The System Audit Page is where the activity in your ThreatLocker organization is logged.
Navigate to the sidebar and select the Administrators tab. This will take you to the Administrator page. Select the Audit tab at the top right of the page to view the System Audit page.
You can view the System Audit for a single organization, or view activity across all of your organizations by selecting 'Include Child Organizations' in the parent organization's System Audit.
Search Filters
Much like the Unified Audit page, there are multiple filters you can apply when searching this audit to refine your search results. Select the desired filters and then click the 'Search' button.
Start Date and End Date
By default, the start and end date will be midnight to midnight of the current date, but you can select a specific start date and/or end date.
Username
You can search for the activity of all users or a specified user. Type in the username, or leave the field blank to search for all users.
Action
By default, the Action type is set to search for any action. You can search for a specific activity by selecting an action from the dropdown menu.
- Read - shows what was viewed in your ThreatLocker account (e.g. Computers Page, Approval Center, Permit Application).
- Modify - shows any changes made in your ThreatLocker account (e.g. Maintenance Mode, Storage Policy, or Application Policy).
- Create - shows any newly created item in your ThreatLocker account (e.g. Application Policy, Maintenance Mode, or Storage Policy).
- Delete - shows any item that was deleted from your ThreatLocker account (e.g. Application Policy or Organization).
- Logon - shows any logon attempt, whether successful or not.
- Logoff - shows any logoff.
IP Address
You can filter by IP address. You can input an entire IP address or use wildcards when typing the address (e.g. 71.42.17*).
Details
You can input text into the 'Details' field to search for any entry with that text in the 'Details' section (e.g. steam).
Effective Action
Any action will be selected by default, but you can select a specific action from the dropdown menu to view only those actions.
Display Table
The table will display your results. They will be organized by date, with the most recent activity at the top of the table.
The results will show the date and time of the activity, the username that attempted the activity, the action, the IP address and location the user logged in from, details of what was attempted, and the effective action (e.g. permitted or denied).
The screenshot below shows the login activity. In the details section, it shows a Login with SMS Authentication, with the bottom attempt failing and the top attempt succeeding.
Export
The top right corner of the table has an export button, which will download your results as a .csv file.
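Once exported, the .csv can be reviewed offline. The following is an added example, not ThreatLocker code: it reapplies the Action, Username and wildcard IP Address filters described above and summarizes denied logon attempts per user and IP address. The column names, timestamp format, effective-action values and sample rows are assumptions constructed for illustration; adjust them to match your export.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample export, newest first like the results table. Column names,
# timestamp format and "Permitted"/"Denied" values are assumptions: match them
# to the header row and values of your own .csv file.
SAMPLE_CSV = """\
Date,Username,Action,IP Address,Details,Effective Action
2024-05-01 09:14:02,alice@example.com,Logon,203.0.113.7,Login with SMS Authentication,Permitted
2024-05-01 09:13:40,alice@example.com,Logon,203.0.113.7,Login with SMS Authentication,Denied
2024-05-01 09:10:11,bob@example.com,Logon,198.51.100.23,Login with SMS Authentication,Denied
2024-05-01 09:09:58,bob@example.com,Logon,198.51.100.23,Login with SMS Authentication,Denied
2024-05-01 09:09:30,bob@example.com,Logon,198.51.100.23,Login with SMS Authentication,Denied
2024-05-01 08:55:00,carol@example.com,Modify,192.0.2.10,Application Policy,Permitted
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def filter_rows(rows, action=None, ip_pattern=None, username=None):
    """Offline equivalent of the Action, IP Address (* wildcard) and Username filters."""
    return [r for r in rows
            if (action is None or r["Action"] == action)
            and (ip_pattern is None or fnmatchcase(r["IP Address"], ip_pattern))
            and (username is None or r["Username"] == username)]

def logon_summary(rows):
    """Per (username, IP): denied logon count, and whether a permit followed a denial."""
    stats = defaultdict(lambda: {"denied": 0, "permitted_after_denied": False})
    logons = filter_rows(rows, action="Logon")
    for r in sorted(logons, key=lambda r: r["Date"]):  # oldest first
        s = stats[(r["Username"], r["IP Address"])]
        if r["Effective Action"].strip().lower() == "denied":
            s["denied"] += 1
        elif s["denied"]:
            s["permitted_after_denied"] = True
    return dict(stats)

def repeated_denials(rows, threshold=3):
    """(username, IP, count) tuples with at least `threshold` denied logons."""
    return sorted((u, ip, s["denied"]) for (u, ip), s in logon_summary(rows).items()
                  if s["denied"] >= threshold)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for key, s in logon_summary(rows).items():
        print(key, s)
    print("review:", repeated_denials(rows))
```
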