This article discusses how to use the Cloud Activity Dashboard for visibility into Entra ID sign-in activity and insights that help you manage and secure your organization's SaaS apps.
The Cloud Activity Dashboard shows data about user activity for your organization's sanctioned SaaS apps to help you manage and secure your cloud app ecosystem. The page contains a number of widgets that provide visibility for SSO sign-in events in your organization's Microsoft Entra ID tenant. You can also drill down to analyze relevant events in the Events page. The widgets include data such as:
- Total number of sign-ins and failed sign-ins for each app
- Failed sign-ins with a breakdown by country
- Users with the most failed sign-ins
- Breakdowns of sign-ins according to OS and browser
These are examples of insights you can gain from the Cloud Activity Dashboard widgets:
- Identify apps that have very low sign-ins and may not require maintaining a license
- Detect potential bad actors that may be trying to access apps without authorization
- Assess app usage in different locations
The Cloud Activity Dashboard includes information for different types of sign-in events. You can filter the dashboard to focus on specific sign-in types. By default, the dashboard includes a filter to show only Interactive User sign-ins. For more about configuring filters, see below.
These are the different sign-in types:
- Interactive User - User-initiated sign-ins, including authentication with passwords, MFA, and biometrics
- Service Principal - Sign-ins by non-user entities such as apps and services using their own credentials, for example a certificate or app secret
- Managed Identity - Background sign-ins not involving user interaction, performed by resources whose secrets are managed by Azure

For more about Microsoft Entra sign-in types, see the Microsoft documentation.

- For the Cloud Activity Dashboard to show data, you need to configure an API connector for Microsoft Entra ID (Azure AD). For more about configuring the connector, see Configuring the Microsoft Entra ID (Azure AD) Connector.
The Cloud Activity Dashboard contains a number of widgets that present an overview of sign-in activity for your organization's sanctioned SaaS apps.
You can filter the Cloud Activity Dashboard according to a specific time frame, and create filters to focus on more specific data. When you manually create a filter or add an item to update the filter, the sign-in data on the Cloud Activity Dashboard is automatically updated.
There are two ways to filter the data in the Cloud Activity Dashboard and show the items that are most relevant: automatically update the filter with the selected item, or manually configure the filter.
As you hover over an item or field where a filter option is available, the button appears. Click the icon to show the filter options:
- Add to Filter - Adds the item to the filter, and the Cloud Activity Dashboard now only shows data that includes this item. For example, if you filter for a specific app, the screen only shows activity data related to that app. No other cloud activity data is available until you change or clear the filter.
- Exclude from Filter - Updates the filter to exclude this item, and the Cloud Activity Dashboard now only shows data that does NOT include this item.
- View Events - Adds this item to the filter, and the Events page opens and shows all the events that match the filter.

You can continue to add items to the filter. Click again to update the filter and drill down further.
The default time range for the cloud activity data is the previous two days. You can select a different time range for the Cloud Activity Dashboard to show a longer or shorter time period. For more information, see Setting the Time Range Filter.
The maximum date range for the Cloud Activity Dashboard is 90 days.
You can manually configure the filter for greater granularity to analyze the cloud activity. After you configure the filter, it is added to the filter bar and the screen is automatically updated to show the activity data that matches the new filter.
To manually configure a filter:
- In the filter bar, click .
- Start typing or select the Field.
- Select the Operator, which determines the relationship between the Field and the Value you are searching for.
- Select the Value.
- Click Add Filter. The filter is added to the filter bar and the Cloud Activity Dashboard is updated to show results based on the filters.
You can remove each item in the filter separately, or clear the entire filter.
This section explains the widgets that are available in the Cloud Activity Dashboard. The data in the dashboard is based on the configured time range.
These are the widgets:
- Sanctioned Apps Sign-In Activity - Shows SSO sign-in information for all of your organization's sanctioned SaaS apps that use SSO. You can click in the row of an app to show the Events page pre-filtered for sign-in events for the app.
  These are the widget columns:
  - # Sign-in - Total number of sign-ins for the app, including successful and failed sign-ins
  - # Outside Cato - Indicates users who authenticated to an app directly over the public Internet and not via the Cato Cloud. App traffic over the public Internet isn't protected by the Cato Cloud Security services.
  - # Failed Sign-in - Number of failed sign-in attempts for the app
  - # Tenants - Number of Entra ID tenants associated with the sign-ins to this app. This number can include tenants external to your organization if you have configured External ID cross-tenant access, and a sign-in was performed from a source outside your organization.
    - Hover the mouse over the number of tenants and then hover over the tooltip to show the tenant IDs as they appear in sign-in events for the app.
      You can use the tenant ID to filter the Events page to show events for that tenant. If a sign-in was performed from a source outside your organization, you can use the tenant ID to view details about the external source in the associated event.
  - Click in the row of an app to show the Events page pre-filtered for sign-in events for the app
- Sign-in Activities by Countries - Shows the following information for sign-ins from each country:
  - # Sign-in - Total number of sign-ins for the country, including successful and failed sign-ins
  - # Failed Sign-in - Number of failed sign-in attempts for the country
- Top Users With Failed Sign-in - A list of users with the most failed sign-ins for a single app, with the name of the app and number of failed sign-ins
  - Click in the row of a user to show the Events page pre-filtered for failed sign-in events for that user and app
- Sign-in Activity Over Time - Graphs the total and failed sign-ins on a timeline
  - Hover the mouse on the graph to show the sign-in details for a point on the timeline
  - Click a toggle button to show or hide a graph
  - Click and drag to zoom in on:
    - Time of sign-ins
    - Number of sign-ins
- Anomalies - Anomalous sign-ins in your Entra ID tenant that may indicate malicious activity. Anomaly types include: Atypical travel, Anomalous token, Suspicious browser, Unfamiliar sign-in properties, Malicious IP address, Suspicious inbox manipulation rules, Password spray, Impossible travel, New country, Activity from anonymous IP address, Suspicious inbox forwarding, Mass access to sensitive files, Verified threat actor IP, Additional risk detected, Anonymous IP address, Admin confirmed user compromised, Microsoft Entra threat intelligence.
  For more information about the anomalous Entra ID sign-in types, see the Microsoft documentation.
  - Note: For data to appear in the Anomalies widget, a license for Entra ID Protection is required, and you must configure an Entra ID Protection connector. For more about configuring the connector, see Configuring the Microsoft Entra ID Protection Connector for Sign-In Anomaly Data.
- Sign-in Break Down by OSs - Shows number of app sign-ins performed on each operating system
  - Hover the mouse over a chart section to show the number of sign-ins for that operating system and its percentage of total sign-ins
- Sign-in Break Down by Browser - Shows number of app sign-ins performed on each browser
  - Hover the mouse over a chart section to show the number of sign-ins for that browser and its percentage of total sign-ins
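To cross-check the dashboard against an export of sign-in events, the widget columns and filter behavior described above can be recomputed offline. This Python code is an added example, not Cato's code; the event field names, tenant labels, and sample records are constructed for illustration and are not the Cato Events schema or the Microsoft Graph sign-in schema.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical field names and values).
EVENTS = [
    {"user": "alice@example.com", "app": "Salesforce", "type": "Interactive User",
     "ok": True, "country": "US", "tenant": "tenant-a"},
    {"user": "bob@example.com", "app": "Salesforce", "type": "Interactive User",
     "ok": False, "country": "BR", "tenant": "tenant-a"},
    {"user": "bob@example.com", "app": "Salesforce", "type": "Interactive User",
     "ok": False, "country": "BR", "tenant": "tenant-a"},
    {"user": "guest@partner.example", "app": "Salesforce", "type": "Interactive User",
     "ok": True, "country": "DE", "tenant": "tenant-b"},
    {"user": "alice@example.com", "app": "Jira", "type": "Interactive User",
     "ok": False, "country": "US", "tenant": "tenant-a"},
    {"user": "svc-backup", "app": "Jira", "type": "Service Principal",
     "ok": False, "country": "US", "tenant": "tenant-a"},
]

def apply_filter(events, include=None, exclude=None):
    """Mimic Add to Filter / Exclude from Filter with {field: value} dicts."""
    include, exclude = include or {}, exclude or {}
    return [e for e in events
            if all(e[k] == v for k, v in include.items())
            and not any(e[k] == v for k, v in exclude.items())]

def activity_by(events, key):
    """Group by 'app' or 'country': total sign-ins (successful and failed),
    failed sign-ins, and the number of distinct tenants seen."""
    rows = defaultdict(lambda: {"sign_ins": 0, "failed": 0, "tenants": set()})
    for e in events:
        row = rows[e[key]]
        row["sign_ins"] += 1
        row["failed"] += not e["ok"]
        row["tenants"].add(e["tenant"])
    return {k: {**r, "tenants": len(r["tenants"])} for k, r in rows.items()}

def top_failed_users(events, n=10):
    """Rank (user, app) pairs by failed sign-ins; each row is for a single app."""
    fails = Counter((e["user"], e["app"]) for e in events if not e["ok"])
    return fails.most_common(n)

if __name__ == "__main__":
    # The dashboard's default filter shows only Interactive User sign-ins.
    interactive = apply_filter(EVENTS, include={"type": "Interactive User"})
    print(activity_by(interactive, "app"))
    print(activity_by(interactive, "country"))
    print(top_failed_users(interactive))
```

With the default filter applied, the service principal failure against Jira drops out of every count, so comparing filtered and unfiltered totals shows how much activity the Interactive User default hides.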