System Audit Page

3 min. readlast update: 06.30.2026

The System Audit page provides a centralized log of activity within your ThreatLocker organization. It records administrative actions, configuration changes, and other system events, allowing you to review who performed an action, what changed, and when the activity occurred.

Accessing the System Audit Page

  1. From the left navigation menu, select Users.
  2. On the Users page, select the Audit tab located in the upper-right corner.

The System Audit page will open, displaying your organization's audit log.

You can view audit activity for the current organization or, if you are viewing the parent organization, enable Include Child Organizations to display audit activity from both the parent organization and all of its child organizations.

Search Filters

Similar to the Unified Audit page, the System Audit page includes several filters that you can use to refine your search results. Select the desired filter criteria, then click Search to display matching audit records.

Start Date and End Date

By default, the start and end date will be midnight to midnight of the current date, but you can select a specific start date and/or end date.

Note: There is no date limitation when searching for data in the System Audit.

Username

You can search for the activity of all users or a specified user. Type in the username or leave blank to search for all. 

Action

By default, the Action type is set to search for any action. You can search for a specific activity by selecting an action from the dropdown menu. 

  • Read - shows what was viewed in your ThreatLocker account (e.g. Computers Page, Approval Center, Permit Application)
  • Modify - shows any changes made in your ThreatLocker account (e.g. Maintenance Mode, Storage Policy, or Application Policy).
  • Create - shows any newly created item in your ThreatLocker account (e.g. Application Policy, Maintenance Mode, or Storage Policy).
  • Delete - show any item that was deleted from your ThreatLocker account (e.g. Application Policy or Organization).
  • Logon - shows any logon attempt, whether successful or not.
  • Full Self Elevation – Shows when a user initiates a Full Self Elevation session, granting temporary elevated privileges on their device.

IP Address

You can filter by IP address. You can input an entire IP address or use wildcards when typing the address (e.g. 71.42.17*).

Details

You can input text into the 'Details' field to search for any entry with that text in the 'Details' section (e.g. Brother).

Effective Action

Any action will be selected by default, but you can select a specific action from the dropdown menu to view only those actions.  

Display Table

The table will display your results. They will be organized by date, with the most recent activity at the top of the table.

The results will show the date and time of the activity, the username that attempted the activity, the action, the IP address and location the user logged in from, details of what was attempted, and the effective action (e.g. permitted or denied).  

The screenshot below shows the login activity. In the details section, it shows two Logins with SMS Authentication, with both attempts succeeding.

Additionally, the following screenshot shows an example of a failed Login attempt.

Export

The top right corner of the table has an export button, which will download your results as a .csv file.

 

 

Was this article helpful?