The Audit Trail module logs actions taken on your Lookout tenant. It includes the following columns:

• Time: The time of the action, displayed in local time. When you export audit events as a CSV file, the listed times are in UTC.
• Actor: The administrator who took the action, including their access level.
• Type: The event type. One of the following:
  • Admin: Created a new MES Console administrator. See the "Tenancy" audit event type to review when the new administrator is actually assigned to the current tenant.
  • Login: User logged in to the console.
  • Policy: Changed a security policy in the Protections module, either by modifying the severity level or by adding a trusted signer / modifying the minimum OS Out-of-Date version, etc.
  • Device: Marked a device as Disconnected, removed the Disconnected status from a device, or deleted a device.
  • Device Group: Changed a device's Device Group.
  • Invite: Sent an email invite
  • Enterprise: Modified the tenant.*
  • Export: An administrator exported data from the console.
  • Feature: Enabled or disabled a feature on the tenant.*
  • Product Settings: Modified product settings on the tenant.*
  • Issue: Updated or ignored an issue.

  • Tenancy: Added an administrator to the active MES Console tenant, or removed them from it.

    * These actions are typically taken by the Lookout Enterprise Support team and have an Actor of "Lookout System".

• Event Details: Additional information, such as the permissions level change for an administrator.

• Target: The target of the change. This might be the tenant itself, the modified issue, or the administrator who had their access level modified. For users, this is the email address if available, otherwise it is the device GUID.

  You can sort the columns by Time, or export this information to a CSV file by clicking the Export List link in the upper-right. You can search the list by email and event type.