To investigate user activity in Security Center using the Activity trails report, familiarize yourself with the activity definitions.
General user activity
You can investigate the following general user activity:
- Alarm acknowledged
- Who acknowledged an active alarm.
- Alarm context edited
- Who edited the context of an alarm.
- Alarm forcibly acknowledged
- Who forcibly acknowledged an active alarm.
- Alarm forwarded
- Who forwarded an active alarm.
- Alarm snoozed
- Who snoozed an active alarm.
- Alarm triggered (manually)
- Who manually triggered an alarm.
- All alarms forcibly acknowledged
- Who forcibly acknowledged all active alarms.
- Connected to remote Security Desk
- Who connected to a remote Security Desk workstation.
- Disconnected from remote Security Desk
- Who disconnected from a remote Security Desk workstation.
- Email a report
- Who sent a report, based on a saved reporting task, as an email
attachment.NOTE: The Activity trails report cannot indicate whether or not the recipient has received the email.
- Email a snapshot
- Who sent a series of snapshots of a video feed as an email
attachment.NOTE: The Activity trails report cannot indicate whether or not the recipient has received the email.
- Executed record fusion search
- Who performed a search for records registered with the Record Fusion Service.
- Health event dismissed
- Who dismissed a health event.
- Image exported
- Who exported a cardholder or visitor picture, or an image from a custom field.
- Intrusion alarm acknowledged
- Who acknowledged an intrusion alarm.
- Intrusion alarm silenced
- Who silenced an intrusion alarm.
- Intrusion alarm triggered
- Who manually triggered an intrusion alarm.
- Intrusion detection area disarmed
- Who disarmed an intrusion detection area.
- Intrusion detection area input bypass activated/deactivated
- Who activated or deactivated a sensor bypass in an intrusion detection area.
- Intrusion detection area master armed
- Who master armed an intrusion detection area.
- Intrusion detection area perimeter armed
- Who perimeter armed an intrusion detection area.
- Macro started/aborted
- Who started or stopped a macro.
- Output triggered (manually)
- Who triggered an output pin (for example, using a hot action).
- Record modified in cache
- Who modified a record in the record cache.
- Report exported/generated/printed
- Who exported, generated, or printed a report.IMPORTANT: To comply with State laws, if the Report generated option is used for an Activity trails report that contains ALPR data, the reason for the ALPR search is included in the Description field.
- Send an email
- Who sent an email to users, cardholders, or specified email
addresses.NOTE: The Activity trails report cannot indicate whether or not the recipient has received the email.
- Threat level set/cleared
- Who set or cleared a threat level, and on which area or system.
- Unit certificate changed
- Who changed the unit certificate.
- Unit password changed
- Who changed the unit password and whether the password was manually entered or system generated.
- Unit password history consulted
- Who viewed the password history of a unit.
- Unit password recovered
- Who recovered the password of a unit.
- Unit passwords exported
- Who exported the Hardware inventory report with unit passwords.
- User logged on/off
- Who logged on or off of which Security Center client application.
- User logon failed
- Who failed to log on to a Security Center client application, and why.
User activity related to access control
You can investigate the following user activity related to access control:
- Access control unit rebooted (manually)
- Who manually rebooted an access control unit.
- Access control unit support logs enabled/disabled
- Who enabled or disabled support logs for an access control unit.
- Access control unit synchronization started (manually)
- Who manually started an access control unit synchronization.
- Antipassback violation forgiven
- Who forgave an antipassback violation.
- Archived visitors deleted
- Who manually deleted an archived visitor from the Visitor management task and when an automatic cleanup of archived visitors was run.
- Badge printed
- Who printed a credential badge.
- Card encoded with a DESFire configuration
- Who encoded a card with a MIFARE DESFire configuration from the MIFARE DESFire configuration task.
- Card encoding tested with a DESFire configuration
- Who tested a card encoded with a MIFARE DESFire configuration from the MIFARE DESFire configuration task.
- Credential request canceled/completed
- Who completed or canceled a credential badge print request.
- Credential requested
- Who requested a credential badge to be printed, and why.
- Device shunted
- Who shunted (disabled) an access control device.
- Door maintenance mode canceled
- Who canceled the maintenance mode on a door.
- Door set in maintenance mode
- Who unlocked a door by setting it in maintenance mode.
- Door unlock schedule overridden (lock/unlock)
- Who overrode the lock or unlocking schedule of a door.
- Door unlock schedule override canceled
- Who canceled the unlocking schedule override of a door.
- Door unlocked (explicitly)
- Who unlocked a door from Security Desk using a hot action or alarm event-to-action.
- Door unlocked (manually)
- Who manually unlocked a door from the Security Desk Door widget.
- Elevator floor access schedule override canceled
- Who canceled an elevator schedule override.
- Elevator floor access schedule overridden (free access)
- Who overrode a free access elevator schedule.
- Elevator floor access schedule overridden (restricted access)
- Who overrode a controlled access elevator schedule.
- Exported DESFire configuration to file
- Who exported MIFARE DESFire configurations to a file from the MIFARE DESFire configuration task.
- Exported DESFire configuration to unit
- Who exported MIFARE DESFire configurations to an access control unit from the MIFARE DESFire configuration task.
- Exported DESFire cryptographic keys to unit
- Who exported MIFARE DESFire cryptographic keys to an access control unit from the MIFARE DESFire configuration task.
