Audit device activity
Review logs and events for enrolled endpoints
Threatmatic logs all network flows, policy decisions, application events, and identity verifications for every enrolled device. Use the audit trail to investigate incidents, verify policy enforcement, and meet compliance requirements.
Steps
Open Device Logs
- Go to Devices
- Click on a device name
- Select the Activity tab
Understand the event types
| Event type | Description |
|---|---|
| Flow Allowed | Traffic permitted by policy |
| Flow Blocked | Traffic denied by policy |
| Policy Applied | A policy change was pushed and applied |
| App Detected | A new application was observed |
| App Blocked | An executable was blocked by policy |
| Identity Verified | User or application identity was confirmed |
| Agent Connected | Agent established contact with the control plane |
| Agent Disconnected | Agent lost contact (with timestamp and reason) |
Filter and search
Use the filter bar to narrow results by:
- Time range — last 1h, 24h, 7d, or custom
- Event type — filter to specific event categories
- Source / Destination — IP, hostname, or application label
- Policy — see all events triggered by a specific policy
Export logs
- Apply your desired filters
- Click Export
- Choose CSV or JSON
Logs can also be streamed to your SIEM via the Threatmatic webhook or syslog integration.
To investigate a specific incident, set the time range to the window in question and filter by the affected device or user — then trace flows from Identity Verified through to Flow Allowed or Flow Blocked.
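The investigation walk-through above can be scripted against a JSON export. The script below is an added example, not Threatmatic's own code or export schema: it assumes the export is a list of event objects with `timestamp`, `event_type`, `device`, `user`, `source`, `destination` and `policy` fields (check the real export header before relying on these names), and it embeds a constructed sample export. It applies the same narrowing the filter bar offers (time window, device, user), then groups each Flow Allowed / Flow Blocked event under the Identity Verified event that preceded it on that device, flagging flows that were admitted with no verification on record, and tallies blocks per policy.

```python
"""Trace an incident through a Threatmatic JSON log export.

Added example, not part of the Threatmatic documentation or product.
Field names below are assumptions about the export layout.
"""
import json
from datetime import datetime

# Constructed sample export (fabricated for illustration; not real data).
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:58:00Z", "event_type": "Agent Connected",
     "device": "laptop-17", "user": None, "source": None, "destination": None, "policy": None},
    {"timestamp": "2024-05-01T10:00:05Z", "event_type": "Identity Verified",
     "device": "laptop-17", "user": "alice", "source": None, "destination": None, "policy": None},
    {"timestamp": "2024-05-01T10:00:09Z", "event_type": "Flow Allowed",
     "device": "laptop-17", "user": "alice", "source": "10.0.0.17",
     "destination": "crm.internal:443", "policy": "allow-crm"},
    {"timestamp": "2024-05-01T10:01:30Z", "event_type": "Flow Blocked",
     "device": "laptop-17", "user": "alice", "source": "10.0.0.17",
     "destination": "203.0.113.9:4444", "policy": "deny-egress-default"},
    {"timestamp": "2024-05-01T10:02:00Z", "event_type": "App Blocked",
     "device": "laptop-17", "user": "alice", "source": "updater.exe",
     "destination": None, "policy": "block-unsigned-exec"},
    {"timestamp": "2024-05-01T10:05:00Z", "event_type": "Flow Allowed",
     "device": "desktop-03", "user": "bob", "source": "10.0.0.3",
     "destination": "mail.internal:993", "policy": "allow-mail"},
    {"timestamp": "2024-05-01T12:00:00Z", "event_type": "Flow Blocked",
     "device": "laptop-17", "user": "alice", "source": "10.0.0.17",
     "destination": "203.0.113.9:4444", "policy": "deny-egress-default"},
])

FLOW_TYPES = {"Flow Allowed", "Flow Blocked"}


def parse_ts(value):
    # Timestamps are assumed to be ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(raw_json):
    """Parse the export and return events sorted by time."""
    events = json.loads(raw_json)
    for ev in events:
        ev["ts"] = parse_ts(ev["timestamp"])
    return sorted(events, key=lambda ev: ev["ts"])


def filter_events(events, start, end, device=None, user=None):
    """Narrow to a time window and, optionally, one device and/or user."""
    out = []
    for ev in events:
        if not (start <= ev["ts"] <= end):
            continue
        if device and ev["device"] != device:
            continue
        if user and ev.get("user") != user:
            continue
        out.append(ev)
    return out


def trace_identity_chains(events):
    """Group flow decisions under the Identity Verified event that preceded them.

    Flows seen on a device before any verification land in a chain whose
    'identity' is None: that is the case to look at first, since policy should
    not be admitting traffic for an identity that was never verified.
    """
    current = {}   # device -> chain currently being filled
    chains = []
    for ev in events:
        dev = ev["device"]
        if ev["event_type"] == "Identity Verified":
            current[dev] = {"device": dev, "identity": ev, "flows": []}
            chains.append(current[dev])
        elif ev["event_type"] in FLOW_TYPES:
            if dev not in current:
                current[dev] = {"device": dev, "identity": None, "flows": []}
                chains.append(current[dev])
            current[dev]["flows"].append(ev)
    return chains


def summarize_chain(chain):
    """Condense one chain into counts plus the destinations that were denied."""
    flows = chain["flows"]
    blocked = [f for f in flows if f["event_type"] == "Flow Blocked"]
    return {
        "device": chain["device"],
        "user": chain["identity"]["user"] if chain["identity"] else "UNVERIFIED",
        "allowed": sum(1 for f in flows if f["event_type"] == "Flow Allowed"),
        "blocked": len(blocked),
        "blocked_destinations": sorted({f["destination"] for f in blocked}),
    }


def blocked_by_policy(events):
    """Count Flow Blocked and App Blocked events per policy name."""
    counts = {}
    for ev in events:
        if ev["event_type"] in ("Flow Blocked", "App Blocked"):
            counts[ev["policy"]] = counts.get(ev["policy"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    window = filter_events(evs, parse_ts("2024-05-01T10:00:00Z"),
                           parse_ts("2024-05-01T11:00:00Z"), device="laptop-17")
    for chain in trace_identity_chains(window):
        print(summarize_chain(chain))
    print(blocked_by_policy(window))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and adjusting the field names to match the header of your CSV or JSON download. The unverified-chain case is the one worth alerting on when this runs continuously over a SIEM feed.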
Organization-wide audit log
To view activity across all devices:
- Go to Organization → Audit Log
- Apply filters as needed
The organization audit log also includes admin actions (policy changes, user invites, configuration changes).