Investigation Dashboard for files

The investigation dashboard is a preset group of charts and a table that help you understand what is happening in your system at any given time, and upon which you can build your own customized dashboards.

There are two default FAM views, each with different charts and tables. Select the view from the dashboard menu. The default views cannot be modified.
Note: The Server IP and Client IP are always the same in the dashboard, except for the case of connecting through remote desktop on Windows. Client IP is only supported when connecting through a remote desktop session.
Note: The FAM queries the server for the server IP addresses and takes the first one it finds. There is no way to select "the appropriate" IP address from a host name when the host has multiple IP addresses. Specify the IP address explicitly if you want to be guaranteed to see that IP address in the reports.
The default dashboards contain data for the last hour presented in one or more of:
  • Trimetric charts (3–axis data graphs). The default view is a color map. Additional views are bar graph, bubble graph, line graph, pie graph, step graph, and area graph.
  • Results table: provides the search results and investigation features of the original quick search. The Results Table is always at the bottom of the dashboard. It can be added to any dashboard. Tabs are:

    • Activity: Summary and Details tabs showing monitored data, based on the file server policy rules. Each row in the Summary tab gives the number of instances of recorded access activities per server and OS user. The Details tab adds the Server Hostname, Server, Client Hostname, Client IP, OS user, File Full Name, Command, Date and Time. Each row in the Details tab gives full details on one activity. Data in the Activity tab is consistent with the date and time of the collector.
    • Outliers: see Interpreting file activity outliers
    • Errors: Summary and Details tabs. Each row in the Summary tab gives the number of instances of reported errors per server and client IP, and the date. The Detailed Summary adds the error details, and the time. Each row in the Details tab gives full details on one error.
    • Violations: Summary and Details tabs. Each row in the Summary tab gives the number of instances of recorded violations per server, source program and OS user combination. The Detailed Summary adds the Client IP, severity, violation and violation details, date, and time. Each row in the Details tab gives full details on one violation. Data in the Violations tab is consistent with the date and time of the file server.
    • Entitlement: Summary and Details tabs. For file servers, this tab presents sensitive data based on the current FAM decision plans. Each row in the Summary tab gives the number of instances of recorded access activities per server and owner. The Details tab adds the Server Hostname, full path, Type, Size, Classification Entities (the decision plan that caused this file to be identified as sensitive), Owner, Client Hostname, Client IP, OS user, File Full Name, users and groups with write, read, execute, and delete permissions, last modification, Version (SharePoint only), creation time, Date, and Time. Each row in the Details tab gives full details on one activity. You can use the data in this table to create policy rules and groups for file servers; see Creating a FAM policy rule from the Investigative Dashboard Entitlements tab.
Additional views that you can add or open are:
  • Topology view (Search server status view): see Using the topology view
  • Animated bubble chart: an animated visualization of data changes over the last 48 hours. The chart depicts the behavior of objects over a period of 24 hours. Each object is depicted as a circle, and its area and position (x and y axis) represent three user-selected variables. The animation represents the object's behavior over the 24 hours. Access from the Add Chart drop-down.
  • Activity chart: a line chart that displays the volume of activity and outliers, located above the Results table. Access from the Add Chart drop-down.
Controls and options on this page:
  • A categorized facet list of Where, Who, What, Exception, and When, taken from the search results, appears on the left side of every dashboard and cannot be removed. Filter the entire dashboard by specific facets by expanding the list and clicking individual facets.
  • The Active Filters row at the top of the window shows the current filters. Delete filters by clicking the x button.
  • Search field: free text search that filters the results in all fields simultaneously, irrespective of facet.
  • Distributed search: see Local and distributed search
  • Time period for which data is presented: modify by clicking the drop-down in the upper right corner. Options are last 1 hour, last 3 hours, last 1 day, last 3 days, or any time period you specify. Default is one hour.
  • Filters drop-down: see Filtering data and saving filters in the investigation dashboard
  • Add new dashboard, Save changes in dashboard, Save dashboard as: see Creating, saving, and exporting investigation dashboards