ThreatSync+ Users
Applies To: ThreatSync+ NDR, ThreatSync+ SaaS
The Users page in the ThreatSync+ UI shows details about user activity and threat detection in Microsoft 365 and VPNs. You can use this page to review unusual Microsoft 365 or VPN user activity and login history, and to enable or disable specific Microsoft 365 users.
The Users page enables you to see which users in your organization have the highest threat scores that represent potential risks based on the activity detected by ThreatSync+.
Microsoft 365 user activity is only available with a ThreatSync+ SaaS or Total NDR license. VPN user activity is only available with a ThreatSync+ NDR or Total NDR license. For more information, go to About ThreatSync+ SaaS Licenses, About ThreatSync+ NDR Licenses, and About Total NDR Licenses.
To open the Users page, from the ThreatSync+ UI:
- Select Monitor > ThreatSync+ > Users.
The Users page opens and shows a list of users in the table.
The Users page shows these details:
- Origin — The application related to the user action. For example, Microsoft 365 or VPN.
- User ID — The ID of the user.
- Location Last Known — The city, state or province, and country of the last known user location.
- Access IP — The source IP address of the user for a specific date and time.
- Threat Score — The threat score associated with the user at the time of the activity. For more information, go to User History.
- Name — The name of the user.
- Time Last Seen — The date and time the user was last seen.
- Enable State — The remediation status of the Microsoft 365 user.
  - True — Remediation is enabled.
  - False — Remediation is disabled.
  - NA — The user status cannot be found.
User Details Page
To view details about specific user activity, click a user to open the User Details page.
If there are no policy alerts during the selected time period, user details are not available.
The User Details page shows information about login history, user history, and remediation status of the selected user. This information includes the user ID associated with the Microsoft 365 or VPN user and the current user threat score. The user threat score represents your exposure to cyberattack through Microsoft 365 or VPN activity.
Perform Actions on Microsoft 365 Users
ThreatSync+ SaaS for Microsoft 365 includes both manual and automatic remediation actions.
Before You Begin
Before you can perform remediation actions, you must enable remediation in your Microsoft 365 cloud integration. You can enable remediation for an existing Microsoft 365 cloud integration or enable remediation when you add a new cloud integration.
To enable user remediation for an existing cloud integration:
- Select Configure > ThreatSync+ Integrations > Cloud Integration.
The Cloud Integration page opens.
- Click the name of the cloud integration you want to edit.
The Cloud Integration Details page opens with the Overview tab open by default.
- Select the Settings tab.
- To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.
If you enable or disable remediation for an existing cloud integration with Microsoft 365, you must reactivate the integration and provide consent for the integration again.
- Click Save.
To enable remediation for a new cloud integration, go to Create a Cloud Integration.
Perform Manual or Automatic Actions on Users
On the Users page, you can perform these manual actions:
- Enable User/Disable User — Enables or disables a user in Microsoft 365. When you select this action, the user is disabled or enabled in Microsoft 365. If you disable a Microsoft 365 user, they can no longer log in to their Microsoft 365 account.
To perform automatic remediation through ThreatSync+ SaaS policies, go to Add Custom ThreatSync+ Policies — ThreatSync+ SaaS.
To view the user remediation history of a user, go to ThreatSync+ Audit Logs.
Login History
The Login History section shows these details:
- Login Time — The time and date of the user login.
- Origin — The application the user logged in to. For example, Microsoft 365 or VPN.
- From IP — The source IP address of the user activity.
- Location Last Known — The city, state or province, and country of the last known user location.
User History
The User History section shows these details:
- Date — The date and time a specific action took place.
- Action — The action associated with a specific user. Actions include:
  - Threat Score Update — The threat score is updated after new user activity.
  - Threat Score Initialization — The first recorded threat score of the user.
  - Enabled — A user is able to log in to Microsoft 365 and connect to Microsoft 365 services.
  - Disabled — A user cannot log in to Microsoft 365 and connect to Microsoft 365 services.
- Origin — The application related to the user action. For example, Microsoft 365 or VPN.
- Location Last Known — The city, state or province, and country of the last known user location.
- Access IP — The source IP address of the user for a specific date and time.
- Threat Score — The threat score associated with the user at the time of the activity. The User History table shows how the threat score changes over time based on user activity. The current user threat score is at the top of the User Details page and it contributes to the overall Network Threat Score. For more information, go to Network Threat Score.
To view additional user pages, such as policy alerts, Smart Alerts, zones, and device activity associated with a user action, click the Access IP address.
You must have a ThreatSync+ NDR or Total NDR license to view Access IP address user details. For more information, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.
The Total Users and User Activity widgets on the Summary page also show additional user information. For more information, go to About the ThreatSync+ Summary Page.
The Total Users and User Activity widgets on the Summary page are only available with a ThreatSync+ SaaS or Total NDR license.