Skip to main content

Activity

See who did what across your Level organization. Activity records sign-ins, configuration changes, tag changes, and automation runs, with before-and-after detail and code diffs.

Introduction

Activity is Level's audit trail. It records who did what, when, and what changed, across your whole organization: sign-ins, configuration edits, tag changes, automation runs, monitor and script changes, API key edits, and more.

The global Activity page in the sidebar is the full record. Most sections in Level also have their own Activity tab that shows the same data filtered to that one device, automation, script, monitor policy, or settings area.

If you've ever needed to answer "who changed this and when," or "what did this automation actually do last night," Activity is where you look.

ℹ️ NOTE: Activity is a read-only record. You can search, filter, and expand entries, but you can't edit or delete them. That's the point of an audit trail.

The Activity Page

Click Activity in the left sidebar to open the global record. This is the only Activity view that uses a full table; every other view is a scoped timeline (covered below).

Global Activity

Columns

Each row is one recorded event. The table has five columns:

  • Time: the date and timestamp of the event. The table sorts by Time, newest first, by default.

  • Source: who or what initiated the event, with a sub-label. A technician shows their name and role (for example, "Level Team / Admin"). An automation trigger shows the schedule and trigger type (for example, "Hourly: 1 hour / Hourly"). A monitor that fired remediation shows the monitor name and "Remediation."

  • Activity: a plain-language description of what happened. For example, "Signed in via 2FA," "Created the action NO REBOOT," "Applied tag RAT to Avengers," or "Changed enabled on Check Uptime Daily from true to false."

  • Context: the object the event acted on, with its type underneath. Types include User, Automation, and Device. "Applied tag RAT to Avengers" shows Avengers as the device context.

  • Type: the event category. Values include Access, Automation, Automation configuration, Automation run, Tag, API key, and Custom fields, among others. The full set is the list shown in the Category filter.

ℹ️ NOTE: Source and Context are different on purpose. Source is who acted; Context is what they acted on. An automation can be the Source of a run and the Context of a configuration change, so the same automation name can show up in either column depending on the event.

Searching and Filtering

Search matches against the Activity text, so you can type a tag name, an action name, or a device name to narrow the list.

Click Filters to choose which filter controls to apply. The panel lists three: Category, Source, and Date. Check one to add it as a chip above the table. Each chip has its own dropdown and an X to remove it.

Category filters by event category, the same values shown in the Type column. It's a multi-select list with a search box and Select All. Categories include Access, API key, Automation, Automation configuration, Automation run, and Custom fields, among others. The list is alphabetical and scrolls.

Source filters by the type of actor that initiated the event: User, API Key, Device, Automation, or Trigger. It's multi-select with a search box.

Date filters by time range. Pick a preset (Today, Yesterday, Last 7 days, Last 14 days, Last 30 days, Last 6 months) or set a custom range with the start and end calendar, then click Apply. The default is All time.

💡 TIP: Add the Category filter and select Access to review sign-in history, or Automation configuration to see every change made to your automations. Pair it with a Date range to scope an audit to a specific window.

Showing and Hiding Columns

Click Columns to show or hide table columns. All five are on by default: Time, Source, Activity, Context, and Type. Click Reset columns to return to the default set.

Activity in Each Section

Most sections in Level have their own Activity tab. It shows the same kind of record as the global page, already filtered to the thing you're looking at, so you don't have to search the full table.

Scoped Activity tabs use a timeline grouped by date (Today, Yesterday, then individual dates) instead of the global table. Entries with a chevron expand to show field-level detail.

Device Activity

Open a device, then go to the Activity tab in the device's sidebar (Devices → [device] → Activity). This shows activity scoped to that one device: the automations and monitors that ran against it, and changes that affected it.

Entries name the trigger and when it ran, like:

  • "Daily: 12:00 AM triggered test on Agent Zero 1"

  • "Friday @ 12AM (Default) triggered Windows Updates on Agent Zero 1"

ℹ️ NOTE: Device Activity shows that an automation ran. To see the full result of a run (status, per-action output, rerun), use the device's automation run history. See Device Automations.

Automation Activity

Open an automation, then go to Activity (Automations → [automation] → Activity). This shows both the runs the automation triggered and the configuration changes made to it.

Activity logs two kinds of entries:

  • Runs: name the trigger and the device. For example, "Monitor: Monitoring - Global / Windows Uptime Exceeds 30 Days triggered on odd-resolution."

  • Configuration changes: record edits like "Level Team created the trigger Monitor: Jacob / Uptime Exceeds 30 Days," plus aggregate actions like "Level Team triggered 3 runs" or "Level Team canceled on DESKTOP-FD3ST4S."

Click the chevron on a configuration entry to expand it. The expanded view shows the field-level state, for example "enabled was true" and "monitor was Uptime Exceeds 30 Days."

