Wondering if anybody can assist. We're logging privileged user activity (GUI interactions etc.) and looking to identify when a certain sequence occurs.
We have data such as the following:
Time | User | Action
--- | --- | ---
10:00 | Joe | Copied To Clipboard (Sensitive Data)
10:01 | Ben | Copied To Clipboard (Normal Data)
10:01 | Ben | Pasted From Clipboard
10:01 | Joe | Copied To Clipboard (Normal Data)
10:02 | Joe | Pasted From Clipboard
10:03 | Joe | Copied To Clipboard (Sensitive Data)
10:04 | Joe | Pasted From Clipboard
10:06 | Joe | Copied To Clipboard (Normal Data)
10:07 | Joe | Pasted From Clipboard
We're only interested in knowing when Sensitive data is copied, then pasted. So the exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied but then overwritten, such as Joe's actions at 10:00, 10:01 and 10:02, then it's ignored.
I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:
```
| SORT time
| transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
```
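The detection logic the question describes, written out as an added example (not part of the original post or of any Splunk command): a per-user state machine walks the events in time order, remembers only the most recent clipboard write, and reports a paste only when that write was a sensitive copy, so an intervening normal copy clears the state. The sample log is constructed from the table above; the line format and the action strings are assumptions about how the events are extracted.

```python
import re

# Constructed sample mirroring the table in the question (not real telemetry).
SAMPLE_LOG = """\
10:00 Joe Copied To Clipboard (Sensitive Data)
10:01 Ben Copied To Clipboard (Normal Data)
10:01 Ben Pasted From Clipboard
10:01 Joe Copied To Clipboard (Normal Data)
10:02 Joe Pasted From Clipboard
10:03 Joe Copied To Clipboard (Sensitive Data)
10:04 Joe Pasted From Clipboard
10:06 Joe Copied To Clipboard (Normal Data)
10:07 Joe Pasted From Clipboard
"""

# Assumed line layout: HH:MM, a single-token user name, then the action text.
LINE_RE = re.compile(r"^(\d{2}:\d{2})\s+(\S+)\s+(.+)$")
SENSITIVE_COPY = "Copied To Clipboard (Sensitive Data)"
ANY_COPY_PREFIX = "Copied To Clipboard"
PASTE = "Pasted From Clipboard"

def parse(log_text):
    """Yield (time, user, action) tuples, skipping lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_sensitive_pastes(events):
    """Return (paste_time, user, copy_time) for each paste whose user's most
    recent clipboard write was a sensitive copy. A later non-sensitive copy
    overwrites the clipboard and clears the pending state, so the
    10:00 / 10:01 / 10:02 pattern in the question is not reported."""
    pending = {}  # user -> time of the sensitive copy still on the clipboard
    hits = []
    # Stable sort on HH:MM keeps same-minute events in their logged order.
    for t, user, action in sorted(events, key=lambda e: e[0]):
        if action == SENSITIVE_COPY:
            pending[user] = t
        elif action.startswith(ANY_COPY_PREFIX):
            pending.pop(user, None)  # clipboard overwritten with normal data
        elif action == PASTE and user in pending:
            # The paste leaves the clipboard intact, so a repeat paste of the
            # same sensitive content is reported again; drop the key here if
            # only the first paste after each sensitive copy should count.
            hits.append((t, user, pending[user]))
    return hits

if __name__ == "__main__":
    for paste_t, user, copy_t in find_sensitive_pastes(parse(SAMPLE_LOG)):
        print(f"{user} pasted sensitive data at {paste_t} (copied at {copy_t})")
```

Run against the sample it reports only Joe's 10:03/10:04 pair; Ben's paste and Joe's 10:02 and 10:07 pastes are ignored because the last clipboard write before each was normal data.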