Once you toggle Allow user authentication data on in Control Hub, user sign-ins and sign-outs are logged and can be retrieved through the public API. You can then view and analyze the data in security applications such as UEBA and SIEM, which can run their machine learning algorithms to discover suspicious and malicious behaviors, detect attack vectors, and identify compromised passwords.

Webex stores the data for 12 months.

View user activities through Webex API

This feature is only available to customers with Pro Pack for Control Hub.
1

Sign in to Control Hub, then under Management, select Organization Settings.

2

In the User authentication data section, toggle Allow user authentication data on.

3

Go to List Security Audit Events to retrieve the data.

View user activities in Control Hub

You can also view and troubleshoot sign-in issues for your users by reviewing their sign-in and sign-out activities in Control Hub.

1

Sign in to Control Hub and go to Management > Security > Audit.

2

Click the Authentication activities tab.

User activities are displayed under the following columns:
  • Status—Indicates whether the sign-in/sign-out attempt was successful or not, such as Success, Failure, and N/A. N/A usually occurs when a user logs out and SLO (Single Logout) configuration is unavailable across Federated IdPs.
  • Time—The timestamp of when the sign-in or sign-out activity occurred.
  • Email address—The email address of the user who signed in or out.
  • Sign in/sign out—The type of activity that was logged.
  • Service—The name of the application accessed by the user, such as Control Hub or Webex Teams iOS. It represents the OAuth client's name that is registered to the Webex identity platform by the Cisco developer or partner developer. If N/A is displayed, it means that this information isn’t maintained or passed from the IdP to the Webex identity platform, as this is part of the SLO in SAML.
  • IP address—The IP address of the user at the time of the activity.
  • Method—Indicates the method of authentication used for signing in. Interactive refers to manual user authentication. It's done by the user. Non-interactive refers to automatic user authentication. It's done for the user.
3

Filter by user activity, specific dates, email address, IP address, or service, to narrow your search results.