Access Events Dashboard

Provides information about administrator login events and API requests so that you can take action accordingly.


License editions: To understand the applicable license editions, see Plans & Pricing.

Introduction

With the organization's employees spread across the globe, it is critical that only the authorized people in the organization have access to the relevant backed-up data. If you leave this to chance, you risk insider threats or ransomware and several sleepless nights.

The Access Events dashboard shows you upfront the count of all administrator login events, data access events, and API requests, and nudges you to take remedial actions if required. This data helps you gain situational awareness about the backed-up data by gathering events from all products.


❗ Important

Only Druva Cloud administrators can view the Access Events dashboard.


The dashboard displays the following:

  • The total count of administrator logins and API requests from new locations.

  • The restore and download activities performed by administrators and by end users with inSync Client.

  • The locations from where administrators have logged into the Druva management console. The locations are displayed on a map for easy visual reference. You can also view the list of administrators with finer details and do a more detailed analysis of the login activity.

  • The locations from where administrators have made an API request with several important details.

By default, the data is displayed for the last 7 days. You can increase the period from 7 days to 30 days.


💡 Tip

Viewing data for two different periods helps you identify if anything has gone awry in between.


Know your Access Events Dashboard

Let’s take a look at the details that you can view on the Access Events dashboard.

Data Access Events

Whenever any of the following activities are initiated, it's termed as a Data Access event:


💡 Tip

Support for events generated when an inSync administrator downloads Legal Hold data and when an inSync administrator does bulk export is planned for future releases.


Below the map, there is a list of administrators and inSync Client users (only applies for endpoints) who triggered a data access event in the selected time frame. There can be the following types of data access:

  • Admin Restore: Denotes that an administrator initiated a data restore activity.


❗ Important: In the case of VMware, the IP address details are not displayed for admin restore access.

  • Admin Download (Only for Endpoints, Microsoft 365, and Google Workspace): Denotes that an administrator initiated a data download activity.

  • User Restore (Only for Endpoints): Denotes that the inSync Client user initiated a restore.

  • User Download (Only for Endpoints, Microsoft 365, and Google Workspace): Denotes that the inSync Client user initiated a download.


Click the name to view the details of all the events triggered by that individual in the selected time frame. The details page also displays the status of the initiated activities.


This information helps you understand who tried to access the backed-up data during the defined period.

Actions you can take

  • If you find something suspicious while viewing a user's activity details, you can reset the user's password. Click the Manage User button to navigate to the User Details page and reset the password. This will prevent unauthorized people from gaining access to that user's data.

  • Similarly, if you notice something suspicious about an administrator's activities, you can reset the administrator's password. Click the Manage Administrator button to navigate to the Admin Details page and reset the password.

Admin Login Events

This card displays the count of new locations from which Druva administrators attempted to log in to the Management Console. The map shows the geo-locations of the login attempts that were tracked.

You can select All Locations to view the count of Druva administrators who attempted to log in to the console at least once.

The list of administrators who attempted to log in to the console is displayed below the Admin Login Events section. This information helps you to understand which administrators have attempted to log in to the console at least once. The list also displays the following:

  • Job ID: Displays the ID generated by the system at the time when the login was attempted. You can use this ID to identify the attempt with the email alerts that you receive.

  • IP address: The IP address of the device that the administrator used to log in.

  • Location: The city and the country from where the administrator attempted to log in.

  • Login Result: If the login succeeded or failed.

  • Login Time: The timestamp of the activity.

Actions you can take

  • If you find anything suspicious, click the name of the administrator and view the detailed login activity.

  • If you think the behavior is unusual, on the administrator details page, click the Reset Password button to reset the administrator's password.

API Requests

This card displays the count of API request attempts made by Druva administrators from new locations. The map shows the new geo-locations from which the API requests were made.

You can select All Locations to view the count of API requests that were made at least once.

The details and the count of the API requests are displayed below the API Requests section. This information helps you to understand which API requests were made at least once. The list also displays the following:

  • Client ID: The ID used for that API request. Client ID and Secret Key are equivalent to user name and password. Valid credentials provide access to all the Druva APIs and in turn, access to data stored within your Druva environment.

  • Credential Name: The name that was used to generate the Client ID for these API requests.

  • Unique IP Count: The total number of unique IP addresses from where the API requests were made.

  • Total API Requests: The total number of API requests made using the associated Client ID.

Actions you can take

  • If you find anything suspicious, click the name of the Client ID and view the detailed activity. Click any IP address to view the count of API requests made for each API group.

  • If you think that the behavior is unusual, on the Client ID details page, click the Edit Credentials button to view the details of the API credentials and take necessary measures.
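
The same per-Client-ID view can be rebuilt over any request log you keep outside the dashboard. This is an added example, not Druva code or a Druva export format: the records and their tuple layout are constructed, and "new" is assumed to mean a location not seen for that Client ID in the 30 days before the 7-day window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 30)  # constructed "today" for the sample data

# Constructed request records; the tuple layout is hypothetical, not a Druva format.
EVENTS = [
    ("cid-A", "198.51.100.10", "Pune, India", "2024-05-05T09:00:00"),
    ("cid-A", "198.51.100.10", "Pune, India", "2024-05-12T09:00:00"),
    ("cid-A", "198.51.100.10", "Pune, India", "2024-05-25T09:00:00"),
    ("cid-A", "198.51.100.11", "Pune, India", "2024-05-27T09:00:00"),
    ("cid-A", "203.0.113.7", "Frankfurt, Germany", "2024-05-28T02:14:00"),
    ("cid-B", "192.0.2.44", "Austin, United States", "2024-05-29T11:00:00"),
    ("cid-B", "192.0.2.44", "Austin, United States", "2024-05-29T11:05:00"),
    ("cid-C", "198.51.100.20", "Pune, India", "2024-05-10T10:00:00"),
]

def summarize(events, now, window_days=7, baseline_days=30):
    """Per client ID: request total and unique IPs inside the window, plus
    locations seen in the window but not in the baseline that precedes it."""
    window_start = now - timedelta(days=window_days)
    baseline_start = now - timedelta(days=baseline_days)
    recent = defaultdict(list)   # client_id -> [(ip, location)] in window
    known = defaultdict(set)     # client_id -> locations seen in baseline
    for client_id, ip, location, ts in events:
        t = datetime.fromisoformat(ts)
        if window_start <= t <= now:
            recent[client_id].append((ip, location))
        elif baseline_start <= t < window_start:
            known[client_id].add(location)
    report = {}
    for client_id, hits in recent.items():
        seen_before = known.get(client_id, set())
        report[client_id] = {
            "total_api_requests": len(hits),
            "unique_ip_count": len({ip for ip, _ in hits}),
            "new_locations": sorted({loc for _, loc in hits} - seen_before),
            # No history at all: everything looks new, so review the credential itself.
            "no_baseline": client_id not in known,
        }
    return report

if __name__ == "__main__":
    for client_id, row in sorted(summarize(EVENTS, NOW).items()):
        print(client_id, row)
```

A Client ID with `no_baseline` set reports every location as new, so treat it as a prompt to confirm who created the credential instead of as a location anomaly.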
