Identity provider activity

If authentication is required or optional within a policy and you assign users or groups to access control features in a policy, you can report data on identity provider activity. This includes identity provider sessions where a:
  • Login was attempted
  • Login was successful
  • Login failed
  • A session was restarted as a result of updating a user group.
You must be an ETP super administrator or a user with a specific permission to view this report. For more information, see Enterprise Threat Protector roles.
Note: If a user skips authentication, ETP cannot report username and group information. This information is only recorded in the report when the user authenticates. For more information on authentication, see Authentication policy.
When navigating this report:
  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, and the actual filters applied to data on the page. You can create a filter where you include or exclude data from the listed activity.
  • By default, the data table shows session start time, location, whether authentication is required, internal client IP address, logged activity, and username for a successful login.
  • All the details for the report appear in the table. Aside from viewing this data and adding additional data points to the table, you can add data to a filter to help you review identity provider activity.

If you are a delegated administrator, the data that appears on this page is based on the locations you created and are allowed to access. A tenant administrator cannot view the Identity Provider Activity report.