🔬Activity Tab
Last updated
Last updated
The Activity tab's purpose is to show a detailed view of all activities, across all sources, associated with a given identity over time in one view. Without having to jump across different tools and platforms to piece together bits of a user's activity, the Activity tab can save you time and is incredibly valuable when investigating a user.
The Activity tab is the second tab of the User 360. This article will describe the different information and functionality available on the Activity tab in detail.
The Activity table contains all the detailed event information for a particular user. Above the column headers on the left, you can see the total number of events for the selected timeframe, and on the right, the last data collection timestamp for each source, if you hover over "Last data collection".
The section below details the fields that appear in the table by default, as well as the definition of each field:
Date (UTC)
The date and time the event/action happened
Source
The identity source associated with the event/action
Event
What the event/action taken by the user was
Initiator
Who initiated the event/action and a session ID for the event, if available
Target
What the target of the event/action taken by the user was
Result
The result of the event/action taken by the user
Geo IP
The IP address and respective location for the associated event/action
Tags
Tags associated with the event and/or the IP address Hover over each tag to see a tooltip with the source of the tag (ex: Okta: Password Spray, IP info: Hosting, etc). If no source, it is an Identity Intelligence tag (ex: New ISP)
OS
The operating system associated with an event/action
Hover over the icon in this column to see a tooltip with the OS name
Browser
The browser associated with an event/action
Hover over the icon in this column to see a tooltip with the browser name
Device Type
The device type associated with an event/action
To see more information on an event in the Activity table, click on any blank space in the row related to the specific event you'd like to dig into.
This will open a slide panel from the right side of the page, that has 2 tabs - Event Attributes and Raw data. The event attributes themselves and raw data will vary depending on the relevant information for the event/action you are looking at.
Event attributes shows you more detailed information on the attributes related to the event
Raw data shows you the raw data for a given event
To close the slide panel, click the X in the top right corner, or click anywhere outside of slide panel.
This section describes the high level actions you can perform on the Activity tab. Click through the tabs below to learn more about how to utilize each feature.
Use the search bar above the Activity table to search based on various items such as a specific IP address, session ID, application name, source, location, etc. When searching, you do not need to provide an exact value. Typing a piece of the word will return results.
If you have searched on a particular parameter, the search criteria is retained as you navigate between different tabs within the platform.
To clear the search bar click the X on the right most side of the search bar, next to the Advanced button.
The Activity tab has a timeline widget which displays a given user's total number of events per day, color coded by result type (ie: success, failure, challenge, etc). Hovering over a segment of the bar will display a tooltip with the date, the result, and the count of events for that result. By default, the view is set for 30 days but this can be adjusted to see a wider or smaller window of time using the + and - buttons in the top right corner of the timeline widget.
To export this visualization, click on the 3 line button in the top right corner of the widget. Downloading as a SVG or PNG will export an image, whereas downloading as a CSV will export the raw data for you in CSV format.
If you would like to hide this widget to get more space for the Activity table, click the Graph icon button next to the timeframe filter. To get the widget back, click the Graph icon button again.
Like the Users table, the Activity table is filterable by multiple attributes, enabling you to slice and dice the activity based on the parameters that are important to you.
There are several ways to filter the results of the Activity table - basic filters, directly from attributes in the table or slide panel, and Advanced Query mode, which can be enabled via the search bar above the Activity table. Click here to learn about how to use Advanced Query Mode.
To access the basic filters, click on the filter button that is to the left of the search bar, above the Activity table. This will open a slide panel from the left side of the page with the available filters.
The filter categories available via the slide panel are Result and Event. You can enable a filter by clicking the check box for the attribute you would like to filter by. The applied filters will be added to the search bar. The number of events that you are currently viewing, based on any filters and searches used, will appear in the top left corner of the Activity table, above the column headers.
Filter attributes will vary user to user based on the results and events available for a particular user
Like on the Users tab, you can also select all attributes or exclude an attribute. To select all values within a given filter, hover over a filter value and click All
. To exclude a value from filtered results (ie: NOT), you can click on the 🚫 icon in either the filter box in the search bar or the left hand filter menu.
To remove a filter, you can either deselect a filter attribute from the filters list on left hand side of the Activity table, or click the X on the right hand side of the filter box that is in the search bar. To remove all filters, click the X located next to the Advanced Filter button in the search bar.
After you have selected your filters, the filters are retained as you navigate between different tabs within the platform.
Another way to filter in the Activity table is by clicking on an event attribute in the table or in the slide panel, which will add it to the search bar as a filter. The elements that can be filtered on via the table elements are:
Source
Event
Session ID (in Initiator column if present)
Target application (in Target column if relevant)
Result
OS and Browser (only works on icons, not free text)
Additionally, if you open the slide panel and click on any of the attributes in the Event Attribute tab, the attribute will be added as a filter.
The IP address in the table or in the slide panel has a few actions associated with it that can be useful to learn more about an IP address and the associated activity.
The actions menu will pop up when left-clicking on a specific IP address in the Activity table. The actions are:
Find user activity - Adds the selected IP address as a filter on the given user's Activity tab so you can see all the user's activity associated with this particular IP address
Find users who attempted to sign in from X.X.X.X - Adds the selected IP address as a search parameter on the Users page so you can see any other users who have activity associated with this particular IP address
See IP info - Add the selected IP address as a filter on the given user's Networks tab and opens the slide panel so you can see more detailed information about that IP address
Copy to clipboard - Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool