Video Recording

Privileged Access Management (PAM) Secure Session Video or Event Recordings.

PAM can video record remote sessions (excluding HTTP(S) proxy and SSH Tunnel sessions). The recordings can then be used to monitor or investigate all activity that took place during the session.

In combination with the video recordings, PAM also generates Keystroke and Clipboard recordings that can be used to quickly locate an event and “jump” to it in the video itself.

Session Events are also overlaid on the Instant Video Playback timeline to ease the process of session recording investigations.

Session Recordings

When supported, Session Recordings are available immediately after the Remote Session is completed and can be viewed with the following methods:

  • Instant Video Playback: When applicable, this option will instantly play the recorded video directly in your browser without requiring a conversion or export operation.
  • Convert to AVI, Convert to MOV or Convert to MP4 (Web browser created sessions only): This option will convert the video into an .avi, .mov or .mp4 video file so that it can be given to users outside of PAM.
  • Download (zip): (SSH Proxy sessions) This option will download the typescript recorded session in a native format (individual metadata, timing and typescript files). These files can be used for playback using the native Linux scriptreplay command.
  • Download (zip): (HTTP Proxy sessions) This option will download the HTTP proxy recorded session in a native .har format (HTTP Archive). These files can be reviewed in an HTTP archive viewer such as HAR Analyzer or HTTP Archive Viewer, among others.
  • Jump to Recording: From the Session Events report, use the Jump to Recording option to automatically open the video playback where the playhead will be placed at the beginning of this keystroke or clipboard event. This option is only available when the session was recorded.
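For the SSH Proxy download described above, a reviewer often wants the offline equivalent of Jump to Recording: the playback offset at which a given string appeared. The following is an added example, not part of PAM or its documentation. It assumes the timing file uses the classic `script --timing` layout (one `<delay> <byte-count>` pair per line) and that the typescript starts with a single header line; the sample data is constructed.

```python
from bisect import bisect_right

# Constructed sample: (delay in seconds, bytes written to the terminal).
CHUNKS = [
    (0.5, b"$ "), (1.5, b"whoami\r\n"), (0.25, b"admin\r\n$ "),
    (3.0, b"cat /etc/sh"), (0.25, b"adow\r\n"),
    (0.5, b"cat: /etc/shadow: Permission denied\r\n$ "), (2.0, b"exit\r\n"),
]
# Assumption: typescript = one header line + raw output; timing = classic
# "<delay> <byte-count>" lines, as written by `script --timing`.
SAMPLE_TYPESCRIPT = b"Script started (constructed sample)\n" + b"".join(c for _, c in CHUNKS)
SAMPLE_TIMING = "".join(f"{d} {len(c)}\n" for d, c in CHUNKS)

def load_timeline(typescript: bytes, timing: str):
    """Return [(seconds_from_start, chunk)], one entry per timing line."""
    _, _, body = typescript.partition(b"\n")  # replay skips the header line
    timeline, pos, clock = [], 0, 0.0
    for lineno, line in enumerate(timing.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"timing line {lineno}: expected 2 fields")
        clock += float(fields[0])
        chunk = body[pos:pos + int(fields[1])]
        pos += len(chunk)
        timeline.append((clock, chunk))
        if len(chunk) < int(fields[1]):  # typescript shorter than timing claims
            break
    return timeline

def find_offsets(timeline, needle: bytes):
    """Offsets (seconds) where `needle` starts, even if split across chunks."""
    stream = b"".join(chunk for _, chunk in timeline)
    starts, pos = [], 0
    for _, chunk in timeline:
        starts.append(pos)
        pos += len(chunk)
    hits, i = [], stream.find(needle)
    while i != -1:
        # The chunk containing the first matching byte gives the timestamp.
        hits.append(timeline[bisect_right(starts, i) - 1][0])
        i = stream.find(needle, i + 1)
    return hits

if __name__ == "__main__":
    tl = load_timeline(SAMPLE_TYPESCRIPT, SAMPLE_TIMING)
    for t in find_offsets(tl, b"/etc/shadow"):
        print(f"match at +{t:.2f}s")
```

Searching the joined stream matters because interactive input is usually echoed in small pieces, so a command rarely sits inside one timing entry.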

Videos are captured at the resolution of the user’s session so they may appear larger or smaller when played back on different resolutions (scrollbars or borders).

Session Recordings with Event Overlay

Instant Video Playback displays the history of recorded session events in a bar located above the video playback timeline. This Session Event overlay bar displays each recorded session event from this session in a color-coded category as described below:

  • Key Sequence events are shown in blue and include:

    • KeySequence, CommandSequence, ShellInput, ShellExec, InputStream, OutputStream, AwsCliCommand

  • Clipboard events are shown in yellow and include:

    • Clipboard

  • File Activity events are shown in orange and include:

    • FileUpload, FileDownload, FileListing, SftpListDir, SftpUpload, SftpDownload, SftpRename, SftpRemove, SftpMkdir, SftpRmdir, ScpUpload, ScpDownload

  • In-Session events are shown in red and include:

    • SessionJoin, SessionLeft

  • Database events are shown in green and include:

    • MySQLQuery, MySQLCreateDb, MySQLDropDb, MySQLInitDb, MySQLChangeUser, MySQLShutdownServer, MSSQLQuery, MSSQLBatch, MSSQLExecute, MSSQLCursorOpen, OraSQLStatement

The session event category filters can be displayed or hidden with a single click to adjust which category of session events will be displayed in the overlay bar.

Each session event is displayed in equal width blocks with a small white space between each and ordered by event start time.

These event blocks are not intended to match the timestamps of the video playback, but rather to display each event chronologically as it was recorded during the user’s session.

When a keyframe category is disabled, a larger white space (gap) may appear between other visible category blocks indicating the presence of these hidden events.

The viewer may hover over any session event in the overlay bar to see additional details about each event.

The viewer may use the vertical ellipsis button, to the left of the play button, to access the Configure Session Events menu to adjust options.

PAM Permissions

PAM Permissions are used to define which sessions are recorded by default and which sessions have recording enabled via the user’s choice.

When configuring your Session Control permissions, the following options are available for Principals (users or groups):

  • None
    • The principal may not establish a remote session using this record.
  • Connect (Optionally recording without session events)
    • The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes, clipboard and file transfer) will not be recorded.
  • Connect (Always recording without session events)
    • The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes, clipboard and file transfer) will not be recorded.
  • Connect (Optionally recording with session events)
    • The principal may establish a remote session using this record and can choose whether their session is video recorded or not. Session events (keystrokes, clipboard and file transfer) will be recorded.
  • Connect (Always recording with session events)
    • The principal may establish a remote session using this record and their session will always be video recorded. Session events (keystrokes, clipboard and file transfer) will be recorded.
  • Connect (No Recording with session events)
    • The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes, clipboard and file transfer) will be recorded.

  • Connect (No Recording without session events)
    • The principal may establish a remote session using this record and their session will not be video recorded. Session events (keystrokes, clipboard and file transfer) will not be recorded.

  • Convert to AVI, Convert to MOV, Convert to MP4

    • This option will convert the video into an .avi, .mov or .mp4 video file so that it can be given to users outside of PAM.

Please note that SSH Proxy recordings will only occur for users that have the Always Recording permission. Users with the Optional Recording permission will not be recorded.

Session Recordings are accessible from the following locations and require an account with either Owner, Auditor or System Administrator privileges.

  • From the Record: Open the Record and navigate to Sessions > Recording and use the Action button to choose your playback option.
  • From the Sessions Report: Locate or Search for the Record and then use the Recording’s Action button to choose your playback option.
  • From the Session Events Report: Locate or Search for the Keystroke or Clipboard event and then use the Action button to select the Jump to Recording option.
  • From My Sessions: Navigate to Management > My Sessions, locate or search for the Record and then use the Recording’s Action button to choose your playback option.

By default, session recordings are stored in a directory within your PAM installation location.

If you would like to change this location to a new path (for example, a network share or external drive), please see the steps required here.

Session Recording Retention

All session recording video files are stored indefinitely. To implement a retention schedule for these video recordings, configure the option described below:

  1. Log in to PAM as a System Administrator
  2. Navigate to Administration > Settings > Parameters > Session Recording Retention
  3. Enter a value (defined in Days). PAM will delete all session video recordings after this specified number of days. A value of 0 (zero) will disable the retention schedule.
  4. Click the Save button next to this option.

Please note that this retention schedule is applied globally to all session video recordings, and video recordings that have been purged due to this schedule cannot be recovered.