Monitor User Events in the Cloud Administration Console

The User Event Monitor lists the most recent user events for the Cloud Authentication Service. Use this information to monitor user behavior patterns and troubleshoot unsuccessful authentication attempts.

The User Event Monitor can list up to 100 events that occurred over the past seven days. You can filter the results according to User ID, date range, and authentication methods. The User Event Monitor displays the following information related to the event:

  • Timestamp
  • User
  • Event Code
  • Description
  • Application
  • Method
  • Authentication Details
  • Assurance Level

Events are color-coded for quick identification.

The assurance levels displayed depend on the following:

  • For SecurID Token, FIDO, SMS Tokencode, Voice Tokencode, and Emergency Tokencode the User Event Monitor displays the assurance level assigned to the access policy for the protected resource. If the policy contains multiple conditions and assurance levels, the User Event Monitor displays the assurance level for the condition applied to the user.
  • For Approve and Device Biometrics, the User Event Monitor displays the assurance level configured for those methods on the Assurance Level page in the Cloud Administration Console.

See User Event Monitor Messages for the Cloud Authentication Service for a list of all user event messages.


  1. In the Cloud Administration Console, click Users > User Event Monitor.

  2. (Optional) In the Filter field, type the User ID for which you want to display events. By default, all events within the specified time period are displayed.

  3. (Optional) Specify the time period to include in the report in hours (1 to 24) or days (1 to 7). The default is four hours.

  4. (Optional) Specify if you want to display only Success Events, Error Events, or Critical Events.

  5. Click Go to begin the search.

    By default, events appear in descending order by timestamp, with the most recent entry first. To sort a column, click its arrow.