System Audit Page
The System Audit Page is where the activity in your ThreatLocker organization is logged.
Navigate to Security Center > System Audit.
You can view this System Audit per organization, or you can view all your organizations' activity by selecting 'Show audit for all child organizations' in the parent organization's System Audit.
Much like the Unified Audit page, there are multiple filters you can apply when searching this audit to refine your search results. Select the desired filters and then click the 'Search' button.
Start Date and End Date
By default, the start and end date will be midnight to midnight of the current date, but you can select a specific start date and/or end date.
You can search for the activity of all users or a specified user. Type in the username or select it from the dropdown list.
By default, the Action type will be set to search for any action. You can search for specific activity by selecting an action from the dropdown menu.
- Read - shows what was viewed in your ThreatLocker account (e.g. Computers Page, Approval Center, Permit Application).
- Modify - shows any changes made in your ThreatLocker account (e.g. Maintenance Mode, Storage Policy, or Application Policy).
- Create - shows any newly created item in your ThreatLocker account (e.g. Application Policy, Maintenance Mode, or Storage Policy).
- Delete - shows any item that was deleted from your ThreatLocker account (e.g. Application Policy or Organization).
- Logon - shows any logon attempt whether successful or not.
- Logoff - shows any logoff.
You can filter by IP address. You can input an entire IP address, or use wildcards when typing the address (e.g. 71.42.17*).
You can input text into the 'Details' field to search for any entry with that text in the 'Details' section (e.g. putty).
By default, any action will be selected, but you can select a specific action from the dropdown menu to view only those actions.
The table will display your results. They will be organized by date, with the most recent activity at the top of the table.
The results will show the date and time of the activity, the username that attempted the activity, the action, the IP address and location the user logged in from, details of what was attempted, and the effective action (e.g. permitted or denied).
In the screenshot below, you can see login activity. In the details section, you can see it was a Login with SMS Authentication, and you can see that the bottom attempt failed and the top attempt was successful.
There is an export button in the top right corner of the table that will download a .csv file of your results.
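Once exported, the results can be reviewed offline for logon patterns worth a closer look. The following is an added example, not ThreatLocker code: it reads Logon rows from an export, applies the same style of IP wildcard as the filter above, and flags repeated denied logons and denied attempts followed by a permitted one. The column names, the 'Permitted'/'Denied' spellings, the timestamp format and the sample rows are assumptions constructed for illustration, so match them to the header of your own .csv file.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed sample export. Column names, value spellings and the timestamp
# format are assumptions; adjust them to match the header of your own .csv.
SAMPLE_CSV = """Date/Time,Username,Action,IP Address,Details,Effective Action
2024-05-01 09:14:10,alice@example.com,Logon,71.42.17.8,Login with SMS Authentication,Permitted
2024-05-01 09:13:40,alice@example.com,Logon,71.42.17.8,Login with SMS Authentication,Denied
2024-05-01 09:02:00,bob@example.com,Modify,198.51.100.7,Application Policy,Permitted
2024-05-01 08:59:30,bob@example.com,Logon,203.0.113.9,Login with SMS Authentication,Denied
2024-05-01 08:59:10,bob@example.com,Logon,203.0.113.9,Login with SMS Authentication,Denied
2024-05-01 08:58:50,bob@example.com,Logon,203.0.113.9,Login with SMS Authentication,Denied
"""

def load_logons(csv_text, ip_pattern="*"):
    """Return Logon rows, oldest first, whose IP matches a wildcard such as 71.42.17*."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"] == "Logon" and fnmatch(row["IP Address"], ip_pattern):
            row["when"] = datetime.strptime(row["Date/Time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return sorted(rows, key=lambda r: r["when"])

def triage_logons(rows, threshold=3, window=timedelta(minutes=10)):
    """Track denied logons per (user, IP) and flag two patterns worth review."""
    denied = defaultdict(list)
    findings = []
    for r in rows:
        key = (r["Username"], r["IP Address"])
        # Keep only denied attempts that are still inside the time window.
        recent = [t for t in denied[key] if r["when"] - t <= window]
        if r["Effective Action"] == "Denied":
            recent.append(r["when"])
            if len(recent) == threshold:
                findings.append(("repeated_denied", *key, len(recent)))
        elif recent:
            # A permitted logon right after denied attempts from the same IP.
            findings.append(("denied_then_permitted", *key, len(recent)))
            recent = []
        denied[key] = recent
    return findings

if __name__ == "__main__":
    for finding in triage_logons(load_logons(SAMPLE_CSV)):
        print(finding)
```

A single denied attempt followed by a success, as in the SMS authentication example above, is usually a mistyped code; the threshold and window are there to be tuned to your own baseline.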