The Incidents > User Activity > Activity Monitoring page provides a weekly timeline or location view of the threat activity within your organization. It can be used to monitor the activity of the users within your organization and detect risk trends for the entire organization over time.
You can leverage the Activity Monitoring view to gain insight into your organization’s use of Cloud Service Providers, breaking down individual usage over activity, time, users, and role development. Additionally, when a specific anomaly has been detected, the activity screen allows an administrator to drill down into all other activities that have occurred around the same time as that activity, or by the same user; this is especially useful in cases of suspected security breaches. Lastly, because your users with administrative access have the greatest access to sensitive data and user information, the activity screen spotlights actions taken by these privileged users.
The Activity Monitoring page provides the following information and actions:
- Activity from... Select a service using the Activity from... menu to view and analyze activity for all services or for a single service.
- Search. Use the Search bar to search your Activities with the terms listed in Threat Protection and Activity Monitoring Search Terms.
- Filters. Select options on the Filters tab to scope down your search. See Location and Network Filters for more information.
- Date Picker. Use the Date Picker to specify a date range to display data.
- Views. Select Saved Views created by you or shared with you by another user to reuse specified search parameters from a previous search on current data.
- Activity Tab. The Activity tab displays the Activity List: a list of all user activities organized into activity categories.
- Geo Location Tab. The Geo Location tab displays a world map with bubbles based on the number of detected users.
- Users Tab. The Users tab details information about the individuals in your organization related to the activity being investigated. Its focus depends on whether you are in the Activity Tab or the Geo Location Tab.
- Anomalies Tab. The Anomalies tab displays information about activities that exceed expected thresholds and indicate unusual behavior or potential threats. Its focus depends on whether you are in the Activity Tab or the Geo Location Tab.
- Activities Tab. The Activities tab displays information about each action taken by your users. Its focus depends on whether you are in the Activity Tab or the Geo Location Tab.
- CSV. Click to export a CSV file of the data available on the selected tab.
Location and Network Filters
Location and Network are the two key trigger dimensions for Anomalous Access Location and Superhuman anomalies. To filter these anomalies, on the Available Activities page, use the following Omnibar search terms or filters:
- Country (two-letter code)
- IP Organization (org name)