Android recording profile, use Add a Geofence to select the fence you want to alert on.

Geofencing and Alerts

You can receive an alert when a user carrying a device enters or leaves a geofenced area. An alert requires (a) defining a geofence, (b) adding at least one email operator, and (c) applying the geofence in a recording policy.

Define a geofence

First, create one or more geofences in Alerts & Policies | Policies - Geofencing. Create as many as you like, for different purposes. Only the geofences configured within a Recording Policy trigger an alert.

Add an alert operator

1. On the Geofencing Policy page, click Alert Email on the top bar. The following panel appears. If "operators" are already listed, the alert email is sent to all of them.

2. To add an operator, click Add Operator and fill in the form. Name - The person's name. Description - Any text to describe this operator. Email - The operator's email address.

Click Done to save the operator or Cancel to discard the entry. Operators defined here are added to your Alerts - Operators list.

3. To remove an operator, click the X next to the operator's name. The operator is returned to the "Add" selection list.

Apply the geofence in a recording policy

An alert is triggered automatically for ANY geofence applied in a policy. You can create dozens of geofences but apply only three in a policy for one set of devices, two in a policy for another set of devices, and so on.

Receive alert email

The alert email includes the name of the policy ("Android Sales"), the device/user who crossed a geofence applied in the policy, the geofence crossed, and the time.

NOTE: In this version, ALL operators receive email for ALL applied geofencing alerts.
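The crossing detection described above (a device entering or leaving the circle defined by Latitude, Longitude and Radius) and the fields the alert email carries can be illustrated with the following added example. It is not Veriato's code: the class and function names, the radius unit (metres) and the sample coordinates and fixes are assumptions made for the illustration.

```python
"""Geofence boundary-crossing detection over a sequence of location fixes."""
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Geofence:
    name: str
    latitude: float
    longitude: float
    radius_m: float          # assumed unit for the Radius shown in the details pane


@dataclass(frozen=True)
class Fix:
    when: datetime
    latitude: float
    longitude: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (spherical Earth; fine for fences of tens of metres and up)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside(fence: Geofence, fix: Fix) -> bool:
    return haversine_m(fence.latitude, fence.longitude, fix.latitude, fix.longitude) <= fence.radius_m


def crossings(fence: Geofence, fixes) -> list:
    """Return (time, "entered" | "left") for each change of side between consecutive fixes.

    The first fix only establishes the starting side, so a device that is
    already inside the fence when logging starts does not produce an "entered".
    """
    events = []
    prev = None
    for fix in sorted(fixes, key=lambda f: f.when):
        now_in = inside(fence, fix)
        if prev is not None and now_in != prev:
            events.append((fix.when, "entered" if now_in else "left"))
        prev = now_in
    return events


def alert_text(policy: str, user: str, fence: Geofence, event) -> str:
    """One line with the fields the alert email carries: policy, user, geofence, time."""
    when, direction = event
    return f"[{policy}] {user} {direction} geofence '{fence.name}' at {when:%Y-%m-%d %H:%M}"


# Constructed sample: a 200 m fence and four fixes from a moving device.
HQ = Geofence("Head Office", 40.7580, -73.9855, 200.0)
SAMPLE_FIXES = [
    Fix(datetime(2019, 5, 13, 8, 0), 40.7700, -73.9855),   # about 1.3 km north: outside
    Fix(datetime(2019, 5, 13, 8, 10), 40.7585, -73.9850),  # about 70 m from centre: inside
    Fix(datetime(2019, 5, 13, 8, 20), 40.7582, -73.9860),  # still inside: no event
    Fix(datetime(2019, 5, 13, 8, 40), 40.7610, -73.9855),  # about 330 m north: outside
]

if __name__ == "__main__":
    for ev in crossings(HQ, SAMPLE_FIXES):
        print(alert_text("Android Sales", "dev.xyz\\jsmith", HQ, ev))
```

Note that a fix sampled exactly on the boundary counts as inside here, and that position accuracy (tens of metres on a phone) means a small fence near a place the user lingers can produce a stream of entered/left alerts; size the radius with that in mind.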

Viewing Data

Dashboards, Data Explorer, Reports

Refer to the Dashboard Guide for complete information about these data views.

Recon Dashboard

Recon works in the background, generally not revealing information about users unless a threshold has been crossed. The Anomaly Alert report gathers triggered alerts and links to a detailed HTML report.

The Anomaly Alert report itemizes who triggered which alert

The link to the email report reveals why the alert was triggered

Document/file anomalies

360 Dashboard

A 360 Dashboard folder can contain a selection of any charts you choose. Dozens of predefined charts appear in the provided folders. Set date, user and event criteria to focus the chart. The Settings button below the chart controls the visualization, and the Data tab switches to a data table view.

Click a data element (bar, pie slice, etc.) to open a detailed Event view (see Data Explorer)


Data Explorer

Data Explorer displays captured activity data for all or selected users by Event Type. The Event window is the same as shown when you drill into chart details. (1) Select date, user, and other criteria on opening a form. (2) In the form, select a branch from the Navigate pane to view aggregated Summary data. (3) In the Summary pane, click Load Events to view details.

Reports

Use Reports to export, share, and save data visualizations you have created. Create Reports directly from 360 Dashboard charts, from a pane of the Data Explorer, or from any User activity details. Add a watermark, if desired. Print the report or export it to a variety of file formats.

Users

After deploying the Recorder, recorded users begin to appear in their group in the Users section. Select a group to display users. Select a user to display details.

Group user list

The list shows a one-line summary for each user. Sort the list by Display Name, User Name, or Status. Use the drop-down symbol at the right end of a user row to open complete status details (shown for the first row above).

. Display Name - "Friendly" name of the user as it appears on charts, reports, and grids. If not previously provided, appears the same as the User Name. Open the user details to display additional information and edit the Display Name.

. User Name - Account used to log in. Open the user details to see the user’s domain and device.

. Status – Open details to view recorded data for this user. See User Recording.

Searching

Use the Search entry box at the top of the list to find users in large groups. You can search for any text in the main user row (Display Name, User Name, Status). The search is not case sensitive.

Type a search word or phrase and press Enter to filter to resulting matches. Click the X in the search box to clear your entry and return to the full group list.

. Exact match - Type a complete name and press Enter. For example, the search john finds nothing, but john smith finds John Smith.

. Wildcard before - Type a * wildcard before your entry to include any preceding characters in the results. For example, the search *john would find:
  Stuart John
  Louise Upjohn
  dev.xyz\lupjohn

. Wildcard after - Type a * wildcard after your entry to include any following characters. For example, the search John* would find:
  John Smith
  John Thomas
  johnscomputer\jsmith

. Wildcard before and after - Type a * wildcard before and after an entry to include any (or no) surrounding characters. For example, the search *john* finds ALL of the above results plus:
  Arnold Johnson
  dev.xyz\john.smith
  dev.xyz\xjohnson
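The matching rules above (an exact, case-insensitive match of a whole field unless a * loosens the start or the end) are restated as runnable code in this added example. It is not Veriato's search code; the rows are constructed from the examples above, and the Status values are assumed.

```python
"""User-list search: exact match unless a leading or trailing * is given."""
import re

# Constructed rows based on the examples above; Status values are assumed.
SAMPLE_ROWS = [
    {"display_name": "John Smith",     "user_name": r"dev.xyz\john.smith",   "status": "Recording"},
    {"display_name": "John Thomas",    "user_name": r"johnscomputer\jsmith", "status": "Recording"},
    {"display_name": "Stuart John",    "user_name": r"dev.xyz\sjohn",        "status": "Recording"},
    {"display_name": "Louise Upjohn",  "user_name": r"dev.xyz\lupjohn",      "status": "Recording"},
    {"display_name": "Arnold Johnson", "user_name": r"dev.xyz\xjohnson",     "status": "Recording"},
    {"display_name": "Jane Doe",       "user_name": r"dev.xyz\jdoe",         "status": "Not recorded"},
]


def search_pattern(query: str):
    """Compile the search box entry.

    A * at the start or end removes that side's anchor; everything else is
    matched literally (re.escape) and case-insensitively against a whole field.
    """
    q = query.strip()
    lead, trail = q.startswith("*"), q.endswith("*")
    core = q.strip("*")
    return re.compile(("" if lead else "^") + re.escape(core) + ("" if trail else "$"),
                      re.IGNORECASE)


def search_users(rows, query: str) -> list:
    """Rows where any displayed field (Display Name, User Name, Status) matches."""
    pat = search_pattern(query)
    return [r for r in rows if any(pat.search(value) for value in r.values())]


if __name__ == "__main__":
    for q in ("john", "john smith", "*john", "John*", "*john*"):
        print(q, "->", [r["display_name"] for r in search_users(SAMPLE_ROWS, q)])
```

Because the User Name field is searched too, a trailing-wildcard search on a domain prefix (for example dev.xyz\*) lists every recorded account from that domain.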

Displaying user details

Hover over a row and click the double-arrow that appears to expand user details.

Details include:

. Email - User's email address, if any was provided.

. Last Used Device- If the user has been recorded, the last device that reported data.

. User Recordings - If the user has been active, a badge for each type of recorded event appears. The User Status badge appears for ANY activity. The Screenshots badge appears only for Veriato 360 recording.

Editing a user's display name and email

Once you add a user, you can modify only the Display Name ("friendly" name) and Email address.

. The Display Name appears on charts, reports, and grids.

. The Email address is optional and for your convenience. Edit these fields at any time.

Viewing user activity

Click a badge to view recorded events for the user.

Managing Categories

Application Categories

When viewing data, you can select applications (or programs) individually or as categories in General Criteria. Because the list of programs to select from can be overwhelming, it makes sense to define Program categories. Grouping programs into categories is a powerful way to speed up criteria selection.

For example, you could create these categories:

. Productivity apps: How often and how long are top productivity applications being used? Who is using them? For example, a Shipping department that relies heavily on Excel spreadsheets might need a program group that includes all versions and instances of MS Excel. An Engineering department might want to group all code editors and compilers as one group. The Marketing group may select all versions of MS PowerPoint and Word as part of its productivity group.

. Unacceptable apps: How much company time is being spent playing mine-sweeper or solitaire? Most managers don't know the name of every game out there and don't have the time to sift through individual program usage. You can help them by grouping applications that are strictly for entertainment. In addition to games, you might include media players and other distractions from productivity.

To create a category

. Open Categories | Application Categories.

. Select Add Category from the top bar. The Program Group window appears for "New Group."

. In the New Group window, type a Group Name (up to 20 characters including spaces).

. In the Description field, type a description for the group.

. In the Group Type field, select Specific Programs. A list of all Available Programs appears in the left pane of the Program Group window. Each program has a Program Name (which can be edited), an Executable Name, and may have a Description.


. Scroll through the Available Programs list or type the first letter of a program name to find the desired program. For example, type V to jump to "vb6" (Visual Basic).

TIP: Click a column heading to sort programs alphabetically by that column. Sorting by Description makes it easier to find versions of Notepad, for example. Hold down the Shift key and click the Executable Name column head to sort by Description AND Executable Name.

. Select a program. Use the Shift and Control keys to select multiple programs.

. Click the > button (or double-click) to send highlighted programs to the right-hand Selected Programs list. (The >> button sends all programs in the available list to the selected list, but the list may be too long!)

. Click the < button to return highlighted programs in the Selected Programs list back to the Available Programs list. Click << to return all programs back to the Available Programs list.

. When all the programs you want are in the Selected Programs list, click Save and Close on the toolbar. The window closes, and the new category appears.

List of recorded applications

Veriato maintains a list of all applications it has detected in 360 recording. When you categorize programs, they are listed by:

. Program Name: The program name as detected on the network. You can edit this name to achieve a more readable program list.

. Executable name: The name of the executable file.

. Description: A brief description of the program, as taken from the executable properties.

Device Categories

Make it easy to select which hardware is shown in charts and grids. Rather than hunting for and selecting individual devices, you could select a category: all the devices in a department, within a building, belonging to a network domain, or frequently traveling.

A customer support manager might quickly select email and chat transactions from “Level 1" and "Level 2" support computers. An IT manager might view productivity for devices grouped by domain.

NOTE: You can use Recorder Groups as Device Categories, but you can change these groups only from the Recorders section.

To create a new category

Click Add Category on the top bar. Fill in the top of the New Category form.

. Group Name: Name of the group; any name you want, up to 20 characters including spaces.

. Description: A description for the group.

. Group Type: Choose one of the following. Specific Devices - Select individual devices (from any domain) for your group. All from Specific Domains - Select and group entire domains. For example, you could group the CHICAGO, OMAHA, and LOCAL domains.

. Available Devices or Domains: The left pane lists the hardware OR all available domains you can add to this group. Use the Shift and Control keys to select multiple items. Click the > button to send all selected (highlighted) devices or domains to the right-column Selected list. The >> button sends all devices or domains in the Available list to the Selected list.

. Selected Devices/Domains: The right pane lists your selections for the group so far. Select an item and click the < button to return it to the Available list. Click the << button to return all devices or domains back to the Available list.

When you have selected all group members, click Save and Close on the toolbar. The window closes, and the new group appears in the right pane.

Use categories in:

. Global Criteria

. General Criteria

. Chart Settings that allow device "Groups" visualization

Keyword Categories

Keyword categories allow scanning for sets of words and phrases in chat, email, websites, and document names and file transactions. Veriato Recon/360 supports up to 10,000 separate keywords in its categories. Create and edit keyword categories in Filter Categories | Keywords and use them in your Keyword Alert and Event Alert policies.

Provided keyword categories

Veriato Recon/360 provides predefined keyword categories ready to use, such as "Fraud" and "Malicious Programs," as a starting point for discovering violations. The lists are not complete, and some keywords (such as "bash" or "bite") will produce false alarms. Set up your alerts carefully and always review the context of an alert before acting on it. You can add words to or remove words from the provided groups to make alerting more effective.

View keywords in a category

Click the + (plus) next to the category and respond to the warning about explicit words.

Add/Remove keywords

Check the box next to a category, and from the top bar select Options | Modify Selected. See Defining a Keyword Category. Be sure to Save your changes on the Keyword Category window.

Add/Remove categories

To create a category, click Add Category on top bar. See Defining a Keyword Category.

To delete a category, check the box next to a category, and from the top bar select Options | Delete Selected. A message asks you to confirm the deletion. A category cannot be recovered unless a Database Backup is restored.

NOTE: If only one category remains, you cannot delete it.

Defining a Keyword Category

Use keywords to watch for data you're interested in: people's names, passwords, domains, file names, and so on. Modify an existing category to make it more effective, based on alerts you receive.

In Categories | Keywords, select New or double-click an existing category to open the following selection window. The right column lists keywords already in an existing category.

Name the category

When you are creating a new category, type a unique Category Name and Description. The category names appear in Alert Profile keyword selection lists.

Select keywords

Select a tab to add at least one keyword to your new category. You can use both tabs to build a list of "Selected" keywords.

Choose Select Keywords to use words from any of the existing keyword categories. A warning appears before the words are displayed - some words are offensive!

Select one or more words. Click the > button to add the word to the list. To remove a word from the Selected list, highlight it and click the < button.

Enter keywords

Type a word or phrase in the Keyword field. You can use letters, numbers or spaces. For example, you could enter a phone number or an entire document path or URL. Click the > button to move this word to the Selected list. Veriato Recon/360 looks for a match to a complete keyword. Veriato Recon/360 would find "investment" in the path \\server05\admin\documents\2014\investment.txt in file activity and initiate an alert. If your keyword was "investment.doc," it would NOT find "investment.txt," since there is no match to the whole keyword.

In the Select Keywords tab, double-click a word to move it to the Selected list, or use Shift and Ctrl to select several words in the left-hand list and then click >. Click >> to move all words to the Selected list, < to remove a highlighted word from the Selected list, and << to move all words out of the Selected list.

NOTE: Avoid using small or commonly used words. You want your alerts to be meaningful!
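The whole-keyword rule described above (a keyword matches "investment.txt" when the keyword is "investment" but not when it is "investment.doc") and the false-alarm warning about words like "bash" are illustrated by this added example. It is not Veriato's matcher: the exact token boundaries are an assumption, and the sample events are constructed.

```python
"""Whole-keyword matching over recorded text, as described above.

A keyword matches only when it appears as a complete token (or, for a phrase,
a consecutive run of tokens). Tokens are split on whitespace and common
path/URL punctuation, including ".", which is why "investment" is found in
"investment.txt" while the keyword "investment.doc" is not.
"""
import re

# Assumed token boundaries: whitespace and path/URL punctuation. Hyphens are
# kept so that a phone number such as 555-0100 stays one token.
TOKEN_RE = re.compile(r"""[^\s\\/:.,;"'()\[\]<>?=&#@]+""")


def tokenize(text: str) -> list:
    return [t.lower() for t in TOKEN_RE.findall(text)]


def find_keywords(text: str, keywords) -> list:
    """Return the keywords (as given) that occur as whole tokens in text."""
    toks = tokenize(text)
    hits = []
    for kw in keywords:
        seq = tokenize(kw)
        n = len(seq)
        if n and any(toks[i:i + n] == seq for i in range(len(toks) - n + 1)):
            hits.append(kw)
    return hits


def scan_events(events, keywords) -> list:
    """(event_type, keyword) for every hit across a batch of recorded events."""
    return [(etype, kw) for etype, text in events for kw in find_keywords(text, keywords)]


# Constructed sample: the documented path example plus lines chosen to show a
# genuine hit and the false-alarm case the page warns about ("bash").
SAMPLE_EVENTS = [
    ("file", r"\\server05\admin\documents\2014\investment.txt"),
    ("email", "Please review investment.doc before the call"),
    ("chat", "I'm going to bash out the release script in bash tonight"),
    ("chat", "she is far too bashful to present"),
    ("website", "https://example.com/login?user=jsmith"),
]
KEYWORDS = ["investment", "investment.doc", "bash", "example.com/login"]

if __name__ == "__main__":
    for etype, kw in scan_events(SAMPLE_EVENTS, KEYWORDS):
        print(f"{etype}: matched {kw!r}")
```

The third sample line is the kind of hit the NOTE above warns about: "bash" is a whole word there, so the alert fires even though the conversation is about a shell, not violence. Reviewing context before acting remains the operator's job.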

Save

Click Save on the New or Modify Category toolbar to save your changes and Save and Close to save and close the window. If you attempt to close the window after making changes, you are prompted to save. If you added a new category, it appears in the Keyword Categories list.

Time Categories

Policies such as 360 Event Alert definitions require you to select a Time Category. The time category specifies WHEN to apply the alert. In addition to "All Time," two categories are provided:

. Non-Office Hours (all day on weekends, and weekdays from 5:00 PM to 9:00 AM)

. Office Hours (weekdays, 9:00 AM to 5:00 PM)

View or edit these categories in Filter Categories | Time to define any blocks of time you choose.

Viewing time categories

Select Categories | Time Categories in the left navigation pane.

. Name - The name of the defined time category. Click the + (plus sign) next to a category name to open its daily schedule, or the - (minus sign) to close the details.

. Description - Change the description of the category when you add or edit one.

Click the + to the left of the category to open it and view a list of ON hours.

Adding or editing a time category

1. To add a category, click Add Category on the top bar. To edit a category, check the category in the list and select Options | Modify.

2. Enter a name and description for the category.

  Name - Up to 50 characters. Appears in applicable category selection lists.

  Description - Describe the schedule and, if you like, include instructions for using it. The description may be up to 100 characters and appears next to the category selection where available.

3. In the calendar grid, click on date/time squares to color or clear them. Colored areas define the filtering times.

. Hold down the mouse button and drag to color an area green, or ON.

. Click a time column heading to color that time for all days.

. Click a day row heading to color all times in that day.

. Drag over colored areas to clear them to OFF.

. Dragging over colored AND blank areas colors all areas.

In the below illustration, the ON state would apply to Sun-Wed, from 1:45 to 5 AM and from 12 to 1 PM and the OFF state would be all other times. The time is shown with the cursor position.

4. As you color in the grid or remove color from it, the list of ON days and times below the grid is updated. The list is for your information only; to make changes, click and drag on the calendar grid.

5. Click Save or Save and Close on the dialog box toolbar to save, or to save and close the window.
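The grid you color in the editor can be modelled as a set of ON slots per weekday, which makes it easy to check how a category such as Office Hours is evaluated against an event timestamp and to verify that the two provided categories cover the whole week with no gap or overlap. This is an added illustrative model, not Veriato's code: the 15-minute slot size is an assumption (the grid above shows a 1:45 boundary), as are the class and function names.

```python
"""Time categories as a weekly ON/OFF grid."""
from dataclasses import dataclass, field
from datetime import datetime, time

SLOT_MINUTES = 15                                   # assumed grid resolution
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES             # 96 slots per day
WEEKDAYS = range(0, 5)                              # Monday..Friday (datetime.weekday())
WEEKEND = range(5, 7)
ALL_DAYS = range(0, 7)
EVERY_SLOT = {(d, s) for d in ALL_DAYS for s in range(SLOTS_PER_DAY)}


def _slot(t: time) -> int:
    return (t.hour * 60 + t.minute) // SLOT_MINUTES


@dataclass
class TimeCategory:
    name: str
    description: str = ""
    on: set = field(default_factory=set)   # {(weekday, slot)} coloured ON

    def add_range(self, days, start: time, end: time) -> "TimeCategory":
        """Colour [start, end) on each of the given days; end == time(0) means end of day."""
        first = _slot(start)
        last = SLOTS_PER_DAY if end == time(0) else _slot(end)
        self.on.update((d, s) for d in days for s in range(first, last))
        return self

    def applies(self, when: datetime) -> bool:
        """True when the event time falls in an ON slot, i.e. an alert using this category applies."""
        return (when.weekday(), _slot(when.time())) in self.on

    def ranges(self) -> list:
        """(weekday, start_minute, end_minute) per contiguous ON block: the list shown below the grid."""
        out = []
        for d in ALL_DAYS:
            slots = sorted(s for day, s in self.on if day == d)
            i = 0
            while i < len(slots):
                j = i
                while j + 1 < len(slots) and slots[j + 1] == slots[j] + 1:
                    j += 1
                out.append((d, slots[i] * SLOT_MINUTES, (slots[j] + 1) * SLOT_MINUTES))
                i = j + 1
        return out


# The two provided categories, built as described above.
OFFICE_HOURS = TimeCategory("Office Hours", "weekdays 9:00 AM to 5:00 PM") \
    .add_range(WEEKDAYS, time(9), time(17))
NON_OFFICE_HOURS = (TimeCategory("Non-Office Hours", "weekends, and weekdays 5:00 PM to 9:00 AM")
                    .add_range(WEEKDAYS, time(17), time(0))
                    .add_range(WEEKDAYS, time(0), time(9))
                    .add_range(WEEKEND, time(0), time(0)))
PROVIDED = [OFFICE_HOURS, NON_OFFICE_HOURS]


def is_complement(a: TimeCategory, b: TimeCategory) -> bool:
    """Check that two categories partition the week (no gap, no overlap)."""
    return a.on.isdisjoint(b.on) and (a.on | b.on) == EVERY_SLOT


def categories_for(iso_timestamp: str) -> list:
    """Names of the provided categories that apply at an event timestamp."""
    when = datetime.fromisoformat(iso_timestamp)
    return [c.name for c in PROVIDED if c.applies(when)]


if __name__ == "__main__":
    print("partition:", is_complement(OFFICE_HOURS, NON_OFFICE_HOURS))
    for ts in ("2019-05-13T10:30", "2019-05-13T17:00", "2019-05-18T10:00"):
        print(ts, "->", categories_for(ts))
```

Once you edit the provided categories, run the complement check again: a custom "Office Hours" that ends at 5:15 PM while "Non-Office Hours" still starts at 5:00 PM silently double-fires an alert in the overlap, and a gap means an alert never fires there at all.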

Removing a time category

Select the category and choose Options | Remove from the top bar.

Website Categories

Website categories allow you to group domains into named lists. Initially, this list is empty; you must define the groups before they can be selected in Event Criteria. It's more convenient to select a category than to find individual items in a long list of domains.

. Category Name: Name given to the category for domain selection.

. Category Type: Indicates whether the group is a list of specific domains or a list of other domain groups.

. Description: A description of this group of domains.

Add a category

1. Select Filter Categories | Website Categories from the sidebar and select Add Categories from the top bar. A New Website Category window appears.

2. Type a Group Name (up to 20 characters including spaces).

3. In the Description field, type a description for the group.

4. Next to Group Type, select Specific Domain. All domains known to Veriato Recon/360 are listed in the left "Available Event Domains" list. Click in the list and type the first character of a domain name to move quickly through the list.

5. Select a domain from the left column list. Use the Shift and Control keys to select multiple domains.

6. Click > to send all highlighted domains to the right hand "selected" list. (The >> button sends all domains in the available list to the selected list.)

7. Click < to return highlighted domains in the "selected" list back to the "available" list. Click << to return all domains back to the "available" list.

8. When you have selected the desired domains, click Save and Close on the toolbar. The window closes, and the new group appears on the Domain Groups window.

Edit a category

. Change a group's domains, name, or description. Right-click on the group and select Edit.

. Delete a selected domain group by clicking Delete on the toolbar (or right-click > Delete).

. Use Domain Groups to select criteria for activity.

. Create charts and reports that show activity by domain group, rather than by individual domains.


Configurations

Licenses

Activation

If you haven't activated the product, the Activate button appears at the top of this window. (After activation, it no longer appears.) Click to open the Activate Product form where you can copy and paste your Product Key (in the first field). You can't install Recorders until you do this! See Activation.

Alternate Activation

If your Veriato server does not have Internet access, use Alternate activation.

1. Enter your product key and enable "alternate activation".

2. Click the Create a File button.

An HTML file RequestActivation.html is created and opened. The file is saved on the desktop.

3. Copy RequestActivation.html from the desktop of your Veriato Server to a device that has Internet access.

4. On that device, open the HTML file and click the Request Activation link.

5. A connection is made to Veriato and an activation file is created for you. You can choose to download the file or have it sent as an email attachment. If you choose an email attachment, enter a valid email address. If you choose to download, follow the normal procedure for downloading a file in the browser you are using.

6. Click Download. A .bin file containing your license information is downloaded or emailed.

7. Next, a second link is presented allowing you to download your Recorder software (updates will work similarly). Click Download Recorders to download a .zip file via the browser. Email is not an option for this download.

Browse for the files one at a time from "Activate Product"

8. Copy or move the License ***.bin file and the Recorders ***.zip file to a location where you can access them from the Management Console at your Veriato Recon/360 server device.

9. Use the Browse button on the Activate Product dialog box to locate and open the file. Wait as Veriato Recon/360 is activated.

10. A message informs you when the product is successfully activated. Click OK.

If an error occurs, try the procedure again, or contact Veriato. When activation is successful, your licenses are ready to use. View your Unused licenses in Configurations | Recorder Licenses.

Check for updates

Use the button at the top of the window to retrieve newly purchased licenses for immediate use. If you receive automatic updates, any new licenses will automatically appear in this list within 24 hours of purchase. This action will also notify you of any updates available for your installation. See Checking for Updates.

Activating a Veriato Recon/360 upgrade

Following a Veriato Recon/360 upgrade, you need to re-activate your licenses. If you do not activate the upgrade, recording continues at computers without interruption, but alerting and data uploads will stop until activation is complete.


NOTE: The activation exchanges encrypted licensing and registration information with Veriato. No other data is exchanged.

Activating a Database Restore

If you restore a database backup, online activation occurs in the background. If your server is offline, you will need to request offline activation. Following the restore, recording continues at devices with no interruption, but alerting and data uploads will stop until the activation is complete.

License Types

. Veriato 360 - A Veriato 360 license provides full-featured, continuous monitoring, additional alerting and data uploads. Includes screenshots, charts, reports, detailed logs, and the ability to search for, aggregate, and report on any recorded data across the network.

. Veriato 360 Floating - A Veriato 360 Floating license provides full-featured, continuous monitoring and data uploads with the flexibility to reclaim the license and move it from one computer to another as needed.

. Veriato Recon - A Veriato Recon license is required to enable Veriato Recon user behavioral analysis and alerting. Veriato Recon uploads only meta-data required for Recon charts and alerts. Meanwhile, detailed recording is kept at the endpoint for 30+ days (depending on license level). If Veriato 360 capability is applied, all detail, including screenshots are uploaded for viewing.

List of licenses

When you need to purchase more licenses, see Adding Licenses.

. License Type - Shows the type of license available - Veriato Recon, Veriato 360 or their variations. See License Types to learn what each Veriato Recon and Veriato 360 license type provides. Contact Veriato Sales to learn about purchasing additional license types.

. Auto-License - Assigns any checked license types automatically to an unlicensed, but fully installed and valid Recorder. Note that a Recorder cannot receive more than one Veriato Recon and one Veriato 360 license. See below for more.

. Licenses Available - Number of purchased licenses that have not been used. If no licenses are available, any newly added Recorders assigned the license type will NOT function until you purchase additional licenses and assign them to the devices.

. Total - Total purchased licenses.


Assign a license when adding a Recorder

Both the Add Recorder wizard Deployment | Add Recorder and the Manual Setup file Deployment | Create Manual Setup require that you select at least one license to deploy Recorder software to the device. Be careful to install Recorders in groups based on the license you want to assign. Any device selected for Recorder installation that doesn't have the specified license will use one!

If a Recorder was not successfully installed on a device (has "Red" error status in the Recorders list), you can recover the assigned license by removing (Uninstalling) the device from the list. This only applies to devices that have NEVER had a Recorder installed.

A Recorder can be installed as part of a VM or VDI with an assigned license, but an additional license will be used for each desktop iteration. Learn how to plan for licensing of virtual machines in Deploying to Virtual Machines and Citrix VDI Desktop.

Automatic licensing

Automatic licensing is useful for handling new VM and VDI desktops that include an installed Recorder and have been previously licensed under a known device name. If this option is not checked, Recorders on new virtual machines show up in the device list with an unlicensed error, and you would need to manually assign and potentially "burn" another license.

If auto-licensing is enabled, when a Recorder "re-creates" itself on a new VM and checks in to the server, it will retrieve the licenses.

Automatic licensing will not work on invalid (old) Recorders, and is ignored by Recorders that already have their license assignment. If you "lose" Recorders due to a catastrophic event, where device names have been lost from the database, Recorders may be able to report into the server and receive automatic licensing. Device information, such as groups and other configurations will be lost.

Switch license types from the Recorders list

Following Recorder deployment, you will manage device license assignments from the Recorders list. If you are using Veriato Recon, you can easily switch to Veriato 360 investigation capability from the list.

. Add license capability using Recording | Add/Enable. Add Veriato 360 or Veriato Recon active recording to a device by selecting Add/Enable. If the device does not have the license, it receives and uses one. If the device has the license but it has been "disabled," the command re-enables it.

. Remove license capability using Recording | Remove/Disable. Only a Veriato 360 Floating license can be removed, but all others can be disabled to temporarily turn off functionality. For example, at the end of an investigation, you can disable Veriato 360 on the target devices.


You can't double-assign a license

Don't worry about assigning a device the same license twice. If a device already has a Veriato 360 license, it will NOT receive a second license if it happens to be selected for Add/Enable a Veriato 360 license, or a target of a Manual Setup with a Veriato 360 license.

The same is true for Recon: A device with a Veriato Recon license will NOT receive an additional Recon license (or any variation - Recon 60, Recon 90, or Recon SHD). By default, it retains its original license. Contact Veriato if you have a special situation.

License warnings in the Recorder list

Unlicensed Recorders appear in Recorder groups with yellow or red status. Without an active license, the Recorder is not returning data. To solve the problem, purchase more licenses if necessary, and then select the device and add or enable a license.

. Install complete. Assign a license - The Recorder was successfully installed but did not receive a license (not enough licenses available).

. License disabled, re-enable - Licenses have been assigned, but are disabled.

. License maintenance has expired - You need to renew maintenance on licenses or remove devices you are no longer recording. The license remains "used."

Purchase or renew licenses

You can purchase additional licenses at any time. Keep track of license maintenance timelines and renew before expiration stops recording! Contact Veriato.


Recorder Versions

Recorder Versions and Updates

When you activate Veriato Recon/360, the latest Recorder software for each operating system is downloaded and becomes available in Configurations | Recorder Versions. Be sure to check for version updates frequently or automatically. Updated recording keeps pace with the latest web browsers, chat, email and other software installed on client devices.

IMPORTANT: After upgrading the Veriato Recon/360 Server, update Recorders by reinstalling ("pushing") the Recorder to the devices.

Recorder Versions list

All downloaded versions or versions actively used by clients reporting in appear in this list.

. Latest Version - A green check mark indicates the most recent version. This is the default version, if you do not select another while installing or creating a Manual Setup file.

. Platform - The operating system supported by a version.

. Recorder Version - The first two numbers (9.1) indicate the Veriato Recon/360 version, and the next four (.7526) indicate the build.


Checking for updates

Checking for updates synchronizes your licenses with Veriato and offers Recorder updates. Click Check for Updates in Recorder Versions or Recorder Licenses.

Automatic Check for Updates

1. From the Management Console top bar, select Global Options.


2. In the Recorder section, check Automatically Check for updates.

The option to automatically update is ON by default and requires Internet connection for the nightly update request. To turn off the automatic setting and only check for updates at your convenience, go to Tools | Options and deselect Automatically check for updates.

Downloading updates

If software updates are available, when checking for updates or responding to desktop notification, a Veriato page opens listing the updates. If no updates are available, click OK at the message that appears.


Read the update notes to see what has changed in each release or version.

Click Download Latest Recorder to add the latest version for each platform (as available) to your Veriato Server. No software is updated until you schedule deployment to devices.

1. The download places Recorder install package(s) in the correct directory of your Veriato Recon/360 installation (../Veriato/Veriato 360/).

2. You can view the new versions in Configurations | Recorder Versions.

3. To update Recorders, see Updating the Recorder.

Alternate check for updates

If your Veriato Recon/360 server does not have Internet access, you can add in new licenses and check for software updates using the alternate method. This method submits a request to Veriato and returns update information in a file, without using Internet access at the Veriato Recon/360 server. Be sure to initiate this process from the Veriato Server's local Management Console.

1. On the Check for Updates panel, select Use alternate check for updates.

2. Click Create a File. The file UpdateRequest.html is created and saved on the desktop. Leave the Check for Updates panel open as you complete the next steps.


3. Copy the Update Request file to a device that has Internet access.

4. Open (double-click) the HTML file and click the Request Updates link.

5. A connection is made to Veriato. You can choose to download a file containing updates or have it sent as an email attachment. If you choose the email attachment, enter a valid email address (for example, [email protected]).

6. Click Download. If prompted, enter your product key and press Submit. Two files are downloaded or sent by email, as applicable: (1) A .bin file with a name that includes your product key and contains updated license information. (2) A .zip file that contains new Recorder versions for any or all OS platforms.

7. Move the files to, or be prepared to access them from, the Veriato Server machine. Return to the Management Console at the server to complete the next steps.

8. Click Browse for File on the Check for Updates panel. If the panel has been closed, simply Check for Updates and select "Use Alternate Check" again. Navigate to and open the .bin file you downloaded. A message informs you that your licenses have been updated.

9. On the message that appears, click OK to go on to Recorder Versions.

10. Use the Browse for File button on the Check for Updates panel. Navigate to and open the .zip file. Wait as it loads.

11. Click OK at the message. If an error occurs, try the entire procedure again, or contact Veriato.


Exporting to File Formats

It is possible to export detailed Veriato Recon/360 user activity from the database for use in another application for reporting or analysis. The Veriato Recon/360 Export Utility allows you to export selected data from your Veriato Recon/360 database instance to specific file formats. The utility is especially useful when you need the data in a format to use in an environment that does not necessarily have access to Veriato Recon/360.

NOTE: Each Dashboard view also provides export options.

How the Export Utility Works

The Veriato Recon/360 Export Utility application logs into the Veriato Recon/360 database and allows you to query the data, like criteria selection in the Dashboard. You can choose general criteria (users, computers, date range) the type of events to export, and the file format and destination. In addition to running an export at any time, you can schedule automatic exports to run at regular daily, weekly, or monthly intervals using your selected criteria.


Export file formats

The Export Utility lets you select from the following export file formats:

. Microsoft Excel

. HTML - table format

. Text - rows, with tab-delimited fields

. XML - text/xsl

. Veriato SDF - requires a Veriato Viewer to open the data

. AVI - for Screenshots

Export data

You can select all or specific fields from each event type to export. For example, you could choose to export just Alert counts with user names.

. Alerts (server-side)

. Call Activity

. Chat/IM

. Document Tracking

. Email

. Email Attachments

. File Transfers

. Keystroke

. Keyword alert (client-side)

. Network events

. Online Searches

. Program

. Screenshots

. User Status

. Website activity

Acquiring the Export Utility

Contact Veriato to request this easy-to-use add-on tool.


Exporting to SIEM

Veriato Recon/360 provides an option to pump alert and event data collected by Veriato Recon and Veriato 360 directly to your SIEM (Security Information and Event Management) host. You provide the SIEM host address and choose how and what to export. A Veriato Recon/360 database job runs on a schedule (hourly by default; see The Data Export job) to perform the export. The result is a seamless and constant (when machines are running) data stream from the recording capability of Veriato Recon/360 to your security application. Access this feature from Configurations.

Splunk and ArcSight

Adding Veriato Recon/360 data to your Splunk, ArcSight, or other SIEM application arms you with the data necessary to correlate network and hardware events with user actions and reveal greater depth of analysis and investigation. For example, you will easily see who bypassed network security and downloaded a cloud-based storage application that could put sensitive information at risk. You're more likely to explain an unusual spike in outgoing network traffic if you can correlate it with user behavioral anomalies.

Configuring export

Export configuration is in the Management Console's Configurations section. You can use JSON, Syslog, or CEF format. The database job will run automatically and provide an ongoing "pipe" of alert and other event information to your SIEM repository.

1. Select Configurations | Export.

2. Initially, the Available Export Profiles lists only the Default profile.

. To activate and configure the Default Export Profile, double-click it.

. To modify an existing profile, double-click it in the left list.

. To start a new profile, click New at the bottom of the dialog box.


3. Export Type - Select the type of export you want:

Splunk - Export using HTTPS (JSON) to Splunk. Streaming data over HTTPS is the fastest, most secure method of export. See Export to Splunk.

TCP - Export using TCP to the target SIEM. See Export to ArcSight for an example. See the notes below for more about TCP export.

UDP - Export using UDP to the target SIEM. Not recommended. The export will combine all selected events in a single packet, which may be too large to deliver (see the notes below).

4. Export Format - Base your choice on the application receiving the export.

JSON - Exports in JSON (JavaScript Object Notation) format to the target SIEM. Available for all export types.

Syslog - Exports in Syslog (standard system logging) format to the target SIEM. Available for TCP or UDP export.

CEF - Exports to Common Event Format log records. Available for TCP or UDP export.

5. Status - Select Enable if you want the job to run. Select Disable to keep the configuration without running the export job.

6. Select Event Types - Check at least one type of event data to export. Check all to receive the maximum data. See Export Event Fields for more details.

7. Profile Name - Optional. Type a descriptive name for the profile. When you save the profile, it will be listed under this name in the left "Available Export Profiles" list. You can set up multiple configurations and have them all run, one after the other. The name does not affect the export.


8. Target IP - Enter the IP address of the SIEM server.

9. Port - Enter the IP port that will receive the export. The 8088 value is used by Splunk. Change it to the receiving port for the selected export type. For example, the default UDP Syslog port is 514, while the TCP Syslog port may be 601. Use the port expected by your SIEM, and make sure no firewall will block the transaction.

10. Select Export Criteria. User name and password are not used.

. Export All Available Records - If checked (default), exports from the earliest record available in the database. Clear the checkbox to select a start date. In either case, the export tracks what it has and has not exported. After the initial export, only data following the last export is included.

. Export Start Date - Sets the beginning date for export to limit the data exported. Type in the date MM/DD/YYYY or click the arrow to select a date from a calendar.

11. Splunk Token - For Splunk export only. Type or paste in a token value generated by the HTTP Event Collector to authenticate connection with Splunk.

12. Save - The Export database job automatically runs when a profile is configured and enabled. It connects with the SIEM host and the selected data is transferred.

Reset Tracking

The export tracks what has and has not been exported to avoid duplicate records. Use the Reset Tracking button if you need to capture ALL data again from the very first or a selected start date. This button affects only the current export profile.


Selecting event types to export

In the right column, check event types to export to the SIEM. Check all event types to process all Veriato Recon/360 events for your SIEM. If you're only interested in one or two event types, check those and leave the others blank. Learn more about event data, and refer to Export Event Fields in this guide for a list of the event types and their fields.

New configuration

If you need more than one configuration, click New to clear the current configuration and create a new one. Be sure to click Save at the bottom of the panel to save your configuration.

The Data Export job

When an export profile is defined and enabled, the export is automatically scheduled to run as a database job (Data Export Service). By default, the job runs every hour.

Export Log

An Export log file captures records and record types that have been exported, as well as any errors occurring during the export. Look for the _Data_Export.log file the default database logging directory:

C:\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Log\VeriatoLogs

Export Notes

UDP Exports

. Since the UDP protocol does not maintain a connection, even if an export sends data to the target and marks it as exported, there is no guarantee the data actually made it to the target.

. When data selected for UDP export is too large to fit in a single packet, the export fails. A log file entry notes that the data could not be sent.

. UDP exports are sent in plain text and are not secure, as they may be captured and read by a simple packet sniffer, such as Wireshark.

TCP Exports

. TCP exports are sent one event at a time, and the sender waits for each event to be acknowledged before sending the next. While this ensures delivery, it causes some network lag, and large numbers of events could take a long time to process.

. TCP exports are sent in plain text and are not secure, as they may be captured and read by a simple packet sniffer, such as Wireshark. Because the exportable event types include keystrokes, email bodies and chat content, keep TCP and UDP exports on a trusted network path; the Splunk HTTPS export is the only transport described here that encrypts and authenticates the stream.
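An added example, not Veriato's or ArcSight's code, of what sits on the receiving end of a TCP/CEF export: a parser that honours CEF escaping (\|, \=, \\) and a receiver that drops any record whose TRANS_ID has already been accepted, which is what you want when Reset Tracking re-sends history. The sample records are constructed; the vendor, product and signature values in the header, the assumption that TRANS_ID is exported under its default field name, and the assumption that each record arrives newline-terminated are all mine, so check them against a real capture before relying on this.

```python
"""Receive Veriato TCP/CEF export records, parse them and drop re-sent TRANS_IDs."""
import re
import socketserver

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped '=' ends a key
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")

# Constructed sample records (not real Veriato output). Header values and the
# TRANS_ID / FullLoginName extension keys are assumed for illustration.
SAMPLE_CEF = [
    r"CEF:0|Veriato|Veriato 360|9.1.7526|360_url|Website Visited|3|TRANS_ID=1001 FullLoginName=corp\\alice URL=https://example.test/search?q\=cloud\=storage DomainName=example.test",
    r"CEF:0|Veriato|Veriato 360|9.1.7526|360_keyword|Keyword Alert \| resume|7|TRANS_ID=1002 FullLoginName=corp\\bob Keyword=resume KeywordSource=Chat",
    # the first record again, as it would arrive after Reset Tracking
    r"CEF:0|Veriato|Veriato 360|9.1.7526|360_url|Website Visited|3|TRANS_ID=1001 FullLoginName=corp\\alice URL=https://example.test/search?q\=cloud\=storage DomainName=example.test",
]


def _unescape(s: str) -> str:
    r"""Undo CEF extension escaping: \\ -> \, \= -> =, \n and \r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(line: str):
    """Split the seven pipe-delimited header fields, treating '\\|' and '\\\\' as literals."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])          # escaped char is kept literally
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]                  # remainder is the extension


def parse_cef(line: str) -> dict:
    """Parse one CEF record into header fields plus an 'extension' dict."""
    header, extension = _split_header(line.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header[0] = header[0][4:]                # "CEF:0" -> "0"
    event = dict(zip(_HEADER_FIELDS, header))
    matches = list(_EXT_KEY.finditer(extension))
    ext = {}
    for n, m in enumerate(matches):          # a value runs up to the next key
        end = matches[n + 1].start() if n + 1 < len(matches) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end])
    event["extension"] = ext
    return event


class TransIdDeduper:
    """Accept each TRANS_ID once, so a re-export after Reset Tracking adds no duplicates."""

    def __init__(self, id_key: str = "TRANS_ID"):
        self.id_key, self.seen = id_key, set()

    def accept(self, event: dict) -> bool:
        tid = event["extension"].get(self.id_key)
        if tid is None:
            return True                      # key not mapped: cannot dedupe, pass through
        if tid in self.seen:
            return False
        self.seen.add(tid)
        return True


def ingest(lines, deduper: TransIdDeduper) -> list:
    """Parse a sequence of CEF lines and return only the events the deduper accepts."""
    return [ev for ev in map(parse_cef, lines) if deduper.accept(ev)]


class _Handler(socketserver.StreamRequestHandler):
    deduper = TransIdDeduper()

    def handle(self):
        for raw in self.rfile:               # assumes one newline-terminated record per line
            ev = parse_cef(raw.decode("utf-8", "replace"))
            if self.deduper.accept(ev):
                print(ev["signature_id"], ev["extension"])


if __name__ == "__main__":
    for ev in ingest(SAMPLE_CEF, TransIdDeduper()):
        print(ev["signature_id"], ev["name"], ev["extension"])
    # Listen on the port configured in the export profile (601 follows the TCP Syslog example).
    with socketserver.TCPServer(("0.0.0.0", 601), _Handler) as srv:
        srv.serve_forever()
```

Run it on the SIEM-side host with the port from the export profile. As the notes above say, the stream is plaintext, so this listener is for validating an export on a trusted segment before pointing the profile at ArcSight, not a production collector.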

Login time data


The exporter takes raw data from the database and does not convert it. For off-hours login anomalies, the login time is stored in the database as the number of seconds since midnight instead of an actual time. So, 1 PM would be 46800, 11 PM would be 82800. The export includes the actual time of login/logout and the mean time for comparison, both as seconds since midnight.

You will need to convert the data to get a human readable value. Do this in Excel by using the value/86400 and set the Cell format to Time.
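As an added example (not part of the original guide), the same conversion carried out in code on a constructed export: the record shape and the field names LoginSeconds and MeanLoginSeconds are assumptions for illustration, since the page does not show the exported column names for these values. Beyond the Excel step, the script also computes how far each login sits from the user's mean, wrapping across midnight so that a 23:30 login against a 00:30 mean reads as 60 minutes early rather than 23 hours late.

```python
"""Convert exported login-time fields from seconds-since-midnight to clock time."""
import json

SECONDS_PER_DAY = 86400

# Constructed sample of exported user-status records (not real Veriato output).
# The field names LoginSeconds and MeanLoginSeconds are assumed for illustration.
SAMPLE_EXPORT = json.dumps([
    {"FullLoginName": "corp\\alice", "LoginSeconds": 46800, "MeanLoginSeconds": 30600},
    {"FullLoginName": "corp\\bob",   "LoginSeconds": 82800, "MeanLoginSeconds": 31500},
    {"FullLoginName": "corp\\carol", "LoginSeconds": 28800, "MeanLoginSeconds": 29700},
])


def seconds_to_clock(seconds: int) -> str:
    """Return HH:MM:SS for a seconds-since-midnight value."""
    if not 0 <= seconds < SECONDS_PER_DAY:
        raise ValueError(f"not a time of day: {seconds}")
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def excel_fraction(seconds: int) -> float:
    """The value/86400 fraction of a day that Excel renders with a Time cell format."""
    return seconds / SECONDS_PER_DAY


def deviation_minutes(seconds: int, mean_seconds: int) -> int:
    """Signed offset in minutes of an actual login from the user's mean login time.

    The difference is wrapped into (-12h, +12h] so logins either side of midnight
    compare by the shorter distance rather than by raw subtraction.
    """
    half = SECONDS_PER_DAY // 2
    diff = (seconds - mean_seconds + half) % SECONDS_PER_DAY - half
    return round(diff / 60)


def annotate(export_json: str, threshold_minutes: int = 120) -> list:
    """Parse exported records, add readable times and flag logins far from the mean."""
    rows = []
    for rec in json.loads(export_json):
        dev = deviation_minutes(rec["LoginSeconds"], rec["MeanLoginSeconds"])
        rows.append({
            "user": rec["FullLoginName"],
            "login": seconds_to_clock(rec["LoginSeconds"]),
            "mean": seconds_to_clock(rec["MeanLoginSeconds"]),
            "excel_time": excel_fraction(rec["LoginSeconds"]),
            "deviation_min": dev,
            "off_hours": abs(dev) > threshold_minutes,
        })
    return rows


if __name__ == "__main__":
    for row in annotate(SAMPLE_EXPORT):
        print(row)
```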

Export to Splunk

Configure the export from 360. In the Veriato Recon/360 Management Console, modify or create an export profile.

1. Log in to the Veriato Recon/360 Management Console (at the database machine).

2. Select Configurations | Export.

3. Double-click the Default configuration in the left column.

4. For Export Type, select Splunk.

5. For Export Format, select JSON, the only choice. Although it is possible to export via TCP in a Syslog format that Splunk can use, the Splunk HTTPS/JSON configuration is more secure (the stream is encrypted and authenticated by the HEC token), more reliable, and much faster.


6. Select Enable if you want the job to run automatically. Select Disable to keep your configuration for future exporting.

7. For the Target IP, enter the IP Address of your Splunk server.

8. Enter the Port at which Splunk receives data, by default 8088. Check your Splunk HTTP Event Collector to verify the port number (see below).

9. In the Splunk Token field, type or paste in a JSON token from your Splunk HTTP Event Collector. If the HTTP Event Collector is not enabled or you do not have an appropriate token, follow the steps below to create one.

10. If you don't want to export all available data records, clear the Export Criteria checkbox and select a start date for the export.

11. In the right column, check Event Types to export.

12. Click Save. Wait for the first automatic export job to run - within 15 minutes.

Enable the HTTP Event Collector, if necessary

The Splunk HTTP Event Collector is the endpoint that receives Veriato Recon/360 events and delivers them into Splunk using the HTTPS (Secure HTTP) protocol. The Event Collector runs as a separate app (splunk_httpinput), storing its input configuration in:

$SPLUNK_HOME/etc/apps/splunk_httpinput/local. Refer to Splunk documentation for additional detail.

Using the HTTP Event Collector requires a token. The token provides authentication for Veriato Recon/360 each time it connects to the Event Collector, avoiding use of actual Splunk credentials. If the Event Collector is active and recognizes the token value, it accepts the connection, and Veriato Recon/360 can begin delivering events in JavaScript Object Notation (JSON) format.

To enable the HTTP Event Collector:

1. In Splunk Web, select Settings | Data Inputs from the System bar.

2. Click HTTP Event Collector to open the Event Collector management page.

3. Click Global Settings. The Edit Global Settings panel opens.


4. Enable tokens for the Event Collector using the following settings (others may be left at "Default"):

. All Tokens - Enabled

. Enable SSL - Checked

. HTTP Port Number - 8088 is default. Be sure to use the same port in your Veriato Export Configuration. Make sure no firewall is blocking the port on or between the Veriato Recon/360 server and the Splunk instance.

5. Click Save and return to the management page.

Create an HTTP Event Collector token

To create a token for use by Veriato Recon/360:

1. On the management page, select New Token.

2. Follow instructions to create a token. Give it a name that describes its purpose, and the Source Type JSON (unless you plan to use Syslog).

3. A success page displays the token value.

4. Copy the value and paste it in the Veriato Recon/360 Export Configuration Splunk Token field.

5. Save the Veriato Recon/360 export profile and wait for the first automatic export job to run - within 15 minutes.


Export to ArcSight

Map the export fields:

1. Review data in the Dashboard or the Export Event fields in this guide to see which events you would like to export.

2. In the Veriato Recon/360 Management Console, select Configurations | Export | Field mappings.

3. In the Export Field Mapping dialog box, select the CEF (or Syslog) export format and use the instructions in Editing the Export Fields to map each Veriato Recon/360 field to the field you need for ArcSight processing.

Configure the export from 360:

1. Log in to the Veriato Recon/360 Management Console (at the database machine).

2. Select Configurations | Export

3. Double-click the Default configuration in the left column.

4. Export Type - select TCP. It is possible to use UDP, but not as reliable.

5. Export Format - Select CEF.

6. Status - Select Enable if you want the job to run. Select Disable to keep the configuration without running the export job.

7. Select Event Types - Check at least one type of event data to export. Check all to receive the maximum data. See Export Event Fields for more details.

8. Profile Name - Optional. Type a descriptive name for the export profile. When you save the profile, it will be listed under this name in the left "Available Export Profiles" list. You can set up multiple configurations and have them all run, one after the other. The name does not affect the export.


Export configured for ArcSight

9. Target IP - Enter the IP Address for your ArcSight Host.

10. Port - Change the port to the receiving port at your ArcSight Host.

11. Select Export Criteria. User name and password are not used.

. Export All Available Records - Leave this checked (default) to export from the earliest record available in the database. Clear the checkbox to select a start date. In either case, the export tracks what it has and has not exported. After the initial export, only data following the last export is included.

. Export Start Date - Sets the beginning date for export to limit the data exported. Type in the date MM/DD/YYYY or click the arrow to select a date from a calendar.

12. Save the export profile and wait for the first automatic export job to run. It should run within 15 minutes.

Accessing the data in ArcSight

After the data has been acquired, you can access a Veriato 360 channel in ArcSight. This view shows Alert events on social networking sites.


Edit Export Fields

To allow flexibility in interfacing Veriato data with SIEM applications, the Management Console allows you to edit event fields as they are exported. The mappings you set here apply to all profiles you create for Syslog/JSON or CEF in Export Configuration.

IMPORTANT: Do not edit fields for a Splunk export if you are also using the Veriato Connector on the Splunk side. In this case, you must keep the fields as they are!

1. In the Management Console, select Configurations | Export Fields.

2. Select an export format to map. You can maintain two mappings: Syslog/JSON applies to all exports to Syslog or JSON, and CEF applies to all exports to CEF.


3. The "Field name" column displays Veriato fields exported with an event type. Click in the "Export as" column and begin typing to change a field name. Use any name that contains alphanumeric characters with no spaces. Invalid field name entries are highlighted in red.

4. Use the drop-down list at the top of the dialog box to select a different Event Type and map its fields.

5. When you are finished mapping fields for event types, click Save at the bottom of the dialog box.

6. To return to default field names for the current format selection (Syslog/JSON or CEF), click the Reset Defaults button.

7. The next Export job will use the mappings you have defined.

Export Event Fields

. Alert - Data Event Alerts are triggered by a set of conditions (for one type of activity), and apply to Veriato Recon/360 data returned to the database. Event Alert Policies must be active.

360_alert SearchDate, TRANS_ID, LKUP_AlertHeader_ID, Event Type, EventName, EventDescription, EvalDateTime_Start, EvalDateTime_End, UserFriendlyName, UserSerialNumber, RecordCount, OSTypeID, FullLoginName, UserID

. Anomaly - Anomaly alerts are triggered by analysis of Veriato Recon information gathered at Recon clients. Recon Policies must have users assigned to them.

360_anomaly TRANS_ID, AlertName, AlertCategory, AlertSubCategory, Group_Name, Hash_ID, FullLoginName, UserFriendlyName, AnomalyType, AlertDate, RecordedDate, ReportFrequency, AlertDetai

. Chat - Chat and instant messaging events recorded at Veriato 360 clients and uploaded to the database.

360_chat RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, ChatDataFormat, ChatType, ProtocolType, ChatUserName, ChatRemoteUsers, WindowCaption, ChatData, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType


. Document Tracking - Actions on documents and files are recorded at Veriato 360 clients and uploaded to the database.

360_document_tracking RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, DocDeviceType, DocDeviceName, DocAction, UserFriendlyName, ComputerFriendlyName, DocPath, DocName, DocExtension, DocNewName, PlatformType, OSType, PrintPageCount, FileSize

. Email - Email messages sent and received are recorded at Veriato 360 clients and uploaded to the database.

360_email RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, AttachCount, IncomingFlag, EmailType, EmailBodyType, FromName, FromAddress, ToNameAddress, Subject, CCNameAddress, BCCNameAddress, EncryptedFlag, TooBigFlag, UnsentFlag, BodyErrorFlag, AttachErrFlag, AttachOffFlag, WebMailHost, BodyDisplay, BodyText, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. Keystrokes - Keystrokes in any application on the computer are recorded at Veriato 360 clients and uploaded to the database.

360_keystroke RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, FormattedKeyCount, WindowCaption, KeyboardLocale, CharacterSet, KeystrokeCombined, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. Keyword alerts - Alerts triggered by keywords in a Recon alerting policy.

360_keyword RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, Keyword, KeywordSource, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType, alert_type

. File Transfers - File upload or download actions using FTP or HTTP/HTTPS are recorded at a Veriato 360 client and uploaded to the database.

360_p2p RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, P2PAction, P2PProtocolType, IPAddress, FullDomain, host_name, file_name, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. Network Activity - Network connections by port are recorded at Veriato Recon/360 clients and uploaded to the database.

360_port RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, IPAddress, Port, HostName, DomainName, ConnectionCount, TotalTimeMS, TotalBytes, ReceivedBytes, SentBytes, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType


. Screenshots - Data recorded with screen images at Veriato Recon/360 clients and uploaded to the database.

360_snapshot RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, StartDateTime, EndDateTime, UNCPath, FileName, SnapshotCount, EncryptKeyType, EncryptKeyGUID, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. Program Activity - Activity within applications recorded at Veriato Recon/360 clients and uploaded to the database.

360_programs RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, TotalTime, FocusTime, ActiveTime, WindowCaption, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. Websites Visited - Activity at web pages recorded at Veriato Recon/360 clients and uploaded to the database.

360_url RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, TotalTime, FocusTime, ActiveTime, URI, HostName, DomainName, WindowCaption, URL, SearchDomainName, SearchPhrase, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

. User Status - Veriato Recon/360 clients capture logins, logouts, and level of activity.

360_user_activity RecordedDateTime, TRANS_ID, ComputerDomainName, ComputerName, OSTypeID, FullLoginName, UserEMailAddress, ProgramName, ActionDescription, StartDateTime, EndDateTime, TotalTime, UserFriendlyName, ComputerFriendlyName, PlatformType, OSType

Viewing Data with Other Tools

Companies that use reporting services throughout their organization can benefit greatly by integrating and pumping Veriato Cerebral UBA and activity data into the same system.

Accessing Veriato database views

A reporting tool, such as SQL Server Reporting Services (SSRS), can be used to gather data and create reports from your Veriato Cerebral database.

The basic steps to connect to Veriato databases are:

1. Configure the report server.

2. Set up the Veriato Reporting database as the data source (connector). Use the tool’s user interface to connect to the VeriatoReporting database on the SQL Server that hosts your Veriato application.

3. Set up your report using queries based on "views" in Veriato data. The following views are in the VeriatoReporting database and reference the user and device tables used by each event type. If you base a custom report on these views, you will not have to worry about the underlying data table schema.

. vw_AlertData
. vw_ChatData
. vw_URLData
. vw_KeystrokeData
. vw_PortData
. vw_DocTrackingData
. vw_ProgramData
. vw_WebSearchData
. vw_UserStatusData
. vw_PeerToPeerData
. vw_SnapshotData
. vw_EmailData
. vw_EmailAttachmentData
. vw_EmailParticipantData
. vw_EmailDomainData
. vw_KeywordData
. vw_CallData
. vw_AnomalyAlertData

4. Read the data and generate the report or visualization.

Search Rules

Online Search Rules

Veriato Cerebral detects Online Search activity by looking in the recorded data for any URL that contains a search query. To facilitate finding online search events, Veriato Cerebral associates the major search engine domains with the search tags they generally use. You'll find these listed in Configurations | Search Rules. For any domain not listed here, Veriato Cerebral looks for generic search tags. This view allows you to review and update existing domains or add new domains to Online Search event recording. (more below).

There are two views to this tool. Use the View by button on the top bar to toggle between views:

. View by Domain (the default)
. View by Tag (click the toolbar button)

NOTE: The default Online Search Rules capture almost every search query. Keep in mind that adding Online Search Rules to the Database will slow processing.

View by domain

To find out if a domain is covered in Online Search data:

1. Click View by Domain on the Top bar. The button toggles from View by Tag to View by Domain (and vice versa).

2. A list of search engine domains already associated with search tags appears. More than one domain may be associated with a search tag. Each entry includes:

Domain Name: The domain associated with the tag.

Search Tag: The search tag immediately preceding search words in a search query URL. A search tag usually begins with & or ?.

Domain Specific: "Yes" instructs Veriato Cerebral to look for the tag at a specific domain. "No" means the tag is commonly used, and Veriato Cerebral will look for that tag at any domain.

3. Press Ctrl+F and type characters to find a domain or tag within the list.

4. Double-click any entry to open the Online Search Rules box and view all other domains associated with the same tag.

View by tag

To assess tags currently covered in Online Search events:

1. Click View by Tag on the Top bar to display all tags. Tag entries include:

Search Tag: The search tag immediately preceding search words in a search query URL. A search tag usually begins with & or ?.

Domain Name: The domain or domains associated with the tag. "Others" appears in this column if the search tag is NOT domain-specific. Veriato Cerebral looks for the "Others" tags at any domain.

2. Double-click any tag entry to open the Online Search Rules box and view associated domains.

Test for and add a search tag

Well-known browser search engines (Google, Yahoo, etc.) are automatically included in Cerebral Online Search event data. The need to add a search tag arises when searches at other domains of interest are not showing up in Online Search data. The Test button on the top bar, and also on the New/Modify Online Search Rule toolbar, allows you to verify which search tag is used at a website. By saving a new tag, you add it (and the domain) to your Search Rules.

1. Search URL - After initiating a search at a website of interest, copy and paste the URL from the top of the browser in the Search URL field. The search itself doesn't matter. For example, you could search for "twin sheets" at the JC Penney website and then copy and paste the URL that appears on the browser when results are found.

2. Search Phrase - Enter the phrase searched for to assist in the parsing.

3. Parse - Click the Parse button. The domain and search tag are extracted from the URL.

4. Save Tag - Click the Save Tag button to add the Search Tag to the Online Search Tags list as a domain specific tag. Online Search events now include this tag and jcpenney.com as a domain-specific search engine that you can query and chart.

Add domains to a tag

To aid in queries and charting, you can add domains to a general search tag. Select a domain or tag entry and click Modify or double-click a domain or tag entry to open Edit Online Search Rules. See Add/Edit Search Rules.

Add a search tag

When you want to add a specific, new search tag, click New on the top bar or right-click New anywhere in the Search Rules list. The New Search Rule dialog box opens. See Add/Edit Search Rules.

About online searches

When web recording is on, the Veriato Cerebral Recorder captures all URLs visited by a user. If a search has taken place, the URL for the resulting page is followed by a search query string. The string may contain many tags, but the tag immediately preceding the actual search words typed is the tag Veriato Cerebral uses to identify the search. For example, a search for "recipes" in Google and in Yahoo may return these URLs:

http://www.google.com/search?hl=en&q=recipes

http://search.yahoo.com/search?p=recipes&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8

Google uses the tag &q= to identify the search phrase, and Yahoo uses ?p=. By associating these specific tags with domains that use them, Veriato Cerebral ensures capture of search queries at major search engine sites.

However, thousands of web sites are NOT major search engines, but do provide searching. A New York Times search on "recipes" returns:

http://query.nytimes.com/search/query?query=recipes&srchst=nyt

Even though nytimes.com is not part of any Veriato Cerebral rule, the search will be detected because it uses one of the "generic" search tags, ?query=. Veriato Cerebral ALWAYS looks for a set of generic search tags at ALL domains. These tags are marked No or Others in the Online Search Rules list, because they might be used by any domain:

. ?search
. &search
. ?searchtext
. &searchtext
. ?query
. &query

If you discover a new search tag being used at a specific (or at any) domain, or if you want to ensure capture of online searching at a particular site, make changes to the Online Search Rules.

Add or Edit Online Search Rules

You can add new search tags (click New on the topbar) or modify existing search tags (double-click) with new website associations.

Test a domain to find its search tag

To make sure you have the right search tag for the domain, in a separate browser window, try a search at the website in question. For example, if you search the Metropolitan Opera website for "Domingo" the URL for the search results (at the top of the browser) is: http://www.metopera.org/Search/?q=Domingo. You can immediately see the ?q= search tag. Search results at large websites, however, are not this simple. For these, use the Test option and parse the search results URL.

1. Click Test on the toolbar.

2. Copy (Ctrl+C) the URL of a search results page and paste it into the Search Results field of the Test box.

3. Enter the search phrase you used at the website.

4. Click Parse. The domain and search tag are displayed.

5. If you want to add this tag specifically for this domain in your Online Search Rules, click Save Tag.
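The parsing described under "About online searches" and in the Test / Parse steps above, as an added Python example that is not part of this guide or of the Veriato product: it extracts the domain and the tag immediately preceding the search phrase (the Parse step), matches a visited URL against domain-specific and generic tags (what the rules do at recording time), and registers a new tag for one domain the way Save Tag does. The rule table, the function names and the example.com URLs are constructed for the illustration; the Google, Yahoo, New York Times and Metropolitan Opera URLs are the ones quoted in this section.

```python
# Added example (not Veriato's code): how a search-results URL is reduced to a
# domain and a search tag, and how domain-specific and generic rules are matched.
# The rule table is constructed from the tags named in this guide; the function
# names (parse_search_url, detect_search, add_rule) are this example's own.
from urllib.parse import urlsplit, unquote_plus

# Constructed rule table in the shape of the Online Search Rules view:
# tag -> set of domains (Domain Specific = "Yes"), or None for the generic tags
# that are looked for at any domain (Domain Specific = "No" / "Others").
# The guide lists the generic tags without the trailing "="; it is added here so
# that every tag has the same "?name=" / "&name=" shape.
RULES = {
    "&q=": {"www.google.com"},
    "?p=": {"search.yahoo.com"},
    "?q=": {"www.metopera.org"},
    "?search=": None, "&search=": None,
    "?searchtext=": None, "&searchtext=": None,
    "?query=": None, "&query=": None,
}


def _tagged_params(url):
    """Yield (tag, decoded_value) for each name=value pair in the query string.

    The tag is the parameter name with the separator that precedes it in the
    URL: "?" for the first parameter, "&" for every later one. That is why the
    guide shows "&q=" for Google (hl=en comes first) but "?p=" for Yahoo.
    """
    parts = urlsplit(url)
    for index, param in enumerate(parts.query.split("&")):
        name, has_eq, value = param.partition("=")
        if not has_eq or not name:
            continue
        separator = "?" if index == 0 else "&"
        yield f"{separator}{name}=", unquote_plus(value)


def parse_search_url(url, phrase):
    """The Test / Parse step: find the tag immediately preceding the phrase.

    Returns (domain, tag); tag is None when the phrase is not a query value.
    """
    domain = urlsplit(url).netloc.lower()
    for tag, value in _tagged_params(url):
        if value.lower() == phrase.lower():
            return domain, tag
    return domain, None


def detect_search(url, rules=RULES):
    """What the rule check does with a visited URL.

    Returns (domain, tag, search_phrase) when a parameter matches a rule that
    applies to this domain (domain-specific or generic), otherwise None.
    """
    domain = urlsplit(url).netloc.lower()
    for tag, value in _tagged_params(url):
        if tag not in rules:
            continue
        domains = rules[tag]
        if domains is None or domain in domains:
            return domain, tag, value
    return None


def add_rule(rules, tag, domain=None):
    """The Save Tag step: register a tag for one domain, or for any domain.

    A tag already marked generic (None) stays generic; attaching a domain to it
    would only narrow detection.
    """
    if domain is None:
        rules[tag] = None
    elif tag in rules and rules[tag] is None:
        pass
    else:
        rules.setdefault(tag, set()).add(domain.lower())
    return rules


if __name__ == "__main__":
    google = "http://www.google.com/search?hl=en&q=recipes"
    print(parse_search_url(google, "recipes"))   # ('www.google.com', '&q=')
    nyt = "http://query.nytimes.com/search/query?query=recipes&srchst=nyt"
    print(detect_search(nyt))                      # matched by the generic ?query=
```

Because the generic tags apply at every domain, a site whose search box produces "?query=" is detected with no rule change, while a site using an unlisted parameter name (here "?kw=") is only detected after its tag is saved for that domain; saving it as domain-specific keeps the tag from firing on unrelated sites.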

Add a new search tag with or without a domain

To make a new tag domain-specific, select New from the Search Rules top bar or right-click anywhere and select New.

1. In the Online Search Rules box next to Search Tag, enter the tag you want to add.

2. Next to Associated Website: Select Specific Domain and select or enter domains as described above. Select All other (non-specific) domains to allow the tag to be used for any domain search.

Add domains to a search tag

A few general search tags are commonly used by websites. If you wish, you can add a specific domain to an existing tag.

1. Double-click the tag you want to add to open its rules box. For example, double-click ?q=

2. Look for the website of interest under the Select Domains tab. If the domain appears in the Available Domains list, select (highlight) it. Use CTRL and SHIFT to multiple-select. Click > to move the highlighted domains to the Selected Domains list. Click >> to move ALL Available Domains to Selected Domains. Click < to send a Selected Domain back to the Available Domains list. Click << to send all Selected Domains back to the Available Domains list.

3. If the website does NOT appear in the Select Domains list, select the Enter Domain tab and type in the domain name.

4. Click the > button to add the domain to Selected Domains for this tag.

5. Click Save and Close on the toolbar to save your rule. The domain and search tag now appear in the Online Search Rules list and will be used to detect Online Searches.

System Management

Accounts

Changing a Password

In System Management | Accounts, Master account owners with permission can set a new password for any other SQL account owner. Standard account owners must contact the Master admin for a password change.

NOTE: You won’t be able to reset passwords here for accounts selected from Active Directory (use your normal network procedure).

See Setting up Accounts for help on setting up Veriato Accounts.

To set a new password

1. Select System Management | Accounts.

2. Double-click on your account or select it and click Modify at the top of the window.

3. On the Edit Account toolbar, click Change Password.

4. Enter a new password.

5. Confirm the new password. Click OK.

6. Close the Edit Account window.

You will be prompted to log in again using the new password. A Veriato Recon/360 Management Console password requires:

8+ characters, including three of the following: an uppercase letter, a lowercase letter, a number, and a non-alphabetic character (excluding the characters: / | ' " [ ] { } ( ) , ; ? * ! @ $ \ or )

NOTE: The password should also meet security requirements for the Veriato Server network. As a SQL password, it is tested for SQL Server requirements, which are based on Active Directory settings. If Active Directory requires higher complexity or more characters, a message will appear.

Veriato Login Accounts

All accounts allow access to System Management | Accounts for managing your own password.

Plan account permission

Because of the nature of Veriato Recon and 360 data, it is extremely important, both ethically and legally, to determine who gets to see what. Keep in mind that a "Master" account owner can access nearly all data, unless specifically limited. Consider:

. Which users or user groups can the account owner view?
. Can the account owner access all event types (Chat/IM, Keystrokes, Screenshots, etc.)?
. Should the account owner be able to deploy Recorders?
. Should the account owner be able to change recording or alert policy?

IMPORTANT: If you have upgraded from version 8.5, not all account access details were migrated. Change all accounts to make sure permissions are correct and set passwords for any former "Windows Authentication" accounts.

Active Directory accounts

You can add and manage Veriato Recon/360 administrator accounts through Active Directory. A user logging into an Active Directory-based account does not need to login to Veriato Recon/360. He or she already has access by logging into the network. You will still refine permission to the Management Console and user data from this section. See Managing Veriato Accounts from Active Directory.

Original Master Account

The Account Information and Access Type for the original Master account, defined during installation, can NOT be edited. This account has access to all data. Keep tight control of these account credentials.

Master Accounts

You can create additional Master accounts, but since this account can create and change other accounts, and delete data, take security precautions. For example, you may need someone with Master account credentials to backup and restore data, but you might want to restrict that person from deploying the Recorder, changing policies, or modifying accounts.

NOTE: Grant Master permissions only to trusted personnel, and always record devices containing sensitive information accessed by high-privilege users.

Standard Accounts

For an account owner responsible for monitoring activity of a set of users, a Standard account will suffice. A Standard account starts with permission to nearly every feature. You may want to selectively remove permission; for example, you may not want all accounts to have ability to Add/Edit Recorders or Add/Edit Recording Policy. Any capability the account does have can ONLY be applied to users the account is permitted to access.

A Standard Account can NEVER:

. Add/Edit Categories
. Configure Data Retention (or Delete Data)
. Create or Edit Veriato Accounts
. Access Backup & Restore

Table of Permissions

The table below shows the Initial Master Login Account's full access privilege and - BEFORE any restrictions - the Master and Standard account default permissions. Blue X's indicate default permission that can be removed. Blank cells are where permission can be granted. Blocked out cells are where permission cannot be granted. In ALL cases (except the initial Master Account) access is limited first by user access, then by event access, and then by feature.

Management                                              Initial Master   Master   Standard

Account
View Account Details (your own)                               X             X        X
Change SQL password (your own)                                X             X        X
View Account Access (your own)                                X             X        X

Recorders
View all Recorders (limited by user access)                   X             X        X
Add/Import/Edit Recorder                                      X             X        X
Uninstall Recorder                                            X             X        X
Create Manual Setup                                           X             X        X
Add/Edit Recorder Groups                                      X             X        X

User access
Access to All Users (limit by individuals or
  group/company)                                              X             X        X
View users (limited by user access)                           X             X        X
Add/Edit users                                                X             X        X
Add/Edit User groups (categories)                             X             X        X

Event Types
Calls                                                         X             X        X
Chat/IM                                                       X             X        X
Email                                                         X             X        X
File Transfers                                                X             X        X
Websites & Online Searches                                    X             X        X
Keystrokes (view passwords - checkbox)                        X             X        X
Document Activity                                             X             X        X
Screenshots                                                   X             X        X
Network Activity                                              X             X        X
360 Event Alert Activity                                      X             X        X
Recon Keyword Alerts                                          X             X        X
User Status                                                   X             X        X

Data Viewing & Reporting
Recon Dashboard                                               X             X        X
360 Dashboard                                                 X             X        X
Data Explorer                                                 X             X        X
Reports                                                       X             X        X

Categories
View Categories                                               X             X        X
Add/edit Categories                                           X             X        X

Alerts & Policies
View Alert Policies                                           X             X        X
Add/edit Alerts                                               X             X        X
View Alert Operators                                          X             X        X
Add/Edit Alert Operators                                      X             X        X

Configurations
Global Options                                                X             X        X
Export                                                        X             X        X
Recorder Licenses                                             X             X        X
Recorder Versions (download updates)                          X             X        X
Search Rules                                                  X             X        X

System Management
Add/Edit Veriato Accounts (others)                            X             X
Backup & Restore                                              X             X
Data Retention (Space Management)                             X             X

Setting up Accounts

A Master account owner can define or change other Veriato Recon/360 user accounts. Standard accounts can view their own access permissions and change their passwords.

Areas of permission

Each person who logs into the Veriato Management Console needs a unique username (which can be the same as the email address), an account owner (the person's name), a role and the permission to access users, types of events, and Management Console features. Any changes you make to a login account will be applied only when the account owner logs off and then logs in again.

Account information

In this section, define the account and password. All accounts are SQL accounts, where the username and password are NOT dependent on any network definitions. Define new accounts and passwords as you wish.

. Username - Can be a unique user name or the owner's email address.

. Password - Set a password with 8+ characters, including three of the following: an uppercase letter, a lowercase letter, a number, and a non-alphabetic character (excluding the characters: / | ' " [ ] { } ( ) , ; ? * ! @ $ \ or )

NOTE: The password should also meet security requirements for the Veriato Server network. As a SQL password, it is tested for SQL Server requirements, which are based on Active Directory settings. If Active Directory requires higher complexity or more characters, a message will appear.

. Confirm Password - Type the password again.

. Account Owner - A unique name used to identify the login account in Veriato Recon/360. Enter the name as you wish it to be displayed within Database Logins management. You can change this name at any time without affecting the login credentials.

. Email Address - Optional. The account owner's email address (which might be the same as the Username).
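The password rule stated here and under "Changing a Password" above, as an added Python check that is not part of this guide or of the Veriato product: rather than a bare yes/no, it reports every way a candidate fails the rule, which is what a help desk script or a provisioning tool needs. It assumes "non-alphabetic character" means a character that is neither a letter nor a digit, and it does not model the SQL Server / Active Directory policy that the NOTE says is applied on top of this rule.

```python
# Added example (not Veriato's code): checks a candidate Management Console
# password against the rule stated in this guide. Assumption: "non-alphabetic
# character" means a character that is neither a letter nor a digit. The
# additional SQL Server / Active Directory policy is not modelled.
FORBIDDEN_CHARS = frozenset('/|\'"[]{}(),;?*!@$\\')  # the guide's exclusion list
MIN_LENGTH = 8
CLASSES_REQUIRED = 3


def character_classes(password):
    """Report which of the four character classes the password contains."""
    return {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "non-alphabetic character": any(not c.isalnum() for c in password),
    }


def password_problems(password):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    excluded = sorted(set(password) & FORBIDDEN_CHARS)
    if excluded:
        problems.append("contains excluded character(s): " + " ".join(excluded))
    classes = character_classes(password)
    if sum(classes.values()) < CLASSES_REQUIRED:
        missing = [name for name, present in classes.items() if not present]
        problems.append(
            f"needs {CLASSES_REQUIRED} of 4 character classes; missing: " + ", ".join(missing)
        )
    return problems


def is_acceptable(password):
    """True when the password satisfies the guide's stated rule."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("Correct-Horse7", "Passw0rd!", "password"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

Note that "!" and "@" are among the excluded characters, so a password that would pass a typical complexity check (for example one ending in "!") is rejected here; the symbols that remain usable include - _ # % & + = and the period.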

Access Type

See Veriato Accounts for more on Master/Standard differences.

. Master - The account initially has view and edit access to all users, events, and features. You may want to apply restrictions based on the account owner's role. The account access settings for the initial Master account, defined during installation, can NOT be edited. This account has access to all users and all data. Make sure you control access to the account credentials.

. Standard - The account has view access to all data but cannot edit Categories or System Management settings. You may want to apply restrictions based on the account owner's role.

. Has permission to view data for - Each account owner has access to view recorded activity for all or selected users. If you choose to limit user access, the User Access tab presents available users or groups for selection.

All Users - No data is excluded by user.

Include Specific Users - View data only for selected, individual users.

Include Specific User Categories - View data only for users in selected groups.

Exclude Specific Users - View data for all but selected, individual users.

Exclude Specific User Categories - View data for all but selected user groups.

. Including any passwords entered by these users - (Default is OFF) This option cannot be disabled for the initial Master user. Keystrokes detected as password entries are automatically encrypted (for security) and normally do not appear in data. Check this box if this login account should have permission to see which passwords are being used by whom.

. Display user names in event data - Normally an account owner sees the names of the users in his/her permission area in the data views. Clear this checkbox to mask user names (display names), so that the account owner sees the recorded data, but *** appears in place of names.

Examples:

. Restrict an admin to viewing one group by selecting Include Specific User Groups.

. Allow access to All Users to set up alert policy without permission to view any user activity.

. Allow access to viewing data without seeing “The names of these users.”

User access

If you choose to include or exclude Specific Users or Specific User Groups, the "Available" list displays all users or groups. The "Selected" list shows which users or groups are currently accessible to the account owner. Double-click to place an available user or group into the selected list. You can multiple-select using the Shift or Control key, and then press >.

NOTE: If you have no users yet because you just installed, you can add them in the Users section (Add User).

. Click the > button to send highlighted users or groups to the right "Selected" list.
. Click the >> button to send ALL users or groups in the "Available" list to the "Selected" list.
. Click < to return selected users or groups in the "Selected" list back to the "Available" list.
. Click << to return all users or groups back to the "Available" list.

Event type access

Initially all accounts can access all events (within their user access rights). Clear these items to limit access. For example, if you clear Emails, the account owner sees no data based on email activity.

Feature access

Initially all accounts can view all features within their user access rights and with differences in Standard and Master scope of permission (see Table of Permissions). Restrict access to features by clearing checks. If you remove permission from the top level (e.g., Users), the sidebar button does not appear.

[Screenshots: two example feature-access settings, "No Recorder or System Management" and "ONLY Data View & Reporting with some User list access"]

. Data Viewing & Reporting - Check items in this section to allow access to data views; clear to omit the feature completely from the sidebar. For example, clear Recon Dashboard to allow views of only 360 data. Note that a Standard user can view, but NOT add or remove Categories.

. Recorder Management - Check items to allow access to the Recorders module. Clear items to restrict access and clear all items to remove Recorders from the sidebar.

. Alerts & Policies - Check to allow and clear to restrict access to alerting and recording policies.

. Configuration - Standard users can view but not make changes in this area. Check items to allow the account to view and manage system-wide Recorder configurations and exports.

. System Management - Standard users can view but not make changes in this area. Check to allow access, clear items to restrict access, and clear all items to remove System Management from the sidebar altogether.
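The layered check this section describes (user access first, then event type, then feature), together with the password-visibility and name-masking options under "Has permission to view data for", as an added Python model that is not part of this guide or of the Veriato product. The Account and EventRequest classes, the scope keywords, the sample accounts and the function names are this example's own; the feature and event names are the ones this guide uses. The model also enforces the four features a Standard account can never hold.

```python
# Added example (not Veriato's code): a model of the layered access check the
# guide describes for a login account: user access first, then event type,
# then feature, plus the password-visibility and name-masking options. Class,
# function and scope names are this example's own.
from dataclasses import dataclass

# Features a Standard account can never be granted (see "Standard Accounts").
STANDARD_NEVER = frozenset({
    "Add/Edit Categories", "Data Retention", "Create/Edit Accounts", "Backup & Restore",
})
USER_SCOPES = ("all", "include_users", "include_categories",
               "exclude_users", "exclude_categories")


@dataclass(frozen=True)
class Account:
    name: str
    role: str                               # "master" or "standard"
    user_scope: str                         # one of USER_SCOPES
    scope_members: frozenset = frozenset()  # users or categories named by the scope
    event_types: frozenset = frozenset()    # event types left checked for this account
    features: frozenset = frozenset()       # features left checked for this account
    view_passwords: bool = False            # "Including any passwords entered by these users"
    show_user_names: bool = True            # "Display user names in event data"


@dataclass(frozen=True)
class EventRequest:
    user: str
    user_categories: frozenset
    event_type: str
    feature: str                            # the view being used, e.g. "Data Explorer"
    is_password_entry: bool = False         # keystrokes detected as a password entry


def user_allowed(account, user, user_categories):
    """Step 1: is this user inside the account's user access?"""
    scope, members = account.user_scope, account.scope_members
    if scope == "all":
        return True
    if scope == "include_users":
        return user in members
    if scope == "include_categories":
        return bool(user_categories & members)
    if scope == "exclude_users":
        return user not in members
    if scope == "exclude_categories":
        return not (user_categories & members)
    raise ValueError(f"unknown user scope {scope!r}; expected one of {USER_SCOPES}")


def feature_allowed(account, feature):
    """Step 3: the feature must be checked for the account, and a Standard
    account can never hold the System Management features in STANDARD_NEVER."""
    if account.role == "standard" and feature in STANDARD_NEVER:
        return False
    return feature in account.features


def authorize(account, request):
    """Evaluate in the guide's order and return (allowed, reason)."""
    if not user_allowed(account, request.user, request.user_categories):
        return False, "user is outside the account's user access"
    if request.event_type not in account.event_types:
        return False, f"event type {request.event_type!r} is not permitted"
    if not feature_allowed(account, request.feature):
        return False, f"feature {request.feature!r} is not permitted"
    if request.is_password_entry and not account.view_passwords:
        return False, "password keystrokes stay hidden for this account"
    return True, "allowed"


def display_name(account, user):
    """Name masking: accounts without 'Display user names' see *** instead."""
    return user if account.show_user_names else "***"


if __name__ == "__main__":
    analyst = Account("analyst", "standard", "include_categories", frozenset({"Finance"}),
                      event_types=frozenset({"Email", "Keystrokes"}),
                      features=frozenset({"Data Explorer"}), show_user_names=False)
    request = EventRequest("alice", frozenset({"Finance"}), "Email", "Data Explorer")
    print(authorize(analyst, request), display_name(analyst, "alice"))
```

Checking user access before anything else matches the guide's statement that any capability an account has applies only to users it is permitted to access: a request for a user outside the scope is refused without consulting the event or feature lists at all.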

Changes apply at next login

When you are finished, click Save and Close on the New or Edit Account toolbar to save your selections and close the window. You can edit account access privileges at any time. Changes go into effect when the account owner logs in to the Management Console again.

Copying an Account Profile

When you create a new account, the login account inherits a set of Veriato Recon/360 default settings, or a "profile." If you Copy a login to create a new account, the new account inherits the original login's profile. You can also copy an account profile to an existing login. This is a convenient way to make sure all accounts have the same charts and criteria settings.

Create a template

Set up one account to use as your "template." Set up groups, default criteria, custom charts, and create an account. Then, simply copy the account to create new ones. Select System and Veriato Accounts.

NOTE: Give users the same profile (categories, default settings, and report formats) to facilitate training, troubleshooting, and standardized reports.

Copy a profile to a Login account

If you would like to apply consistent settings or adjust the settings AFTER accounts have been created, you can copy an account profile to an existing account.

1. Select the account you want to use as a template. Click the Copy button on the toolbar - OR - Right-click and select Copy. The Copy Profile box appears.

2. At the top of the Copy Profile box, select Existing User to apply the selected profile to users without creating a new account. When you select this option, the existing logins appear in the Copy Profile box.

3. Select the logins to receive the profile.

4. Click OK. The profile is now applied to the existing logins.

Copy a profile and create a login

1. In Accounts, select the account you want to use as a template. Click the Copy button on the toolbar - OR - Right-click and select Copy. The Copy Profile box appears.

2. At the top of the Copy Profile box, select New User. No other selections are necessary on this box.

3. Click OK. The New Database login window appears.

4. When you save the account, a Dashboard login account is added with all profile settings (Global Criteria, charts, reports, and groups) as the login account it was copied from.

Backup & Restore

Database Backups

Veriato Recon/360 automatically backs up your Veriato Recon/360 data configuration every night. In the event of system failure or need to move the server, you will be able to restore program settings and the database to its last known state after a fresh installation. Storing two full backup sets at separate locations is highly recommended for this purpose. View current backups from System Management | Backup & Restore.

IMPORTANT: Watch disk space usage on the hard drives where data and backups are stored. If disk space runs low, the product will not work correctly!

Automatic backups

Veriato Recon/360 automatically creates a new Full System Backup every week and a Differential Database Backup every night on the computer where the active databases are installed.

Because backups can quickly use up free disk space, use automatic Data Retention to manage disk space, or use Windows file management to manually move or delete old backups.

A backup includes:

. Recorded data

. Veriato login accounts
. Recorded devices and groups
. Users and groups
. Policy and alert configurations
. Categories
. Licenses, Versions, Export configurations
. System settings
. Screenshot and email attachment files, if selected in Server Settings

IMPORTANT: Restoring a backup overwrites all current data and settings!

Backup Now

Create a backup on demand at any time:

. Full Backup Now - Combines all current differentials into a new, full backup set. Click this button to create a complete backup.

. Differential Backup Now - Creates a differential backup in the current backup set. Click this button to create a differential backup, covering the time from the last differential backup (previous night).

. Include snapshots and email attachments in backups - Check this option to include the files associated with data in the backup. The files are backed up to the File Storage backup location.

Database backups

The Database Backups location is relative to the SQL Server installation, or as a UNC network path. The default location is relative to the data path specified during installation.

For example, following a Quick Install, the default location would be:

C:\Program Files\Microsoft SQL Server\MSSQL13.VERIATO\MSSQL\BACKUP

If backups have been directed to \\server02 at installation or from Server Settings, the location might be:

\\SERVER02\BACKUP

Make sure the database service at the database computer has appropriate access to the backup location. See Data and Data Backup.

File backup location

The File Backups location is where screenshot and email attachment backups are stored, if backups are requested. The location shown is relative to the Veriato primary server.

The default file backup location is:

C:\VeriatoBackup

Your File Storage and file backups may be located elsewhere, based on selections made during installation. For example:

\\SERVER05\D$\MyVeriatoFiles

You can direct future backups to a new location. The Veriato Service (by default a local user) must have full access to the location you specify. We recommend storing backups on a hard drive local to the Veriato Server.

1. Log in to the Management Console at the Veriato Server.

2. Select System Management | Backup & Restore.

3. Next to File Backups, click the folder button.

4. Browse to a new backup location. Click OK.

5. Click Apply.

See also File Storage Location.

NOTE: Make data storage changes to your installation from the Management Console located on the Veriato Server machine.

Restoring a Backup

If your system fails, you'll need to install on a new computer. Recorders cannot upload data to a failed system, so they will retain data locally until you get set up again. When you restore a backup, you overwrite current stored data with the data from a previous point in time. You will LOSE all data captured AFTER the backup's latest differential. During a restore, the Management Console is unavailable for ALL users, and when the restore is complete you will need to re-activate your licenses.

If your backup is not in the specified Veriato Recon/360 Backup location, you can use Browse for Restore to find and select the backup.

Tip: After reading the messages on the window, close them to focus on the backup and restore information.

Viewing available backups

Select a backup set based on date/time stamp from the "Restore a Backup" section.

Click More details to view details about the backup:

Each time a full backup is created, a new backup set is created within this directory. The folder takes the name VERIATO360 [date][time] where VERIATO360 is the instance name.

Restoring a system backup

A system backup includes all configurations, settings, devices, data and files. Restoring a system backup returns the entire installation to the state at the time of the backup.

1. The Files backup you intend to restore should be located at the current File Backup location (default is C:\VeriatoBackup) as displayed in Server Settings.

2. Click Restore System Backup.

3. Click Confirm on the yellow message that appears at the top of the window.

4. Wait for the restore to complete.

A progress bar and message at the bottom of the window displays steps and success of the restore.

Restoring a full database backup

Full database backups occur automatically once a week. Click the double-arrows to the right of the blue button to view backup details.

Restoring a full database backup restores all data in the database: recorded data and configurations, but leaves files and certain system settings as they are. Restore a full database backup to return to a previous state in the data.

1. Click Restore Full Database Backup.

2. Click Confirm on the yellow message that appears at the top of the window.

3. Wait for the restore to complete.

Restoring a differential backup

Differential backups are listed within the backup set. A differential backup occurs automatically every night and includes only data beginning at the last full or differential backup performed. Click the double-arrows to the right of the blue button to view backup details. Restoring a differential backup restores only the selected portion of the backup set.

1. Click Restore Differential Database Backup.

2. Click Confirm on the yellow message that appears at the top of the window.

3. Wait for the restore to complete.

Browse for restore

If the backup you want to restore is not at the specified backup location, use "Browse for Restore" to navigate to and select the backup set.


1. Install the Veriato Server (or database, if separate) on the new computer.

2. Move the backup folder you wish to restore to a local drive on the new computer.

3. Click Browse to Restore and select Restore from another location.

Restore to original or default location

When you restore a backup from another location, you have the option to locate the data as you did before or at the default location. Note that you cannot specify a NEW location at this point.

- Same location as backed up from - For example, if the live data from the backup was located relative to the database at D:\Data\Veriato\, the backup will be restored to that location. Make sure the location is available!

- Default Veriato data location - The default location is C:\need data location, on the machine where the database is installed.

Activating the restored database

When the restore is complete, the Database Restore Activation prompt appears, and you must enter your product key. This verifies ownership and refreshes your licenses to their most recent state (as opposed to the state at the time of the backup) so that you don't lose recently purchased or renewed licenses.

Restore errors

Errors appear if the data is not compatible with the database. See Restoring a Legacy Backup if you need to restore a Veriato version 8.5 backup.

If serious errors occur, you may have to uninstall Veriato, reinstall it, and then restore a valid backup. If you continue to have trouble, contact Veriato Technical Support.


Data Retention

There is no default space management in Veriato Recon/360; you are responsible for tracking disk space and making sure the data does not fill up your server's disk space. Select System Management | Data Retention to enable automatic management of older data, directing Veriato 360 to remove data, files, backups, and/or logs you no longer need. These settings are available to Master Accounts with appropriate permission.

To set data retention limits at the recorded device (when data cannot be uploaded), use the Data Files settings in the Recording Policy.

Why enable automatic settings

- Backups will accumulate. A backup is equal in size to the database (no compression). Differential backups run every night, and a full backup once a week then doubles the weekly backup accumulation. The footprint of your backups grows quickly, so you need to trim backups you no longer need.

- A SQL Server Express instance has a limited size. If the database becomes full, the system no longer works. To handle this, you could schedule automatic, detailed Reports or export the data you need for archival purposes, and then remove records from the database as they reach a certain age.

- Screenshots use a lot of disk space. If your file storage location is not on its own, capacious drive, graphic files accumulating over time could eventually bring down your system. Move file storage backups off the server computer, and trim files as they age, if disk space is a concern.

NOTE: For a SQL Server Express database, or for limited server disk space, you could report on and export the data you need, and then automatically remove data records from the database after they reach a certain age.

Enabling automatic management

Each selection runs as a database job at regular intervals.

1. Check Enable Automatic Space Management.

2. Check the types of automatic management to enable:

   - Delete records older than
   - Delete snapshots older than
   - Delete backup sets
   - Delete log files

3. Enter (or use the arrows to select) the number of days after which to make deletions.

4. Enter 1 in the days field to remove ALL data items, except today's. Enter 0 in the days field to remove data from all days, including today when the job runs.

5. Click Save at the bottom of the panel to save your settings.

To manually remove data records, use the Delete Data button at the bottom of the panel. See Deleting Event Data.

Delete records older than 'n' days

This option automatically removes recorded events from the database based on age. Check this option and set a number of days. Use 0 (zero) days to delete ALL data records. Clear this option to leave the data as is. The "days" setting is relative to the date of record insertion. This single retention setting applies to all event types.

- The number of days is the "age" of the data when the job runs. A setting of "older than 365 days" would delete data records added to the database 366 days ago.

- The deleted data is gone from the database. It can only be recovered by restoring a backup that was taken while the data was still present.

- Use the Delete Data button to manually remove data records.


Delete screenshots older than 'n' days

This option automatically removes Screenshot files from File Storage based on age. Check this option and select number of days. Use 0 (zero) days to delete ALL snapshots. Clear to preserve all screenshots.

Screenshots (photographic images of user screens) are graphic files that can take up a great deal of disk space, especially when many clients are being recorded or many snapshot triggers are being used. If you don't "clean house" by moving older data to another location, storage of new activity will be compromised.

- The number of days specifies the "age" of a Screen Snapshot file. With "90 days" as the setting, any Snapshot file older than 90 days will be deleted when the job runs.

- The deleted data is gone forever. Include Screenshots with backups and restore to retrieve data with related screenshots. See Backups.

- Use the Delete Data button to manually remove Screenshots.

Delete backup sets older than 'n' days

You can automatically remove backup sets older than a number of days, or when a certain number accumulate. Backups occur nightly (differential) and weekly (full backup). Check this option and set a number of days. For example, if you specify "Older than 30 days," any backup set created more than 30 days ago (when the job runs) is deleted. Use 0 (zero) days to delete ALL backups. Clear this option to delete backups manually.

NOTE: We recommend keeping two full backups of your data, but additional backups may compromise disk space on your system.
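Before enabling the "Delete backup sets older than 'n' days" job, it helps to see what it would remove and how much of the accumulation described under "Why enable automatic settings" it would free. The following PowerShell is an added example, not part of the Veriato guide or product. It assumes the guide's default database backup folder and instance name, and, because the guide does not document the exact date/time format in the "VERIATO360 [date][time]" folder names, it uses each folder's creation time as the age of the backup set; the VERIATOMASTER folder, which the guide says must never be removed, is excluded explicitly.

```powershell
function Get-VeriatoBackupSets {
    param(
        # Default database backup location from the guide; change it if backups were redirected.
        [string] $BackupRoot   = 'C:\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Backup',
        [string] $InstanceName = 'VERIATO360',   # backup set folders are named "<instance> [date][time]"
        [int]    $RetainDays   = 30              # the "older than n days" value you plan to set
    )
    if (-not (Test-Path -LiteralPath $BackupRoot)) { throw "Backup location '$BackupRoot' not found" }
    $now = Get-Date
    # Only backup set folders for this instance; never the master backup folder.
    Get-ChildItem -LiteralPath $BackupRoot -Directory |
        Where-Object { $_.Name -like "$InstanceName*" -and $_.Name -ne 'VERIATOMASTER' } |
        ForEach-Object {
            # Assumption: the folder's creation time stands in for the undocumented [date][time] stamp.
            $age   = ($now - $_.CreationTime).TotalDays
            $files = @(Get-ChildItem -LiteralPath $_.FullName -File -Recurse)
            $bytes = 0
            foreach ($f in $files) { $bytes += $f.Length }
            [pscustomobject]@{
                BackupSet   = $_.Name
                Created     = $_.CreationTime
                AgeDays     = [math]::Floor($age)
                Files       = $files.Count            # one full backup file plus its differentials
                SizeGB      = [math]::Round($bytes / 1GB, 2)
                WouldDelete = ($age -gt $RetainDays)  # "created more than n days ago when the job runs"
            }
        } | Sort-Object Created
}

# Usage: list the sets, then summarise what the job would free and how many sets remain.
$sets     = @(Get-VeriatoBackupSets -RetainDays 30)
$toDelete = @($sets | Where-Object WouldDelete)
$sets | Format-Table -AutoSize
$freedGB = 0.0
foreach ($s in $toDelete) { $freedGB += $s.SizeGB }
'{0} of {1} backup sets would be deleted (freeing about {2} GB); {3} would remain' -f `
    $toDelete.Count, $sets.Count, $freedGB, ($sets.Count - $toDelete.Count)
```

Run it as the account that owns the backup folder and compare the "would remain" count with the two full backups the note above recommends keeping before you save the retention setting.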

Delete log files older than 'n' days

You can remove backup log files older than the specified number of days. This doesn't delete the backup itself, only the log files containing status and details from previous jobs. When you know a backup has been successful, you can save disk space by removing the log file. Check this option and select number of days. Use 0 (zero) days to delete ALL logs. Clear this option to preserve the logs.


Deleting event data

Master Account Access only. The Delete Data button at the bottom of the Data Retention panel allows you to delete selected data records immediately. Be careful! You will not be able to recover recent data. See Deleting Event Data.

Deleting Event Data

The bottom of the Data Retention panel provides a Delete button that allows you to delete event transactions for a user or device. For example, if someone no longer works at the organization, you can clear his or her data. The user will no longer appear in data views; however, if new recording detects the same user name, new transactions will be added to the database under the same user name. Select System Management | Data Retention and click the Delete Data button.

Deleting data records

1. Click Delete Data at the bottom of the Data Retention panel. A message informs you that you will be permanently deleting data from the database.

2. Click Yes to continue.

3. The Delete Event Data box appears. All event types are selected. Use this box to set the criteria for deleting from the database: select a date, users, devices, and/or the types of events to delete. See below.

4. Click Delete at the bottom of the box.


5. A message asks you to confirm deleting the transactions. Click Yes. Wait as events are deleted, and then click Close.

The Users and Recorders will remain in your Management Console group lists, but the deleted data will no longer appear in charts, reports, and forms.

Setting criteria for the deletion

Make selections to specify which data to remove.

- Date: Click the down-arrow and select from the following:

  All Dates - Removes event data for selected users or devices for ALL dates, including today. If you want to clear all data for a user from the database, select "All Dates."

  Older than 'n' Days - Enter the number of days (maximum 1000) of transactions to remove. For example, "Older than 30 Days" removes event data up to 31 days ago.

  Older than 'n' Weeks - Enter the number of weeks (maximum 1000) of transactions to remove. For example, "Older than 1 Week" removes event data up to 8 days ago.

  Older than 'n' Months - Enter the number of months (maximum 1000) to remove. If today is January 5, 2018, and you select "Older than 12 Months," you remove data up to December 31, 2016.

- User(s): Click the down-arrow and select from the following:

  Delete All Users - The default selection removes event data for ALL users.

  Delete Specific Users - Opens the User Selection box. Select Available users and click > to move them to the Selected list. Click OK to set your selection. Return to and change your selections by clicking the button next to the Users drop-down list.

- Device(s): Click the down-arrow and select from the following:

  Delete All Devices - The default selection removes event data for ALL devices.

  Delete Specific Devices - Opens Device Selection. Select Available devices and click > to move them to the Selected list. Click OK to set your selection. Return to and change your selections by clicking the button next to the Devices drop-down list.


Server Settings

Servers

The "Veriato Server" is comprised of several services fully configured when you install. Everything works automatically following installation. If you need fewer than 500 Recorders, a single, "primary" server is enough. To handle large numbers of Recorders, you can add secondary application servers to speed up performance and contribute to load balancing.

Recorders find the server at this address

When the Recorder is installed, it begins regular communication with the Veriato Server application server. It uses HTTPS to find the server by name and initiates contact, by default, on port 443. In most cases, there is no need to change these settings. You may need to change the default port if there is a conflict or opening a firewall hole is not possible. To change the server address or port, use the Server Address Changer Utility.

- Recorders find the Veriato server at this address - The location of the installed, primary application server is displayed.

- Recorder port - Communication port where the Recorder "checks in" with the above server (default is 443).

Load balancing

Multiple application servers with load balancing are recommended for customers requiring more than 10,000 client Recorders. The load balancer intercepts Recorder requests in the application HTTP layer and uses DNS (Domain Name System) delegation to distribute communication among the application servers. Because it sends requests only to the application server that can respond in the most timely manner, overall performance is enhanced.

An experienced IT admin or Veriato consultant sets up the load balancer DNS and domain names for each application server instance before installing Veriato. Install Veriato in this order:

1. Install the database

2. Install the "primary" application server with Management Console

3. Install secondary application servers


Data and Data Backup

The location for data storage for your Veriato database instance and the initial backup location was determined on installation. View the locations from System Management | Server Settings under Data.

IMPORTANT: Any data paths shown without a UNC computer name are relative to the SQL Server machine, NOT to your Management Console machine (unless all are on the same machine).

Database install location

The default location for the database is within the MS SQL Server folder on the SQL Server machine. You cannot change the database location post-install. To move the database to another machine, you would run the Veriato Setup on the desired computer using the "Install Database Only" option, and then restore your most recent full system backup.

The default location for Veriato SQL Server Express data is:

..\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Data

Data for a default full SQL Server instance would be at:

..\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Data

Database backup location

The default location for database backups is located in the MS SQL Server program folder, within the Veriato instance folder. For example:

..\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Backup


The backup location may have been directed to a different location during installation, and you can change it from Server Settings. The location is reflected on the Backup & Restore page. For example:

\\SERVER02\BACKUP

Within the backup folder, each backup set is given the name [database instance][date][time] (for example, VERIATO360 followed by the date and time stamp, as described under Viewing available backups).

Each backup set includes the original full backup file plus subsequent differential backup files, up to the next full backup.

Directing backups to a different location

1. Next to the database backup location, click the folder button.

2. Browse to and select the new local or network computer path. If your current login does not have access to the computer, you are prompted to enter credentials. Only shared folders are available for selection.

3. Click Apply to change the location. If the new location is on a different computer, you will need to give the database service access to the new location.

Giving the database access to the new backup location

Change the database service so that it logs in under a domain administrator or network account with administrator access to both the server and target backup storage location. For example:

1. Create local administrator-user VeriatoDBuser on the database machine (server001). Create an identical local administrator-user VeriatoDBuser on the target machine (server002). On the target machine (server002), create a veriato-backups folder. Share the veriato-backups folder specifically with user VeriatoDBuser.

2. On the database machine (\\server001), access local Services in Windows. Find the Veriato SQL Server database instance service, for example: SQL Server (VERIATO360).

3. Right-click on the service, select Properties.

4. Select the Log On tab. Select "This account." Enter credentials for VeriatoDBuser.

5. Click Apply and OK.

6. Restart the service.

5. Request a full backup from Backup and Restore to test the new location.
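The same procedure scripted in PowerShell, as an added example that is not part of the Veriato guide or product. It follows the guide's names (VeriatoDBuser, veriato-backups, server001/server002) and the guide's choice of a local administrator account. Assumptions: the Windows service for the "SQL Server (VERIATO360)" instance is named MSSQL$VERIATO360 (SQL Server's convention for named instances; confirm in services.msc), and the share is created on a local folder D:\veriato-backups. Part 1 runs on both machines, Part 2 on the target, Part 3 on the database machine.

```powershell
# Part 1 - run on BOTH machines: the local administrator user the guide calls for,
# with the same name and password on each side.
function New-VeriatoBackupUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
            -Description 'Veriato SQL Server backup account' | Out-Null
    }
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

# Part 2 - run on the target machine (server002): create and share veriato-backups
# for that one account only, at both the share level and the NTFS level.
function New-VeriatoBackupShare {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Path      = 'D:\veriato-backups',   # assumption: any local folder on the target works
        [string] $ShareName = 'veriato-backups'
    )
    $account = "$env:COMPUTERNAME\$Name"
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $account | Out-Null
    }
    # Share permissions alone are not enough; grant the same account Modify on the folder.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Part 3 - run on the database machine (server001): point the SQL Server (VERIATO360)
# service at the account and restart it (steps 2 to 6 of the procedure above).
function Set-VeriatoDbServiceLogon {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ServiceName = 'MSSQL$VERIATO360'   # assumption: service name of the named instance
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found; check the instance name in services.msc" }
    # Win32_Service.Change needs the clear-text password; it is decrypted only for this call.
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$Name"; StartPassword = $plain }
    if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($result.ReturnValue)" }
    Restart-Service -Name $ServiceName -Force
    Get-Service -Name $ServiceName | Select-Object Name, Status
}

# Usage: prompt once so the password is never stored in the script, then run the
# part that belongs to the machine you are on.
$pw = Read-Host -Prompt 'Password for VeriatoDBuser (identical on both machines)' -AsSecureString
# On server002 (target):   New-VeriatoBackupUser -Name 'VeriatoDBuser' -Password $pw
#                          New-VeriatoBackupShare -Name 'VeriatoDBuser'
# On server001 (database): New-VeriatoBackupUser -Name 'VeriatoDBuser' -Password $pw
#                          Set-VeriatoDbServiceLogon -Name 'VeriatoDBuser' -Password $pw
```

Two things the Services console does for you that a script does not: it grants the account the "Log on as a service" right automatically, so after scripting the change confirm that right under Local Security Policy | User Rights Assignment or the service will not start; and Microsoft's recommended tool for changing a SQL Server service account is SQL Server Configuration Manager, which also updates the permissions SQL Server itself needs, so prefer it where the guide's Services-based steps are not required. Finish, as in step 7, by requesting a full backup from Backup and Restore to test the new location.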


Automatic database backups

Veriato Recon/360 automatically backs up all data, configurations and settings once a week, Sundays at 12:20 AM. Differential backups - any new data from the last full backup - are performed every night at 12:20 AM. Manage backups from System Management | Data Retention or manually from Windows.

Master backup

Veriato maintains a backup of your freshly installed, clean database in the event that something goes wrong. The backup is not visible from the Management Console. The default location of this folder is:

C:\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Backup\VERIATOMASTER

NOTE: Do not move or remove this backup!

File Storage and Backup

Screenshot and Email Attachment files captured with user activity are stored in the "File Storage Location." The location allows all Management Console users access to screenshots and attachments for users whose activity they have permission to view.

File storage at

You may have specified the single file storage location during Veriato Server installation. The default location is C:\Veriato360 on the primary Veriato server. Because files can use disk space quickly, and because the location should be local to the primary application server, many customers choose to direct files to a dedicated hard drive attached to the server.


To prevent the file storage location from becoming full, make regular backups to another location, and then remove older files not currently needed.

File storage backups at

A backup location ensures screenshots and attachments are backed up and can be restored. The default location is C:\VeriatoBackup on the primary Veriato server. To change the backup location, type an address or use the file folder to browse to a location. Click Apply.

If the location is on a different network computer, change the file storage backup credentials.

Automatic file storage backups

Select this checkbox to include backups of screenshots and attachments with your regular, scheduled database backups. The file backups are directed to the file backup location. When you restore a full system backup, the associated file backup is also restored.

Leave the checkbox clear to back up files on demand from the Backup & Restore panel.

File storage backup credentials

If you change the file storage backup location to a different network computer, you may need to provide credentials to access the computer and write the backups. The credentials used by default are the Veriato Service credentials - a local user - unless you changed them during installation.

To set credentials for file backups only (changes the Web UI Service without affecting Veriato Service communication) click the Change button. Enter the user name and password for an existing account with full permission to the new backup location. Click Apply to save the change.

The Veriato Service

The Veriato Service works behind the scenes, handling communication with other services on the network where Veriato Recon/360 is installed. By default, the service runs under a VeriatoService account created for it during Veriato Setup. The account created is a member of the local Users group. To communicate with multiple application servers or a remote file storage location, it will require additional network permissions.

Locating the service

Following installation, the Veriato Service appears in Windows Services at the server machine set to run automatically.


Installing with permission to remote storage/backup locations

When you use Install with Options to set up the primary Veriato application server, you can point data or file storage to a network share location. The Veriato Setup asks you for existing account credentials with access to the location, which it then gives to the service.

Installing as a network service

If you are using multiple application servers, you may need to edit your domain Group Policy to add the VeriatoService "user" to a group that has the right to log on as a service.

To install the Veriato Service so that it runs under a domain "service" account to begin with, set up a service account before installing. Then, run the Veriato setup from a command prompt with the following switches. Replace [Domain] and [User_name] with the account login and [Password] with the account password.

\VeriatoSetup.exe EULA=1 SVCUSER=[Domain]\[User_name] SVCPASSWORD=[Password] MCUSER=[optional] MCEMAIL=[required] MCPASSWORD=[Password] DATAPATH=C:\VeriatoData

Restarting the service

If you change encryption settings for Screenshots and Email Attachments (see Global Options) OR in response to an error message, you may need to restart the Veriato Service.

1. Go to the primary Veriato Server machine.

2. Find the Veriato Service in Windows Services.

3. Right-click and select Restart.


Changing service account permissions

If you want to use a remote share to back up files, the Veriato Service must be using a network account with access to the share. If you used default settings during installation for file storage and backup locations, a local account was created for the service and you'll need to change the service's credentials. There are two ways to do this:

- Re-install the server:

  a. Create a NEW service account with full network access to the remote location(s).

  b. Back up your Veriato data.

  c. Run Veriato Setup on the server machine to uninstall.

  d. Run Veriato Setup again, using an account with elevated privileges. Select Install with Options.

  e. Specify the remote location(s) in the appropriate fields. You will be prompted to specify a domain network account.

  f. Enter the NEW service account name and password.

  g. Complete the re-installation.

- Create a mirror account: Contact Veriato Technical Support for help in matching the service account's password. On the target computer where you would like backups to be created, create a local Windows service account. Give it the username VeriatoService and the exact same password as the local account used on the server.

Changing the Server Address

Veriato Recon/360 clients communicate with the Veriato Server at a single address. The address, set on installation, by default is the FQDN for the machine (on the local network) where the Veriato Server is installed, using port 443. You may find you need to reconfigure the address following installation:

- Change the URL - Allows client Recorders outside the domain network to access the Veriato Server using a public-facing, secure URL.

- Change the Port - Binds incoming communication to the Veriato Server to a port other than the default 443.

- Change the Certificate - Allows you to use your own security certificate at the server address. The SSL certificate must use SHA256 and have a 4096-bit key.

IMPORTANT: If you change the Veriato Server URL, be sure to route local Recorders appropriately from your internal DNS configuration to the SAME URL. This will be the only address receiving client Recorder status and data!


Request and run the Server Address Changer

Your current Veriato Server address and port number are displayed in Management Console System Management | Server Settings. If you need to make changes, contact Veriato Technical Support and request the Server Address Changer. Install the add-on utility on the machine where the Veriato Server is installed.

Copy the utility to the computer where your Veriato Server is installed and run it. Fill in the following form:

Change address settings

- URL - Configure a custom URL that routes incoming Recorder traffic to the Veriato Server. If you do not need to change the server address, leave "URL" unchecked.

  https - Enter the receiving domain or subdomain to receive Recorder traffic. Configure your DNS to resolve this address to your single internal Veriato Server or to your Load Balancer (if using multiple servers). Be sure to configure DNS communication for Recorders inside the network through the same receiving URL. Recorders all communicate with the same server address.

- Port - Check to change the Veriato Server port. Leave Port unchecked to keep the port as is.

  Type an available port in the field. If you're not changing the URL, the Veriato Server address remains as is, and only the communication port is changed. You can change both URL and port, if you wish.

- Certificate - Check to apply your own SSL certificate, instead of using the provided certificate. Leave "Certificate" unchecked to use a self-signed certificate created when the utility runs.

  Browse to and select your certificate file. Enter the certificate passphrase (password). The SSL certificate must use SHA256 and have a 4096-bit key. Find out more about installing and testing an SSL certificate from your certificate provider.
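A certificate that does not meet the two requirements above is rejected only after the utility has run, at a time when the Management Console is meant to be idle, so it is worth checking the PFX first. The following PowerShell is an added example, not part of the Veriato guide or the Server Address Changer. It verifies the SHA256 signature and 4096-bit RSA key the guide requires and also the things that most often break a replaced server certificate in practice: a missing private key, an expired or not-yet-valid certificate, and a Subject Alternative Name that does not list the host name Recorders will connect to. The function name and the sample file and host names are assumptions for illustration.

```powershell
function Test-VeriatoServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $ExpectedHostName   # the URL you will give the Server Address Changer
    )
    # Get-PfxCertificate prompts for the passphrase, so it never appears in the script.
    $cert = Get-PfxCertificate -FilePath $PfxPath
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '' }                   # "DNS Name=a, DNS Name=b"
    $now  = Get-Date

    $checks = [ordered]@{
        'Signature algorithm is sha256RSA' = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
        'RSA public key is 4096 bits'      = (($null -ne $rsa) -and ($rsa.KeySize -eq 4096))   # non-RSA keys fail here
        'PFX contains the private key'     = [bool] $cert.HasPrivateKey
        'Certificate is within validity'   = (($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now))
        "SAN lists $ExpectedHostName"      = [bool] ($sanText -match ('DNS Name=' + [regex]::Escape($ExpectedHostName) + '(,|$)'))
    }
    foreach ($name in $checks.Keys) {
        $tag = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0}  {1}' -f $tag, $name)
    }
    # $true only when every check passed.
    return -not ($checks.Values -contains $false)
}

# Usage: sample path and host name are constructed for illustration.
Test-VeriatoServerCertificate -PfxPath 'C:\certs\veriato-server.pfx' -ExpectedHostName 'veriato.example.com'
```

The SAN check is an exact name match; a wildcard certificate (for example *.example.com) shows as FAIL even though browsers would accept it, so read that line rather than treating the result as final in that one case.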

Provide Veriato Server information

Changes to the server require the following information:

- Install location – The path to the primary Veriato Server installation. The default location is C:\Program Files\Veriato on the computer where you installed the server.

- SQL Server – Automatically detected. The location of SQL Server.

- SQL Instance – Automatically detected. Name of the Veriato database SQL instance.

- SQL Port – If you have changed the port that SQL uses, enter it here. Leave the 0 value to use the default SQL port.

- Username – Type the Veriato Master Account user name or email address used (as if logging into the Management Console).

- Password – Type the password for the Master Account.

Apply the changes

Do this at a time when no one is likely to be using the Management Console.

- Click OK to submit the changes.

- Click CANCEL to exit without committing the changes.

Wait as Veriato services and/or the security certificate are updated in the database and in configuration files. You may need to close and restart the Management Console to view updated Server Settings.

Upgrade a changed server from 9.0R2

If you have updated the server URL in Veriato Recon/360 version 9.0 R2, problems can occur following an upgrade because of changes to server communication. For example, you won't be able to add a secondary application server.

If you have changed the server address in version 9.0, follow these steps to upgrade:

1. BEFORE you upgrade, run the Server Address Changer again and set the server URL back to the FQDN of the primary app server.

2. Download and run the latest setup to upgrade all Veriato Recon/360 components.


3. FOLLOWING the upgrade, run the 9.0.2 Server Address Changer on the primary app server to set the value back to your desired URL.

Reinstall all client Recorders

Once the server address is updated, any NEW Recorder installations will include the correct server URL and port. You'll need to "push" a re-install to any previously installed Recorders to give them the correct server URL and/or port. Remember that reinstalling requires computers to restart!

1. Select Recorders in a group.

2. Select Deployment | Update Recorder.

3. In the update dialog box, click "Reinstall (Push) the Software".

4. Enter administrator-user credentials to install software on the selected devices.

If you prefer, reinstall Recorders by creating and deploying a Manual Setup File.

To update Android Recorders, you must create a manual setup file and reinstall the software directly on the device. See Deploying to Android.

System Health Alert

This version offers a single, automatic System Health alert that warns when either disk space or the database (SQL Express) size is approaching the maximum.

IMPORTANT: Veriato Recon/360 stops operating if the data storage disk or database is full.

Disk space alert

The Veriato server self-audits for available disk space for database data. If free disk space falls below a threshold percentage (based on overall size), a system health alert email is sent. If you receive a message informing you a disk drive is nearly full, take steps immediately to increase disk space so that you can continue to monitor user activity. See System Alert - Low Disk Space.

SQL Express Database size alert

If you are using MS SQL Server Express (installed with Veriato Recon/360), an alert is triggered when the database is 15% or closer to being full (max 9.6 GB). A SQL Server Express database is size-limited. If the database fills up, it cannot grow. See Database Approaching Maximum Size.
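Because Veriato stops operating when either the disk or the SQL Express database is full, an independent check scheduled alongside the built-in System Health alert gives you a second warning that does not depend on alert email being delivered. The following PowerShell is an added example, not part of the Veriato guide or product. It uses the guide's default data path and its 9.6 GB SQL Express figure with the "15% or closer to being full" rule; the disk threshold is an assumption because the guide does not state the percentage it uses, and the script sums every .mdf/.ndf file in the instance folder, which is an upper bound on the Veriato database's data size since SQL Express applies its limit per database.

```powershell
function Get-VeriatoHealth {
    param(
        # Default data location from the guide; adjust if SQL Server lives elsewhere.
        [string] $DataPath         = 'C:\Program Files\Microsoft SQL Server\MSSQL13.VERIATO360\MSSQL\Data',
        [double] $ExpressLimitGB   = 9.6,    # the guide's SQL Express maximum
        [double] $DbWarnFraction   = 0.15,   # "15% or closer to being full"
        [double] $DiskWarnFraction = 0.15    # assumption: the guide does not state its disk threshold
    )
    if (-not (Test-Path -LiteralPath $DataPath)) { throw "Data path '$DataPath' not found" }
    $driveLetter  = (Get-Item -LiteralPath $DataPath).PSDrive.Name
    $disk         = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${driveLetter}:'"
    $freeFraction = $disk.FreeSpace / $disk.Size

    # SQL Express caps the data files (.mdf/.ndf) of each database, not the log, so sum those.
    # Including the system databases' files makes this an upper bound for the Veriato database.
    $dataBytes = 0
    foreach ($f in (Get-ChildItem -LiteralPath $DataPath -File | Where-Object { $_.Extension -in '.mdf', '.ndf' })) {
        $dataBytes += $f.Length
    }
    $dataGB = $dataBytes / 1GB

    [pscustomobject]@{
        Drive         = "${driveLetter}:"
        DiskFreePct   = [math]::Round(100 * $freeFraction, 1)
        DiskAlert     = ($freeFraction -le $DiskWarnFraction)
        DataFilesGB   = [math]::Round($dataGB, 2)
        DbHeadroomPct = [math]::Round(100 * (1 - $dataGB / $ExpressLimitGB), 1)
        DbAlert       = ($dataGB -ge $ExpressLimitGB * (1 - $DbWarnFraction))   # 85% of the limit or more
    }
}

# Usage: run from Task Scheduler and act on either flag before recording stops.
$health = Get-VeriatoHealth
$health
if ($health.DiskAlert -or $health.DbAlert) {
    Write-Warning 'Veriato storage is close to full: increase disk space or trim data now (see Data Retention)'
}
```

Run it on the SQL Server machine, since the guide notes that data paths without a UNC name are relative to that machine, not to the Management Console machine.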


System health alert operator

Initially the original Master email address is displayed as the only alert operator. At least one email address is required. You cannot delete the last email!

Any operators available in Alerts & Policies | Alert Operators are available for selection here. Any operator you create here will be added to the main Alert Operators list.


Appendices

Event Alert Conditions

Event Condition Operators

The following operators are used in event conditions, depending on event type.

Field Operator    Definition
>                 Greater than the value entered
>=                Greater than or equal to the value
<                 Less than the value
<=                Less than or equal to the value
=                 Equal to the value
!=                Not equal to the value
contains          Includes the value entered or selected
does not contain  Does not include the value
in group          Select from one or more existing categories. For example, match any words in selected Keyword Categories.
not in group      Does NOT include the words from selected categories.

Application Alert Conditions

The following fields are available when you instruct Veriato Recon/360 to watch Program (Application) Activity. An Event Alert can watch for the following conditions.

Program Field      | Description                                                                                           | Operator                       | Value Matches
Active Time        | Duration of time the mouse and keyboard activity was occurring in the program                         | = != > >= < <=                 | number (in seconds)
Count of Events    | The number of events recorded within the alerting period                                              | = != > >= < <=                 | number
Focus Time         | Duration of time the program window had front focus on the user's desktop                             | = != > >= < <=                 | number (in seconds)
Program Name       | Name of the program being used                                                                        | = != contains does not contain | any characters
Sum of Active Time | Sum of Active Time in program events for one user/computer during the Alert frequency interval (When) | = != > >= < <=                 | number (in seconds)
Sum of Focus Time  | Sum of Focus Time in program events for one user/computer during the Alert frequency interval (When)  | = != > >= < <=                 | number (in seconds)
Sum of Total Time  | Sum of Total Time in program events for one user/computer during the Alert frequency interval (When)  | = != > >= < <=                 | number (in seconds)
Total Time         | Amount of time the program was open                                                                   | = != > >= < <=                 | number (in seconds)
Window Caption     | Window title for the program used, usually includes document name and/or program title                | = != contains does not contain | any characters

308 Administrator’s Guide© 2019 Veriato, Inc. All rights Reserved.

Chat/IM Alert Conditions

Veriato 360 automatically watches all chat messages (and text messaging on Android devices). An Event Alert can watch for the following conditions.

Chat Field | Description | Operators | Value
Count of Events | Number of chat events recorded. See Restrictions below. | = != > >= < <= | number
Chat Contents | The actual text of the back-and-forth conversation that took place. | in category | keyword categories
Remote User | Other user or users making entries in the chat room or responding via IM, by chat contact name. | = != contains does not contain | any characters you type
Local User | The chat name (contact name) of the local user; not necessarily the user login name. A user may have several accounts and several sign-on names. | = != contains does not contain | any characters you type
Chat Type | The type of chat or IM (protocol) being used. | contains | AOL/ICQ, BONJOUR, IRC, MOBILE, MSN, MYSPACE, SKYPE, UNKNOWN, YAHOO
Window Caption | The caption on the Chat/IM window; often contains the remote user name. | = != contains does not contain | any characters you type

Restrictions

. Count of Events - Cannot be combined with the keyword field: neither AND Chat Contents nor OR Chat Contents is accepted.

Document Tracking Event Alert Conditions

Alerting can happen only on the activity being recorded. Check the Recording Policy to see what Document Tracking is recording. An Event Alert can watch for the following conditions.

Document Field | Description | Operators | Value
Count of Events | Number of document actions recorded. | = != > >= < <= | number
Activity | Action performed. EDIT means opening to write; CREATE can result from copying a document; EDIT and RENAME can occur during a save operation. | contains does not contain | CREATE, DELETE, EDIT, PRINT, RENAME
Device Type | Where the document action took place. OTHER could not be categorized; PRINTED is pages printed, allowing you to alert on "number of pages printed." | contains does not contain | CDROM, CLOUD, LOCAL, NETWORK, OTHER, PRINTED, PRINTER, REMOVABLE
Document Name | The document's file name. For example, you could watch for actions on document names that contain the characters BUDGET. | = != contains does not contain | any characters you type
Document New Name | The new name of the document, if a document was renamed in a RENAME action or temporarily in a save or copy operation (visible in the Renamed column of Data Explorer). For example, you can watch for a new file name that contains the characters CLIENT. | = != contains does not contain | any characters you type
Document Path | The location of the document. | = != contains does not contain | any characters you type
Extension | The document's file name extension, such as .txt or .html. For example, you may want to alert on extensions that contain the characters XLS. | = != contains does not contain | any characters you type
Number of Pages Printed | Count of printed pages. | = != > >= < <= | number
Program Name | Name of the application where the activity took place (for example, Word). | = != contains does not contain | any characters you type

Restrictions

. Count of Events - When directly combined with another field, use only: AND

Email Event Alert Fields

Veriato Recon/360 automatically watches all incoming and outgoing email messages. An Event Alert can watch for the following conditions.

Email Field | Description | Operators | Value
Email Content | The body of the email message. | in group, not in group | Keyword Group(s)
CC | Addresses of additional (copy to) recipients of the email, if any. | = != contains does not contain | any characters you type
Count of Events | Number of email messages sent or received. | = != > >= < <= | number
From | Name or email address of the person who sent the email. | = != contains does not contain | any characters you type
Direction | Sent - outgoing email; Received - coming into the network | contains does not contain | Sent, Received
Type | Application or protocol used for email delivery | contains does not contain | AOL, APPLE MAIL, EWS, IMAP, MAPI, NOTES, POP, SMTP, WEBMAIL
Subject | Text in the "subject" line of the email | in group, not in group | Keyword Group(s)
To | Email destination address. | = != contains does not contain | any characters you type
Program Name | Name of the application where the activity took place (for example, Outlook). | = != contains does not contain | any characters you type
Web Mail Host | Provider of the mail service (mail server domain, HotMail, Yahoo, etc.). | = != contains does not contain | any characters you type

File Transfer Alert Conditions

Veriato Recon/360 automatically captures FTP and HTTP uploads and downloads. An Event Alert can watch for the following conditions.

File Transfer Field | Description | Operators | Value
Count of Events | Number of transfer events captured. | = != > >= < <= | number
Domain Name | The destination or source domain (xyzcompany.com) used to request web pages or data transfers. | = (matches), does not match, contains, does not contain | any characters you type
File Name | Name of the transferred file. For example, watch for the file "budget.xls". | = (matches), does not match, contains, does not contain | any characters you type
IP Address | The transfer destination or source IP address (an IPv4 32-bit or an IPv6 128-bit address). Type a full or partial address. | = != contains does not contain | any characters you type
P2P Action | Type of peer-to-peer action taken. For example, watch downloads and uploads to call out any computer-to-computer transfers. | contains does not contain | DOWNLOAD, UPLOAD
P2P Protocol | Type of communication protocol used for the transfer. For example, alert on FTP usage. | contains does not contain | FTP, GNUTELLA, HTTP, KAZAA, MSN
Program Name | Name of the program used to make the transfer. | contains does not contain | FTP, GNUTELLA, HTTP, KAZAA, MSN

Keystroke Event Alert Conditions

Veriato Recon/360 captures keystrokes by default. An Event Alert can watch for the following conditions.

Keystroke Field | Description | Operators | Value
Count of Events | The number of events recorded within the alerting period. | = != > >= < <= | number
Formatted Keystrokes | Number of characters, including extended characters (if character recording is ON), in a single keystroke event | = != > >= < <= | number
Keystrokes | Number of keystrokes typed in events | = != > >= < <= | number
Keystroke Content | Find matches to text within the keystroke contents | in group, not in group | Keyword Categories
Sum of Formatted Keystrokes | Number of formatted keystrokes a user accumulated during the Alert Frequency (When) interval | = > >= < <= | number
Sum of Key Count | Number of total keys typed by a user during the Alert Frequency (When) interval | = > >= < <= | number
Program Name | Name of the program in which keystrokes were captured | = != contains does not contain | any characters
Window Caption | Title bar of the window where keystrokes were captured | = != contains does not contain | any characters

Restrictions

Some conditions will result in a query error if combined directly by an OR operator.

. Count of Events - When directly combined, restricted to: AND Sum of Formatted Keystrokes, AND Sum of Key Count, AND Program Name, AND Window Caption

. Sum of [value] - Restricted when used with itself, and limited to: AND Program Name, AND Window Caption

Network Event Alert Fields

You may need to turn on network recording in the recording policy to use these alert conditions. An Event Alert can watch for the following conditions.

Field | Description | Operators | Value
Connections | Number of connections made within the alert processing period. | = != > >= < <= | number
Count of Events | The number of events recorded within the alert processing period. | = != > >= < <= | number
Domain | The Internet domain where the connection was made. For example, alert when "YouTube" appears in network connection data. | = (matches), does not match, contains, does not contain | type any characters
Host | A local hostname (www, ftp, mail, etc.) assigned to a device serving data for an Internet domain. For example, alert when your "development" host appears, excluding authorized users. | = != contains does not contain | type any characters
IP Address | Match characters in an IP address. For example, alert when the IP address of a remote server containing sensitive information is found in recorded data. | = != contains does not contain | type any characters
Protocol | Protocol used for a connection. For example, alert when a connection is not using HTTPS. | = != contains does not contain | any characters
Port | The destination port at the IP address where the connection occurred; each type of data communication arrives on its own port. For example, HTTP web traffic normally occurs on port 80 and SMTP email often goes through port 25; alert when network activity uses port 23, a standard Telnet port. | = != > >= < <= | number
Bytes Rcvd | Number of bytes received by the user's computer | = != > >= < <= | number
Bytes Sent | Number of bytes sent by the user's computer | = != > >= < <= | number
Sum of Connections | Total number of network connections made by this user/computer during the alert frequency interval ("When") | = != > >= < <= | number
Sum of Bytes Rcvd | Total bytes of data received by this user/computer during the alert frequency interval ("When") | = != > >= < <= | number
Sum of Bytes Sent | Total bytes of data sent by a user/computer during the alert processing period. | = != > >= < <= | number
Sum of Total Bytes | Total bytes of network data used during the alert processing period for one user/computer. | = != > >= < <= | number
Sum of Total Time | Total time (in seconds) spent by one user/computer in network connections during the alert processing period. For example, when processed daily, an alert could discover any user whose connections add up to more than 12 hours of total connected time: > 43200 | = != > >= < <= | number
Total Bytes | Total bytes used (sent and received) during the event. For example, alert when a network connection involves more than | = != > >= < <= | number
Total Time | Total time (in seconds) of a network event | = != > >= < <= | number
Program Name | Name of the program being used during a network event | = (matches), does not match, contains, does not contain | any characters
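The operators from the Alert Operators table and the difference between per-event fields (Port, Protocol, Domain) and interval totals ("Sum of ...", "Count of Events") are easiest to see run over data. The following Python is an added example and not Veriato's code; the guide does not document how the server evaluates a condition, so the event layout, the (field, operator, value) tuple form, case-insensitive text matching, and the rule that interval totals are computed over the events that pass the per-event conditions are this example's assumptions. The sample events are constructed.

```python
"""Evaluate Event Alert conditions over network events.

Added example, not Veriato's code. The guide does not say how the
server evaluates a condition, so the following are assumptions of this
example: an event is a dict keyed by the Network Event Alert fields, a
condition is a (field, operator, value) tuple, a list of conditions is
ANDed, text matching is case-insensitive, and "Sum of" / "Count of
Events" totals are computed per user over the events of one Alert
frequency interval ("When") that pass the per-event conditions.
"""
from collections import defaultdict

# Constructed sample events for one daily interval (all values invented).
# total_time is seconds, byte counts are bytes, as in the field table.
EVENTS = [
    {"user": "alice", "domain": "www.youtube.com", "protocol": "HTTPS", "port": 443,
     "bytes_sent": 1_200, "bytes_rcvd": 850_000, "total_time": 30_000},
    {"user": "alice", "domain": "intranet.example.com", "protocol": "HTTPS", "port": 443,
     "bytes_sent": 4_000, "bytes_rcvd": 20_000, "total_time": 15_000},
    {"user": "bob", "domain": "10.0.0.5", "protocol": "TELNET", "port": 23,
     "bytes_sent": 300, "bytes_rcvd": 900, "total_time": 120},
    {"user": "carol", "domain": "files.partner.example", "protocol": "HTTP", "port": 80,
     "bytes_sent": 52_000_000, "bytes_rcvd": 1_500, "total_time": 600},
]


def _eq(a, b):
    """Numbers compare numerically; text compares case-insensitively."""
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        return a == b
    return str(a).lower() == str(b).lower()


def _contains(a, b):
    return str(b).lower() in str(a).lower()


# The operators from the Alert Operators table. "in group" / "not in group"
# take a list of words (a Keyword Category) as the value.
OPERATORS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": _eq,
    "!=": lambda a, b: not _eq(a, b),
    "contains": _contains,
    "does not contain": lambda a, b: not _contains(a, b),
    "in group": lambda a, group: any(_contains(a, w) for w in group),
    "not in group": lambda a, group: not any(_contains(a, w) for w in group),
}

# Interval totals from the "Sum of" / "Count of Events" rows.
AGGREGATES = {
    "count_of_events": len,
    "sum_of_connections": len,  # one connection per event (assumption)
    "sum_of_total_time": lambda evs: sum(e["total_time"] for e in evs),
    "sum_of_bytes_sent": lambda evs: sum(e["bytes_sent"] for e in evs),
    "sum_of_bytes_rcvd": lambda evs: sum(e["bytes_rcvd"] for e in evs),
    "sum_of_total_bytes": lambda evs: sum(e["bytes_sent"] + e["bytes_rcvd"] for e in evs),
}


def evaluate_alert(events, conditions):
    """Return the set of users the alert fires for.

    Per-event conditions must all hold on a single event of the user;
    aggregate conditions are then checked against the totals of the
    user's matching events for the interval.
    """
    for _, op, _ in conditions:
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
    per_event = [c for c in conditions if c[0] not in AGGREGATES]
    totals = [c for c in conditions if c[0] in AGGREGATES]

    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    fired = set()
    for user, evs in by_user.items():
        matched = [e for e in evs
                   if all(OPERATORS[op](e[field], value) for field, op, value in per_event)]
        if matched and all(OPERATORS[op](AGGREGATES[field](matched), value)
                           for field, op, value in totals):
            fired.add(user)
    return fired


if __name__ == "__main__":
    # The guide's own examples: more than 12 hours connected in a day,
    # Telnet use, anything not over HTTPS, and a bulk-upload rule.
    print(evaluate_alert(EVENTS, [("sum_of_total_time", ">", 43200)]))   # {'alice'}
    print(evaluate_alert(EVENTS, [("port", "=", 23)]))                     # {'bob'}
    print(evaluate_alert(EVENTS, [("protocol", "!=", "HTTPS")]))           # bob and carol
    print(evaluate_alert(EVENTS, [("protocol", "!=", "HTTPS"),
                                  ("sum_of_bytes_sent", ">", 50_000_000)]))  # {'carol'}
```

Note the design point the guide's own examples rely on: "Sum of Total Time > 43200" only becomes meaningful once the alert frequency ("When") is daily, because the totals are reset each interval; the same threshold evaluated hourly could never fire.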

Online Search Alert Fields

The following fields are available when you instruct Veriato Recon/360 to watch Online Search events. An active Data Event Alert Profile sets the "What" conditions that trigger an alert when a match or threshold occurs in the selected data field.

Field | Description | Operators | Value
Count of Events | The number of events recorded within the alerting period. | = != > >= < <= | number
Search Engine | Search engine used to conduct an online search. Match these values plus any search domains that have been added to the Search Rules. | contains does not contain | alltheweb.com, altavista.com, aol.com, ask.com, bing.com, facebook.com, gigblast.com, go.com, google.com, live.com, MSN.com, teoma.com, yahoo.com
Search Phrase | The word or words entered by the user for the search | in Keyword group, not in Keyword group | words from the selected Keyword Group(s)
Program Name | Name of the program being used | = (matches), does not match, contains, does not contain | any characters you type
URL | The Uniform Resource Locator address returned following execution of a search, for example: http://www.google.com/search?h1=en&q=surf+camp | = (matches), does not match, contains, does not contain | any characters you type
Window Caption | The window title of the search "hit list," which usually includes the search phrase, the name of the search site, and the browser name | = (matches), does not match, contains, does not contain | any characters you type

Restrictions

. Count of Events - When directly combined with another field, use only: AND

User Status Alert

Create or modify a 360 Event Alert Policy to watch and alert on User Status conditions. The available logical operators (such as equal to, not equal to, contains, does not contain) depend on the field selected. A value match found in the field triggers an alert.

Alert fields

Field | Description | Operators | Value
Count of Events | Number of activity events, such as logon, logout, start inactivity, etc., within the Alert frequency interval. Useful paired with "AND Activity", e.g.: Count of Events >= 1 AND User Status Action contains Clock Change | = != > >= < <= | number
User Status Action | Finds matches to User Status events (see the value list below). Useful in combination with other fields, e.g.: User Status Action contains Inactivity AND Total Time > 14400 | contains does not contain | Start Login, Log Off, Start Activity, Activity, Start Inactivity, Inactivity, Clock Change
Sum of Total Time (secs) | Total time (in seconds) spent by one user within the Alert frequency interval (up to one day). Note that "Total Time" values are captured for both Activity and Inactivity. | = != > >= < <= | number
Total Time (secs) | Total (in seconds) spent based on Activity and/or Inactivity event totals. | = != > >= < <= | number

User Status Action values:

. Start Login - A user logged in and a session began.

. Log Off - A user login session ended.

. Start Activity - Point in time Activity began.

. Activity - Duration between Start Activity and the next action (e.g., Start Inactivity or Log Off).

. Start Inactivity - Lack of events and time-out initiated a period of Inactivity.

. Inactivity - Duration between Start Inactivity and the next action.

. Clock Change - The system clock was changed.

Query restrictions

. Count of Events - Must be the first condition

. Count of Events - When directly combined with another alert field, use only: AND

. Sum of [value] - When combining with another "Sum of" field, use only: OR

. Sum of [value] - When combining with a field match (contains/does not contain), use only: AND

Web Alert Conditions

You can instruct Veriato Recon/360 to detect keywords and conditions in web browsing events.

Web Field | Description | Operators | Value
Active Time | Time activity was occurring in the window where the web site was open | = != > >= < <= | number (in seconds)
Count of Events | The number of events recorded within the alerting period. | = != > >= < <= | number
Focus Time | Time the window displaying the web site had front focus on the desktop | = != > >= < <= | number (in seconds)
Program Name | The application window that was being used for this activity. | = (matches), does not match, contains, does not contain | any characters you type
URL Type | The type of URL (web page) accessed (see the value list below). | contains does not contain | BLK_RD, BLK_RDTR, BLK_WEB, DOWNLOAD, POST, REDIRECTED, REDIRECTOR, WEB
Sum of Active Time | Sum of Active Time in web events for one user/computer during the Alert frequency interval (When) | = != > >= < <= | number (in seconds)
Sum of Focus Time | Sum of Focus Time in web events for one user/computer during the Alert frequency interval (When) | = != > >= < <= | number (in seconds)
Sum of Total Time | Sum of Total Time in web events for one user/computer during the Alert frequency interval (When) | = != > >= < <= | number (in seconds)
Total Time | Amount of time the web site was open | = != > >= < <= | number (in seconds)
URL | Uniform Resource Locator address of the web page (http://www.google.com/pagexyz) | = (matches), does not match, contains, does not contain | any characters you type
Window Caption | Window title for the web page visited, usually includes the name of the page and a browser program title | = (matches), does not match, contains, does not contain | any characters you type

URL Type values:

. BLK_RD - A blocked site the user was redirected to

. BLK_RDTR - A blocked site that redirected the user to a different blocked site

. BLK_WEB - The web site was blocked

. DOWNLOAD - A download occurred

. POST - Information was passed from a web form to the server

. REDIRECTED - A site the user was redirected to

. REDIRECTOR - A site that redirected the user

. WEB - An unblocked web site (includes the two types above)

Restrictions

Some conditions will result in a query error if combined directly by an OR operator.

. Count of Events - When directly combined with another field, use only: AND

. Sum of Active Time - When directly combined with another field, use only: AND

. Sum of Total Time - When directly combined with another field, use only: AND

. Sum of Focus Time - When directly combined with another field, use only: AND
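The Query restrictions for User Status conditions and the Restrictions for Web conditions are the kind of rule worth checking before a policy is saved, rather than discovering them as a query error. The following Python encodes both lists as a validator; it is an added example, not part of Veriato's console. Two assumptions: a query is a list of conditions alternating with "AND"/"OR" connectors, and "directly combined" means two adjacent conditions joined by one connector.

```python
"""Validate an Event Alert condition list against the guide's query restrictions.

Added example, not part of Veriato's console. The Management Console
reports a query error for disallowed combinations; this encodes the
User Status "Query restrictions" and the Web "Restrictions" lists. Two
assumptions: a query is a list of conditions alternating with "AND"/"OR"
connectors, and "directly combined" means two adjacent conditions joined
by one connector.
"""

ANY = frozenset({"count", "sum", "match", "other"})

# Each rule: (classes on one side, classes on the other side, allowed connectors).
RULES = {
    "user_status": {
        "count_first": True,               # Count of Events must be the first condition
        "pairs": [
            ({"count"}, ANY, {"AND"}),     # Count of Events with any field: AND only
            ({"sum"}, {"sum"}, {"OR"}),    # Sum of ... with another Sum of ...: OR only
            ({"sum"}, {"match"}, {"AND"}), # Sum of ... with contains/does not contain: AND only
        ],
    },
    "web": {
        "count_first": False,
        "pairs": [
            ({"count", "sum"}, ANY, {"AND"}),  # Count of Events and Sum of ... fields: AND only
        ],
    },
}


def classify(condition):
    """Map a (field, operator, value) condition to a restriction class."""
    field, operator, _ = condition
    if field == "Count of Events":
        return "count"
    if field.startswith("Sum of"):
        return "sum"
    if operator in ("contains", "does not contain"):
        return "match"
    return "other"


def allowed_connectors(event_type, left, right):
    a, b = classify(left), classify(right)
    for one, other, connectors in RULES[event_type]["pairs"]:
        if (a in one and b in other) or (b in one and a in other):
            return connectors
    return {"AND", "OR"}       # no restriction applies to this pair


def validate_query(event_type, query):
    """Return the list of restriction violations in query (empty means it is accepted).

    query looks like [cond, "AND", cond, "OR", cond], cond = (field, operator, value).
    """
    conditions, connectors = query[0::2], query[1::2]
    if not conditions or len(connectors) != len(conditions) - 1:
        raise ValueError("query must alternate conditions and connectors")
    unknown = [c for c in connectors if c not in ("AND", "OR")]
    if unknown:
        raise ValueError(f"unknown connector(s): {unknown}")

    problems = []
    if RULES[event_type]["count_first"]:
        for cond in conditions[1:]:
            if classify(cond) == "count":
                problems.append("Count of Events must be the first condition")
    for i, connector in enumerate(connectors):
        left, right = conditions[i], conditions[i + 1]
        allowed = allowed_connectors(event_type, left, right)
        if connector not in allowed:
            problems.append(f"{left[0]} {connector} {right[0]}: use only "
                            + "/".join(sorted(allowed)))
    return problems


if __name__ == "__main__":
    # The guide's Count of Events example, accepted as written ...
    ok = [("Count of Events", ">=", 1), "AND", ("User Status Action", "contains", "Clock Change")]
    print(validate_query("user_status", ok))   # []
    # ... and the same two conditions in the other order, which is rejected.
    print(validate_query("user_status", ok[::-1]))
    # A Sum of field ORed with a contains match must be ANDed instead.
    bad = [("Sum of Total Time (secs)", ">", 14400), "OR",
           ("User Status Action", "contains", "Inactivity")]
    print(validate_query("user_status", bad))
```

Other event types (Keystroke, Document Tracking, Online Search) can be added as further entries in RULES using the same four classes; a pair of classes with no rule is left unrestricted, which matches the guide only listing the combinations that fail.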

Viewing the Management Console Log

The Management Console log documents actions, their date and time, and their success (or lack of success). The log is useful for troubleshooting problems or tracing incidents.

Accessing and reading the log

Select Global Options from the top bar.

Click the View Log File button to open the log. Each log entry has the following columns:

. Program - Program where activity occurred.

. Type - Type of message logged: Information, Warning, or Error.

. When - Date and time activity was logged.

. Level - Level of severity.

. PID - Identifies the running process.

. TID - Identifies the thread where the log statement is generated.

. Message - A description of the activity, warning, or error logged.

Using the log file menu

Select File | Open to open older log files.

Select File | Save As to save the log file. The default file name includes the application and the date.

Select Edit | Copy to copy selected rows to the Windows Clipboard.

Select options from the View menu to filter the type of data displayed.


. Errors - Display only errors that have occurred. Error messages appear in red typeface.

. Warnings and errors - Display only warnings (in blue) and errors (in red).

. Information, Warnings, and Errors - Display all messages in the log file.

Use the Window menu to switch to the main window or to another open window.

Use Refresh to update the information shown in the log.

Antivirus

Preventing Antivirus Interference

A few antivirus and anti-spyware programs will scan for and attempt to remove Veriato files on a computer. Files may be removed during or after Veriato Recon/360 installation, preventing the installation from working properly.

To find out how your antivirus interacts with Veriato, consult the product-specific information provided in the Veriato Antivirus Guide, keeping in mind that antivirus products are constantly being updated. Make the suggested changes to your antivirus policies BEFORE installing Veriato to avoid frustration. Suggestions may include:

Temporarily disable the antivirus while running the setup

1. Find the antivirus icon. At the computer where you will run the Veriato Setup program, look in the Windows notification area in the lower right corner of your desktop. Active antivirus programs usually display an icon directly on the task bar or when you click the up-arrow in the notification area.

2. Right-click the antivirus icon and select "Disable." If a "disable" option is not available, open or modify the program and find the control to temporarily disable it. (If the install program needs to restart the computer due to prerequisites installation, you may need to turn it off again.)

[Figure: example of an active antivirus icon in the taskbar]


3. When setup is finished and the Veriato files have been excluded from scanning, re-enable antivirus scanning.

Refer to Excluding the Recorder from Scanning.

Exclude the Veriato Server Folders and Files

Set exclusions BEFORE downloading and running the Veriato Setup. If you use enterprise-level antivirus, create a network-wide exclusions policy to cover any computer that will host Veriato Server components. Otherwise, set exclusions at each computer where you plan to run the Veriato Setup in the local antivirus console. Run an antivirus scan on server computers before deploying Recorders to test. Refer to the Veriato Support site and to the Veriato Deployment Guide.

Exclude Recorder Files from Scanning

To be sure the installed antivirus solution will not quarantine files or display messages at endpoint computers, set antivirus exclusions for the following files BEFORE Recorder deployment. For enterprise-level antivirus, create a network-wide exclusions policy. Otherwise, set exclusions at each computer in the local antivirus console. Refer to the Veriato Support site and to the Veriato Deployment Guide.

IMPORTANT: If older clients are on the network, keep the relevant file names in your exclusions.


Recorder Status Messages

Check antivirus settings

Antivirus software may be interfering with the Recorder installation or ongoing operation. Verify that all files for the current Recorder version are excluded in the antivirus software.

Explanation

Some antivirus and anti-spyware programs will look for and attempt to remove Veriato files on a computer. Files may be removed during or any time after Recorder installation. To keep all components running properly, exclude Veriato Recon/360 files from scanning. If you use enterprise or endpoint antivirus software, make the exclusions at the antivirus server so they apply across the network. If antivirus programs are installed locally, make the exclusions at each computer.

You may need to update Recorder file exclusions that previously worked when:

. Installed antivirus software has been updated and has just begun finding and quarantining Veriato files.

. A Recorder version update has added new files not in your exclusion list.

. The user at the endpoint computer has installed additional anti-malware or antivirus software.

Option - Remove the antivirus product

Check the device to determine which antivirus or anti-spyware program is causing the problem. If the program is not your main, network-wide solution, you may want to remove it from the device and then schedule Recorder installation from the error message.

Option - Exclude files and reinstall

If possible, set exceptions for the Veriato Recon/360 server folders or files. Open the antivirus or anti-spyware control panel and look for the option that allows you to exclude specific files from scanning. Once exclusions are in place, antivirus should no longer be a problem.

Exclude Client Recorder files before deploying to Windows computers

When you are ready, schedule Recorder installation right from the device error message and click Apply. If the problem was resolved, the error status will be replaced by normal recording status.


Option - Remove device

Remove the device from the Recorders group list. (This option cancels a scheduled install/uninstall, if requested.)

. If a Recorder is installed, and the device can respond, the Recorder is uninstalled and the device removed.

. If a Recorder is installed, but the device cannot respond (is offline, blocked or compromised), the device is removed from the list without uninstalling the Recorder.

. If an installed Recorder is able to report back AFTER the device was removed, the device automatically reappears and continues uploading data.

. If a Recorder was NEVER installed (wrong name, issues not resolved), the device is removed and the assigned license released.

Antivirus interference may prevent proper Recorder uninstallation. Try to resolve the problem, and then re-install the Recorder.

Disk Space or System Requirements

The device does not have a supported operating system or does not have enough free disk space to install the Recorder.

Requirements for Windows client

. Windows 10, 8.1, 8, 7; Windows Server 2016, Server 2012, Server 2008 R2

. 1.5 GB free disk space

. Administrator-user access to install the software

. File and Printer Sharing Enabled

. Recorder version 9.0.* software

Requirements for Mac client

. macOS 10.14 Mojave, 10.13 High Sierra, 10.12 Sierra, OS X 10.11 El Capitan

. 1.5 GB free disk space

. Administrator-user access to install the software

. SSH enabled for remote installation

. Recorder version 9.0.* software


Option - Correct the problem and schedule installation

Update the device OS, free up disk space, replace the main hard drive with a larger one, or take this device off the network and replace it. The replacement device must have exactly the same network name (device.domain). You can then re-schedule installation from the status message in the Recorders list.

Option - Remove device

Remove the device from the Recorders group list. (This option cancels a scheduled install/uninstall, if requested.)

. If a Recorder is installed, and the device can respond, the Recorder is uninstalled and the device removed.

. If a Recorder is installed, but the device cannot respond (is offline, blocked or compromised), the device is removed from the list without uninstalling the Recorder.

. If an installed Recorder can report back AFTER the device was removed, the device automatically reappears and continues uploading data.

Firewall Blocking WMI Communication

It appears that Windows Management Instrumentation (WMI) is being denied access to this device. Enable firewall exclusions for all WMI entries in the Windows Firewall panel for the device.

Explanation

WMI needs access to the device to deliver Recorder installation. If you get this message, enable Group Policy rules to allow WMI on the domain. If you are not on a domain, you can change firewall settings at each computer.

Option - Open firewall at the client

1. Search for "Firewall" to bring up the Windows Firewall security panel.

2. Go to Advanced Settings and select Inbound Rules.

3. Find and select "Windows Management Instrumentation" entries.

4. Select Enable Rule.


[Figure: the Windows Management Instrumentation inbound rules shown enabled for the Domain profile; with the rule enabled, the message will not appear.]

Option - Remove device

Remove the device from the Recorders group list. (This option cancels a scheduled install/uninstall, if requested.)

Port Is Blocked

If Windows Firewall blocks the Recorder's outgoing communication port (HTTPS 443 by default), the Recorder is unable to communicate with or check in to the Veriato Server. When the port is opened, and if there are no other problems, the Recorder should automatically connect and check in.

Explanation

You can find your current Recorder communication port in the System Management | Server Settings page. If for some reason TCP/HTTPS communication is blocked at the port, the Veriato Server and Recorder won't be able to communicate. If you open the port, any blocked Recorder will check in and the message will disappear.
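A quick way to tell from an endpoint whether the communication port is being dropped by a firewall, rather than merely closed on the server, is to watch how the TCP connect fails: a firewall that silently discards packets produces a timeout, while a reachable host with nothing listening answers with a reset. The following Python is an added example, not a Veriato utility; the server name and port are whatever System Management | Server Settings shows (HTTPS 443 by default), and the local listener in the demo is constructed so the script runs offline.

```python
"""Probe the Recorder's outbound communication port from an endpoint.

Added example, not a Veriato utility. It needs only the server name and
port shown under System Management | Server Settings (HTTPS 443 by
default). The local listener used by the demo is constructed so the
example runs offline.
"""
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify what happens when this endpoint tries to reach host:port.

    "open"        TCP handshake completed: the port is reachable
    "refused"     the host answered with a reset: reachable, but nothing listens
    "timeout"     no answer at all: the usual signature of a firewall
                  silently dropping the packets
    "unreachable" no route, name lookup failed, or the socket call itself failed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def open_local_listener():
    """Bind a throwaway listener on 127.0.0.1; returns (socket, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python probe.py <veriato-server> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(host, port, probe_tcp(host, port))
    else:
        # Offline demonstration against a constructed local listener.
        listener, port = open_local_listener()
        print("listening port:", probe_tcp("127.0.0.1", port))   # open
        listener.close()
        print("closed port:", probe_tcp("127.0.0.1", port))      # refused
```

Run it once from an endpoint that shows "Port Is Blocked"; "timeout" points at a firewall or routing rule between the Recorder and the server, "refused" at the server itself (wrong port, or the service not listening), and "open" means the block is somewhere other than plain TCP reachability.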


Option - Make changes and reinstall

After opening the port, you can wait for Recorders to check in; you don't have to reinstall.

If you can't open this port, you can change the port used by Veriato by using the Server Address Changer utility. If you change the server name or communication port, you must reinstall all Recorders.

Option - Use diagnostics

To immediately check changes to the system (such as opening or changing the port) before you reinstall, select the diagnostics option. Diagnostics will inform you of any additional issues.

Option - Remove device

Remove the device from the Recorders group list. (This option cancels a scheduled install/uninstall, if requested.) If a Recorder is installed, but the device cannot respond (is offline, blocked or compromised), the device is removed from the list without uninstalling the Recorder.

Recorder Not Responding

"Check-in Time Has Passed"

"Check-in Time is [n] Days Overdue"

The Recorder did not communicate with the server at the expected time. A warning status appears when the 12-hour check-in interval has passed, and an error status appears when there is no check in for more than 5 days.

NOTE: Use these steps for a device that remains in an "About to" or "Waiting for" Install/Update/Uninstall state beyond the expected time.

Explanation

Likely one of the following is causing the problem:

. The device is offline. Other network tools and vacation/travel schedules should tell you what the story is with this device. When the device comes back online, re-schedule installation from this message in the Recorders list.

. Antivirus scanning detected and removed a file. Make sure you have excluded the Veriato Recorder folder or files in your antivirus management system. An antivirus program may have quarantined an important file, causing the Recorder to fail. See Check Antivirus Settings.

. A firewall or network configuration is preventing communication. Your network tools will tell you if a device is outside the firewall protecting the Veriato server.

. There's a system or hardware problem at the device. The device itself may be compromised and unable to communicate with the Veriato Server.

. Someone may have attempted to remove the Recorder, although that would be difficult to do.

Option - Do nothing

Wait for the device to come back online or the issue to be resolved. You can dismiss the message without using "Apply," and the device retains this status in the Recorders list until it checks in, when it returns to "normal" status.

Option - Run diagnostics

If you're in a hurry to get things running, select the diagnostics option and click apply. The server attempts to pinpoint the problem and give you feedback to correct the problem. You can run diagnostics repeatedly until the problem is resolved.

Option - Schedule re-installation

If you have resolved the issue, you may want to "push" the Recorder out to the client again.

When you are ready, schedule Recorder installation right from the device error message and click Apply. If the problem was resolved, the error status will be replaced by normal recording status.

Option - Remove device

Remove the device from the Recorders group list. (This option cancels a scheduled install/uninstall, if requested.)

The Recorder Version Is Not Supported

The Recorder will not operate until you update ("push") a supported version. When the update is complete, the Recorder will begin working again, and no data will be lost.


Explanation

The Recorder software installed is no longer supported. Update the version to begin receiving data. If you have just upgraded Veriato Recon/360, this message appears next to Recorders in communication with the server. The message disappears when you upgrade the software to a 9.* version.

Option - Set credentials and schedule installation

Because replacing an obsolete Recorder Version is a complete software re-installation, you must supply administrator-user credentials when installing from the error message. See Device Credentials.

1. Type the username for the account.

2. Enter the password for the account.

3. Press Submit.

4. If credentials are valid, schedule the update. Keep in mind that installation will restart the device.

. Now - Installs the Recorder as soon as possible.

. At scheduled time - Installs the Recorder at the date and time you select. Type in a date and time or use the buttons to select from a calendar and adjust a clock.

5. Click Apply. The device status changes to installing or "Waiting to install."

Instead of responding to the error message, you could select devices in the list and then choose Deployment | Update Recorder from the top bar. Click the option to "Reinstall (push) the software," enter valid administrator credentials, and click Submit.


System Alerts & Other Issues

Database Approaching Maximum Size

For installations using MS SQL Server Express (installed with Veriato Recon/360), an alert is triggered when 15% or less of the database's maximum size (9.6 GB) remains.

Explanation

A SQL Server Express database is size-limited. If the main storage database fills up, it cannot grow, and new data uploaded from Recorders cannot be stored. To continue monitoring users, you must address the problem.

. The alert is triggered by data size. The storage database, the most likely database to become full, has a maximum size of 9.6 GB.

. Number of days remaining is an estimate. The estimated days of data storage remaining is based on average daily use and may not be accurate.

. The System Health "job" runs nightly. If an alert is triggered, the email is sent once a day. Be aware that if usage is very heavy on a particular day, the database may become full before the job runs and before you receive the alert!

Option - Reduce the data size

There are several ways to save off data records before removing them:

. Create and export detailed Reports from the Management Console.

. Export data to a SIEM.

. Export data to files via the Veriato Export Utility.

Once the data is saved, reduce the data size using System Management | Data Retention. You can delete records older than a certain date, or trim specific types of data using the Delete Data option.

Option - Save a VM "snapshot"

Store the existing system as a VM snapshot. Create a new Virtual Machine with an empty SQL Server Express database. You can then capture new data and return to VM snapshot to view older data.


Option - Upgrade to SQL Server Standard

Purchase SQL Server Standard (or Enterprise) and install it over the existing SQL Server Express installation. The SQL Server upgrade process will convert your existing Veriato database instance to a SQL Server Standard instance, and you will have the freedom to continue adding data to the database as disk space allows.

Low Disk Space

The Veriato Recon/360 server self-audits for available disk space for data storage. Each data storage location on a different disk drive is tracked separately. If you selected all default locations, all data is located on the server C:\ drive. If you receive a message informing you the data location disk is nearly full, take steps immediately to create more space so that you can continue monitoring activity.

Explanation

If free disk space falls to 15% or less of the disk's total size, a system health alert email is sent. If a data disk becomes full, the entire system may stop working.

. The alert is triggered by disk size. System Health monitors the disk space available for each hard drive specified for data storage. This includes the storage locations for database data, file storage (screenshots and attachments), and backups. The Management Console shows data storage locations in System Management | Server Settings.

. Number of days remaining is an estimate. The estimated days of data storage remaining is based on average daily disk space usage, which can vary, and may not be accurate.

. The System Health "job" runs nightly. If an alert is triggered, the email is sent once a day. Be aware that if usage is very heavy on a particular day, a storage location may become full before the job runs and before you receive the alert!
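The two System Health rules described in this section and in Database Approaching Maximum Size above share the same shape: a capacity (the 9.6 GB SQL Server Express ceiling, or a drive's total size), a current usage, an alert when 15% or less remains, an estimated number of days remaining derived from average daily usage, and the caveat that a nightly job can run too late after an unusually heavy day. The check below reproduces that logic so an administrator can run it against their own numbers between nightly runs. It is an added example written for this guide, not Veriato's System Health job: the function names, the dataclass, the sample sizes and the day-over-day averaging used for the estimate are all assumptions (the guide does not document the exact formula Veriato uses).

```python
"""Capacity check modelled on the guide's System Health rules (added example,
not Veriato code). All sizes are in GB; sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional

ALERT_THRESHOLD_PCT = 15.0   # alert when 15% or less remains, as the guide states
SQL_EXPRESS_MAX_GB = 9.6     # storage database ceiling stated in the guide


@dataclass
class CapacityReport:
    name: str
    capacity_gb: float
    used_gb: float
    free_pct: float
    avg_daily_growth_gb: float
    days_remaining: Optional[float]   # None when no growth has been observed
    fills_before_next_job: bool       # one more day like the worst seen would fill it
    alert: bool


def daily_deltas(daily_used_gb: List[float]) -> List[float]:
    """Day-over-day growth in GB. Shrinkage (for example after a Data Retention
    cleanup) is clamped to zero so that it cannot mask real growth."""
    return [max(0.0, later - earlier)
            for earlier, later in zip(daily_used_gb, daily_used_gb[1:])]


def assess_capacity(name: str, capacity_gb: float,
                    daily_used_gb: List[float]) -> CapacityReport:
    """Evaluate one storage location or database against the alert rules.

    daily_used_gb: used size sampled once per day, oldest first; the last
    entry is the current usage (hypothetical input, gathered by the caller)."""
    if capacity_gb <= 0 or not daily_used_gb:
        raise ValueError("capacity must be positive and at least one sample is required")
    used = daily_used_gb[-1]
    free = max(0.0, capacity_gb - used)
    free_pct = 100.0 * free / capacity_gb
    deltas = daily_deltas(daily_used_gb)
    avg_growth = sum(deltas) / len(deltas) if deltas else 0.0
    days_remaining = free / avg_growth if avg_growth > 0 else None
    # The guide warns that the nightly job may run only after a very heavy day
    # has already filled the location. Flag the location as at risk when the
    # worst single-day growth already observed is as large as the headroom left.
    worst_day = max(deltas, default=0.0)
    fills_before_next_job = worst_day >= free
    alert = free_pct <= ALERT_THRESHOLD_PCT or fills_before_next_job
    return CapacityReport(name, capacity_gb, used, free_pct, avg_growth,
                          days_remaining, fills_before_next_job, alert)


def format_report(r: CapacityReport) -> str:
    """One-line summary in the spirit of the System Health email."""
    days = ("n/a (no growth observed)" if r.days_remaining is None
            else f"{r.days_remaining:.1f}")
    status = "ALERT" if r.alert else "ok"
    return (f"{r.name}: {r.used_gb:.1f}/{r.capacity_gb:.1f} GB used, "
            f"{r.free_pct:.1f}% free, ~{days} days remaining [{status}]")


if __name__ == "__main__":
    # Constructed sample usage history, not measurements from a real server.
    checks = [
        assess_capacity("storage database (SQL Express)", SQL_EXPRESS_MAX_GB,
                        [7.0, 7.4, 7.9, 8.3]),
        assess_capacity("C:\\ file storage", 500.0, [300.0, 310.0, 305.0, 320.0]),
        assess_capacity("D:\\ backups", 100.0, [50.0, 52.0, 78.0]),
    ]
    for rep in checks:
        print(format_report(rep))
```

The third constructed case is the one the guide's caveat is about: 22% of the backup drive is still free, so the plain 15% rule would stay quiet, but a single day like the last one observed would fill the drive before the nightly job ran, so the check raises an alert anyway.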

Option - Increase disk space

Migrate your data storage to a new, larger hard drive (contact Veriato Support for assistance). Backups can be directed to a new drive at any time from the Management Console.


Option - Direct data to different drives

If you installed Veriato Recon/360 using default settings, all data is being stored on the Veriato Server installation drive (C:\ by default). You can add local hard drives to the Veriato Server and direct future database and file backup locations to them at any time using System Management | Server Settings.

To direct active Veriato data or files (screenshots and attachments) to a new storage drive, contact Veriato Support for assistance.

Make sure the Veriato Service has permission to access all locations. See Data Storage and Backup and File Storage and Backup.

Option - Use Data Retention to free up disk space

For the database backup storage locations, use System Management | Data Retention to delete backup sets older than a certain age.

For the file storage backup location, use Windows to move older backups to another location.

For active data and file storage locations, first save current data:

. Create a full backup of all current data and files. Accessing the data will require restoring the backup.

. Create and export detailed Reports from the Management Console for access to older data.

. Export data to a SIEM.

. Export data to files via the Veriato Export Utility.

Then, use Data Retention to remove older data records, screenshots, or specific types of event records (the Delete Data button).

Missing Data

If any installed client Recorder fails to return data after 5 days (the value is set in Global Options), an email message, "No User Data Returning," is sent to the System Operator(s).

Explanation

The message comes from the server. Although the Recorder was installed, new activity by a user has not been uploaded. There are several causes for this:

. A user never logged into the device.

. The device has been off the network or shut down.

. The Recorder has been compromised and is unable to report in.

. Something is preventing communication with the Recorder.

Options

. Do nothing - If the user is traveling or on vacation, simply wait for the Recorder to come back online. As soon as it does, it will upload activity it stored on the local computer while it could not communicate with the server.

. Check the device for antivirus - An updated or new antivirus program may be quarantining files. Make sure antivirus has client files excluded or is disabled. Then, reinstall the Recorder using a "push" installation from the Management Console or a Manual Setup file.

. Check for new firewall settings - A change in the client's local settings may be cutting off communication with the server.

. Remove the device - If the device is no longer used or decommissioned, remove it from its Recorders group. This may not uninstall the Recorder, but it will stop these alerts from being sent.

Management Console Unable to Communicate with Server

When attempting to log in to the Management Console, the following message appears:

Explanation

Opening the Management Console requires connection to the server and the Veriato Services to be active. If the account name and password are correct, the cause of the problem may be:

. There is a network issue - Make sure the Management Console is in direct (local or VPN) connection with the Veriato Server.


. The server address is wrong - Make sure the login screen is showing the correct server address and port. Select the correct server. If necessary, type over the existing server.

. The port is blocked or wrong - Check local firewall settings and open the port if necessary. Find out which port the Veriato Setup specified for services communication. If you need to CHANGE the server address or port following installation, reinstall or refer to Changing the Server Address.

. The Veriato Service is not correctly configured - The service may have a permissions issue or is being blocked by a Group Policy for network services. Refer to Add Services to Group Policy and The Veriato Service.

. The Veriato Service failed to start - Check services at the primary server computer. Make sure the Veriato services (except the Veriato Exchange Recorder) are running. Start the Veriato Service first, and then start the others. If the service does not start, try restarting the computer and try again. If you continue to have trouble, contact Technical Support.


1. Enable the policy. Click Show to enter a zone assignment.

2. As the Value Name, type the URL you are using to access ConnectWise Manage and display the Summary Dashboard. In the Value field, type the number 2 (trusted site).


3. Click OK twice and close the Group Policy Editor. Edge (Internet Explorer) should now trust and display the Summary Dashboard page when accessed from the ConnectWise Manage URL.

Activation Errors

Online activation errors

. Unable to access server - You will receive an error if there is a problem with Internet or network connections when trying to activate. If other websites are available from the computer, the Veriato server may be down. Contact Technical Support.

. Product not activated - If you have just installed Veriato Recon/360 and have not performed the initial activation, you will need to go to Configurations | Recorder Licenses and select Activate Product Key.

Alternate activation errors

. Unable to create the request file - There is sometimes a problem creating the file when an old file is still on the desktop. Delete any old activation request files and go through the procedure again.

. Expired HTML file - If you use an out-of-date file to connect to the Veriato website, you will get an error. The file is good only for 3 days. Go through the procedure to generate a file again.

. Expired file - If you try to load an out-of-date file into Veriato Recon/360 to complete activation, an error appears. Go through the entire procedure again to obtain a fresh file.


. Invalid activation file - If you browse to and open a different file type or a file containing the wrong data, Veriato Recon/360 can't read it and displays an error. Be sure to browse to and open the correct text file. Or, cancel out of the dialog box and go through the procedure again to create a new, valid file.


Contact & Copyright

Contact Us

When sending email, please include your company name, city, and state to ensure your request is handled as promptly as possible.

General Contact

Veriato, Inc.
4440 PGA Boulevard, Suite 500
Palm Beach Gardens, FL 33410
www.veriato.com
Toll Free: +1 888-598-2788
Phone: +1 772 770 5670
Fax: +1 772 770 3442

Monday through Friday, 7:00 AM to 7:00 PM Eastern Time [email protected]

Technical Support

Use the telephone number above or contact Veriato Technical Support.

Copyright Notice

Copyright © 2018 Veriato, Inc., 4440 PGA Boulevard, Suite 500, Palm Beach Gardens, FL 33410.

Veriato, Veriato Recon/360, and Veriato Recon are Registered Trademarks of Veriato, Inc.

Your use of Veriato Help Files constitutes your acknowledgment and acceptance of the Veriato terms of use. If you do not agree with these terms of use, please do not use these Help Files.

All materials appearing anywhere within this guide are protected by worldwide copyright laws and treaty provisions. The copyright on such materials is held by Veriato or its subsidiaries (collectively, "Veriato"), or by the original creator of the materials. None of the materials may be copied (other than for personal use), reproduced (other than for personal use), displayed, modified, published, uploaded, posted, transmitted, or distributed in any form or by any means without prior written permission from

Veriato. All rights not expressly granted herein are reserved. Any unauthorized use of the materials appearing on Veriato Help Files may violate copyright, trademark, and other applicable laws and could result in criminal or civil penalties.

Trademarks for other companies

. Microsoft Windows, MSN and other Microsoft products referenced herein are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and / or other countries.

. Android is a trademark of Google, Inc.

. AOL and AOL Instant Messenger are trademarks of America Online, Inc.

. Adium is a trademark of the Free Software Foundation, Inc.

. Bonjour, iChat, iCloud and other Apple software and web products are trademarks of Apple Computer, Inc.

. Yahoo! Brand Features are trademarks of Yahoo! Inc.

. Gmail and Google are trademarks of Google, Inc.

. Lotus Notes is a registered trademark of IBM.

. ICQ is a trademark of ICQ, Inc.

. Citrix is a registered trademark or trademark of Citrix Systems, Inc.

. Skype is a registered trademark of Skype Limited.

. Trillian is a trademark of Cerulean Studios.

These Help Files may contain other names and phrases (marks) that may or may not be trademarks of other organizations. All other trademarks and service marks are the property of their respective owners.

Third-party software licensing

Veriato uses the following third-party tools and/or code under terms of license or public domain. Refer to


Index

A Change Policy 102 About to install 107 Chromium 64 Administrator user account 92 Cloud uploads Advanced Application options - Recorder 248 Enable recording of 206 Alert conditions (360 Events) 147 Conditions for event alerts 147 Alert email Console applications 248 Configure 170 Contact us 375 Alternate Activation 263 D Android 64 Deployment Deployment 64 to Android 64 Device names 64 with SCCM 80 Uninstalling the Recorder 71 Display name 260 Updating the Recorder 72 Document Activity Anomaly alert 121 CD/DVD burning (MAPI) 206 Anomaly alerts 112 Settings 206 Sensitivity 116 E Antivirus Elevated applications 248 Server exclusions 21 Email activity Application events Anomalous activity 134 Recording policy settings 204 Email recording filter 247 Assign version 104 Recon anomaly alert 134 Attachments (email) Email alerting Alert on anomalies 134 Recon email anomalies 134 B Email events Baselining anomalies 121 Email types recorded 200 Bcc (in email) Mail server ports recorded 201 Alert on anomalies 134 Remove duplicate emails 200 Behavioral anomalies 121 Enable Recorder log file 248 Blank snapshots 247 Enable recording when Windows starts 248 Block access 222 Error status All chat 222 Recorder not responding 360 All Internet 222 Windows UAC preventing installation 364 to Cloud uploads 226 WMI denied access 357 to Ports 222 Event Alerts 143 to Websites 218 What to watch for 147 C F Cancel action 109 FAQs 6

Files Transferred events Record settings Recording policy settings 201 Who to record 215 Files Transferred settings 201 Recorder not responding 360 I Recording policy IMAP 200 Change assignment 102 Inactivity timeout 205 Remove Recorder 106 K Rules for email filtering 247 Keystrokes Typed S Settings 203 SCCM 80 Keywords in events 147 Screenshots L System settings 247 Language analysis Search Recon email anomaly 134 User list 260 Layered windows - recording 247 Secondary monitors - recording 247 Licenses 263 Session linger 248 Licensing for SQL Server 17 SMTP 200 Log file level (Recorder) 248 SQL instance M Location 312 MAPI 200 SQL Server Message at clients for Backup location 312 Blocked web site 218 Licenses required (Microsoft) 17 N Summary Dashboard Network file activity 206 Not appearing 369 Network initialization delay at client 248 T No User Data Returning 367 Technical support 375 P Third-party software licensing 376 Policy U Assign recording policy 102 Unable to Communicate with Server 370 POP 200 Uninstall Recorder 106 Program Activity settings 204 Updating the Recorder 105 Program System Settings 205 Upload alert 145 Programs recorded User Status Settings 206 Monitor all except the following 236 Users 260 Monitor only the following 236 W proxy server 192 Who to record 215 R Windows Management Instrumentation 357 Recon Windows UAC prevented installation 364 Anomalies 121 Workgroup deployment 92 Select users for 159