DirectAudit's easy-to-install, low-overhead Agent silently and transparently gathers comprehensive user session activity: what actions were taken, what changes were made to key files and data, and what system results appeared. DirectAudit records this data without interrupting the user's workflow.
The DirectAudit Auditor Console gives you a central, global view of user sessions across your audited Windows, UNIX and Linux environment. Out-of-the-box views show both current and historical sessions grouped by computer, by user, and other criteria. In this example, you can see all sessions during a specific time period: this month. Notice that the list contains both Windows and UNIX/Linux systems in a single view.
Using the DirectAudit Combo Replayer, with a simple right-click you can replay any user session on any audited system to see what actions were taken, what changes were made to key files and data, and what system results appeared. You can pause, rewind, fast-forward, scrub through the timeline, or jump to a specific point — as easy as using a VCR. This unique playback feature gives IT security and IT auditors the ability to verify what privileged users are doing on audited systems. It also provides a powerful tool for monitoring real-time and historical activity, troubleshooting changes that may have led to a system failure, or documenting system configuration tasks.
In this example, clicking on the indexed event list on the left takes you directly to the place where the user tried to add an administrative group to a user's account. This unique session replay feature helps you proactively spot insider threats and takes the guesswork out of troubleshooting system problems.
The indexed event list shows a timeline of the major actions that occurred during a Windows session, providing a high-level overview. You can use the indexed event list to start a session replay from that exact point.
In this example you can see the user was displaying the Active Directory Users and Computers panel, which may be an indication the user was trying to make unauthorized configuration changes.
You can use the DirectAudit Console's out-of-the-box views to see active sessions and historical sessions, or build your own views that show sessions by specific users, machines, time periods, or other criteria. You can also perform full-text searches to find, for example, all instances of a password change command across all sessions. By adopting a non-proprietary SQL data format, DirectAudit enables robust reporting and querying through third-party tools as well.
Using the DirectAudit Query wizard, you can create your own views of user sessions and export them for reporting purposes. You can perform full-text searches of transcripts, or create structured queries with multiple filtering criteria. For example, this query has been set up to find all root logins on computers whose name starts with "rhel" and an additional filter is being added to limit the query to sessions in the past month.
The DirectAudit Auditor Console gives you a centralized, real-time view of every user session on every audited Windows, UNIX and Linux system. For each session you can see who is logged on, and you can immediately drill down to see what they are currently doing. This is an invaluable tool for both spotting suspicious activity and quickly troubleshooting system issues. By clicking on a folder (such as "Active Sessions" or "This Month"), you can view all the relevant sessions. You can see the user name, the system they're logged into, and the start time. To see what they've been doing, just right-click to replay the session.