Generating an Adaptive Access activity report

You can generate an Adaptive Access activity report from the IBM® Security Verify administrative console.

1. Select Reporting & diagnostics > Reports.
   The tiles for authentication activity, application usage, administrator activity, and multi-factor authentication activity are displayed. The Adaptive access tile shows the summary information for the past 24 hours.
2. Select the View Report link on the Adaptive access tile.
   The summary report for the current day displays

   • The number of total invocations
   • The number of very high risk attempts
   • The number of high risk attempts
   • The number of medium risk attempts
   • The number of low risk attempts

   A color-coded, scalable graphical representation of the number of invocations for the selected time period is displayed. You can move the mouse pointer along the date line to see daily summaries of the risk levels that were detected. The time period can be up to 90 days. The graph scale is based on the data sets and the time is displayed invocation as local time.

   The authentication activity for individual users is also displayed. See Table 1. Select an event to see the details associated with it. See Adaptive Access event details.

3. After the graph, the authentication activity for individual users is displayed.

   Table 1. Individual activity information

   Information	Attributes	Descriptions
   Time Stamp	time	The date and time that the adaptive access event occurred.
   User	User name data.username Realm data.realm	Includes the User name The Unique identifier for logging in to Verify. It can be the same as the email address of the user. Realm The identity source attribute that helps distinguish users from multiple identity sources that have the same user name. This information is displayed in the Users & Groups > Users tab, and in the Edit User dialog box. For the following identity sources: Cloud Directory, the realm value is cloudIdentityRealm. IBMid, the realm value is www.ibm.com. SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity source. OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity source.
   Risk level	data.risk_level	Very high High Medium Low
   Reason	data.decision_reason	Access from a device pending MFA A device was prompted for MFA and the MFA was not completed. In the next session on the same device for the same user, MFA is prompted again. The risk score remains the same from the last session. Access from a known and trusted device The access was made with a device that was previously used by the user. It is a trusted device based on Trusteer’s device intelligence. Access from a known device with a new connection The access was made with a device that was previously used by the user. However, access is through a different internet service provider (ISP), a different geographical location, or a different connection method. Access with a change in device attributes The access was made by using a new device or a known device with significant change in its attributes. Both hardware and software attributes are examined to determine a change in device attributes. Access with a user behavior change Trusteer’s risk engine learns the user behavior by analyzing the access patterns. When change in the user behavior is noticed, an alert is sent. An example of a behavior change is accessing for the first time after working hours. Access including risky device indication The device attributes were determined as risky based on Trusteer’s security intelligence. Trusteer’s security intelligence constantly expands and updates based on deep research and data analysis. Risk service unavailable - medium risk applied The system was unable to complete the risk assessment. The policy action for medium risk level was applied.
   Policy action	data.policy_action	Block (Override) The block action overrides all other decisions in the policy. MFA (Override) The MFA action overrides all other decisions in the policy. Allow (Override) The allow action overrides all other decisions in the policy. Block and redirect The user cannot access the application and is redirect to the specified URL or URI. Block The user is denied. MFA always Always require MFA, even in the same session. MFA per session If not already done, force MFA. Continue The user is allowed without updating the Adaptive user record. Allow The user is allowed.
   Policy	data.policy_name data.policy_id	The policy name and ID that are applied to the event.
   Application	data.applicationname	The name of the application that is accessed.
   Location	data.city data.region data.country	The city, state, and country where the event occurred.
   Device	data.browser data.os	The browser and operating system that were used by the device.
   Client IP	data.origin	The IP address of the device that made the authentication request. The details contain an X-Force IP report link to evaluate the threat value of the address.

   Select an event to see the details associated with it. See Adaptive Access event details.

4. Optional: Select Filters to filter the results.
   You can search by

   Identity

   Filter selections are user name and realm.

   Source

   Filter selections are client IP and location.

   Event details

   Filter selections are risk level, policy name, policy ID, application name, reason, and session ID.

   You can use any combination of filters to refine your results. Select Apply filters to modify the report. The selected filters are displayed above the graph. You can clear the filters by selecting the Reset link.

   Note: The search fields are case-sensitive.
5. Change the date range for the report.
   Select the From and To dates to display the calendar drop downs and select the dates for the report. You can't go back more than 90 days.

   Note: The To date cannot exceed the current date.
6. Select Run Report.
   The Report information is refreshed.
7. Optional: Generate a CSV file for the report.
   1. Click Generate CSV.
   2. Follow the directions in Downloading a CSV report.