Viewing a device's events
On the History page, you can view a device's events over a particular period of time. The following types of events are available:
- Location updated events
- User updated events
- System updated events
- Rule triggered events
- Action events

To view a device's History tab, your user role needs to be granted View permissions for Audit Event History. All administrator roles are granted this permission.

To view the event information for a device:
- On any page that shows linked device identifiers in the first column of the results grid, such as the All Devices page in the Devices area, click the link for the device that you want to view. Summarized information about the device shows in the page header.
- Click History.
A new page opens to show a timeline of the device's events, and an overview of the first event in the timeline.

You can use the timeline to view the device's events.
By default, the timeline shows a history of the device's events over the last 30 days, in descending chronological order, but you can change the date range. Events in the History page have the same data retention period as events in Event History.
Depending on the device's event history, one or more of the following items may show on the timeline:

A location updated event occurs when the device moves from one Wi-Fi or OS location to another.
The timeline shows:
- The full street address of the device's new location
- The date and time when the location was detected on the device
- The geotechnology used
To filter the timeline to only show location updated events, click .
If you don't have Address-level View permissions for Geolocation, the timeline only displays the name of the city the device moved to.
- Location updated events are logged only when the Geolocation Tracking policy is activated in the device's policy group, and the device changes its location by more than 100 meters.
- For stolen devices, location updated events are not logged while the theft investigation is open. Note that after it's closed, location information that was collected during the investigation is not included in the device's location history.

A user updated event occurs when user information is updated on the device. The timeline shows what device user information was updated and the new value. To filter the timeline to only show user updated events, click .
The following types of user updated events are supported (depending on the device platform):
- Username: Username of the user who was logged in to the device when an agent connection occurred. If no user was logged in during the most recent agent connection, the last detected username shows. If you are viewing a report and want to see if a user was logged in during the most recent connection, add the Current Username column to the report. If no user was logged in at the time of the connection, "No Data" or two em dashes (— —) show in the column.
- Domain: The name of the device's Windows domain, if applicable.

A system updated event occurs when system information was updated on the device. The timeline shows the property that was updated and the new value. If multiple device properties were updated at the same time, all the changes show in the timeline event. To filter the timeline to only show system updated events, click .
The following system updated events are supported (depending on the device platform):
- System serial number
- System type
- System manufacturer
- System model
- Device name: The name assigned to the device in the operating system. For Chromebooks, device name is not applicable and therefore shows as "Chrome" in the Secure Endpoint Console.
- Full system name: The name assigned to the device in the operating system. For Chromebooks, device name is not applicable and therefore shows as "Chrome" in the Secure Endpoint Console.
- Local IP addresses: The local IPv4 Internet Protocol address that identifies a device that is connected to a private network.
- Public IP addresses: The public IPv4 Internet Protocol address that identifies a device that is connected to the Internet.
Also see About Public IP location updated events.
- Boot device
- System locale
- System directory
- System integrity protection status
- Time zone
- Public IPv6 address
Also see About Public IP location updated events.
- Local IPv6 address

Rule triggered events occur when a rule was triggered for the device. The timeline shows the rule that was triggered. To filter the timeline to only show rule triggered events, click .
To view rule triggered events, your user needs to be assigned a role with View or Manage permissions for Rules. In addition, the following permissions are required:
- Offline freeze rule events: Perform permissions for Freeze Device and Remove Freeze
- Location rules events: Address-level View permissions for Geolocation

An action event occurs when a device action is run on the device. The timeline shows the type of action that occurred. A single device action may create multiple events. For example, when a Freeze request is created for the device, a Device freeze requested event is logged for the device. When the device is actually frozen, a Device frozen event is logged for the device. Each of these events appears separately on the timeline and may have different dates. To filter the timeline to only show action events, click .
The following types of action events are supported:
- Cryptographic wipe events
- File Delete events
- Freeze and Remove Freeze events
- Manage Supervisor Password events
- Message events
- Offline Freeze rule events
- Reach Script events
- Reported missing or stolen events
- Run playbook events
- Unenroll events

Days with no events show as follows in the timeline:
- No changes: no events were logged that day, but events were logged the day before and the day after
- No changes for <#> days: no events logged for two or more consecutive days
- No events to show in this time range: no events logged during the selected date range

To view more information about an event, click anywhere in the event background. The event's overview opens to the right of the work area. The overview displays the type of event, the device name and the date the event occurred. Rule triggered events show the rule that was triggered instead of the device name.
In addition, the following information about each event type is available:

The overview shows all location information available when the device's location changed.
If you don't have Address-level View permissions for Geolocation, the overview shows a warning that additional permissions are required.
Depending on the geolocation technologies available on a device, primary and supporting locations may be shown. For example, if Wi-Fi and OS Location are available, the Wi-Fi location is shown as the primary location and OS Location is secondary.
When multiple technologies are available, the following priority order is applied:
- Wi-Fi
- OS Location
For information about IP Location, see About Public IP location updated events under System updated events.
If a device changes its location by less than 100 meters, no event is logged.
The overview contains the following information:
- Map: a map showing the device's current location
The following icons may show on the map:
- Primary location
- Secondary location
- Secondary location more than 100 kilometers from primary location
Secondary location markers are shown for OS locations only. Markers are not shown for IP locations due to their low accuracy.
- Location: the address of the location that the device moved to, and the geolocation technology used
Click the icon to view more details, such as:
- The estimated accuracy (in meters) of the location
- Details about any other technologies that sent secondary location information (if available)
If the secondary location is less than 100 meters from the primary location, Similar results via <technology> is shown instead of a distance. Similarly, if the location is more than 100 kilometers from the primary location, and therefore may be inaccurate, the following warning shows:
Significant gap between locations.
- The SSID and BSSID of the Wi-Fi access point the device is connected to, if applicable (indicated by an icon)
- The count of nearby Wi-Fi access points that may have been used to calculate the device's primary location, if applicable
To view the SSID and BSSID of each nearby access point, click Show. A signal strength icon indicates the strength of each access point's signal.
Downloading an access point report
To download a report of all detected Wi-Fi access points, click Download. The report includes the following columns:
- Connected
- SSID
- BSSID
- Signal Strength
The value in the Signal Strength column is always a negative number, and the higher the value, the better the signal. For example, -30 (dBm) is a very strong signal, while -85 (dBm) is very weak.
The report is sorted in descending order by the Signal Strength column.
If the device supports Wi-Fi, but a Wi-Fi location is unavailable in the payload, the detected reason shows (for example, Wi-Fi adapter is disabled or Location not found).
To view the detected reason for all devices without a Wi-Fi location, add the Geolocation technology > Wi-Fi error column to the Devices page.
- Shows available IP addresses for each detected network adapter
- Public addresses: The public IPv4 Internet Protocol address that identifies a device that is connected to the Internet.
- Username: Username of the user who was logged in to the device when an agent connection occurred. If no user was logged in during the most recent agent connection, the last detected username shows. If you are viewing a report and want to see if a user was logged in during the most recent connection, add the Current Username column to the report. If no user was logged in at the time of the connection, "No Data" or two em dashes (— —) show in the column.
- Device name: The name assigned to the device in the operating system. For Chromebooks, device name is not applicable and therefore shows as "Chrome" in the Secure Endpoint Console.

- Updated property name
- Old value and new value of the property

- Updated property name
- Old value and new value of the property
If multiple device properties were updated at the same time, each change is shown in the overview.

If the Geolocation setting is enabled, and Wi-Fi and OS locations were unavailable or invalid when the location change occurred, an IP location is reported, and a Public IP location updated event is logged.
IP locations are based on a device's public IP address, and location accuracy is typically low. For this reason, the map is not shown.
The following information about the location is shown:
- The date and time when the IP location was detected on the device
- The city, state/province, and country of the location. Street addresses are not available.
- A note about location accuracy
- The public IP address and Internet Service Provider (ISP) associated with the location

- Rule status (Active or Inactive)
- Date of the most recent rule update (as a relative date, such as 23 days ago)
Hover over the relative date to view the exact date and time in a tooltip.
- User that last updated the rule
- Rule configurations:
- Event that triggered the rule
For Location rules, the specified locations and/or geofence names are listed. They are also shown on a map.
- Action that the rule performs
- Device groups that the rule is assigned to
The event overview shows the current rule configuration.
If the rule has changed since the event, the overview may no longer accurately describe the rule that triggered the event.
If the rule has been deleted, or the device is no longer assigned to the rule, no rule information is available.
You can click Edit to edit the settings, activate or deactivate the rule, or delete the rule when it's no longer required.

- The request ID
- The action description (if provided)
- A summary of the action event details
- The configuration details that were used to create the action request
- (Freeze requests only) The unfreeze code associated with an on-demand or scheduled Freeze request
- (Theft reports only) The theft report status, the reason for the status, and the police report file name (if it was uploaded later)
- Failure reason
For completed Cryptographic Wipe and File Delete (Delete All Files) events, you can download the Certificate of Sanitization. For completed Delete File events, you can download the log file.
If your role is granted the correct permissions, you can click View Action to open the device action request on the Action Requests page of the History area.
If your role is granted the correct permissions, you can click Find this event on other devices to find related events on the Events page of the History area. When you click this button, the Events page opens filtered by the event type. By default, only the last seven days of events are displayed. Modify the Date filter to expand the results.

You can search for events in the timeline using keywords.
To search the timeline:
Enter a keyword for the type of event you are searching for. You can use keywords from any of the supported event types. For example, to search for a change in the username, enter user name in the search field.
The timeline updates to show the events that match the search keywords within the specified date range.

You can use the arrow keys to navigate between events in the selected date range. You can change the page's date range using either the timeline or the date range field.

On the timeline, you can quickly add an additional 30 days of events.
To add more events to the timeline:
At the bottom of the timeline, click Load an additional 30 days.
Any additional events are displayed in the timeline and the date in the date range field is updated to include the days that were added.

To select a new predefined date range, click the date range field above the timeline and select one of the following options:
- Last 7 days
- Last 14 days
- Last 30 days
- Last 90 days
- Last 1 year
The current date is always included in the date range. For example, if you select Last 14 days, the page shows location changes that occurred today and in the 13 days prior.

To specify a date range:
- Click the date range field above the timeline and click Select.
- Click the calendar picker to open it.
- Select a start and an end date in the calendars.
To pick a month, click the month name at the top of the calendar and select the applicable month. Alternatively, you can use the navigation icons to navigate to it.
To pick a year, click the year at the top of the calendar and select the applicable year. Alternatively, you can use the navigation icons to navigate to it.
The calendar picker closes and the selected dates show in the date range field.

You can export the device's events in CSV, Excel, or XML format. When you export events, two reports are generated. The first report contains the location updated events. The second report contains all other events. You can select a predefined date range or you can specify a custom date range.
If your user role isn't granted Address-level View permissions for Geolocation, the report that contains location updated events is not exported.
Depending on the total number of events included in your export, it may take a few minutes to export the report.
The exported reports include columns that show the following information:

Column | Description |
---|---|
Identifier | The unique Electronic Serial Number (ESN) assigned to the Secure Endpoint Agent that is installed on the device |
Device name | The name assigned to the device in the operating system |
Serial number | The identification number assigned to the device by the manufacturer |
Login Username | The name of the user that was logged in when the location was detected |
Payload Created Timestamp | The date and time when the payload of location information was created on the device for upload |
Location Change (Yes/No) | Indicates whether the device changed its location on a particular date |
The following information about the last reported primary location: | |
Primary Technology | The type of geolocation technology used |
Latitude & Longitude | The latitude and longitude of the device |
Address | The address of the device |
Accuracy (meters) | The estimated accuracy of the technology used to locate the device in meters |
The following information about the last reported IP location: | |
Latitude & Longitude (IP) | The latitude and longitude of the IP location |
Address | The address of the IP location |
Internet Service Provider | The ISP associated with the IP location |
The following information about the last reported secondary location, if available: | |
Supporting Technology | The type of geolocation technology used |
Latitude & Longitude (Supporting) | The latitude and longitude of the secondary location |
Address | The address of the secondary location |
The device's IP addresses: | |
Local IP | The local IP addresses (IPv4 and IPv6) of each detected network adapter when the event occurred |
Public IP | The public IP address (IPv4) of the device when the event occurred |
Public IPv6 | The public IP address (IPv6) of the device when the event occurred |
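
The distance thresholds described for the event overview (under 100 meters shows "Similar results", over 100 kilometers shows "Significant gap between locations") can be re-applied when reviewing an exported location report. The following Python is an added example, not part of the product or its documentation; it assumes the coordinate columns hold `lat, lon` text, uses a constructed sample export, and measures distance with the haversine formula, which may differ from what the console computes.

```python
import csv
import io
import math

SIMILAR_M = 100      # under this the overview shows "Similar results via <technology>"
GAP_M = 100_000      # over this it warns "Significant gap between locations"

# Constructed sample export (subset of the columns, made-up values).
SAMPLE_LOCATION_CSV = '''\
Payload Created Timestamp,Primary Technology,Latitude & Longitude,Supporting Technology,Latitude & Longitude (Supporting)
2024-05-01 09:00,Wi-Fi,"49.2827, -123.1207",OS Location,"49.2829, -123.1209"
2024-05-02 09:00,Wi-Fi,"49.2827, -123.1207",OS Location,"49.3000, -123.1207"
2024-05-03 09:00,Wi-Fi,"49.2827, -123.1207",OS Location,"47.6062, -122.3321"
2024-05-04 09:00,Wi-Fi,"49.2827, -123.1207",,
'''


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two points given in degrees."""
    radius = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def parse_pair(cell):
    """Return (lat, lon) from an assumed 'lat, lon' cell, or None if unusable."""
    try:
        lat_s, lon_s = cell.split(",")
        lat, lon = float(lat_s), float(lon_s)
    except (AttributeError, ValueError):
        return None  # empty, missing, or malformed cell
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return lat, lon


def classify(row):
    """Label one export row by the primary-to-supporting distance."""
    primary = parse_pair(row.get("Latitude & Longitude"))
    supporting = parse_pair(row.get("Latitude & Longitude (Supporting)"))
    if primary is None or supporting is None:
        return "no secondary location", None
    distance = haversine_m(*primary, *supporting)
    if distance < SIMILAR_M:
        return "similar results", distance
    if distance > GAP_M:
        return "significant gap", distance
    return "distance shown", distance


def review(csv_text):
    """Return (timestamp, label, distance_m) for every row of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Payload Created Timestamp"], *classify(row)) for row in reader]


if __name__ == "__main__":
    for timestamp, label, distance in review(SAMPLE_LOCATION_CSV):
        print(timestamp, label, None if distance is None else round(distance))
```

Rows labelled "significant gap" are the ones where the two technologies disagree strongly, so either location may be inaccurate.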

Column | Description |
---|---|
Date | The date and time when the event occurred |
Event | The event that occurred. If there are multiple property changes associated with an event, each change shows on a separate row in the exported report. |
Actor | One of the following: |
Device/Object | One of the following: |
Secondary object | The name or identifier of the object that was also affected by the event, such as the request ID of a Freeze request |
Property name | The field or property that was updated |
Old value | The previous value associated with the property |
New value | The new value associated with the property |
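
Because each property change is exported on its own row, reviewing the report usually starts by regrouping rows into events. The following Python is an added example, not part of the product or its documentation; it assumes the CSV headers match the column names above, that rows of one event share the same Date, Event and Device/Object values, and that property names are exported as they are listed on this page. The watchlist and sample rows are constructed.

```python
import csv
import io

# Example watchlist (an assumption, adjust to your environment); the names are
# taken from the system updated properties listed on this page, lower-cased.
WATCHLIST = {
    "system serial number",
    "system integrity protection status",
    "boot device",
    "device name",
}

# Constructed sample export, not real data.
SAMPLE_EVENT_CSV = """\
Date,Event,Actor,Device/Object,Secondary object,Property name,Old value,New value
2024-05-01 09:12,System updated,Agent,LAPTOP-EXAMPLE,,Local IP addresses,10.0.0.5,10.0.0.9
2024-05-02 14:30,System updated,Agent,LAPTOP-EXAMPLE,,System integrity protection status,Enabled,Disabled
2024-05-02 14:30,System updated,Agent,LAPTOP-EXAMPLE,,Boot device,disk0s2,disk2s1
2024-05-03 08:00,User updated,Agent,LAPTOP-EXAMPLE,,Username,alice,bob
"""


def group_changes(csv_text):
    """Rebuild events from the one-row-per-change export.

    Assumption: rows belonging to one event share Date, Event and Device/Object.
    """
    events = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Date"], row["Event"], row["Device/Object"])
        change = (row["Property name"].strip(), row["Old value"], row["New value"])
        events.setdefault(key, []).append(change)
    return events


def flag_watchlisted(csv_text, watchlist=WATCHLIST):
    """Return events in which at least one watchlisted property changed.

    Every change of a flagged event is kept so the reviewer sees what else
    changed at the same time.
    """
    findings = []
    for (date, event, device), changes in group_changes(csv_text).items():
        if any(name.lower() in watchlist for name, _, _ in changes):
            findings.append(
                {"date": date, "event": event, "device": device, "changes": changes}
            )
    return findings


if __name__ == "__main__":
    for finding in flag_watchlisted(SAMPLE_EVENT_CSV):
        print(finding["date"], finding["device"])
        for name, old, new in finding["changes"]:
            print(f"  {name}: {old} -> {new}")
```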
To export the History page:
- Above the timeline, click Export to open the Export History dialog.
- Click the Format field and select one of the following options:
- Click the Date range field and select one of the following options:
- Last 7 days
- Last 14 days
- Last 30 days
- Last 90 days
- Last 1 year
- Select
If you clicked Select:
- Click the calendar picker to open it.
- Select a start and an end date in the calendars. You can select any end date in the past that is up to 365 days from the start date.
To pick a month, click the month name at the top of the calendar and select the applicable month. Alternatively, you can use the navigation icons to navigate to it.
To pick a year, click the year at the top of the calendar and select the applicable year. Alternatively, you can use the navigation icons to navigate to it.
The calendar picker closes and the selected dates show in the date range field.
- Click . The export process starts. Depending on the size of the report, it can take a few minutes to download.
If you exported a report in error, you can cancel the export if it hasn't finished processing. To do so, click
in the export processing dialog. The report export is canceled.
- Open the downloaded reports. If the reports don't download automatically, follow the on-screen instructions that apply to the browser and operating system to save the reports to a location on your computer.
- Navigate to the directory where you saved the reports. By default, the file names include the report name, the device name, and the date and time of the export, in the following formats:
- Event_History_<device name>_yyyy-mm-dd-hh-mm.<file extension>
- Location_History_<device name>_yyyy-mm-dd-hh-mm.<file extension>
Depending on your operating system and browser, if the report names include special characters, the special characters may be removed from the file names or replaced by an underscore (_).
- Open the reports using software that supports the reports' file formats. For example, you can use a spreadsheet application, such as Microsoft Office Excel or OpenOffice Calc, to view an XLSX file.
If you exported an XML formatted report that contains a very large amount of data, we recommend using Notepad++ to view its contents.
- Review the report.
Option | Description |
---|---|
CSV (.csv) with column names | Exports the report (including column headers) in Comma Separated Values (.csv) file format |
CSV (.csv) without column names | Exports the report (excluding column headers) in Comma Separated Values (.csv) file format |
Excel (.xlsx) | Exports the report (including column headers) in Microsoft Excel Open XML Spreadsheet (.xlsx) file format. If the report contains more than 1 million rows, select the CSV format. Reports of this size are not supported in Excel. |
XML (.xml) | Exports the report in Extensible Markup Language (.xml) file format |