Tracking Suspicious SaaS Activities
To access the Suspicious SaaS Activities page, go to the SaaS menu and select Suspicious SaaS Activities.
The Suspicious SaaS Activities page displays all suspicious activities across all applications managed in SaaS Management. The suspicious activities data is updated once a day and only contains usage within the last 30 days.
The following table describes the options that display on the Suspicious SaaS Activities page in the Activity Type column.
|
Activity Type |
Description |
|||||||||
|
Unauthorized |
A user is inactive in the HR Roster and is using an application. Unauthorized activities might be a security risk. Immediately deactivating these unauthorized users from an application helps protect your organization from unauthorized access to company and employee information. |
|||||||||
|
Unrecognized |
A user is not listed in the HR Roster and is using an application. The user’s account may have been created in the SaaS application outside of the normal provisioning process. |
|||||||||
|
Recognized |
This option is only used by a user with the Administer SaaS role or the Manage SaaS applications & users role to identify unrecognized suspicious activities as recognized. Examples:
|
|||||||||
|
Unknown |
An Unknown condition occurs when SaaS Management receives an activity that cannot map to a member on the Application Roster. This is a unique scenario that typically occurs for most managed applications during first-time integration runs. During the first-time Application Access integration task run, SaaS Management pulls in the last 30 days’ events. In contrast, the first-time Application Roster integration task run typically pulls in the current list of app users. Therefore, it could be that SaaS Management recorded activities within the last 30 days associated to users that are no longer on the current list of app users (that is, SaaS Management cannot map the activity to a member on the Application Roster). |
The following subsections explain how to track suspicious SaaS activities across all managed SaaS applications or for a specific managed application.
| • | Tracking Suspicious Activities Across All Managed SaaS Applications |
| • | Tracking Suspicious Activities for a Specific Managed SaaS Application |
Tracking Suspicious Activities Across All Managed SaaS Applications
Important:The Flexera One Administer SaaS role or the Manage SaaS applications & users role is required to deactivate Unauthorized users and to identify Unrecognized suspicious activities as Recognized. For details, see Flexera One Roles.
Complete the following steps for tracking suspicious activities at an organizational level for all managed SaaS applications.
Tracking suspicious activities across all managed SaaS applications:
| 1. | Go to the Suspicious SaaS Activities (SaaS > Suspicious SaaS Activities) page. |
| 2. | Click the Select button. |
| 3. | Select the appropriate suspicious activities for filtering users: |
| • | Unauthorized |
| • | Unrecognized |
| • | Recognized. |
| 4. | Apply any other necessary user filters in the Activity Type table. |
| 5. | Click the Export CSV button. |
| 6. | Send the CSV file to your organization’s contacts with the Administer SaaS role or the Manage SaaS applications & users role to deactivate Unauthorized users or to identify opportunities for further action for Unrecognized users. |
Tracking Suspicious Activities for a Specific Managed SaaS Application
Important:The Flexera One Administer SaaS role or the Manage SaaS applications & users role is required to deactivate Unauthorized users and to identify Unrecognized suspicious activities as Recognized. For details, see Flexera One Roles.
The following instructions help narrow your focus of tracking suspicious activities to a specific managed SaaS application.
To track suspicious activities for a specific managed SaaS application:
| 1. | On the Suspicious SaaS Activities (SaaS > Suspicious SaaS Activities) page, click the appropriate application name in the App column. |
| 2. | When the application’s Overview Tab opens, click the Suspicious Activities Tab. A table displays the user accounts that could be considered suspicious or require further action. |
| 3. | In the Activity Type column, select the appropriate suspicious activities for filtering users: |
| • | Unauthorized |
| • | Unrecognized |
| • | Recognized. |
| 4. | Apply any other necessary user filters in the Suspicious Activities table. |
Note:When filtering suspicious activity by the User column, either the user’s email address or the user’s unique ID displays. The user’s unique ID displays when an email address is not returned from the application’s API integrated with SaaS Management.
| 5. | Click the Export CSV button. |
| 6. | Send the CSV file to your organization’s contacts with the Administer SaaS role or the Manage SaaS applications & users role to deactivate Unauthorized users or to identify opportunities for further action for Unrecognized users. |