There are two ways to see the authentication activity for your users, the Main Admin Dashboard and the Audit Log. Here we’re going to review the Audit Log table.
For more information on the Main Admin Dashboard, please view https://support.evosecurity.com/hc/en-us/articles/5474621626651-Main-Dashboard
What is the Audit Log?
The Audit Log shows you a complete list of the recent successful and failed login attempts by users, as well as other actions committed across the platform.
In the table you’ll see such detail as; the users email address, the action, result (success/fail), date and time of the activity, and the IP address the attempt was made.
- From the left nav menu, select My Company. Alternatively, select Customers and and choose a customer from the list.
- From the side navigation, click Activity.
For information on the activity map, see Can I see a map of where my users are logging in from?
How does the Audit Log work?
The Audit Log tracks various activity throughout the platform, including logins. It is displayed in a chronological, descending order by time of event for ease of view. However, you can use our Advanced Filters function to narrow down exactly what you are looking for.
1. On the Activity page, click the Advanced Filters dropdown menu.
2. This will display the Advanced Filters feature.
The Advanced Filters functionality is very strict. All text here is Case Sensitive and if separating inputs with commas, do NOT put a space between them. Here, we will break down what these filters do and how they work:
- Date Range: This will display results of actions that took place within the specific date range.
- Actor: This is the e-mail of the user who completed the action.
- Action: This is the type of action that was initiated/completed.
- Target: Currently, this will also display either the user, a request ID, or if neither are found, a blank space. This will change in the future to be more accurate.
- Origin: This will display either the IP address (Web Log-in) or the Endpoint of where you authenticated from (Such as a Desktop with the Evo Credential Provider installed).
- Status: This will display either a Success, Pending, or Fail status.
Currently Tracked Actions:
- Web
- Login
- Login with OTP
- Sending Push Notification
- Push Notification Approved
- Login approval initiation
- Delete User
- Disable Iser
- Add New User
- Update Password
- Desktop
- Elevated Login
- Authentication initiated
- Push Notification Sent
- Sending Push Notification
- Login approval initiation
- MFA code Validated
- Invalid MFA code
- Secure Login
- Login
- Other
- LDAP Agent
Use Case Example:
Let's say you want to see all Elevated Logins within a specified time range. Set your expected date range, and simply type "Elevated Login" within the action field and apply the filter:
This feature will continue to expand on auditable actions, so be sure to return here to see what has changed and what actions have been added!