Reviewing Admin logs

The Admin log page displays all admin activity within Forcepoint ONE SSE.

You can access the Admin logs by navigating to Analyze > Logs > Admin.



Admin Activity/Actions Tracked

In the admin logs, Activity is the high-level activity the admin was performing, while Action is the subcategory: the more specific thing that was interacted with. For example, the Critical activity is a high-level tag for an error/issue, whereas the Deviceprofileerror action is the more specific item that had the issue.

| Activity Name | Description |
|---|---|
| Add | Adding items to the Forcepoint ONE SSE platform (users, objects, apps, etc.). |
| Config | Editing the Forcepoint ONE SSE portal setting configurations. |
| Critical | An error/issue was identified. |
| Deactivate | Admin has deactivated a user on the IAM page. |
| Delete | Deleting items on the Forcepoint ONE SSE platform (users, objects, apps, etc.). |
| Edit | User info has been edited. |
| Endpoint | Log related to an endpoint device with the agent installed. |
| Error | An error/issue was identified. |
| Login | Admin logged into the Forcepoint ONE SSE portal. |
| Logout | Admin logged out of the Forcepoint ONE SSE portal. |
| Restarting | AD sync was restarted. |
| Search | Log related to AD sync and searching/finding users/groups. |
| Start | AD sync was started. |
| System | Log related to the Forcepoint ONE SSE system. |

Action is the more specific action that was taken, if applicable. Activities such as Login/Logout will not have an associated action.

| Action Name | Description |
|---|---|
| Admin | |
| Agent | Logs related to the Forcepoint ONE SSE endpoint agent. |
| Alert | Alerts of events and issues. |
| AppConfig | Admin has made an edit to an application setting configuration. |
| AppPolicy | Admin has made an edit to an application's policy. |
| ConfirmDeactivation | A user requires confirmation for deactivation. |
| Customdomaincategory | Admin has made a change to a custom domain category object. |
| Customregion | Admin has made a change to the custom region (location) object. |
| Datapattern | Admin has made a change to a data pattern object. |
| Deviceprofileerror | Errors directly related to the Forcepoint ONE SSE endpoint agent on a user's device. |
| Directory | All logs related to the Forcepoint ONE SSE Directory Sync integration. |
| Group | Admin has made a change to a group's settings. |
| Groupmigrationtype | |
| Inactivity | Admin was logged out due to inactivity. |
| Membership | User's group membership was modified. |
| Notification | A notification was sent to an admin. |
| NotificationObjects | An admin modified a notification object. |
| OauthApp | Admin modified an OAuth Application. |
| ProfileMatch | Endpoint device logging in matched a device profile object policy (managed vs unmanaged device detection). |
| Syncconfig | Admin made changes to the Active Directory Sync configuration settings. |
| Timeout | Admin timed out due to inactivity and was logged off. |
| User | All logs related to events around a user account (user account was created, modified, deactivated, deleted, etc.). |

The page is set up similarly to the Proxy logs page: you see a map display of admin login locations, the filter card for filtering events or date/time range, and the event logs listed below.



The Event logs will display all admin actions including logins, logouts, device profile matches, configuration/settings changes, etc.