At-Risk User Trends

The Top At-Risk User Trends widget shows the number of Office 365 users in your organization triggering high risk events over a period of time. By obtaining and aggregating high risk event data from Trend Micro Vision One and Microsoft Identity Protection, Cloud App Security allows you to learn about the risk trends of Office 365 users in your organization based on more in-depth and comprehensive risk information.


This widget is available only after you have provisioned one or more Office 365 services for your organization.

For Cloud App Security to obtain data from Trend Micro Vision One, make sure you have turned the data upload permission for the data source Email Sensor, Azure AD, or Office 365 on Trend Micro Vision One. Data contributed by Trend Micro Vision One is available only when you select the default organization.

For Cloud App Security to obtain data from Microsoft Identity Protection, make sure you first provision an account for Microsoft Identity Protection.

The high risk events fall into the following categories:

  • Suspicious sign-in activities: sign-in activities with anomalous attributes, such as IP address, location, or browser

  • Suspicious credential activities: activities indicating credential attack or compromise

  • Suspicious user activities: unusual user behavior, such as abnormal permission assignment and suspicious access or configuration

  • Admin confirmed user compromised: user compromise confirmed by administrators

Click a risk category to view or hide the number of users triggering the risk events in this category in the trend graph.

Hover over a point in the trend graph to view details about the triggering users.

Use the drop-down menu to select the time period to view.

Click Go to Operations Dashboard to view more risk information about the users in your organization.

The Operations Dashboard in Trend Micro Vision One aggregates data from wider sources and dimensions to provide you in-depth and comprehensive risk insights.