探花大神

View the Directory Insights Data Activity Log

The Directory Insights Activity Log includes an event frequency chart and a table with individual events for the selected time range. Directory Insights data is useful for auditing & compliance or for troubleshooting issues like user lockouts.

Considerations:

  • 探花大神 stores Directory Data for 90 days. Any views in the admin console will only reflect the previous 90 days of activity. If you need to store data longer than 90 days, consider the 探花大神 Directory Insights AWS Serverless Application or export the logs directory using the .
  • You can export Directory Insights data in JSON or CSV format.

Prerequisites:

  • Directory Insights has to be enabled for your account. Email your Account Manager to get this enabled.

Chart View

The Activity Log chart shows a graph of the number of events that occurred during the selected time range. You can click a bar in the chart to view data for that bar's time range. 

List View

The Activity Log list shows event data in the following default columns:

  • Timestamp: When the event happened; the date and time on which the event occurred.

Note:

The Admin Portal displays Directory Insights event timestamps in the local time zone of the administrator viewing the portal. However, when exporting these events to JSON or CSV format, the timestamps are in UTC.

  • Event Type: The event type. Events are gathered from the following services: All, Directory, LDAP, MDM, Password Manager, RADIUS, SSO, Software, and Devices. 
  • Result: The result of the logged activity, such as, "Device login successful" or "Policy created."
  • Initiated By: Who initiated the event; the username of the 探花大神 user that initiated the event. If no username is available, the user's email address is shown. If neither a username nor an email address is available, "--" is shown.
  • Client IP: Where the event happened; the IP address of the requesting client.

To add or change the columns:

  1. From the 探花大神 Admin Portal, go to Insights > Directory.
  2. On the Events list, click the columns menu. You can either search, or select from the list of Available events. You can select up to eight columns to display. You can always click Revert to default columns if needed.

Refining Data

Use the service, event type, and user filters to refine log data. You can view data for the following services:

  • All
  • Directory
  • LDAP
  • RADIUS
  • Password Manager
  • SSO
  • Software
  • Systems
  • MDM

Note:

You can view data for one or more different event types. You can also view data for either all or specific users.

Use the Time Range to filter data from 15 minutes to 90 days ago.  

To select a time range:

  1. From the 探花大神 Admin Portal, go to Insights > Directory.
  2. Click the Time Range and select from the easy Quick Picks, or define a range with the Specific Dates fields.
  3. Click apply.
  4. Click clear all to go back to default settings.

To add a filter:

  1. From the 探花大神 Admin Portal, go to Insights > Directory.
  2. Next to the Search bar, there are four filter menus you can apply: Service, Event Type, User, and Device.
  3. Click add filter to select a different filter to apply. You can filter by the following field names listed in DI Activity Log Filters.
  4. Click the ( X ) next to the filter, or clear all to go back to the default settings.
  5. If you want to see all of the same event types in the Activity Log list, under the columns Event Type and Client IP, you can click any event type or client IP to filter only that type.
    • For example: Click admin_login_attempt to see all login attempts.
  6. Click clear all to go back to default settings.

View current data by clicking refresh in the top right corner of the Activity Log.

View summary details and JSON by clicking the down arrow to the left of an event date.

Export event data in JSON or CSV by clicking export in the right corner.

Activity Log Views

Use the Views list to see pre-filtered Quick Views or to create and save custom views. 

Activity Log Data Availability 

  • The Activity Log can show data for up to the last 90 days.
  • Keep in mind that your org may not have data available for the previous 90 days.
  • Free accounts can see data for the last 15 days.

Using Saved & Quick Views

Considerations:

  • If you choose a specific date for a view and then save it, the view defaults to the previous hour of data the next time you load the Saved View. Choose a different Quick Picks time range to view data for a longer time period.
  • If you choose a Quick Pick time range for a view and then save it, data for the Quick Pick time range you saved is shown each time you load the Saved View. 
  • Saved Views are available to all administrator accounts on a 探花大神 org. All administrators can view, modify, and delete any Saved Views.
  • There is a maximum of 1,000 saved views per organization.

Creating and Saving Views

To create a saved view:

  1. Apply columns and filters for the data you want to see. 
  2. Apply a Quick Picks time range.
  3. To the right of the Views list, click save view.
  4. Give the view a unique name.
  5. Click save.

To create a saved view from a quick view:

  1. Select Quick View from the View list.
  2. Modify the Quick View. 
  3. Click save as.
  4. Give the view a unique name.
  5. Click save.

Modifying Saved Views

Considerations:

  • When you modify a saved view, it's updated for all admins in your org.
  • Currently you can't rename a Saved View. If you need to rename a view, you can delete a view, then create a new one with the name you want.

To modify an existing saved view:

  1. In the Views list, click select view ... .
  2. Select Saved View.
  3. Modify the filters applied to the view by adding new or removing existing columns and filters.
  4. Click save view.
  5. Confirm you want to save over the existing view.

To create a new saved view from an existing saved view:

  1. In the Views list, click select view ... .
  2. Select a saved view.
  3. Modify the filters applied to the view by adding new or removing existing columns and filters.
  4. Click save as.

Deleting Saved Views

Considerations:

  • When you delete a saved view, it's deleted for all Admins in your org.
  • You can't undo a delete action.

To delete a saved view:

  1. In the Views list, click select view ... .
  2. Hover over a saved view, then click the trash can icon to the right of the view name.
  3. To confirm that you want to delete the view, click delete.

Using Quick Views

Quick Views are shortcuts to pre-filtered views. 

If you select a Quick View that has no data for the time period you've chosen, you can increase your time range to see data for the view.

To choose a Quick View:

  1. In the Views list, click select view ... .
  2. Select a view from the list of available Quick Views.
  3. (Optional) Click clear view to remove the view from the Activity Log.

Considerations

  • When exporting Directory Insights data, any search terms in use to filter the list view will not be applied to the export.

The DI Search is a full text query that enables you to narrow the table view of individual events in the activity log based on the terms entered.

  • Spaces are treated as AND
  • Underscores are treated as AND
  • OR, NOT operators are not supported
  • Exact phrase search with quotations is not supported

Search works in conjunction with applied Saved Views, Time Range, and filters to search within those results for something more specific. You can also apply Saved Views, Time Range, and filters after performing a text search to further narrow results.
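Because search terms are not applied to an export, the same narrowing has to be redone on the exported file. The following is an added example, not vendor code: it applies the AND-only term rules above to a constructed JSON export, using the SSO field list from the DI Search table, and renders the UTC export timestamp as a local time. The `timestamp` key, the nested export layout, case-insensitive substring matching, and the sample events are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Fields the page lists as searched when the Service is SSO.
SSO_FIELDS = [
    "id", "event_type", "initiated_by.id", "initiated_by.type",
    "initiated_by.username", "client_ip", "geoip.timezone",
    "geoip.continent_code", "geoip.region_code", "geoip.country_code",
    "geoip.region_name", "application.id", "application.name",
]

# Constructed sample export (not real data); key names and nesting are assumed.
EXPORT = json.loads("""[
 {"id": "e1", "timestamp": "2024-03-01T02:15:00Z",
  "event_type": "sample_sso_login", "client_ip": "198.51.100.7",
  "initiated_by": {"type": "user", "username": "alice"},
  "application": {"name": "wiki"}},
 {"id": "e2", "timestamp": "2024-03-01T03:40:00Z",
  "event_type": "sample_sso_login", "client_ip": "203.0.113.9",
  "initiated_by": {"type": "user", "username": "bob"},
  "application": {"name": "payroll"}}
]""")

def get_path(event, dotted):
    # Walk a dotted field name through nested dicts; None when absent.
    for key in dotted.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def search_terms(query):
    # Spaces and underscores both separate terms; all terms are ANDed.
    return [t.lower() for t in re.split(r"[\s_]+", query) if t]

def matches(event, query, fields):
    # Every term must occur in at least one searched field (assumed substring).
    values = [str(v).lower() for f in fields
              if (v := get_path(event, f)) is not None]
    return all(any(t in v for v in values) for t in search_terms(query))

def local_time(event, utc_offset_hours):
    # Exported timestamps are UTC; shift to the viewer's offset for display.
    utc = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    tz = timezone(timedelta(hours=utc_offset_hours))
    return utc.astimezone(tz).strftime("%Y-%m-%d %H:%M")

def search_export(query, utc_offset_hours=-7, fields=SSO_FIELDS):
    return [(e["id"], local_time(e, utc_offset_hours))
            for e in EXPORT if matches(e, query, fields)]
```

With a UTC-7 viewer, `search_export("sso_login alice")` returns the first event dated the previous calendar day, which is the kind of mismatch to expect when comparing portal rows against an export.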

See the table below to see which database fields are searched for each Service selected from the Service drop-down menu.

DI Search

Service Database Fields Searched
Directory
  • id
  • correlation.id
  • correlation.type 
  • event_type
  • resource.type
  • resource.id
  • resource.username
  • resource.recipient_email
  • resource.email_type 
  • resource.name  
  • system_group.type  
  • system_group.object_id 
  • system_group.name 
  • initiated_by.id 
  • initiated_by.type 
  • initiated_by.email  
  • initiated_by.source  
  • initiated_by.username 
  • association.type  
  • client_ip  
  • geoip.timezone  
  • geoip.continent_code  
  • geoip.region_code 
  • geoip.country_code  
  • geoip.region_name  
  • application.id  
  • application.name
LDAP
  • id 
  • event_type 
  • initiated_by.id
  • initiated_by.type
  • initiated_by.username
  • auth_method
  • username
RADIUS
  • id 
  • event_type 
  • initiated_by.type 
  • initiated_by.username 
  • client_ip 
  • geoip.timezone 
  • geoip.continent_code 
  • geoip.region_code
  • geoip.country_code 
  • geoip.region_name 
  • auth_type 
  • username
Password Manager
  • id
  • correlation.id
  • correlation.type 
  • event_type
  • resource.type
  • resource.id
  • resource.username
  • resource.recipient_email
  • resource.email_type 
  • resource.name  
  • system_group.type  
  • system_group.object_id 
  • system_group.name 
  • initiated_by.id 
  • initiated_by.type 
  • initiated_by.email  
  • initiated_by.source  
  • initiated_by.username 
  • association.type  
  • client_ip  
  • geoip.timezone  
  • geoip.continent_code  
  • geoip.region_code 
  • geoip.country_code  
  • geoip.region_name  
  • application.id  
  • application.name
  • application.displayName
SSO
  • id 
  • event_type 
  • initiated_by.id 
  • initiated_by.type 
  • initiated_by.username 
  • client_ip 
  • geoip.timezone 
  • geoip.continent_code 
  • geoip.region_code
  • geoip.country_code 
  • geoip.region_name 
  • application.id 
  • application.name 
Software
  • id 
  • event_type 
  • resource.type 
  • resource.id 
  • initiated_by.id 
  • initiated_by.type
  • client_ip 
  • geoip.timezone 
  • geoip.continent_code  
  • geoip.region_code
  • geoip.country_code 
  • geoip.region_name 
  • system.id 
  • system.hostname 
  • application.name 
  • application.version 
  • application.publisher
Systems
  • id 
  • correlation.id 
  • correlation.type 
  • event_type 
  • resource.type 
  • resource.id 
  • resource.username 
  • resource.email
  • resource.name 
  • initiated_by.id 
  • initiated_by.type 
  • initiated_by.email 
  • client_ip 
  • geoip.timezone 
  • geoip.continent_code 
  • geoip.region_code 
  • geoip.country_code 
  • geoip.region_name 
  • system.id 
  • system.hostname 
  • system.displayname 
  • system.osFamily
MDM