User Activity Monitoring

Track user actions, audit security events, and maintain compliance with comprehensive activity logs.

Compliance Ready

User activity monitoring helps meet audit requirements for SOC 2, HIPAA, and PCI DSS.

Why Monitor User Activity?

Purpose	Description
Security	Detect unauthorized access and suspicious behavior
Compliance	Meet audit requirements for SOC 2, HIPAA, PCI DSS
Investigation	Reconstruct incident timelines and root cause analysis

What Gets Logged?

🔐 Authentication
👥 User Management
🛡️ Security Operations
⚙️ Configuration
📊 Data Access

Authentication Events

All authentication-related activities are logged:

Event	Details Captured
Login attempts	Success/failure, IP, timestamp
MFA events	Setup, modifications, verification
Password changes	Reset requests, completions
Sessions	Creation, termination, expiry
Lockouts	Trigger reason, unlock events

User Management Events

Event	Details Captured
Account creation	Creator, new user details
Account deletion	Deleter, removed user
Role changes	Old role, new role, modifier
Profile updates	Changed fields, old/new values
Team changes	Invitations, assignments

Security Operations Events

Event	Details Captured
Event investigations	Analyst, event ID, findings
Response actions	Action type, target, result
Rule changes	Rule ID, modifications
Workflow changes	Status transitions
Remediation actions	Type, scope, outcome

Configuration Change Events

Event	Details Captured
System settings	Setting name, old/new values
Notification setup	Channel configurations
Alert thresholds	Threshold modifications
Agent config	Agent ID, changes
API keys	Generation, revocation

Data Access Events

Event	Details Captured
Event views	User, event ID, timestamp
Search queries	Query text, results count
Report generation	Report type, parameters
Data exports	Format, record count
API queries	Endpoint, parameters

Viewing Activity Logs

📍 Access Logs
🔍 Filter Events
🔎 Search
📋 Event Details

Step 1: Access the Activity Log

Navigate to the Activity Log page to view all user actions.

Navigation Paths:

Role	Path
All Users	`Profile → Activity Log`
Administrator	`Settings → Security → Audit Log`

Step 3: Search for Specific Events

Use the search bar with query syntax:

Query	Purpose
`user:john@example.com`	All actions by user
`action:login`	All login attempts
`resource:detection-rule-123`	Changes to specific rule
`status:failed`	Failed actions only
`ip:192.168.1.100`	Actions from specific IP

Step 4: View Event Details

Click any log entry to see comprehensive details:

Field	Description
Timestamp	UTC and local time
User	Identity and email
Action	What was performed
Resource	What was affected
IP Address	Source location
User Agent	Browser/device
Status	Success or failure
Before/After	Changed values

Exporting Activity Logs

📄 CSV
📦 JSON
📑 PDF
🔌 API

CSV Export

Export filtered activity logs to CSV format for spreadsheet analysis.

Path: Activity Log → Export → CSV

Use Cases:

Spreadsheet analysis
Import into other systems
Custom reporting

JSON Export

Export in JSON format for programmatic processing.

Path: Activity Log → Export → JSON

Use Cases:

SIEM integration
Automated analysis
API consumption

PDF Report

Generate formatted PDF reports for audit documentation.

Path: Activity Log → Export → PDF Report

Use Cases:

Compliance evidence
Audit documentation
Management reporting

API Access

Query activity logs programmatically:

GET /api/v1/activity-logs?start_date=2025-01-01&end_date=2025-01-31

Parameters:

Parameter	Description
`start_date`	Beginning of date range
`end_date`	End of date range
`user`	Filter by user email
`action`	Filter by action type
`limit`	Maximum results

Activity Log Retention

Subscription Tier	Retention Period	Export Available
Small Business	90 days	✅ Yes
Medium Business	1 year	✅ Yes
Enterprise	7 years (configurable)	✅ Yes + API

Compliance Tip

Regularly export and archive activity logs to meet long-term compliance requirements (e.g., SOX, GDPR, HIPAA).

