Security Audit Log

The Security Audit Log provides Administrators with a record of any changes or logins made to the account. The Security Audit Log is available in all paid plans.

Note: If an Admin is deleted from the account, the logs in the Security Audit Log for that Admin will not be deleted.

Access the Log

From the navigation, click on Settings > Security > Audit.

This report will show any actions performed on the account, including logins, user deletions, alarm creations, Agents not reporting, and more.

Similar to other reports, the Security Audit Log can be filtered and exported to a CSV file.

Access Log of Non-reporting Agents

The Security Audit also periodically scans for computers that are considered actively reporting but have gone dormant for more than a typical holiday weekend or out-of-office event. This simplifies account administration, allowing Admins to quickly identify computer Agents that may need upgrading or restarting.

Active Agents are defined as those that have logged activity within the last 30 days. Non-reporting active Agents are those that have stopped logging activity for 7 days or more. Contact ActivTrak Support to modify and customize these default thresholds to your organization’s needs.

The relevant data fields for the audit log entry appear as:

Date/Time: UTC time when the report was run
ActivTrak ID: “last-activity-monitor-user@bgrove.com”
Event: ComputersNotReporting
Description: “Active computers (logging last 30 days) not reporting in last 7 days”
Action Type: Update
Action Data: Move the cursor to the eye icon to view action data and open a separate window with the list of identified Computer Agents

This scan runs weekly on Sundays and produces a single audit log entry for all computers that match the criteria. If all Agents are reporting properly or do not meet the non-reporting criteria, no audit log entry will be added that week.

Create an Alarm

Security Audit Alarms monitor critical security events in your ActivTrak account and send instant notifications when specific actions occur. These alarms help you track important changes, such as user role modifications, data exports, and configuration updates. Learn more about Security Audit Alarms in our ActivTrak Alarms Overview article.

Commonly Logged Events

The following is a non-exhaustive list of items you may find or search for in the Event column of the Security Audit Log:

Generic actions

UserLogin: App Access user logged in
ChangePassword: App Access user changed password via ActivTrak Profile page or Admin changed password for a user via App Access page, distinguished by ActivTrak ID
ForgotPasswordEmailSent: clicked Forgot password? link
ForgotPasswordReset: reset password from email link
DownloadAgent: downloaded the agent directly or generated a download link
Export: exported data (name of report and filters included in Action Data)

Insights

CreateInsightsSchedule: created or reassigned a subscription
DeleteInsightsSchedule: deleted a subscription
InsightsGroupLevelGoal: changed a group-level goal under Benchmarks & Goals
InsightsAccountLevelGoal: changed an account-level goal under Metrics Config
InsightsLocationIps: added or removed an IP range under Location Config
InsightsLocationIpsExhaustive: toggled whether “Office” IPs are exhaustive on or off

Integrations

UpdateGroupMembers: synced groups with Azure AD via the integration; note that this event name also shows when users and/or computers in a group are changed manually in the UI, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID
IngestGoogleCalendarData: synced Google Calendar via the integration
IngestOutlookCalendarData: synced Outlook Calendar via the integration

Alarms

DeleteAlarm: deleted an alarm
SaveAlarm: saved an alarm
DeleteSelectedScreenshots: deleted screenshot(s)

Settings > Account Configuration

SensitiveDataUpdate: changed between Basic, Advanced, or Full Details
UpdatePassiveSettings: changed passive start or passive stop
UpdateActiveTimeSettings: changed active cap
UpdateRealtimeSettings: toggled screen views on or off, either under Account Configuration or under Team Pulse

Settings > Classification

UpdateClassification: assigned or changed the productivity or category of an app or site
AddCategory: created a new category
DeleteCategories: deleted a category
UpdateCategories: changed a category name

Settings > Access > App Access

CreateNewUser: added a new App Access user
DeleteUsers: deleted an App Access user
UpdateUserPrivilege: changed an App Access user’s role; note that this event name also shows when the pages a role can view are changed, but the Description and Action Data columns will provide distinguishing information
UpdateViewableGroups: changed an App Access user’s viewable groups
UpdateUser: changed whether SSO is required for an App Access user; note that this event name also shows when a tracked user’s alias is changed, but the Description and Action Data columns will provide distinguishing information

Settings > Access > Role Access

UpdateUserPrivilege: changed which pages a role can view; note that this event name also shows when an App Access user’s role is changed, but the Description and Action Data columns will provide distinguishing information
PrivateModeDisabled: (for Advanced/Premium plans only) disabled Private Mode
PrivateModeEnabled: (for Advanced/Premium plans only) enabled Private Mode

Settings > Users & Groups

AddUsersToDoNotTrack: added user(s) to DNT manually (log will not trigger for users added to DNT via the Azure AD integration); note that adding users to DNT also deletes historical data, so a DelayedDelete event will log immediately after with the same timestamp
RemoverUsersFromDoNotTrack: removed user(s) from DNT (which can only be done manually and not via the Azure AD integration)
UserModification: switched a user's tracking from the Users page (“Tracking”: false indicates the user was set to untracked, “Tracking”: true indicates the user was set to tracked); note that this event name is only generated by Early Access (EA) customers of Next-Gen User Management
DelayedDelete: deleted a user or computer and all its associated data
DeleteSomeComputers: deleted tracked computer(s)
DeleteSomeUsers: deleted tracked user(s)
UninstallAgentRemotely: uninstalled the agent from a device from the Computer Agents page; note that remote uninstalls performed in this way also delete historical data, so a DelayedDelete event will log immediately after with the same timestamp
UserMerge: scheduled or canceled a user merge
UpdateUser: changed a tracked user’s alias; note that this event name also shows when an App Access user’s SSO setting is changed, but the Description and Action Data columns will provide distinguishing information
CreateNewGroup: created a group
DeleteGroup: deleted a group
UpdateGroupMembers: changed users and/or computers in group; note that this event name also shows when groups are updated via sync with Azure AD, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID
UpdateGroupName: changed group name
UpdateGroupSettings: toggled on-prem ActiveDirectory groups on or off

Settings > Blocking

UpdateBlockingDomain: added, modified, or removed a domain under Blocking

Settings > Schedules

CreateSchedule: created a new schedule
DeleteSchedule: deleted a schedule
MoveUsersToSchedule: moved user(s) to a different schedule
UpdateSchedule: changed tracking hours of an existing schedule

Settings > Time Zone

ChangeTimezone: changed account time zone
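
Several event names above are ambiguous on their own: UpdateGroupMembers is logged for both manual edits and Azure AD syncs, and DelayedDelete is logged both as a direct deletion and as the side effect of a DNT addition or remote uninstall. The following added example (not ActivTrak code) triages an exported CSV using those two rules. It assumes the export's column headers match the field names shown in this article (Date/Time, ActivTrak ID, Event), and the sample rows are constructed.

```python
import csv
import io

# Assumption: the CSV export uses the field names shown in this article as
# column headers; confirm against a real export before relying on them.
INTEGRATION_ID = "aad-integration-user@bgrove.com"
# Events the article says are followed by a DelayedDelete at the same timestamp.
DELETE_PARENTS = {"AddUsersToDoNotTrack", "UninstallAgentRemotely"}

# Constructed sample rows (timestamps, IDs and values are made up).
SAMPLE_CSV = """\
Date/Time,ActivTrak ID,Event,Description,Action Type,Action Data
2024-03-04 09:15:00,admin@example.com,AddUsersToDoNotTrack,sample,sample,sample
2024-03-04 09:15:00,admin@example.com,DelayedDelete,sample,sample,sample
2024-03-04 10:00:00,aad-integration-user@bgrove.com,UpdateGroupMembers,sample,sample,sample
2024-03-04 11:30:00,admin@example.com,UpdateGroupMembers,sample,sample,sample
2024-03-05 02:41:00,ops@example.com,DelayedDelete,sample,sample,sample
"""


def triage(csv_text):
    """Return (timestamp, ActivTrak ID, reason) for rows that need a human look."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Timestamps at which a deletion is the documented side effect of another action.
    explained = {r["Date/Time"] for r in rows if r["Event"] in DELETE_PARENTS}
    findings = []
    for r in rows:
        when, who, event = r["Date/Time"], r["ActivTrak ID"], r["Event"]
        if event == "DelayedDelete" and when not in explained:
            findings.append((when, who, "direct deletion of a user or computer"))
        elif event == "UpdateGroupMembers" and who != INTEGRATION_ID:
            findings.append((when, who, "manual group membership change"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(" | ".join(finding))
```

The timestamp is compared as an opaque string, so the check works regardless of the export's date format as long as paired events carry identical values.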