ThreatSync+ Users

Applies To: ThreatSync+ SaaS

The Users page in the ThreatSync+ UI shows details about user activity and threat detection in Microsoft 365. You can use the information on this page to view detailed information about unusual Microsoft 365 user activity, logins by authorized and unauthorized Microsoft 365 users, and login history.

The Users page enables you to see which users in your organization have the highest threat scores that represent potential risks based on the activity detected by ThreatSync+ SaaS.

This page is only available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses.

To open the Users page, from the ThreatSync+ UI:

  • Select Monitor > ThreatSync+ > Users.
    The Users page opens and shows a list of users in the table.

Screenshot of Users page in ThreatSync+ with a SaaS license

User Details Page

To view details about specific user activity, select a user to open the User Details page.

Screenshot of the Users Details page in ThreatSync+ available with a SaaS license

The User Details page shows information about login and user history. This information includes the user ID associated with the Microsoft 365 user and the current user threat score. The user threat score represents your exposure to cyberattack through Microsoft 365.

The Login History section shows these details:

  • Login Time — The time and date of the user login.
  • Origin — The application the user logged in to. For example, Microsoft 365.
  • From IP — The source IP address of the user activity.
  • Location Last Known — The city, state or province, and country of the last known user location.

The User History section shows these details:

  • Date — The date and time a specific action took place.
  • Action — The action associated with a specific user. For example, Threat Score Update or Threat Score Initialization:
    • Threat Score Update — The threat score is updated after new user activity.
    • Threat Score Initialization — The first recorded threat score of the user.
  • Origin — The application related to the user action. For example, Microsoft 365.
  • Location Last Known — The city, state or province, and country of the last known user location.
  • Access IP — The source IP address of the user for a specific date and time.
  • Threat Score — The threat score associated with the user at the time of the activity. The User History table shows how the threat score changes over time based on user activity. The current user threat score is at the top of the User Details page and it contributes to the overall Network Threat Score. For more information, go to Network Threat Score.

To view additional user pages, such as policy alerts, Smart Alerts, zones, and device activity associated with a user action, click the Access IP address.

You must have a ThreatSync+ NDR license to view Access IP address user details. For more information, go to About ThreatSync+ NDR Licenses.

IP Address details associated with a specific user. This image shows one policy alert associated with a user.

The Total Users and User Activity widgets on the Summary page also show additional user information. For more information, go to About the ThreatSync+ Summary Page.

Related Topics

Monitor ThreatSync+

Configure ThreatSync+