Monitor and Investigate User Activity

Learn how to monitor and investigate user activity across all assets or a single asset on SaaS Security API.
On SaaS Security API, you can view user activity across all assets, depending on your SaaS app. Using an API integration model, SaaS Security API connects to each service and retrieves the user activity logs.
These logs enable you to monitor and investigate a variety of actions taken (activity or events) by your end users, including:
  • file and folder downloads
  • file and folder uploads
  • failed login attempts
  • sharing and collaboration
There are two different approaches to monitoring user activity: you can monitor activity across all assets or monitor activity for a single asset. The workflow you choose depends on your scope of investigation, but the filters and facets provided to explore the data are available at all times. Before you begin, however, determine if any of your SaaS apps have unique user activity requirements. Additionally, you can create a user activity policy rule to receive activity alerts.

Monitor Activity Across All Assets

As part of your daily operations, you might need to investigate activity on a broad scale.
  1. Select
    Explore
    Activities
    .
  2. Filter the results to meet your audit needs.
  3. Export this data to a CSV file to review the activity logs offline.

Monitor Activity for a Single Asset

If a specific asset triggered an incident due to your organization’s policies, you might need to investigate that incident to determine the correct remediation action.
View All Related Activities
is supported on Box, Dropbox, and Google Drive only.
  1. Select
    Incidents
    Assets
    .
  2. Locate and click on the asset’s
    Item Name
    .
  3. Navigate to
    Who is accessing this File?
    and
    View All Related Activities
    .
    If there’s no activity, a
    No activity in the past 90 days
    message displays.
  4. Filter the results to meet your audit needs.
  5. Export this data to a CSV file to review the activity logs offline.

Monitor Activity within a Folder

If you want to view user activity for the files within a specific folder, there are some cloud apps that support this view.
  1. Select
    Explore
    Assets
    .
  2. Locate and click on the folder’s
    Item Name
    .
  3. Navigate to
    Events inside this folder
    .
  4. Export this data to a CSV file to review the activity logs offline.

Explore User Activity Results

Whether you want to explore the data set for activities for a single asset or across all assets, the filters and facets provided are the same. Use these tools to narrow and expand the results to meet your audit needs.
  • Date
    —Time frame when the user activity occurred. For example: past day, past week, past month, or past year.
  • Action
    —Activity the user initiated. For example, download, view, sync, share, upload, delete, and copy a file or folder, or login.
    By default, any activity log with action
    Other
    is not displayed on SaaS Security API. To include all activity logs, hover-over
    Action
    to display
    Settings
    . Select
    Yes
    to
    Include activities whose action is unclassified?
    .
  • Cloud App
    —SaaS application on which the user activity occurred. For example, Box.
  • Target Type
    —Location, user, or asset where an activity or change occurred. It allows you to learn about who did what, for example which user initiated an action on a file, space, or folder, or added a user, created a space, performed work on a report, or used the API.
  • Search
    —Find an item using part of the filename or find a user by the full email address. Because the user activity logs include information on the email address of the user who logged in, the source IP address and location of the user who performed the action, and the name of the item being modified or created, you can match on a phrase or email address.

Identify Risky Users

Learn how to identify risky users.
Just as you can assess risks by investigating user activity, SaaS Security API also enables you to identify risks by users. It’s important to identify risk users so as to uncover the assets that pose a risk to your organization. For example, you can assess the risk of data leakage for untrusted users, external users, or former employees.
To identify risky users, you need to look at your users from a number of vantage points:
In addition to analyzing user activity, you can also identify a risky user in the context of incidents using the
Owner
filter.
  1. Select
    Explore
    People
    .
  2. (
    Optional
    ) Apply a
    Cloud App
    filter.
  3. Select
    Internal Users
    or
    External Users
    .
  4. Observe columns for
    Owned Items
    and
    Collaboration Items
    to identify users with a pattern of risky behavior.
  5. Click the value in a column to view the user’s email, any cloud applications used, role, and activity as well as
    More Info
    to see detailed information associated with the user.
  6. (
    Optional
    ) Click the CSV icon to export a CSV file with a list of all users and cloud applications used.

User Activity Requirements

SaaS Security API supports user activity, depending on your cloud app. Some cloud apps have unique requirements to enable user activity.
SaaS App
Requirement
Google Drive
Google Apps Unlimited or Google Apps for Education subscription to enable the retrieval of all event logs. Without this additional subscription, only login and logout events are available to SaaS Security API.
Salesforce
User Event Monitoring license to enable the retrieval of all event logs. Without this additional license, only log in and log out events are available to SaaS Security API.
Office 365
Microsoft Teams (Beta)
You must turn on audit logs in Office 365 to record user and administrator activity.

Recommended For You