Monitor User Events in the Cloud Administration Console
a month ago

Monitor User Events in the Cloud Administration Console

The User Event Monitor lists the most recent user events for Cloud Access Service (CAS). Use this information to monitor user behavior patterns and troubleshoot unsuccessful authentication attempts.

The User Event Monitor can list up to 100 events that occurred over the past seven days. You can filter the results according to User ID, date range, and authentication methods. The User Event Monitor displays the following information related to the event:

  • Activity ID
  • Transaction ID
  • Timestamp
  • User ID
  • Event Code
  • Description
  • Application
  • Assurance Level
  • Method
  • Authentication Details

Events are color-coded for quick identification.

The assurance levels displayed depend on the following:

  • For SecurID Token, FIDO, SMS Tokencode, Voice Tokencode, and Emergency Tokencode the User Event Monitor displays the assurance level assigned to the access policy for the protected resource. If the policy contains multiple conditions and assurance levels, the User Event Monitor displays the assurance level for the condition applied to the user.
  • For Approve and Device Biometrics, the User Event Monitor displays the assurance level configured for those methods on the Assurance Level page in the Cloud Administration Console.

Procedure 

  1. In the Cloud Administration Console, click Users > User Event Monitor.

  2. (Optional) In the Filter field, you can enter:

    • User ID to view events for a specific user. By default, all events within the specified time period are displayed.

    • Transaction ID to view all related multi-factor authentication (MFA) events sharing the same ID. This groups all MFA events from the same session, allowing you to view the complete set of events that occurred during that MFA session, including successful FIDO security key registration events.

    • Activity ID to filter and track all related user events from a single login session in My Page, enabling easier troubleshooting and analysis.

    • Event Code to view specific types of events. Refer to the documentation links at the end of the page for a complete list of event codes and their descriptions.

  3. (Optional) Specify the time period to include in the report in hours (1 to 24) or days (1 to 7). The default is four hours.

  4. (Optional) Specify if you want to display only Success Events, Error Events, or Critical Events.

  5. (Optional) Select Include Verbose Logs to display verbose logs. Enable this option to add extra details to regular log events. Verbose logs are indicated in blue.

  6. By default, events appear in descending order by timestamp, with the most recent entry first. To sort the events by a different column, click the column’s arrow icon.

  7. Click Search.

  8. To generate a CSV report with events, click Generate Report.

    1. From the dropdown list, select Number of Events.

    2. Click Generate Report.

  9. Once the report is generated successfully, click Report Details to view the date, time, filters, and the requester of the generated report.
  10. To download the CSV file to your device, you can either click Download from the Report Details window or the download icon.

 

For the list of user event messages:

User Event Monitor Messages for Cloud Access Service (02 - 345)

User Event Monitor Messages for Cloud Access Service (400 - 1409)

User Event Monitor Messages for Cloud Access Service (1501 - 20406)

User Event Monitor Messages for Cloud Access Service (20601 - 38000)

Don't see what you're looking for?