McAfee MVISION Cloud

Activity Tab

MVISION Cloud automatically organizes all user activities into categories, including a catch-all category called Service Usage. You can edit the activity categories so that they better fit your organization's needs. 

The Activity Tab displays Users, Activities, Anomalies and Policy Violations, providing the detail behind the information shown in the Activity Timeline. Use the activity list to drill down and locate actionable information for security audits, privileged user activity monitoring, login tracking and more. 

Activity Timeline

The Activity Timeline displays a twelve-week span, one column per day, showing the number of activities, anomalies and policy violations recorded each day. This gives insight into activity trends over time and helps you recognize and respond to anomalous behavior.


  • Each line on the timeline represents a category of activity.
  • Each column represents a single day.
  • The higher the bar for a day, the more activities of that type occurred on that day.
  • Click Edit Categories to add activities to the category list.
  • Click a bar or icon to show, in the Activity List, the activities, anomalies or policy violations in those categories that occurred on that day.
  • Zoom into a specific day to drill down and gather additional information.
  • Click Reset to return to the standard view.

Activity Categories

To see the activities included in a category, select that category, and in the table below, select the Activities tab.

Activities are displayed by Action Name, User, Source IP, Country, Device Type, Date/Time and Service Name. 

MVISION Cloud automatically categorizes new activity types from Cloud Service Providers using Natural Language Processing (NLP). You can override the NLP categorization by editing the categories of those activity types.


Edit Categories

Moving an activity out of a category, or into a different category, is a two-stage process: first unassign the activity from its current category, then assign it to the new one. 

  1. Go to Incidents > User Activity > Activity Monitoring.
  2. Click Edit Categories.
  3. In the Edit Activity Categories dialog, select a Category from the column. The associated Activities are displayed. 
  4. To remove an activity from the category, select it and click the arrow to move it into the Unassigned column. To remove all activities, click the double arrow. 
  5. Click Save. When the confirm dialog is displayed, click OK.
  6. Next, to add that activity to a different category, select Unassigned from the Category column. The unassigned Activities are displayed. 
  7. Select the activity from the column, and from the Unassigned menu, select the category you want to add that activity to. 
  8. Click the arrow to move it.
  9. Click Save. When the confirm dialog is displayed, click OK.  

Users Tab

The Users tab details information about the individuals in your organization related to the activity being investigated. It displays the following information:

  • User. The name, email address or username of the selected user, as provided by your Active Directory or from the user profile information in Salesforce.
  • Profile. This information is pulled from user profile information stored in Salesforce.
  • Role. This information is pulled from user profile information stored in Salesforce.
  • # of Actions. Actions taken during the period of time investigated.
  • Anomalies. Anomalous actions performed by the selected user.


User Detail Box

Clicking on a specific user line will open the User Detail box on the right side of the screen. The User Detail box displays the following information:

  • Profile. This information is pulled from user profile information stored in Salesforce and is defined by your organization.
  • Role. This information is pulled from user profile information stored in Salesforce and is defined by your organization.
  • Company. The company where the user works pulled from information stored in Salesforce.

Users CSV File

When you export the data from the Users tab to a CSV file, the following columns are provided:

  • User. The user to whom the row refers. This information is retrieved from your Active Directory.
  • Role. User's role, if available. 
  • Profile. User's profile, if available. 
  • Service Name. The Cloud Service Provider used. 
  • Sub-Service Name. Sub Cloud Service Name, if applicable. (For example, Microsoft OneDrive is a sub-CSP.)
  • Service Identifier. 
  • Threats. 
  • Anomalies. 
  • Activities. 

Anomalies Tab

The Anomalies tab displays information about activities that exceed expected thresholds and indicate unusual behavior or potential threats. The following information is displayed:

  • Anomaly. The Anomaly Category and Anomaly Name.
  • User. The user who performed the anomalous action.
  • Service. The service in which the anomaly occurred.
  • Date. When the anomaly was detected.


Anomalies Detail Box

Clicking on a specific anomaly line will open the Anomaly Detail box on the right side of the screen. The Anomaly Detail box displays the following information:

  • Anomaly Category. The sortable category to which the anomaly belongs.
  • Date/Time. The recorded date and time when the anomaly occurred.
  • User Activity. A map showing where in the world the anomaly occurred.
  • Anomaly
    • Anomaly Name. The specific name of the anomaly.
    • Activity Name. The name of the activity that triggered the anomaly (one of more than 100 activity types).
    • Number of Activities. How many times during this period the activity occurred.
    • Anomaly Generated. Recorded instances of the activity.
  • User. The user who performed the anomalous activity. This information is retrieved from your Active Directory.
  • Service. The monitored service where the anomaly occurred.

Anomalies CSV File

When you export the data from the Anomalies tab to a CSV file, the following columns are provided:

  • Search Key.
  • Incident ID. 
  • User. 
  • Anomaly. 
  • Anomaly Cause. 
  • Anomaly Category. 
  • Anomaly Created Time. 
  • Activity Name. 
  • Activity Count. 
  • Anomaly Threshold. 
  • Threshold Duration. 
  • Severity. 
  • Service Name. 
  • Sub-Service Name. 
  • Instance. 
  • Anomaly Updated Time. 
  • Source IP. 
  • Source Organization. 
  • Source City. 
  • Source Region. 
  • Source Country. 
  • Source Proxy Type. 
  • Source Network Type. 
  • Source Trust Reason. 
  • Source Trusted For. 
  • Source Action Name. 
  • Source Timestamp. 
  • Source IP Next. 
  • Source Organization Next. 
  • Source City Next. 
  • Source Region Next. 
  • Source Country Next. 
  • Source Proxy Type Next. 
  • Source Network Type Next. 
  • Source Trust Reason Next. 
  • Source Trusted For Next. 
  • Source Action Name Next. 
  • Source Timestamp Next. 
  • Source Latitude. 
  • Source Latitude Next. 
  • Source Longitude. 
  • Source Longitude Next. 
  • Distance in miles. 
  • Time Differential Observed. 
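The Source / Source ... Next column pairs, together with Distance in miles and Time Differential Observed, give you enough raw data to verify a location-based anomaly yourself rather than taking the export at face value. The following added example (not part of the original article and not MVISION Cloud code) recomputes the great-circle distance from the exported coordinates, derives the implied travel speed from the two Source Timestamps, and flags rows where the exported distance disagrees with the coordinates. The sample rows, user names, IPs and anomaly name are constructed, and the timestamp format is assumed to be ISO 8601 UTC; the real export may differ.

```python
import csv
import io
import math
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # roughly airliner cruise speed; faster than this is impossible travel

# Constructed sample export using a subset of the Anomalies CSV columns listed above.
# Users, IPs, coordinates and the anomaly name are invented; timestamps are assumed
# to be ISO 8601 UTC. The third row has identical locations, zero elapsed time and a
# bogus exported distance, to exercise the edge cases.
SAMPLE_ANOMALIES_CSV = """\
Incident ID,User,Anomaly,Anomaly Category,Source IP,Source City,Source Country,Source Latitude,Source Longitude,Source Timestamp,Source IP Next,Source City Next,Source Country Next,Source Latitude Next,Source Longitude Next,Source Timestamp Next,Distance in miles,Time Differential Observed
INC-1001,alice@example.com,Travel Between Locations,Access,203.0.113.10,London,GB,51.5074,-0.1278,2021-03-01T08:00:00Z,198.51.100.7,New York,US,40.7128,-74.0060,2021-03-01T09:30:00Z,3461,1.5
INC-1002,bob@example.com,Travel Between Locations,Access,192.0.2.5,Paris,FR,48.8566,2.3522,2021-03-01T10:00:00Z,192.0.2.9,Berlin,DE,52.5200,13.4050,2021-03-01T18:00:00Z,546,8
INC-1003,carol@example.com,Travel Between Locations,Access,192.0.2.20,Madrid,ES,40.4168,-3.7038,2021-03-02T12:00:00Z,192.0.2.21,Madrid,ES,40.4168,-3.7038,2021-03-02T12:00:00Z,3000,0
"""


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def parse_utc(value):
    """Parse an assumed ISO 8601 UTC timestamp such as 2021-03-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def speed_mph(miles, hours):
    if miles < 1.0:        # same place within geolocation noise: nothing to assess
        return 0.0
    if hours <= 0:         # simultaneous or out-of-order events: treat as instantaneous
        return math.inf
    return miles / hours


def analyze_anomalies(csv_text, max_plausible_mph=MAX_PLAUSIBLE_MPH):
    """Recompute distance and speed for every row from its raw Source / Source ... Next
    columns and compare the result with the exported 'Distance in miles' value."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        miles = haversine_miles(float(row["Source Latitude"]), float(row["Source Longitude"]),
                                float(row["Source Latitude Next"]), float(row["Source Longitude Next"]))
        elapsed = parse_utc(row["Source Timestamp Next"]) - parse_utc(row["Source Timestamp"])
        hours = elapsed.total_seconds() / 3600.0
        mph = speed_mph(miles, hours)
        reported = float(row["Distance in miles"])
        findings.append({
            "incident": row["Incident ID"],
            "user": row["User"],
            "route": f"{row['Source City']}, {row['Source Country']} -> {row['Source City Next']}, {row['Source Country Next']}",
            "computed_miles": round(miles),
            "reported_miles": reported,
            # exported distance disagrees with the coordinates by more than 5 %
            "distance_mismatch": abs(miles - reported) > 0.05 * max(reported, 1.0),
            "hours": hours,
            "mph": round(mph) if math.isfinite(mph) else mph,
            "impossible_travel": mph > max_plausible_mph,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_anomalies(SAMPLE_ANOMALIES_CSV):
        flag = "IMPOSSIBLE" if f["impossible_travel"] else "ok"
        note = " (exported distance disagrees with coordinates)" if f["distance_mismatch"] else ""
        print(f"{f['incident']} {f['user']}: {f['route']} {f['computed_miles']} mi "
              f"in {f['hours']:.1f} h = {f['mph']} mph [{flag}]{note}")
```

Recomputing from the coordinate and timestamp columns, rather than trusting the derived Distance in miles and Time Differential Observed columns, lets you set your own speed threshold and catch rows where the export's derived values are inconsistent with its raw ones.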

Activities Tab

The Activities list displays information about each action taken by your users, covering every action that was monitored and evaluated against the anomaly thresholds.

  • Activity Name. The specific activity performed.
  • User. User who performed the action.
  • Source IP. The IP address from which the action originated.
  • Country. The country from which the action originated, derived from the source IP.
  • Device Type. Personal Computer, Tablet, Mobile Device.
  • Date/Time. When the activity was detected.
  • Service Name. The Cloud Service Provider used. 

For more information on Enhanced Metadata, see MVISION Cloud Enhanced Metadata.


Activity Detail Box

Clicking on a specific activity line will open the Activity Detail box on the right side of the screen. The Activity Detail box displays the following information:

  • Source. 
    • Instance. The Service instance. 
    • User Name. This information is pulled from your Active Directory.
    • Source IP. The IP address of the source. 
    • Source Type. The source type. 
  • Enhanced Metadata. 
    • ASN
    • Activity Trust
    • Trusted For
    • Object Count
    • City
    • Region
    • Country
    • ASN Name
    • IP Organization
    • Trust Reason
    • Network Type
    • Proxy Type
    • Proxy Description
    • Longitude. The map coordinate of the activity.
    • Latitude. The map coordinate of the activity.
    • Device Type
    • OS
    • Browser
  • Related Items & Additional Details. This information is provided directly from the API of the monitored cloud service provider. Because the available metadata may change without notice, we do not document the information provided by the CSP. For definitions of the fields in these sections, contact the cloud service provider's support or consult their API documentation.

Activities CSV File

When you export the data from the Activities tab to a CSV file, the following columns are provided:

  • Activity Name. The specific action that the user took within the CSP. 
  • Operation. Usually, this is the same as Activity Name. Sometimes additional information is appended to an Activity Name and stored here. 
  • actionId. N/A
  • User Name. Username from the CSP along with the activity. 
  • Source IP. The IP address from which the activity was registered, as reported by the CSP. It is not always the user's own IP: routing and other CSP behavior sometimes populate this field with CSP data center IPs.  
  • Role. User's role, if available. 
  • Profile. User's profile, if available. 
  • Country. Based on the source IP's registration info.
  • City. Based on the source IP's registration info.
  • Activity Trust. Based on MVISION Cloud models that compute whether the source IP, country, city, ASN or organization can be trusted for a given user. This is based on historical tenant and user activities. 
  • Trusted For. Tenant (the entity is trusted at the tenant level), User, or MVISION Cloud (entities that McAfee trusts, such as McAfee IPs and CSP data center IPs). 
  • Trust Reason. Allow listed (anything added to the allow list by the customer), Trusted organization (the organization to which the source IP is registered is trusted), Trusted City, Trusted Country, etc. 
  • ASN. Autonomous System Number, based on the source IP's registration info.
  • Account ID. CSP account ID, if applicable.
  • IP Organization. Based on the source IP's registration info.
  • Device Type. Personal Computer, Tablet, Desktop, etc. Information obtained through third-party integration. 
  • OS. The operating system on the device used for the activity. Information obtained through third-party integration.
  • User Agent. User Agent on the device that was used for the activity. Browser name, app name, etc. 
  • Activity Timestamp. When the activity was registered by the CSP, provided by the CSP. 
  • Parent Service Name. Cloud Service name. (For example, Microsoft 365 is a CSP.)
  • CSP ID. MVISION Cloud internal ID for the Cloud Service.
  • Sub-Service Name. Sub Cloud Service Name, if applicable. (For example, Microsoft OneDrive is a sub-CSP.)
  • Instance. Instance ID for the Cloud Service, if applicable. 
  • Number of Events. The number of the same events observed within a UTC minute window. 
  • File/Report Name. Name of the file or report, if associated with the activity type. Provided by the CSP. 
  • File/Folder Path. File/Folder path, if associated with the activity type. Provided by the CSP. 
  • File Size. Size of the file. Depending on the activity, this is not always the full size of the file; it can also be a partial size. 
  • File Type. Type of the file. Not always consistent. 
  • File Owner. File owner, if associated with the activity type. Provided by the CSP. 
  • Last Modified. File Modified timestamp, if associated with the activity type. Provided by the CSP. 
  • Directory?. Boolean indicating whether the entity associated with the activity is a folder. Provided by the CSP. 
  • Domain. Typically the domain of the org to which the CSP instance is registered. Provided by the CSP. 
  • Sharing Enabled?. Boolean to indicate if the file, folder, or report is shared. Not always consistent.  Provided by the CSP. 
  • URL. URL link, if applicable. 
  • Report Details. Salesforce specific Report info. 
  • Other Info. If applicable and available. 
  • targetId. Typically a UUID that is maintained by the CSP. For Microsoft 365, it is the full file/folder path. 
  • Proxy Type. Proxy type of the source IP, if available. Provided through a third-party integration. 
  • Proxy Description. Proxy description of the source IP, if available. Provided through a third-party integration. 
  • Network Type. Broadband, DSL, etc. Provided through a third-party integration. 
  • Region. State or province. Based on the source IP's registration info.
  • ASN Name. Based on the source IP's registration info.
  • Device ID. If it's a managed device and if available.
  • Device Managed. Boolean. Provided by the CSP. 
  • Site Url. SharePoint site, IaaS URLs, etc. If applicable and available.

Detect Mobile Devices Based on User Agent

You can search and filter for mobile devices in activities using the Network Type filter Mobile User Agent. It identifies mobile devices from the User Agent string: the browser's name and version, rendering engine, device model number, operating system, and so on. 
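The Activities CSV columns listed above (User Agent, Device Type, Activity Trust, Source IP) can be cross-checked offline with a script like the following. This is an added example, not code from the original article or from MVISION Cloud: it classifies mobile devices from the User Agent string using the same kind of tokens the Mobile User Agent filter relies on, flags rows where the third-party Device Type column disagrees with the user agent, and summarizes untrusted and mobile activity per user. The sample rows, users, IPs and user agents are constructed, and the assumption that Activity Trust holds the values "Trusted" or "Untrusted" is mine.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export using a subset of the Activities CSV columns listed above.
# Users, IPs and user agents are invented; the "Trusted"/"Untrusted" values in the
# Activity Trust column are an assumption about how the export populates it. The last
# row deliberately has a mobile user agent but a Device Type of Personal Computer.
SAMPLE_ACTIVITIES_CSV = """\
Activity Name,User Name,Source IP,Country,Activity Trust,Trusted For,Trust Reason,Device Type,OS,User Agent,Activity Timestamp,Parent Service Name
User Logged In,alice@example.com,203.0.113.10,GB,Trusted,Tenant,Trusted organization,Personal Computer,Windows,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36",2021-03-01T08:00:00Z,Microsoft 365
FileDownloaded,alice@example.com,198.51.100.7,US,Untrusted,,,Mobile Device,iOS,"Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",2021-03-01T09:30:00Z,Microsoft 365
FileDownloaded,bob@example.com,192.0.2.5,FR,Trusted,User,Trusted City,Tablet,Android,"Mozilla/5.0 (Linux; Android 10; SM-T510) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36",2021-03-01T10:00:00Z,Microsoft 365
SharingSet,bob@example.com,192.0.2.9,DE,Untrusted,,,Personal Computer,macOS,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15",2021-03-01T18:00:00Z,Microsoft 365
FileDownloaded,carol@example.com,192.0.2.30,GB,Untrusted,,,Personal Computer,Android,"Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36",2021-03-01T19:00:00Z,Microsoft 365
"""

# Tokens that identify phone and tablet browsers. Safari on iPadOS 13+ in
# "Request Desktop Website" mode reports itself as Macintosh and is missed here.
MOBILE_UA_RE = re.compile(r"iPhone|iPod|iPad|Android|Windows Phone|BlackBerry|BB10|\bMobile\b",
                          re.IGNORECASE)

# Device Type values treated as mobile (the UI lists Personal Computer, Tablet, Mobile Device).
MOBILE_DEVICE_TYPES = {"mobile device", "tablet"}


def is_mobile_user_agent(user_agent):
    return bool(MOBILE_UA_RE.search(user_agent or ""))


def load_activities(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_trusted(row):
    return row.get("Activity Trust", "").strip().lower() == "trusted"


def untrusted_mobile_activities(rows):
    """Activities from a mobile device whose source the trust model did not trust."""
    return [r for r in rows if is_mobile_user_agent(r["User Agent"]) and not is_trusted(r)]


def device_type_disagreements(rows):
    """Rows where the third-party Device Type column contradicts the User Agent string."""
    disagreements = []
    for r in rows:
        ua_says_mobile = is_mobile_user_agent(r["User Agent"])
        column_says_mobile = r["Device Type"].strip().lower() in MOBILE_DEVICE_TYPES
        if ua_says_mobile != column_says_mobile:
            disagreements.append(r)
    return disagreements


def summarize_by_user(rows):
    """Per-user counts of activities, untrusted activities, mobile activities and source IPs."""
    summary = defaultdict(lambda: {"activities": 0, "untrusted": 0, "mobile": 0, "source_ips": set()})
    for r in rows:
        s = summary[r["User Name"]]
        s["activities"] += 1
        s["source_ips"].add(r["Source IP"])
        if not is_trusted(r):
            s["untrusted"] += 1
        if is_mobile_user_agent(r["User Agent"]):
            s["mobile"] += 1
    return dict(summary)


if __name__ == "__main__":
    rows = load_activities(SAMPLE_ACTIVITIES_CSV)
    for r in untrusted_mobile_activities(rows):
        print(f"untrusted mobile: {r['User Name']} {r['Activity Name']} from {r['Source IP']} ({r['Country']})")
    for r in device_type_disagreements(rows):
        print(f"device type mismatch: {r['User Name']} Device Type={r['Device Type']!r} UA={r['User Agent'][:40]}...")
    for user, s in summarize_by_user(rows).items():
        print(f"{user}: {s['activities']} activities, {s['untrusted']} untrusted, "
              f"{s['mobile']} mobile, IPs={sorted(s['source_ips'])}")
```

Because Device Type and OS come from a third-party integration while User Agent is what the CSP actually recorded, a disagreement between the two is worth a look before you rely on either column in an audit.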


Login Failure Activity Types

Office 365 uses two additional qualifiers to differentiate login errors (ResultStatus and LogonError). In addition, Office 365 activity logging has its own login failure event, which is displayed in the Activity List.

  • User Logged In - Failed. Indicates that ResultStatus recorded a failed login (ResultStatus: Failed) or that LogonError reported an account that can't be found (LogonError: AccountNotFound).
  • User Login Failed. Indicates the Office 365 activity (User Login Failed) error.
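To make the mapping from the two qualifiers to the two Activity List labels concrete, the following added example (not from the original article and not MVISION Cloud code) classifies raw Office 365 audit records and then groups the failures by source IP to surface a password-spray or user-enumeration pattern. The records are constructed; the field names Operation, ResultStatus, UserId, ClientIP and ExtendedProperties (with a LogonError entry) are assumed to follow the Office 365 Management Activity API layout, and the label strings are the ones listed above.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Azure AD sign-in entries from the Office 365
# Management Activity API. Users, IPs and Ids are invented and the field layout is an
# assumption. Record 3 carries LogonError: AccountNotFound despite ResultStatus: Succeeded,
# which is the case the "User Logged In - Failed" label covers with its second condition.
SAMPLE_O365_RECORDS = json.loads("""[
 {"Id": "1", "Operation": "UserLoggedIn",    "UserId": "alice@example.com", "ResultStatus": "Succeeded", "ClientIP": "203.0.113.10", "ExtendedProperties": []},
 {"Id": "2", "Operation": "UserLoggedIn",    "UserId": "alice@example.com", "ResultStatus": "Failed",    "ClientIP": "198.51.100.7", "ExtendedProperties": []},
 {"Id": "3", "Operation": "UserLoggedIn",    "UserId": "ghost@example.com", "ResultStatus": "Succeeded", "ClientIP": "198.51.100.7", "ExtendedProperties": [{"Name": "LogonError", "Value": "AccountNotFound"}]},
 {"Id": "4", "Operation": "UserLoginFailed", "UserId": "bob@example.com",   "ResultStatus": "Failed",    "ClientIP": "198.51.100.7", "ExtendedProperties": [{"Name": "LogonError", "Value": "InvalidUserNameOrPassword"}]},
 {"Id": "5", "Operation": "UserLoginFailed", "UserId": "carol@example.com", "ResultStatus": "Failed",    "ClientIP": "198.51.100.7", "ExtendedProperties": [{"Name": "LogonError", "Value": "InvalidUserNameOrPassword"}]},
 {"Id": "6", "Operation": "FileDownloaded",  "UserId": "alice@example.com", "ResultStatus": "Succeeded", "ClientIP": "203.0.113.10", "ExtendedProperties": []}
]""")

FAILED_LABELS = {"User Logged In - Failed", "User Login Failed"}


def extended_property(record, name):
    """Return the Value of the named ExtendedProperties entry, or None if absent."""
    for prop in record.get("ExtendedProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def classify_login(record):
    """Map a raw record to the Activity List label described above; None if it is not a login."""
    operation = record.get("Operation")
    if operation == "UserLoginFailed":
        return "User Login Failed"
    if operation == "UserLoggedIn":
        if (record.get("ResultStatus") == "Failed"
                or extended_property(record, "LogonError") == "AccountNotFound"):
            return "User Logged In - Failed"
        return "User Logged In"
    return None


def failed_logins(records):
    return [r for r in records if classify_login(r) in FAILED_LABELS]


def spraying_sources(records, min_distinct_users=3):
    """Source IPs whose login failures hit at least min_distinct_users different accounts,
    the shape of a password-spray or user-enumeration attempt. Returns {ip: [users]}."""
    users_by_ip = defaultdict(set)
    for r in failed_logins(records):
        users_by_ip[r.get("ClientIP")].add(r.get("UserId"))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for r in SAMPLE_O365_RECORDS:
        print(f"{r['Id']}: {r['Operation']:16} {r['ResultStatus']:10} "
              f"LogonError={extended_property(r, 'LogonError')!s:26} -> {classify_login(r)}")
    for ip, users in spraying_sources(SAMPLE_O365_RECORDS).items():
        print(f"possible spray from {ip}: {len(users)} distinct accounts {users}")
```

Keeping both failure labels in one set when you aggregate matters: an attacker trying guessed usernames produces AccountNotFound entries under the first label, while guesses against real accounts land under the second, and only together do they show the per-IP breadth of the attempt.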