- Firmware upgrade for access control unit scheduled with interface module upgrade
- Who scheduled a firmware upgrade for an access control unit and its associated interface modules.
- Firmware upgrade for access control unit scheduled without interface module upgrade
- Who scheduled a firmware upgrade for an access control unit.
- Firmware upgrade for interface module scheduled
- Who scheduled a firmware upgrade for an interface module.
- Imported DESFire configurations
- Who imported MIFARE DESFire configurations from the MIFARE DESFire configuration task.
- Inputs shunted
- Who unshunted (disabled) an input.
- Inputs unshunted
- Who shunted (disabled) an input.
- Minimum security clearance modified
- Who changed the minimum security clearance for an entity, and what the minimum security clearance was set to.
- People count reset
- Who reset the people count of an area to zero.
- Person added to area
- Who added a cardholder to an area, using the SDK.
- Person removed from area
- Who removed a cardholder from an area in the People counting task.
- Platform upgrade for access control unit scheduled without interface module upgrade
- Who scheduled a platform upgrade for an access control unit.
- Scheduled upgrade for access control unit canceled
- Who canceled an access control unit's scheduled firmware or platform upgrade.
- Set reader mode
- Who changed the reader mode for accessing doors between Card and PIN and Card or PIN.
- Trusted certificate reset
- Who reset the trusted certificate of a Synergis™ Cloud Link unit.
- Unlock area perimeter doors
- Who unlocked an area perimeter door.
- Zone armed/disarmed
- Who armed or disarmed a zone.
User activity related to ALPR
You can investigate the following user activity related to ALPR:
- Application updated
- Who updated a Genetec Patroller™ or a Sharp unit.
- Enforce in-lot violation triggered
- Who enforced an in-lot violation in a parking zone.
- Hit deleted
- Who deleted a hit.
- Hotlist or permit list edited
- Who loaded a hotlist or permit list, or added, modified, or deleted license plates in the list.
- Past read matching triggered
- Who performed past read matching in Patroller.
- Photo evidence report printed (Hits/Reads)
- Who printed a hits/reads evidence report.
- Plate filtering enabled
- Which ALPR Manager role has plate filtering enabled.
- Read edited/triggered
- Who edited/triggered a license plate read.
- Read/hit protected
- Who protected a license plate read or hit.
- Read/hit unprotected
- Who unprotected a license plate read or hit.
- Reset parking zone inventory
- Who reset the inventory of a parking zone.
- Set parking zone occupancy
- Who modified the occupancy of a parking zone.
User activity related to video
You can investigate the following user activity related to video:
- Archive backup started/stopped (manually)
- Who manually started or stopped video from being backed up from an Archiver.
- Archiver consolidation started/stopped (manually)
- Who started or stopped video from being consolidated from a secondary Archiver to the primary Archiver.
- Archive duplication started/stopped (manually)
- Who started or stopped video from being duplicated from one Archiver to another.
- Archive restore started/stopped (manually)
- Who started or stopped video archive from being restored to an Archiver.
- Archive retrieval from units started/stopped (manually)
- Who started or stopped transferring video from video units to an Archiver.
- Bandwidth limit exceeded
- Who requested a video stream that was unable to connect because the bandwidth limit for redirected video was reached. Or, who lost a redirected video stream connection because the bandwidth limit was reached and a user with a higher user level requested a stream.
- Bookmark added
- Who added a bookmark.
- Bookmark deleted
- Who deleted a bookmark.
- Bookmark modified
- Who modified a bookmark.
- Camera blocked/unblocked
- Who blocked or unblocked a camera.
- Confidential video requested
- Who requested to view a confidential video stream.
- Connected to analog monitor
- Who connected to an analog monitor.
- Disconnected from analog monitor
- Who disconnected from an analog monitor.
- Key stream removed
- Who removed a key stream.
- Live/Playback streaming requested from Federation™
- Which Federation host requested streaming and from which camera.NOTE: The name given to the Federation user should be descriptive of the Federation host. For example, instead of using federation_1, use PoliceDepartment or CompanyHeadquarters.
- Live streaming started/stopped
- Which camera was displayed or removed.
- Playback streaming
- Which recording was played.
- PTZ activated
- Who moved an idle PTZ.
- PTZ command sent
- Which PTZ command the user sent. It can include presets that are set or cleared, patterns that are started, run, or cleared, and so on.
- PTZ locked
- Who locked PTZ on which camera.
- PTZ zoom started/stopped
- Who started or stopped PTZ zoom on which camera.
- Recording started/stopped (manually)
- Who started or stopped recording video manually.
- Sequence paused/resumed
- Who paused or resumed a video sequence.
- Snapshot printed/saved
- Who printed or saved a snapshot.
- Video exported
- What did the user export and where did they save it.NOTE: If the user lacks the Single user export privilege, both usernames are reported. In a federated system, only the federated username is reported.
- Video file deleted (manually)
- Who deleted a video file from the system.
- Video file protected/unprotected
- Who started or stopped protection on a video file.
- Video stream not delivered
- Who had their video request canceled without having a single frame being rendered.
- Video unit identified/rebooted/reconnected
- Who identified/rebooted/reconnected a video unit.
- Video unit replaced
-
- Who replaced a video unit using the Unit replacement tool.
- Which video unit was replaced.
- Visual tracking enabled/disabled
- Who enabled or disabled visual tracking in a tile.