Security Audit Log

The Security Audit Log provides Administrators a record of any changes or logins made to the account.

NOTE: If an Admin is deleted from the account, the logs in the Security Audit Log for that Admin will not be deleted.

The Security Audit Log is available in all paid subscription plans.

Learn about:

Access the Log

From the navigation, click on Settings > Security > Audit.

This report will show any actions that have been performed in the account including logins, user deletions, alarm creations, Agents not reporting and more.

SAA.gif

Similar to other reports, the Security Audit Log can be filtered and allows you to export the information to a CSV file.

Access Log of Non-reporting Agents

The Security Audit also periodically scans for computers considered actively reporting that have gone dormant for a period longer than a typical holiday weekend or out-of-office event. This simplifies account administration, allowing Admins to quickly identify computer Agents that may need to be upgraded or restarted.

Active Agents are defined as those that have logged activity within the last 30 days. Non-reporting active Agents are those that have stopped logging activity for a period of 7 days or more. Contact ActivTrak Support to modify and customize these default thresholds to your organization’s needs.

The relevant data fields for the audit log entry appear as:

Date/Time

UTC time when the report was run

ActivTrak ID

“last-activity-monitor-user@bgrove.com”

Event

ComputersNotReporting

Description

“Active computers (logging last 30 days) not reporting in last 7 days”

Action Type

Update

Action Data

Move the cursor to the eye icon to view action data and open a separate window with the list of identified Computer Agents

 

This scan runs weekly on Sundays and produces a single audit log entry with all computers matching the criteria. If all Agents are reporting properly or do not meet the non-reporting criteria, no audit log entry will be added that week.

ActivTrak-Security-Audit-ComputersNotResponding-Event_Anonymized.gif

Agent_security.png

You can also create an alarm to be actively notified of these entries. See details in the following section.

Create an Alarm

The Security Audit Log also allows alarms to be created based on certain conditions. You can create one of these alarms either by going to Alarms and selecting "Security Audit" when making a new alarm or by clicking on "Create Alarm" at the top of the log.

The interface of the alarm creation page is very similar to an Activity Alarm, but the fields set to trigger the alarm are different:

ActivTrak ID This is the login for the user, i.e., example@youremail.com
Public IP Address The public internet protocol address a user logged in from
Description A detailed description of the activity performed (logged in, deleted users, etc).
Event The Activity performed.
Action Type The type of action taken (logging in, deleting something, creating, etc).

 

Now that the alarm triggers have been set, the action taken must be configured. The Security Audit Alarm provides the option to receive an email notification once it's triggered.

The subject line and email content can both be filled with fields that will change based on who triggers the alarm and when it was triggered. 

SAA2.gif

Commonly Logged Events

The following is a non-exhaustive list of items you may find or search for in the “Event” column of the Security Audit Log:

Generic Actions

  • UserLogin - App Access user logged in
  • ChangePassword - App Access user changed password via ActivTrak Profile page or Admin changed password for a user via App Access page, distinguished by ActivTrak ID
  • ForgotPasswordEmailSent - clicked Forgot password? link
  • ForgotPasswordReset - reset password from email link
  • DownloadAgent - downloaded the agent directly or generated a download link
  • Export - exported data (name of report and filters included in Action Data)

Insights

  • CreateInsightsSchedule - created or reassigned a subscription
  • DeleteInsightsSchedule - deleted a subscription
  • InsightsGroupLevelGoal - changed a group-level goal under Benchmarks & Goals
  • InsightsAccountLevelGoal - changed an account-level goal under Metrics Config
  • InsightsLocationIps - added or removed an IP range under Location Config
  • InsightsLocationIpsExhaustive - toggled whether “Office” IPs are exhaustive on or off

Integrations

  • UpdateGroupMembers - synced groups with Azure AD via the integration; note that this event name also shows when users and/or computers in a group are changed manually in the UI, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID
  • IngestGoogleCalendarData - synced Google Calendar via the integration
  • CreateSchedule - synced Outlook Calendar via the integration; note that this event name also shows when a new schedule is created manually in the UI, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID

Alarms

  • DeleteAlarm - deleted an alarm
  • SaveAlarm - saved an alarm
  • DeleteSelectedScreenshots - deleted screenshot(s)

Settings > Account Configuration

  • UpdatePassiveSettings - changed passive start or passive stop
  • UpdateActiveTimeSettings - changed active cap
  • UpdateRealtimeSettings - toggled screen views on or off, either under Account Configuration or under Team Pulse

Settings > Classification

  • UpdateClassification - assigned or changed the productivity or category of an app or site

Settings > App Access

  • CreateNewUser - added a new App Access user
  • DeleteUsers - deleted an App Access user
  • UpdateUserPrivilege - changed an App Access user’s role; note that this event name also shows when the pages a role can view are changed, but the Description and Action Data columns will provide distinguishing information
  • UpdateViewableGroups - changed an App Access user’s viewable groups
  • UpdateUser - changed whether SSO is required for an App Access user; note that this event name also shows when a tracked user’s alias is changed, but the Description and Action Data columns will provide distinguishing information

Settings > Role Access

  • UpdateUserPrivilege - changed which pages a role can view;  note that this event name also shows when an App Access user’s role is changed, but the Description and Action Data columns will provide distinguishing information
  • PrivateModeDisabled - (for Advanced/Premium plans only) disabled Private Mode
  • PrivateModeEnabled - (for Advanced/Premium plans only) enabled Private Mode

Settings > Users & Groups

  • DelayedDelete - deleted a user or computer and all its associated data
  • DeleteSomeComputers - deleted tracked computer(s)
  • DeleteSomeUsers - deleted tracked user(s)
  • UninstallAgentRemotely - uninstalled the agent from a device from the Computer Agents page; note that remote uninstalls performed in this way also delete historical data, so a DelayedDelete event will log immediately after with the same timestamp
  • UserMerge - scheduled or canceled a user merge
  • UpdateUser - changed a tracked user’s alias; note that this event name also shows when an App Access user’s SSO setting is changed, but the Description and Action Data columns will provide distinguishing information
  • CreateNewGroup - created a group
  • DeleteGroup - deleted a group
  • UpdateGroupMembers - changed users and/or computers in group; note that this event name also shows when groups are updated via sync with Azure AD, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID
  • UpdateGroupName - changed group name
  • UpdateGroupSettings - toggled on-prem ActiveDirectory groups on or off

Settings > Users & Groups > DNT

  • AddUsersToDoNotTrack - added user(s) to DNT manually (log will not trigger for users added to DNT via the Azure AD integration); note that adding users to DNT also deletes historical data, so a DelayedDelete event will log immediately after with the same timestamp
  • RemoverUsersFromDoNotTrack - removed user(s) from DNT (which can only be done manually and not via the Azure AD integration)

Settings > Blocking

  • UpdateBlockingDomain - added, modified, or removed a domain under Blocking

Settings > Scheduling

  • CreateSchedule - created a new schedule; note that this event name also shows when the Outlook calendar is synced, but the ActivTrak ID associated with the integration will be aad-integration-user@bgrove.com as opposed to an App Access user’s ActivTrak ID
  • DeleteSchedule - deleted a schedule
  • MoveUsersToSchedule - moved user(s) to a different schedule
  • UpdateSchedule - changed tracking hours of an existing schedule

Settings > Time Zone

  • ChangeTimezone - changed account time zone

Was this article helpful?

0 out of 1 found this helpful

Comments

No comments