Monitor and Investigate User Activity
Learn how to monitor and investigate user activity across all assets or a single asset on SaaS Security API.
On SaaS Security API, you can view user activity across all assets, depending on your SaaS app. Using an API integration model, SaaS Security API connects to each service and retrieves the user activity logs.
These logs enable you to monitor and investigate a variety of actions taken (activity or events) by your end users, including:
- file and folder downloads
- file and folder uploads
- failed login attempts
- sharing and collaboration
There are two different approaches to monitoring user activity: you can monitor activity across all assets or monitor activity for a single asset. The workflow you choose depends on your scope of investigation, but the filters and facets provided to explore the data are available at all times. Before you begin, however, determine if any of your SaaS apps have unique user activity requirements. Additionally, you can create a user activity policy rule to receive activity alerts.
Monitor Activity for a Single Asset
If a specific asset triggered an incident due to your organization’s policies, you might need to investigate that incident to determine the correct remediation action.
View All Related Activitiesis supported on Box, Dropbox, and Google Drive only.
- Locate and click on the asset’sItem Name.
- Navigate toWho is accessing this File?andView All Related Activities.If there’s no activity, aNo activity in the past 90 daysmessage displays.
Monitor Activity within a Folder
If you want to view user activity for the files within a specific folder, there are some cloud apps that support this view.
- Locate and click on the folder’sItem Name.
- Navigate toEvents inside this folder.
Explore User Activity Results
- Date—Time frame when the user activity occurred. For example: past day, past week, past month, or past year.
- Action—Activity the user initiated. For example, download, view, sync, share, upload, delete, and copy a file or folder, or login.By default, any activity log with actionOtheris not displayed on SaaS Security API. To include all activity logs, hover-overActionto displaySettings. SelectYestoInclude activities whose action is unclassified?.
- Cloud App—SaaS application on which the user activity occurred. For example, Box.
- Target Type—Location, user, or asset where an activity or change occurred. It allows you to learn about who did what, for example which user initiated an action on a file, space, or folder, or added a user, created a space, performed work on a report, or used the API.
- Search—Find an item using part of the filename or find a user by the full email address. Because the user activity logs include information on the email address of the user who logged in, the source IP address and location of the user who performed the action, and the name of the item being modified or created, you can match on a phrase or email address.
Identify Risky Users
Learn how to identify risky users.
Just as you can assess risks by investigating user activity, SaaS Security API also enables you to identify risks by users. It’s important to identify risk users so as to uncover the assets that pose a risk to your organization. For example, you can assess the risk of data leakage for untrusted users, external users, or former employees.
To identify risky users, you need to look at your users from a number of vantage points:
- (Optional) Apply aCloud Appfilter.
- SelectInternal UsersorExternal Users.
- Observe columns forOwned ItemsandCollaboration Itemsto identify users with a pattern of risky behavior.
- Click the value in a column to view the user’s email, any cloud applications used, role, and activity as well asMore Infoto see detailed information associated with the user.
- (Optional) Click the CSV icon to export a CSV file with a list of all users and cloud applications used.
User Activity Requirements
SaaS Security API supports user activity, depending on your cloud app. Some cloud apps have unique requirements to enable user activity.
Google Apps Unlimited or Google Apps for Education subscription to enable the retrieval of all event logs. Without this additional subscription, only login and logout events are available to SaaS Security API.
See also Fix Google Drive Monitoring Issues.
User Event Monitoring license to enable the retrieval of all event logs. Without this additional license, only log in and log out events are available to SaaS Security API.
Microsoft Teams (Beta)
Recommended For You
Recommended videos not found.