Viewing Data Analytics

SailPoint Accelerated Application Management (SAAM) analytics are a flexible method for administrators to log, query, and visualize data insights for security teams to track priority risks for their organization.

The SAAM platform provides aggregated data in both streaming log and visualized dashboard representations. All data represented in SAAM is sourced from a centralized audit log and presented in either a visualization or streaming log format.

Activity Logs

When a user views a website in their browser, the browser extension records metadata of the activity such as browser version and URL of the website, and stores it as an event in the activity log.

Logs can be filtered based upon the web category of the user event. Log web filters include:

  • All - All audit logs associated with a SAAM tenant.
  • Identity - Identity-specific user events that display typed usernames, login methods, application URLs, and identity risks.
  • GenAI - User events that show Generative AI-specific applications, users, and any data activity associated with them.
  • Data - Data-specific user events around user download/upload events, applications/URLs used, and filenames.
  • OAuth - Authorization-specific user events that show whenever users perform authorization-level events, and the scopes associated with them, from a provider such as Microsoft, Google, etc.

Log queries can be created to further filter the activity log, and you can create a visualization to show a graphical representation of the log data.

To view an activity log:

  1. Select Logs from the left hand pane.
  2. Select Web and choose the desired web filter tab.
  3. Select an entry to view the event's metadata.

Building a Basic Log Query

Basic log queries can be created by selecting the filter dropdowns to refine your search criteria.

To build a basic log query:

  1. Select Logs from the left hand pane.
  2. Select Web and choose the desired web filter tab.
  3. Select the filter dropdowns to refine your search.
    • Last 7 days - select the desired time frame for the logs to be evaluated within.
    • Department - select the desired department.
    • Log Level - select the desired log level.
  4. Select More Filters to further filter based upon specific domains, users, risky actions, and applications.

The log results are displayed based upon your selected log query. To save your query, select the Database icon next to the Log search box, and select Save as new query.

Building Advanced Log Queries

Custom log queries can be created using the log search box. Log queries for specific use cases can be built using predefined log query syntax and combined with AND, OR, NOT, AND NOT, and TO operators.

To build an advanced log query:

  1. Select Logs from the left hand pane.
  2. Select Web and choose the desired web filter tab.
  3. Enter the required syntax into the search box.
  4. Select the Database icon next to the Log search box, and select Save as new query.

Once the advanced log query has been saved, you can create a visualization to view a graphical representation of the log data.

The table below shows example advanced queries for common use cases.

| Category | Use Case | Syntax Example |
| --- | --- | --- |
| App-Based Log Query | Parse out all logs associated with Microsoft apps, excluding SharePoint. | app:Microsoft AND NOT app:"Microsoft Sharepoint" |
| Risk-Based Log Query | Users entering weak corporate credentials. | action.keyword:"Risky Sign-in" AND password_strength:{1 TO 3} AND is_business:true |
| Reused Passwords Query | Surface corporate credential reuse where SAAM has a medium or high confidence level of this risk. | action.keyword:"Risky Sign-in" AND is_business:true AND reused_passwords:* AND NOT risk_confidence:RISK_CONFIDENCE_LOW |

Risk-Based Log Query

NOTE: Password strength is determined by a zxcvbn password strength evaluator.

The syntax example surfaces events where a user has performed a Risky Sign-in action (action.keyword), has a very weak, weak, or medium password (password_strength:{1 TO 3}), and is using corporate credentials with a corporate username (is_business:true).

Reused Passwords Query

This syntax example surfaces corporate credential reuse (the action.keyword, is_business, and reused_passwords:* filters) and prioritizes results with a more accurate confidence of credential reuse (risk_confidence). Note that in this query a wildcard character is used with the reused_passwords attribute to cover all applications against which a user reuses their password. Additionally, this query uses a series of AND operators to connect the filters, as well as an AND NOT operator to remove all logs that have a low confidence associated with password reuse.

Viewing a Specific User's Session

You can view the user details for a specific event. This allows an administrator to trace the URL path the user followed to get to the logged event. This can be helpful when tracing context on how a user navigated and logged into an application.

To follow a specific user's session:

  1. Select Logs from the left hand pane.
  2. Select Web and choose the desired web filter tab.
  3. Right-click on the desired log and select Follow Session.
  4. Select X next to Session to return to the previous log view.  

Log Query Syntax

The table below shows commonly used log query syntax that can be constructed within the log search box. These can be combined using AND, OR, NOT, and AND NOT operators. These operators must be capitalized within a log query.

The following is an example log query that combines multiple attributes: action.keyword:sign-in AND NOT login_method:("Enterprise single sign-on", "Auto detected") AND is_business:true AND NOT app:{{list.IdP}}

Multiple values and examples within a cell are separated by semicolons.

| Query Attribute | Description | Values | Examples |
| --- | --- | --- | --- |
| app | Application name tied to a SAAM log event. This can be presented as the direct application name, a partial name with a wildcard, or a reference to a list using brackets. | Any application name or list value: Google; {{list.idp-apps}} | app:Dropbox; app:Microsoft*; app:{{list.idp-apps}} |
| app_labels | Application category associated with application log events. | Any application category value: "Cloud Storage"; "Project Management"; "File Sharing" | app_labels:"Cloud Storage"; app_labels:"Cloud Storage" OR app_labels:"File Sharing" |
| action.keyword | Action a user is performing on a SAAM log event. | Browse; Sign-in; "Risky Sign-in"; "Credentials Submitted"; Download; Upload; Share; "Authorization Success" | action.keyword:Browse; action.keyword:"Credentials Submitted" |
| user | A username identifying which user is associated with a login event. This is the user that the SAAM extension has authenticated. | paul.bunyan | user:paul.bunyan |
| session_user | The account's username. The value a user enters into a login form on a web page, or retrieved through SSO. | paul.bunyan@company.com; paul*; admin | session_user:"paul.bunyan@company.com"; session_user:paul* |
| profile_user | The username associated with the end user's browser profile. This is not a commonly used log filter attribute. | paul.bunyan@gmail.com | profile_user:"paul.bunyan@gmail.com" |
| url | URLs associated with SAAM log events. | www.bing.com; *google.com; mail.google.com/u/0 | url:www.bing.com; url:*google.com; url:"mail.google.com/u/0" |
| domain | Domains associated with SAAM log events. | bing.com; *microsoft.com | domain:bing.com; domain:*microsoft.com |
| is_business | A boolean value that determines if a username is within the corporate domain. If this is set to true, the query only displays log events for usernames that match the list of business domains. For example, if the domain company.com is in the list of business domains, all users with a username of user@company.com will display. Setting this to false removes all business accounts from the results. | true; false | is_business:true; is_business:false |
| login_method | Attribute that determines how a user authenticated into an application. | "Login form"; "Enterprise single sign-on"; "Consumer single sign-on"; "Auto detected" | login_method:"Login form"; login_method:("Enterprise single sign-on", "Auto detected") |
| permissions | Scope associated with the permissions allowed in a user's authorization event. | Any OIDC scope associated with an authorization event: openid; profile; offline_access | permissions:offline_access |
| credential_risk_types | Attribute that determines the type of risky sign-in associated with a SAAM login event. | Reused; Weak; Compromised; "Shared account"; "No pwd manager"; "No MFA"; "Contains keyword" | credential_risk_types:Weak; credential_risk_types:Reused AND NOT credential_risk_types:"No pwd manager" |
| password_compromised | A boolean value determining if a user's credentials are compromised. | true; false | password_compromised:true; password_compromised:false |
| password_contains_keyword | A boolean value determining if a user's credentials contain a value populated within the password-substrings list. | true; false | password_contains_keyword:true; password_contains_keyword:false |
| password_strength | Numerical attribute from 0-6 that represents password strength as outlined against the zxcvbn password strength evaluator. Use brackets and a TO operator to define a range of values. 0: Single Sign-On; 1: Very Weak; 2: Weak; 3: Medium; 4: Strong; 5: Very Strong. | 0; {1 TO 5} | password_strength:0; password_strength:{1 TO 5} |
| reused_passwords | Application name where the reused password occurs. Set this to a wildcard value to query all apps with password reuse. Query this on a per-app basis to find which apps specifically have a reused credential risk. | *; Microsoft*; Google | reused_passwords:*; reused_passwords:Microsoft*; NOT reused_passwords:Google |
| risk_confidence | Confidence of the SAAM platform in the risk level. | RISK_CONFIDENCE_LOW; RISK_CONFIDENCE_MEDIUM; RISK_CONFIDENCE_HIGH | risk_confidence:RISK_CONFIDENCE_HIGH; NOT risk_confidence:RISK_CONFIDENCE_LOW |
| download_file_type | Type of file involved in a file download event. Wildcard and NOT logic can be used with this attribute. | pdf; *ml; html | download_file_type:pdf; download_file_type:*ml; NOT download_file_type:html |
| upload_file_type | Type of file involved in a file upload event. Wildcard and NOT logic can be used with this attribute. | pdf; *ml; html | upload_file_type:pdf; upload_file_type:*ml; NOT upload_file_type:html |
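
Teams that keep saved queries in version control can check them against the rules on this page before pasting them into the log search box. The following Python linter is an added example, not part of SAAM or SailPoint tooling; the function name lint_query and its rule set (capitalized operators, quoted multi-word values, attribute names from the table, true/false for boolean attributes) are assumptions drawn from this page, and SAAM may accept syntax the linter does not recognize.

```python
import re

# Attribute names copied from the Log Query Syntax table on this page.
KNOWN_ATTRIBUTES = {
    "app", "app_labels", "action.keyword", "user", "session_user",
    "profile_user", "url", "domain", "is_business", "login_method",
    "permissions", "credential_risk_types", "password_compromised",
    "password_contains_keyword", "password_strength", "reused_passwords",
    "risk_confidence", "download_file_type", "upload_file_type",
}
BOOLEAN_ATTRIBUTES = {"is_business", "password_compromised",
                      "password_contains_keyword"}
OPERATORS = {"AND", "OR", "NOT"}  # "AND NOT" arrives as two tokens

# attr:value, where value is "quoted", a (list), a {{list.ref}},
# a {range} or a bare word; anything else is a standalone word.
TOKEN = re.compile(r'''
    (?P<attr>[A-Za-z_.]+):
    (?P<value>"[^"]*"|\([^)]*\)|\{\{[^}]*\}\}|\{[^}]*\}|\S+)
  | (?P<word>\S+)
''', re.VERBOSE)


def lint_query(query):
    """Return a list of problems found in one log query string."""
    problems = []
    for m in TOKEN.finditer(query):
        word, attr, value = m.group("word", "attr", "value")
        if word is not None:
            if word in OPERATORS:
                continue
            if word.upper() in OPERATORS:
                problems.append(f"operator '{word}' must be capitalized")
            else:
                problems.append(f"bare term '{word}': quote multi-word values")
            continue
        if attr not in KNOWN_ATTRIBUTES:
            problems.append(f"unknown attribute '{attr}'")
        if value.startswith('"') and not (len(value) > 1 and value.endswith('"')):
            problems.append(f"unterminated quote in {attr}")
        if attr in BOOLEAN_ATTRIBUTES and value not in ("true", "false"):
            problems.append(f"{attr} expects true or false, got '{value}'")
        is_range = value.startswith("{") and not value.startswith("{{")
        if is_range and " TO " not in value:
            problems.append(f"range in {attr} needs a capitalized TO")
    return problems


if __name__ == "__main__":
    # Constructed query with deliberate mistakes.
    for problem in lint_query("action.keyword:Risky Sign-in and is_business:yes"):
        print(problem)
```

The four example queries shown on this page pass with no findings; the constructed query in the demo reports an unquoted multi-word value, a lowercase operator, and a non-boolean value for is_business.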

Creating Visualizations

Visualizations are a way to create a graphical representation of log data that the SAAM platform has captured. There are two methods of constructing visualizations:

  • Visualization Preview - A temporary visualization of log data for a quick visualization of streaming log data.
  • Visualization Library - A more permanent graphical view of log data. This can be shared with other administrators and be used within Dashboards.

To create a visualization preview from the log menu:

  1. Select the visualization icon from the top right.
  2. Select Visualization type from the left pane.
  3. Select the type of visualization. Options include Bar, Counter, Donut, Line, Pie, and Table.
  4. Additional fields are displayed based upon the selected visualization type.
  5. Configure the additional fields that are required.

You can break down data on a per slice, axis, or row/column basis depending on the visualization type selected.

To create a table of apps visualization from the visualization library:

  1. Go to Settings > Visualization Library.
  2. Select + New visualization.
  3. In the New visualization window choose Web visualization and select Create.
  4. Select the type of visualization. Options include Bar, Counter, Donut, Line, Pie, and Table.
  5. Additional fields are displayed based upon the selected visualization type.
  6. Configure the additional fields that are required.
  7. Select Save in the top right corner of the visualization editor.
  8. Enter a name.
  9. Select Save to save the visualization.

Viewing Dashboards

SAAM comes with out-of-the-box dashboards, providing visibility into SaaS usage, security posture, and identity hygiene across your organization. Each dashboard presents interactive widgets, trend charts, and data.

To view an out-of-the-box dashboard:

  1. Go to Dashboards.
  2. Select the desired dashboard tab from the dashboard ribbon.

SaaS Sprawl Dashboard

The SaaS Sprawl dashboard provides an overview of your organization’s SaaS footprint and helps identify unmanaged or high-risk applications that warrant review. It shows a summary of all known SaaS applications where employees have at least one account authenticated with corporate credentials. Applications represented here exclude unmapped domains and focus on SaaS platforms and custom apps discovered through the browser extension and IdP connector.

Key insights include:

  • Total SaaS apps and total discovered accounts across the environment.
  • SSO adoption rate, highlighting the percentage of SaaS applications accessed through SSO versus direct login.
  • A ranked list of applications recommended for onboarding prioritized by risk score, suggesting which apps should be onboarded to your IdP for centralized access control.
  • Recently adopted SaaS applications, helping you track emerging SaaS usage trends or newly introduced services.

SSO Bypass Dashboard

The SSO Bypass dashboard highlights SSO coverage gaps, focusing on applications that were onboarded to your IdP but still allow local (non-SSO) logins. This helps ensure that once applications are integrated with your IdP, employees are consistently authenticating through managed SSO and not bypassing it through direct credentials. In order to reach this goal you will need to work with the relevant application owners on blocking local access to their apps, where applicable.

In some cases, local access is limited to specific tenants or instances of an application. To investigate such cases, use the Activity Logs to drill down into user and tenant level details.

Gen AI Dashboard

The Gen AI dashboard focuses on Generative AI usage, categorized by tool type, helping you understand how Gen AI is adopted across your organization and assess its security implications.

Key insights include:

  • The total number of Gen AI applications in use.
  • The number of users interacting with Gen AI tools.
  • File uploads to Gen AI services, helping detect potential data exfiltration.
  • Categorized usage breakdowns, including:
    • Text generation tools, such as ChatGPT.
    • Code AI tools.
    • Note-taking or summarization AI tools.
    • Risky AI apps, where data handling or privacy posture requires special attention.

IdP Security Dashboard

The IdP Security dashboard focuses on gaps and weaknesses within your IdP configuration, helping you maintain strong identity governance. The dashboard provides a quick compliance overview and helps identify remediations to strengthen identity security posture.

Key insights include:

  • Inactive accounts that remain enabled in the IdP.
  • Weak MFA enforcement or inconsistent MFA enrollment.
  • Administrative accounts that do not comply with internal security policies, for example those not following a password rotation policy.