16.1.1. Connection details

The Details pop-up window provides in-depth information on each of the indexed audit trails stored in the connection database. You can use it to gain contextual insight about the indexed session and its events.

The pop-up window consists of two main parts: the header and the trail details. In the header, you can:

  • Move to the previous or next trail listed on the Search page using the previous / next navigation buttons.

  • Search the current trail. Search is performed on the displayed audit trail only. When you move between trails, the search is reset to the query you used on the Search page (if you entered one). You can also revert to that query at any time using the reset button. For details on using search expressions, see Section 16.1.4, Using the content search.

  • Export / follow the trail. Click the export button to export the trail, or the follow button to follow an ongoing connection. The trail data is exported in .srs format, which you can open with the Audit Player application.

Figure 16.2. Audit trail details


Trail details: 

The details section is organized into tabs (left) and screenshots (right). The Details tab is always visible. The All results, Events, and Alerts tabs are displayed dynamically, when there is matching content in the trail.

Details tab: Quick summary of the connection details (user, server, time).

  • User information: remote and gateway username. The gateway username corresponds to the Username field of the connection metadata database, so note the following:

    • If the user performed inband gateway authentication in the connection, the field contains the username from the gateway authentication (gateway username).

    • Otherwise, the field contains the username used on the remote server.

  • Connection information: connection verdict, protocol, connection policy, client and server address.

  • Session time: start and end time of the connection.

  • Trail information: whether the trail is indexed or archived.

  • Link: a link that leads to the Search page filtered to show only this connection. Note that if you share this link, other users can access the audit trail only if they have the required privileges, and can access PSM using the IP address in the link (PSM can be configured to be accessible using multiple IP addresses).

Figure 16.3. Details tab


All results tab: Matching results for your search on the Search page (or in the trail contents), in chronological order.

  • Date and time of the matching event.

  • Search rank. The displayed Rank indicates how closely the result matches your search query.

  • Screenshots. If screenshots are available for the trail, you can click each search result to view the corresponding screenshot.

Figure 16.4. All results tab


Events tab: Connection events, in chronological order.

  • Date and time of the event.

  • Event type (command, screen content, window title).

  • Event details.

Figure 16.5. Events tab


Alerts tab: Content policy alerts triggered in the session, in chronological order.

An event is listed as an alert only if the Actions > Store in Connection Database option is selected in the Content Policy used to handle the session.

  • Date and time of the alert.

  • The type of the alert (command, screen content, credit card, window title).

  • The matching content.

  • Terminal buffer contents. If the alert is not visible on the screenshot, you can click the terminal buffer icon to view the contents of the full terminal buffer.

  • Screenshots. If screenshots are available for the trail, you can click each alert to view the corresponding screenshot.

Figure 16.6. Alerts tab


Screenshots are generated for search results and alerts when the trail is opened, and for subsequent searches. You can scroll between screenshots using the carousel, and view each screenshot in full size. Selecting a screenshot highlights the corresponding search result or alert.

Screenshots are not available for:

  • Ongoing connections.

  • Unindexed trails.

  • Audit trails indexed by the Audit Player application.

  • Trails of HTTP connections.

  • Encrypted trails (without the necessary certificate).

Note

For SSH and Telnet trails, trail data is aggregated for each second. The screenshot you see reflects the terminal buffer as it was visible at the end of that second. If data was pushed off-screen during that second, the search still finds it, but it is not visible on the generated screenshot; use the terminal buffer view to see it.
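The following is an added illustration of the behaviour the note describes, not PSM's own indexing code: it models a terminal with a hypothetical fixed number of visible rows, aggregates recorded output per second, keeps the visible rows at the end of each second as the "screenshot", and indexes every line written during that second. The sample output stream and the `ROWS` value are constructed for the example. Running a search over it shows a hit that is found by the index but has already scrolled off the screenshot, which is why a result without a visible screenshot is not a false positive and should be checked in the full terminal buffer.

```python
"""Model of per-second screenshot generation for a terminal session.

Added example, not PSM's own code. Output is aggregated per second; the
"screenshot" of a second is the last ROWS lines of the buffer at the end of
that second; the search index holds every line written during the second.
"""
from collections import defaultdict

ROWS = 5  # hypothetical visible terminal height, in lines

# Constructed sample session: (offset in milliseconds, line written to the terminal)
SAMPLE_OUTPUT = [
    (0, "$ cat /etc/passwd"),
    (120, "root:x:0:0:root:/root:/bin/bash"),
    (130, "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"),
    (140, "bin:x:2:2:bin:/bin:/usr/sbin/nologin"),
    (150, "sys:x:3:3:sys:/dev:/usr/sbin/nologin"),
    (160, "svc_backup:x:1001:1001::/home/svc_backup:/bin/bash"),
    (170, "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin"),
    (900, "$ "),
    (1500, "$ id"),
    (1600, "uid=0(root) gid=0(root) groups=0(root)"),
]


def record(output, rows=ROWS):
    """Aggregate a terminal output stream per second.

    Returns {second: {"index": [...], "screenshot": [...], "buffer": [...]}}.
    "index" is every line written during that second, "screenshot" is the
    visible part of the buffer at the end of the second, "buffer" is the
    full terminal buffer (including scrolled-off lines) at that point.
    """
    buffer = []
    per_second = defaultdict(lambda: {"index": [], "screenshot": [], "buffer": []})
    for offset_ms, line in output:
        sec = offset_ms // 1000
        buffer.append(line)
        rec = per_second[sec]
        rec["index"].append(line)
        # Overwritten on every line, so the last write wins: end-of-second state.
        rec["screenshot"] = buffer[-rows:]
        rec["buffer"] = list(buffer)
    return dict(per_second)


def search(records, term):
    """Search the per-second index and report whether each hit is on the screenshot."""
    hits = []
    for sec in sorted(records):
        rec = records[sec]
        for line in rec["index"]:
            if term in line:
                hits.append({
                    "second": sec,
                    "line": line,
                    "on_screenshot": line in rec["screenshot"],
                })
    return hits


if __name__ == "__main__":
    recs = record(SAMPLE_OUTPUT)
    for term in ("root:x:0:0", "svc_backup", "uid=0"):
        for hit in search(recs, term):
            where = "visible" if hit["on_screenshot"] else "scrolled off; check terminal buffer"
            print(f"{term!r}: second {hit['second']}, {where}")
```

In the sample, `/etc/passwd` is dumped within the first second, so the `root` line is indexed and found, but by the end of that second only the last five lines are on screen; the `svc_backup` and `uid=0` hits are still visible on their screenshots.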