The User Activity Database

The user activity database on the Secure Firewall Management Center contains records of user activity on your network detected or reported by all of your configured identity sources. The system logs events in the following circumstances:

  • When it detects individual logins or logoffs.

  • When it detects a new user.

  • When a system administrator manually delete a user.

  • When the system detects a user that is not in the database, but cannot add the user because you have reached your user limit.

  • When you resolve an indication of compromise associated with a user, or enable or disable indication of compromise rules for a user.

Note

If the TS Agent monitors the same users as another passive authentication identity source (such as the ISE/ISE-PIC), the management center prioritizes the TS Agent data. If the TS Agent and another passive source report identical activity from the same IP address, only the TS Agent data is logged to the management center.

You can view user activity detected by the system using the Secure Firewall Management Center. (Analysis > Users > User Activity.)