Overview
The User Activity page centralizes up to 30 days of governed GenAI events across your workforce. It helps administrators understand usage, assess risk, investigate potential policy violations, and export records for audit or analysis. Events reflect SurePath AI’s interception of GenAI traffic and include rich context such as user identity, intent, risk level, policy outcome, and request/response details when available.
Available actions and information
Review who used which GenAI services, when, and for what purpose
See risk levels and any violations associated with each request
Open detailed fly-outs for full request context and conversation content
Filter and search to isolate relevant activity
Export a CSV of the currently filtered events for offline analysis or sharing
Prerequisites and access
Administrative access to the SurePath AI admin interface
Identity configuration that maps events to named users (e.g., X‑Authenticated‑User header via SASE or user authentication)
User Activity event list details
Each row in the event list represents a single governed request.
User: Displays the user’s name and email for every request. This identity is derived from your configured authentication method (e.g., SASE header or user authentication) so investigations are tied to a specific person.
Intent: Shows the purpose of the intercepted request as determined by SurePath AI’s intent classification. Intent helps administrators understand what the workforce is using GenAI for (e.g., General, Marketing, Product management) and to track adoption by use case.
Service: The destination GenAI service associated with the event (e.g., ChatGPT, Microsoft 365 Copilot, Claude, Perplexity).
Risk Level: The assessed risk for the request (e.g., Low, Medium). Risk reflects input and output analysis and the presence of any policy detections.
Violations: Any violations identified by policy, when present. If none were detected, this field reads “none.”
Result: The action/outcome taken for the request. See Results glossary below for precise meanings.
Time: The timestamp of the event.
Actions: Quick actions to investigate the event:
Chat bubble icon: opens the Conversation History fly-out to display the user prompt and the service response if available.
Right‑pointing arrow: opens the User Event Details fly-out with technical and policy details about the request.
Results glossary
INTERCEPT: The request was allowed to proceed unaltered through SurePath AI policy.
REDACT: Data was removed from the request due to SurePath AI policy before forwarding to the service.
LOGIN: The user authenticated with SurePath AI before reaching the GenAI service to ensure access was allowed by policy. Conversation content may be available if a prompt occurred after login in the same session.
ACCESS: The user accessed a GenAI service; a prompt may or may not have occurred. When a prompt did occur, conversation content can be available.
PORTAL: The user was not allowed to access a specific GenAI service and was redirected to the SurePath AI portal.
BLOCK: The request was blocked by SurePath AI policy and was not forwarded to the destination service.
ERROR: The request could not be processed due to an error (for example, network, destination service, or policy evaluation failure). Review the event’s details and trace ID for troubleshooting.
Working with events
Filtering
At the top of the page, select Filters to narrow the events displayed. Filters can be combined to focus your investigation (for example, all redactions for a specific team over the last week).
Common filter categories include: Date, Result, Violation, User, Risk Level, and Service.
After choosing one or more filters, apply them to update the event list. All other actions (search and export) operate on the filtered set.
Search
Use the search text box to look for specific words in intercepted GenAI prompts. This helps quickly locate conversations that mention a product name, client, or sensitive topic.
Conversation History fly-out
Click the chat icon in the Actions column to open the Conversation History fly-out. When available, it shows the user’s prompt and the model/service response for that event, allowing point‑in‑time review of exactly what was sent and returned.
Note: Conversation visibility depends on policy configuration and the specifics of each event. If conversation content is not available, the chat icon that opens the Conversation History fly-out will be greyed out.
Permissions
Conversation History can be disabled for specific administrators. Disable the permission named "View User Event Conversation History" within the Admin User's Permissions to prevent access.
Configuration steps:
In the admin console, go to Users & Groups > Admin Users.
Select the administrator to update.
Click the Edit button and toggle off View User Event Conversation History in the Permissions section.
Save changes.
User Event Details fly-out
Click the right‑pointing arrow in the Actions column to open the User Event Details fly-out. This view provides deeper context for investigations, including:
User identity, service name, and classified intent
Policy review (PII entities, content controls, routing, and any violations)
Risk Assessment with input and output analysis
Request details such as type (browser/API), request domain, start/end time, duration, IP addresses, user agent, and the event’s trace ID
Exporting events
At the bottom of the page, click EXPORT to download a CSV containing all events matching the current filters. This is ideal for sharing, ad‑hoc analysis in spreadsheets, or importing into other tools. For automated exports and long‑term retention, see the separate “Exporting User Activity Logs” guide.