Lets you see how your users are behaving. Highlights anomalous activity that surrounds insider attacks and privileged account compromise.
Our real-world analysis has made it clear that SysAdmins do a lot of work outside working hours, especially during incidents. Although the start time of a connection could be an indicator of malicious behaviour, factors such as which system was accessed and the length of the connection have more correlation.
We built our analytics around key factors like: Start Time, Session Length, Accounts Used and originating IP addresses. All of these data points link back to Osirium's reporting. Graphs show the trends, but reporting holds the specifics.
It's all about behaviour: these analytics show how individuals are working within the group. You can see how the server and network team behave. Taking different views lets you see the outlying data points quickly.
This gives you an overview of all the logins of privileged users along with all the sessions they had with devices.
When you run the mouse over the sessions, the detail panel gives the system, role and duration of the session.
This shows you which IP addresses were used to initiate sessions to systems and devices.
The information is very much dependent on the DHCP policy and how addresses are reused. In general you can tell the originating subnets; where leases are long, it can reveal account sharing.