Activity-Based Alerts

Configure alerts for suspicious or important user activities:

🔐 Auth Alerts
👑 Privilege Alerts
📊 Data Alerts
⚙️ Config Alerts

Authentication Alerts

Alert	Trigger
Failed Login Attempts	5 failures in 15 minutes
New Device Login	Login from unrecognized device
Geographic Anomaly	Login from unusual location
Concurrent Sessions	Multiple simultaneous logins

Alert	Trigger
Role Change	Any role modification
Admin Promotion	User elevated to Administrator
Permission Grant	New permissions added
Bulk Changes	Multiple user modifications

Data Access Alerts

Alert	Trigger
Large Export	Export exceeding threshold
After-Hours Access	Access outside business hours
Sensitive Data Access	Access to restricted resources
Unusual Query Volume	Abnormal API usage

Configuration Change Alerts

Alert	Trigger
Critical Settings	Core settings modified
Rule Deletion	Detection rules removed
Integration Changes	Notification settings modified
API Key Events	Key generation or revocation

Best Practices

👀 Regular Review
🤖 Automation

Review Schedule

Role	Frequency	Focus
Administrator	Weekly	All activity, config changes
Security Analyst	Daily	Security operations, anomalies
Compliance	Monthly	Audit trail completeness

Task	Automation
Scheduled Exports	Auto-export weekly
Alert Rules	Configure activity-based alerts
Retention Management	Archive before expiry
Report Generation	Monthly compliance reports

📝 Activity Monitoring Checklist

Configure activity-based alerts
Set up scheduled exports
Establish review schedule
Document retention requirements
Test export and archive process
Correlate with security events
Train team on log analysis

What's Next?

Guide	Description
Access Control Policies	Configure IP and time-based restrictions
Multi-Factor Authentication	Enhance security with MFA
Generating Reports	Create compliance reports

User Activity Monitoring

Why Monitor User Activity?

What Gets Logged?

Authentication Events

User Management Events

Security Operations Events

Configuration Change Events

Data Access Events

Viewing Activity Logs

Step 1: Access the Activity Log

Step 2: Filter by Activity Type

Step 3: Search for Specific Events

Step 4: View Event Details

Exporting Activity Logs

CSV Export

JSON Export

PDF Report

API Access

Activity Log Retention

Activity-Based Alerts

Authentication Alerts

Privilege Escalation Alerts

Data Access Alerts

Configuration Change Alerts

Best Practices

Review Schedule

Automate Compliance

What's Next?

Why Monitor User Activity?​

What Gets Logged?​

Authentication Events​

User Management Events​

Security Operations Events​

Configuration Change Events​

Data Access Events​

Viewing Activity Logs​

Step 1: Access the Activity Log​

Step 2: Filter by Activity Type​

Step 3: Search for Specific Events​

Step 4: View Event Details​

Exporting Activity Logs​

CSV Export​

JSON Export​

PDF Report​

API Access​

Activity Log Retention​

Activity-Based Alerts​

Authentication Alerts​

Privilege Escalation Alerts​

Data Access Alerts​

Configuration Change Alerts​

Best Practices​

Review Schedule​

Automate Compliance​

What's Next?​

Why Monitor User Activity?

What Gets Logged?

Authentication Events

User Management Events

Security Operations Events

Configuration Change Events

Data Access Events

Viewing Activity Logs

Step 1: Access the Activity Log

Step 2: Filter by Activity Type

Step 3: Search for Specific Events

Step 4: View Event Details

Exporting Activity Logs

CSV Export

JSON Export

PDF Report

API Access

Activity Log Retention

Activity-Based Alerts

Authentication Alerts

Privilege Escalation Alerts

Data Access Alerts

Configuration Change Alerts

Best Practices

Review Schedule

Automate Compliance

What's Next?