User Activity Monitor (UAM)
DeviceLock DLP includes User Activity Monitor (UAM), an optional component that extends the functionality of DeviceLock. It installs automatically but requires a separate license to function. For more information on a license for this component, see UAM Licensing.
The DeviceLock UAM component monitors end-user actions by recording video of the user’s computer screen, along with all keystrokes and information about the processes and applications that were running and used during recording. These kinds of activity monitoring significantly expand the evidence base in the investigation of information security incidents, simplify the process of identifying suspicious user behavior, and help reveal misuse of access privileges or violations of data protection policies, thereby reducing the risk of data leaks.
An important feature of DeviceLock UAM is the ability to record a computer screen, keystrokes, and process information when a specific event occurs. DeviceLock UAM rules can be set to start recording upon various event occurrences, such as triggering a certain content inspection rule, connecting an external drive, running a certain process in the system, etc.
To implement user activity monitoring, DeviceLock Service records the user’s on-screen actions in a video format along with recording user keystrokes and saving other information such as active application name, active window title, and so on. The monitoring data can then be collected from user computers by DeviceLock Enterprise Server where authorized persons can view and analyze those recordings of user activity.
The ability to store a recording of user actions gives DeviceLock a number of advantages when detecting data leak threats. The DeviceLock Service records exactly what the user sees on the computer screen regardless of the applications and protocols used or the level of privilege the user has. Keyboard input and other data recorded by DeviceLock Service along with video can be leveraged to track certain user actions.
DeviceLock Service features various triggering criteria to start recording when certain events or conditions occur. Depending on the criteria selected in the policy, recording can start, for example, when a specific device is connected, a certain application is opened, or an unauthorized attempt is made to write a file or send a message. Triggering criteria enable DeviceLock Service to perform selective recordings of potentially suspicious user actions. Here are some examples of the triggering criteria available:
VPN connection exists
Wireless connection exists
Process “<process name>” exists
Content-Aware rule “<rule name>” is triggered
Storage device is attached
Read access to “<device / protocol name>” is denied
Write access to “<device / protocol name>” is denied
For more on record triggering criteria, see Setting up triggering criteria in the User Activity Monitor documentation.
DeviceLock Service initially stores user activity monitoring data on the local computer, allowing the administrator to explore local records of user actions in the DeviceLock Management Console connected to the DeviceLock Service. In this way, one can only view the records made by the DeviceLock Service on the local computer.
To enable centralized viewing and analysis of the recordings made on different computers, it is necessary to transfer user activity monitoring data to DeviceLock Enterprise Server. The servers that collect and hold that data are specified by the respective DeviceLock Service setting. If necessary, the data from individual servers can be combined for viewing and analysis on a central collection server by using the log consolidation feature.
For more on monitoring record viewers, see Viewing User Activity in the User Activity Monitor documentation.