💡 TIP: When a trigger stops firing as expected, check Automation Activity for a "deleted the trigger" or "Changed enabled ... from true to false" entry. It's the fastest way to find out whether someone changed the automation rather than the automation breaking.

Script Activity

Open a script, then go to Activity (Scripts → [script] → Activity). This records every saved change to the script, including the code itself.

A change entry summarizes what was saved, for example "Level Team saved 2 changes to Osquery Monitor - Uptime." Expand it to see each individual change.

For a code edit, the change shows the line count delta (for example "+3 −1") and a View changes link.

Click View changes to open the diff panel. It shows the edited code with removed lines in red and added lines in green, line numbers, and a Unified / Split toggle. The panel header names the script, the technician, and the timestamp.

💡 TIP: The diff panel is the audit record for script changes. Use it to confirm exactly what changed in a script before a monitor or automation started behaving differently, without restoring an old version to compare by eye.

Monitor Policy Activity

Open a monitor policy, then go to Activity (Monitors → [policy] → Activity). This records changes to the monitors inside that policy.

A change entry shows a summary like "Level Team saved 3 changes to Detect RAT." Expand it to see what changed at the field level:

  • A new monitor shows its initial settings, like "Set name to Remote Access Tool Detected," "Set severity to critical," "Set auto_resolve to true," and "Set application_names to [...]."

  • A later edit shows what changed, like "installed changed to On" and "Updated application_names: Added Action1, Atera, Datto, N-able, Pulseway, Level, Syncro."

ℹ️ NOTE: Monitor Policy Activity tracks changes to the monitors in the policy. To see alerts those monitors generated and how they were resolved, use Device Alerts or the global Alerts view.

Workspace Activity

Go to Workspace → Activity. This records workspace-level events: sign-ins, tag changes, and changes to custom fields, team, and permissions.

Entries read like:

  • "Level Team signed in via 2FA"

  • "Level Team applied tag RAT to Avengers"

  • "Level Team removed tag JACOB from Avengers"

  • "Level Team created tag NO REBOOT"

Settings Activity

Go to Settings → Activity. This records changes to your settings: API keys, webhooks, integrations, and organization configuration.

Entries record the field that changed and its before-and-after values, for example "Level Team changed description on Read-only API key test 1."

A grouped entry expands to show each individual change. For example, "Level Team saved 2 changes to Level Development" opens into the two underlying changes.

⚠️ WARNING: Settings Activity records that an API key's metadata changed (name, description). It does not display the key's secret value. Treat API keys like passwords and rotate any key you believe is exposed. See API Keys Settings.

Who Can See Activity

The global Activity page is admin-only. Non-admin technicians don't see it in the nav at all.

Everywhere else, Activity follows read alignment: the same permission scoping as the rest of Level. Technicians see the Activity tab on any device, automation, or policy they already have access to, scoped to what their permissions cover. A technician with limited group access sees the per-resource Activity for their groups. They don't get a filtered version of the global page, since they can't open the global page in the first place.

Access to settings-level and workspace-level activity depends on whether the technician can reach those sections at all.

ℹ️ NOTE: Activity scoping is read alignment, not a separate permission. If a technician can already see a device, automation, or policy, they can see its Activity tab. They can't see activity for resources they don't have access to. The one hard gate is the global Activity page itself, which is admins-only regardless of read access.

FAQ

  • What's the difference between Activity and History? Activity is the audit record: who did what, what configuration changed, and a summary of runs. History (and the automation run history under Device Automations) is the execution record: the detailed result of each run, including status, per-action output, and the option to rerun. Use Activity to answer "who changed this," and History to answer "what did this run actually do."

  • Can I edit or delete an Activity entry? No. Activity is read-only by design. You can search, filter, expand, and view diffs, but entries can't be changed or removed.

  • Why do I see fewer entries than a colleague? Activity is scoped to your permissions. You see activity for the device groups and resources you have access to. A colleague with broader access sees more. See Workspace → Permissions.

  • Someone's name shows as the Source but I know an automation did the work. Which is right? Both, at different layers. If a technician manually triggered the run, they're the Source. If a schedule or monitor triggered it, the trigger or monitor is the Source. Check the Source sub-label (role, "Hourly," "Remediation") to tell which.

  • The global Activity table doesn't show the detail I need. Where's the field-level change? The global table is a flat list. For before-and-after values and code diffs, open the scoped Activity tab on the specific automation, script, monitor policy, or settings item and expand the entry.

  • Does Settings Activity expose my API key values? No. It records metadata changes like name and description, not the secret value. The key value is retrievable from Settings → API Keys at any time using the Copy key option.

  • Who can view Activity? Any technician can view Activity, but the records are scoped to what their permissions allow them to see. Settings and Workspace activity require access to those sections. See Workspace → Permissions for how access is configured.

Related Articles
Scripting Overview
Delete Device Action
Settings Activity
Device Activity
Workspace Activity
Did this answer your question?