ThreatSync+ Users
Applies To: ThreatSync+ SaaS
The Users page in the ThreatSync+ UI shows details about user activity and threat detection in Microsoft 365. You can use this page to view detailed information about unusual Microsoft 365 user activity and login history, and to enable or disable specific users.
The Users page shows which users in your organization have the highest threat scores, which represent potential risks based on the activity detected by ThreatSync+ SaaS.
This page is only available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses.
To open the Users page, from the ThreatSync+ UI:
- Select Monitor > ThreatSync+ > Users.
The Users page opens and shows a list of users in the table.
The Users page shows these details:
- Origin — The application related to the user action. For example, Microsoft 365.
- User ID — The email address of the user.
- Location Last Known — The city, state or province, and country of the last known user location.
- Access IP — The source IP address of the user for a specific date and time.
- Threat Score — The threat score associated with the user at the time of the activity. For more information, go to User History.
- Name — The name of the user.
- Time Last Seen — The date and time the user was last seen.
- Enable State — The remediation status of the user.
  - True — Remediation is enabled.
  - False — Remediation is disabled.
  - NA — The user status cannot be found.
User Details Page
To view details about specific user activity, click a user to open the User Details page.
If there are no policy alerts during the selected time period, user details are not available.
The User Details page shows information about login history, user history, and remediation status of the selected user. This information includes the user ID associated with the Microsoft 365 user and the current user threat score. The user threat score represents your exposure to cyberattack through Microsoft 365.
Perform Actions on Users
ThreatSync+ SaaS for Microsoft 365 includes both manual and automatic remediation actions.
Before You Begin
Before you can perform remediation actions, you must enable remediation in your Microsoft 365 SaaS integration. You can enable remediation for an existing Microsoft 365 SaaS integration or enable remediation when you add a new SaaS integration.
To enable user remediation for an existing SaaS integration:
- Select Configure > ThreatSync+ Integrations > SaaS Integration.
  The SaaS Integrations page opens.
- Click the name of the SaaS integration you want to edit.
  The Edit SaaS Integration page opens.
- To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.
  If you enable or disable remediation for an existing SaaS integration with Microsoft 365, you must reactivate the integration and provide consent for the integration again.
- Click Save.
To enable remediation for a new SaaS integration, go to Create a SaaS Integration.
Perform Manual or Automatic Actions on Users
On the Users page, you can perform these manual actions:
- Enable User/Disable User — Enables or disables the selected user in Microsoft 365. If you disable a Microsoft 365 user, they can no longer log in to their Microsoft 365 account.
To perform automatic remediation through ThreatSync+ SaaS policies, go to Add Custom ThreatSync+ Policies — ThreatSync+ SaaS.
To view the user remediation history of a user, go to ThreatSync+ Audit Logs.
Login History
The Login History section shows these details:
- Login Time — The time and date of the user login.
- Origin — The application the user logged in to. For example, Microsoft 365.
- From IP — The source IP address of the user activity.
- Location Last Known — The city, state or province, and country of the last known user location.
User History
The User History section shows these details:
- Date — The date and time a specific action took place.
- Action — The action associated with a specific user. Actions include:
  - Threat Score Update — The threat score is updated after new user activity.
  - Threat Score Initialization — The first recorded threat score of the user.
  - Enabled — A user is able to log in to Microsoft 365 and connect to Microsoft 365 services.
  - Disabled — A user cannot log in to Microsoft 365 and connect to Microsoft 365 services.
- Origin — The application related to the user action. For example, Microsoft 365.
- Location Last Known — The city, state or province, and country of the last known user location.
- Access IP — The source IP address of the user for a specific date and time.
- Threat Score — The threat score associated with the user at the time of the activity. The User History table shows how the threat score changes over time based on user activity. The current user threat score is at the top of the User Details page and it contributes to the overall Network Threat Score. For more information, go to Network Threat Score.
To view additional user pages, such as policy alerts, Smart Alerts, zones, and device activity associated with a user action, click the Access IP address.
You must have a ThreatSync+ NDR license to view Access IP address user details. For more information, go to About ThreatSync+ NDR Licenses.
The Total Users and User Activity widgets on the Summary page also show additional user information. For more information, go to About the ThreatSync+ Summary Page.