home

Mobile Endpoint Security

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Monitor the Audit Trail

  • Click Settings > Audit Trail to open the Audit Trail module.

The Audit Trail module logs administrative actions taken on your Lookout tenant. Review the audit trail regularly to ensure operations are normal and does not show suspicious actions. It includes the following columns:

  • Time: The time of the action, displayed in local time. When you export audit events as a CSV file, the listed times are in UTC.
  • Actor: The administrator who took the action, including their access level.
  • Type: The event type. One of the following:
    • Admin: Created a new MES SMB Console administrator. See the "Tenancy" audit event type to review when the new administrator is actually assigned to the current tenant.
    • Login: User logged in to the console.
    • Policy: Changed a security policy in the Protections module, either by modifying the severity level or by adding a trusted signer / modifying the minimum OS Out-of-Date version, etc.
    • Device: Marked a device as Disconnected, removed the Disconnected status from a device, or deleted a device.
    • Device Group: Changed a device's Device Group.
    • Invite: Sent an email invite
    • Enterprise: Modified the tenant.*
    • Export: An administrator exported data from the console.
    • Feature: Enabled or disabled a feature on the tenant.*
    • Product Settings: Modified product settings on the tenant.*
    • Issue: Updated or ignored an issue.
    • Tenancy: Added an administrator to the active MES SMB Console tenant, or removed them from it.

      * These actions are typically taken by the Lookout Enterprise Support team and have an Actor of "Lookout System".

  • Event Details: Additional information, such as the permissions level change for an administrator.
  • Target: The target of the change. This might be the tenant itself, the modified issue, or the administrator who had their access level modified. For users, this is the email address if available, otherwise it is the device GUID.

You can sort the columns by Time, or export this information to a CSV file by clicking the Export List link in the upper-right. You can search the list by email and event type.