Activity & Alerts

How the immutable activity log tracks every event in your tenant, and how email alerts keep your team informed of new findings.

Applies to: Pro (full log), All plans (alerts)
Module: Activity & Alerts
The full activity log requires the Pro plan. Email alert subscriptions are available on all plans (Free plan: 1 recipient, Pro and above: unlimited).

Activity log

Every action in your tenant is recorded in an immutable audit trail. Events are written once and cannot be modified or deleted — by anyone, including IdentityOps staff. Each event includes a timestamp, actor (system or user), action type, and contextual metadata.

Event categories

Events are organized into nine categories. You can filter the activity log by any category to focus your review.

Scan: Scan completions, failures, manual triggers, and baseline establishment.
License: License scan completions, failures, and manual triggers.
Auth: Consent grants, consent status changes, permission denials, and new member joins.
Alert: Alert generation, delivery, delivery failures, and subscription changes.
Lifecycle: App lifecycle transitions, archival/unarchival, ownership confirmations, and risk acknowledgement expirations.
Config: Tenant profile updates, SSO configuration changes, and user tag management.
Developer: API key creation and revocation, webhook endpoint management.
Team: Member invitations, role changes, removals, and invite revocations.
Billing: Subscription upgrades, cancellations, restorations, and payment method updates.

Impact levels

Each event is classified by impact level, which affects its visual prominence in the log and helps you prioritize review.

Critical
High security or access relevance. Consent changes, permission denials, credential expirations.
Operational
Process-relevant events. Scan completions, alert deliveries, lifecycle transitions.
Informational
FYI events. Configuration changes, profile updates, routine operations.

Session grouping

Related events that occur within a 5-minute window are automatically grouped into sessions. For example, a manual scan trigger, scan completion, and subsequent alert delivery appear as a single expandable session rather than three separate entries. This keeps the log clean while preserving full detail when you need it.

24-hour summary

The top of the activity page shows a summary of the last 24 hours: total events, scans completed, configuration changes, and critical events. This gives you a quick pulse check without scrolling through the full log.

Email alerts

Alert subscriptions let you receive email notifications when scans detect new findings. Each subscription has an email address and a severity threshold that controls which alerts are sent.

Severity thresholds

Critical only
Only sends alerts when critical-severity findings are detected. Best for executives or secondary contacts who should only hear about urgent issues.
Warning and above
Sends alerts for both warning and critical findings. Recommended for primary administrators who want full visibility.

Managing alert subscriptions

Alert subscriptions are managed in Settings. You can add recipients, change severity thresholds, or remove subscriptions at any time. Changes to alert subscriptions are logged in the activity trail.

On the Free plan, you can configure one alert recipient. On Pro and above, there is no limit on the number of recipients.

Actions you can take

Filter by category: Narrow the activity log to a specific event type (Scan, Auth, Billing, etc.).
Filter by impact: Focus on Critical events for security review, or Informational for routine auditing.
Filter by actor: Distinguish between System-generated events (scans, alerts) and User-initiated actions (config changes, lifecycle transitions).
Export to CSV or JSON: Download the full activity log for compliance reporting or external analysis.
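
An added example, not IdentityOps code: one way to triage a JSON export offline by regrouping events into 5-minute sessions and keeping only the sessions that contain a Critical event. The field names (`timestamp`, `actor`, `category`, `impact`, `action`), the sample events, and measuring the window from each session's first event are assumptions, since the page does not document the export schema or the exact grouping rule.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # session window stated in "Session grouping"

# Constructed sample export. Field names are assumptions, not a documented schema.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:00:00+00:00", "actor": "user", "category": "Scan",
     "impact": "Operational", "action": "manual scan triggered"},
    {"timestamp": "2024-05-01T09:02:10+00:00", "actor": "system", "category": "Scan",
     "impact": "Operational", "action": "scan completed"},
    {"timestamp": "2024-05-01T09:03:05+00:00", "actor": "system", "category": "Alert",
     "impact": "Operational", "action": "alert delivered"},
    {"timestamp": "2024-05-01T09:40:00+00:00", "actor": "user", "category": "Auth",
     "impact": "Critical", "action": "consent granted"},
    {"timestamp": "2024-05-01T09:41:30+00:00", "actor": "user", "category": "Config",
     "impact": "Informational", "action": "tenant profile updated"},
    {"timestamp": "2024-05-01T09:46:00+00:00", "actor": "system", "category": "Auth",
     "impact": "Critical", "action": "permission denied"},
])

def load_events(raw):
    """Parse the export and return events sorted by parsed timestamp."""
    events = json.loads(raw)
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["ts"])

def group_sessions(events, window=WINDOW):
    """Open a new session when an event is outside the window of the session's first event."""
    sessions = []
    for e in events:
        if sessions and e["ts"] - sessions[-1][0]["ts"] <= window:
            sessions[-1].append(e)
        else:
            sessions.append([e])
    return sessions

def review_queue(sessions):
    """Keep sessions with at least one Critical event, with the context around it."""
    queue = []
    for s in sessions:
        critical = [e["action"] for e in s if e["impact"] == "Critical"]
        if critical:
            queue.append({"start": s[0]["timestamp"], "events": len(s),
                          "critical_actions": critical,
                          "actors": sorted({e["actor"] for e in s})})
    return queue
```

Reviewing Critical events together with the other events in their session shows what else the same actor changed around a consent grant or permission denial.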

Where teams usually go next

Configure scan schedules for continuous monitoring
Review App Governance findings
Explore the API for programmatic access