TWTQ: Create a session activity rule

Q: What are activity rules? How do I create them?
A: Log360 allows you to perform in-depth user activity auditing, and track user sessions from start to close. Log360's session activity reports tell you which user started sessions on which device, when these sessions were started and ended, and the status and duration of each session. It also gives you minute details of their activity during each session in timeline form.

Normally, a session is considered to start when a user logs on to a device, and ends when the user logs off or the device is shut down for some reason. The predefined session activity reports provide you information based on this definition. However, typical sessions last for several hours, and if you are interested in a particular session, you might still have a lot of information to go through.

Log360 takes you beyond the simple logon/logoff model of a session and lets you define your own starting and ending conditions for a session, called activity rules. When the events described by these rules occur, you can track all the activity that takes place between them.

For example, you may want to carefully monitor activity on one of your critical file servers. You wish to monitor users who log on remotely to the file server, and access a file after several failed attempts. You are also interested in tracking how they obtained this access. To monitor this, you can create an activity rule in the following way:
  • Activity starting rule: Remote logon to the file server, followed by a few failed attempts at accessing a file.
  • Activity ending rule: Successful access of the file.
By creating a session activity rule this way, you not only monitor unauthorized accesses to confidential files, but also identify security loopholes in your file server which allow these accesses.

How to create activity rules
Session activity reports can be found in the Correlation tab. Create a new activity rule by going to:
Correlation tab > Manage Rules > Activity Rules > +Create Activity Rule
The rule builder interface is the same as the correlation rule builder interface. You can learn how to use it from this post. Session activity rules are similar to correlation rules, and the only differences are:
  • Session activity rules are split into two sub-rules: the activity starting rule and the activity ending rule, which define how a session starts and ends respectively.
  • The use of a primary action: Each sub-rule of an activity rule has one primary action. By default, it is the first action of each sub-rule, but you can designate any action as primary by selecting the green check mark next to the required action. You can compare fields of the primary actions of both sub-rules using the Link to filter.
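To make the file-server rule from the example above concrete, here is an added illustration in Python (not Log360's own code): a small correlator with a starting rule (remote logon followed by a number of failed file accesses) and an ending rule (a successful file access), where the user/host pair stands in for the Link to comparison between the two primary actions. The event field names, the failure threshold and the sample records are all assumptions made for this example.

```python
# Added example (not Log360 code): a small correlator modelling the activity rule
# above. Starting rule: remote logon followed by THRESHOLD failed file accesses;
# ending rule: a successful file access. Fields and sample records are constructed.
from dataclasses import dataclass, field

THRESHOLD = 2  # failed attempts needed before the session opens (assumed value)
FIELDS = ("time", "user", "host", "action", "status", "logon_type")

@dataclass
class Session:
    user: str
    host: str
    start: int
    end: int = None
    timeline: list = field(default_factory=list)  # every event in the session

def track_sessions(rows, threshold=THRESHOLD):
    """Return (closed_sessions, still_open_sessions) for a list of FIELDS tuples.
    (user, host) plays the role of the Link to filter: an ending-rule event only
    closes a session whose primary action carried the same user and host."""
    pending, open_sessions, closed = {}, {}, []
    for ev in sorted((dict(zip(FIELDS, r)) for r in rows), key=lambda e: e["time"]):
        key = (ev["user"], ev["host"])
        if key in open_sessions:                      # inside a session: record it
            s = open_sessions[key]
            s.timeline.append(ev)
            if ev["action"] == "file_access" and ev["status"] == "success":
                s.end = ev["time"]                    # ending rule matched
                closed.append(open_sessions.pop(key))
        elif ev["action"] == "logon" and ev["status"] == "success" \
                and ev["logon_type"] == "remote":     # candidate session start
            pending[key] = {"start": ev["time"], "failures": 0, "events": [ev]}
        elif ev["action"] == "file_access" and ev["status"] == "failure" \
                and key in pending:
            p = pending[key]
            p["failures"] += 1
            p["events"].append(ev)
            if p["failures"] >= threshold:            # starting rule matched
                open_sessions[key] = Session(*key, p["start"], timeline=p["events"])
                del pending[key]
    return closed, list(open_sessions.values())

SAMPLE_EVENTS = [  # constructed: alice trips the rule, bob (local logon) does not
    (1, "alice", "fs01", "logon", "success", "remote"),
    (2, "alice", "fs01", "file_access", "failure", None),
    (3, "alice", "fs01", "file_access", "failure", None),
    (4, "bob", "fs01", "logon", "success", "local"),
    (5, "bob", "fs01", "file_access", "failure", None),
    (6, "alice", "fs01", "file_access", "success", None),
]
```

Running `track_sessions(SAMPLE_EVENTS)` yields one closed session for alice on fs01 (start 1, end 6) whose timeline holds the logon, both failed attempts and the final successful access; bob's local logon never satisfies the starting rule, so his events are not tracked.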
Session activity rules allow you to monitor customized sessions and track user activity with simple, straightforward reports.