As an admin of an organization with Credential Protection, reviewing your Activity Log export helps you trace and manage security events within your organization. This guide explains the CSV columns in the export, how each value is determined, and how to correctly read the rows.
Check the Credential Protection logs available to export
The Credential Protection features have several activity logs you can export:
| Log entry | Description |
| Credential Risk Detection |
An admin turned Risk Detection on or off An employee logs in to a website with a compromised password using Dashlane An employee logs in to a website with a weak password using Dashlane An employee logs in to a website with a compromised password while not logged in to Dashlane An employee logs in to a website with a weak password while not logged in to Dashlane An employee logs in to a website with a compromised password while not having a Dashlane account An employee logs in to a website with a weak password while not having a Dashlane account |
| AI Phishing Alerts |
An employee dismissed an AI phishing alert An employee accepted an AI phishing alert An employee entered a password on a site they received an alert about |
| Risk Notifications |
An admin installed or uninstalled a messaging-platform integration (Slack) An admin activated or deactivated a notification A batch of notifications was sent to team members A member received a notification |
| Credential Risk Alerts |
An admin activated or deactivated a Credential Risk Alert An employee received an alert prompting them to change an at-risk password An employee changed an at-risk password following an alert |
Key concept: Login vs. Non-login events
The important thing to understand about the export is that not all events are the same type. The type of event determines which values are populated in the identity columns. It is common for the same employee to appear with different User Identity values across different event types in the same export. This variance is expected behavior due to the login vs. non-login event logic.
-
Login events:
These occur when an employee types a credential (email or username) into a field on a website that Dashlane flagged as at-risk. Because a credential was captured, the User identity shows what was actually typed, which is the most precise identity signal. Examples: Risk detection logs or AI Phishing Detection, where the user submitted credentials.
-
Non-login events:
These occur when no credential was entered on a website. Identity is inferred from the vault login status or device context. The User identity reflects who was logged into Dashlane, or falls back to the device name. Examples: risk notifications received, devices added, admin actions, invite events, and AI phishing alerts dismissed without credential input.
Column definitions
The export contains four Identity columns. Here is what each captures:
-
User Identity:
This is the primary identifier for the person behind the event. For login events, it captures the exact value typed in the username or email field on the website. It may be a full email or a username without a domain. For non-login events, if the employee is logged into their vault, the vault email is shown. If they are logged out or have no vault, the device name is shown as a fallback.
-
Device Name:
This is the name of the managed device where the event was captured, as set by admin or MDM policy. It is populated for every event, regardless of type, and is the most stable identifier in the export. On shared or unmanaged devices, this may be a numeric identifier.
-
Associated Dashlane vault:
This is the email the employee uses to log into their Dashlane vault, only if they were logged in at the time of the event. Use this column to cross-reference the User Identity against your Dashlane user directory. It shows N/A if the employee was logged out or had no vault.
-
Account type:
This classifies the credential used based on whether its domain matches a company-verified domain in Dashlane.
Account type values
Account type is only meaningful for login events. It tells you whether an at-risk credential was a work account or a personal one. The Account type is based on domain matching, so it works best if you have at least one verified domain.
Domain verification for professional plans
-
Professional:
The domain in the username matches a company-verified domain. If a domain is captured but doesn't match the verified list, it may still be considered a "Vault event" and shown as Professional.
-
Personal:
A domain was captured, but it does not match any verified company domain. This means the employee used a non-work email on that website. Whether this is a concern depends entirely on your organization's policy.
-
Unknown:
No domain could be captured from the username, or this is a non-login event. All non-login events return Unknown by design because no credential domain is captured.
-
N/A:
The Account type was not applicable or not captured. An employee dismissed an AI phishing alert on a flagged domain but left the site before entering any credentials. No credential was captured (not a login event), and the employee was not logged into Dashlane. As a result, User Identity uses the device username, and Vault User is N/A. The Device Name is the only identifier available.
Examples and expected behavior
Here is how to interpret common scenarios and edge cases in your export:
-
Work email used on at-risk site:
If a logged-in employee types their work email on an at-risk site, both the User Identity and Dashlane Vault columns will match. Account type will be Professional.
-
Personal email used on at-risk site:
The Dashlane Vault column shows the employee's Dashlane email, while the User Identity shows the personal email they entered. Account type will be Personal. This is expected behavior. Use the Dashlane Vault to identify the employee, and the User Identity to understand what credentials need attention.
-
Username-only credential without a vault session:
If an employee uses a bare username (no domain) and is not logged into Dashlane, the Account type is Unknown and Dashlane Vault is N/A. The User Identity will show the bare username. The Device Name is the only available cross-reference.
-
AI phishing alert dismissed without entering credentials:
Since no credentials were captured, this is a non-login event. If the employee was not logged into Dashlane, the User Identity will show the device name, the Dashlane Vault will be N/A, and the Account type will be Unknown. This is expected by design; use the Device Name to identify the machine.