account

Your account audit

PROFESSIONALEstimated read: 5 min· Updated 2026-06-02

Your account audit

ProfessionalAny user

The Audit tab shows a per-user feed of every action AxisSynapse recorded against your account — sign-ins, MFA changes, profile updates, data-export and erasure milestones, recovery code redemptions. It's your private mirror of the workspace's security log, scoped to actions where you are the subject. Use it to confirm "did I do that?" after any unexpected change, or to spot something you didn't.

TL;DR — Open Account → Audit. Scroll the timeline; click any row to see the full detail. "Report suspicious entry" sends a note to your workspace admin without revealing the audit machinery.

What appears in your feed

FieldWhat it doesAccepted values / default
Sign-in eventsEvery successful and failed sign-in attempt against your account.Both SAML and direct sign-ins. Includes device + IP + country.
MFA + passkey lifecycleEnrollment, verification, rename, revoke, recovery-code generation + redemption.One row per action. Critical-severity rows highlighted.
Profile + preferences changesDisplay name, time zone, locale, avatar, theme, density, notifications.Before-and-after captured per field.
Data-export + erasure milestonesRequest, approval, cooling-off, completion, cancellation, blocked-by-holds.Each milestone with timestamps + actor.
Session activityPer-session revoke and sign-out-everywhere.Each row names the device that was revoked.
PAT lifecyclePersonal access token creation and revocation.One row per token; scope changes are separate rows.

Filtering

The feed is searchable + filterable along the same axes as the workspace Security Console, scoped to your account.

  1. Open Account → Audit

    The default view shows the last 30 days, reverse-chronological.

  2. Use the filter bar

    Pick a time window, a category, or a severity. Multi-select where sensible.

  3. Click a row to expand it

    The expanded view shows every recorded field for that row: the code, the severity, the actor (you / SCIM / a workspace admin / the platform itself), the source IP and country (when relevant), and the before-and-after for any value changes.

Report a suspicious entry

If you see a row you didn't initiate — a sign-in from a country you weren't in, an MFA change you didn't make, a token rotation you don't recognize — click Report suspicious entry.

  1. Click "Report suspicious entry"

    A drawer asks for an optional note and confirms what's being reported.

  2. Submit

    The report opens a security-review item in the workspace Security Console, attached to the row in question. Your admin receives a notification.

  3. Take protective action

    The drawer also offers one-click Sign out everywhere, Reset MFA, and Change password so you can secure your account at the same time.

Reports do not reveal internal triage

The report sends what you saw, plus the row's audit ID. AxisSynapse

  • your admin handle triage; you'll be told the outcome via your notification preferences (see /account/notifications).

Every field, explained

FieldWhat it doesAccepted values / default
Row timestampWhen the action was recorded.In your account time zone. Hover to see UTC.
Action codeThe audit-action string.Click to open the catalogue entry at /reference/audit-actions.
SeverityInfo / Notice / Warning / Critical.Same color-coded scale as the workspace console.
ActorWho or what caused the action.You / a workspace admin / SCIM / the platform itself.
Source IP + countryWhere the action came from.Shown when the action is network-bound (sign-ins, downloads, exports).
Before / afterField-level diff for value changes.Shown for profile / preferences / settings rows.
Report buttonFlag the row as suspicious.Adds it to the admin's review queue with your optional note.

What appears in the audit log

The audit feed is itself the audit log — your view of it. Reading the feed is recorded in aggregate (so per-row volume doesn't explode) and reports are recorded individually.

ACCOUNT_NOTIF_INBOX_READACCOUNT_SECURITY_ALERT_ACKNOWLEDGED
  • ACCOUNT_NOTIF_INBOX_READ — daily aggregate; not per-row.
  • ACCOUNT_SECURITY_ALERT_ACKNOWLEDGED — when an admin marks an alert resolved (visible to you if it referenced your account).

Common gotchas

  • "A sign-in shows a country I wasn't in." IP-to-geo is approximate; cross-check the IP. A single mismatch with the right IP isn't proof of compromise. A repeated mismatch with an unexpected IP is.
  • "The same code fires twice within seconds." A few codes fire on both attempt and verify (sign-in success, factor verify); two rows for one action is normal.
  • "I don't see anything for the last few minutes." The feed is near-real-time but the read-side is cached for a short window. Refresh after a minute.
  • "My admin's actions show in my feed." Only actions where you are the subject (e.g. an admin revoked your session). Actions the admin took elsewhere appear in their feed.
  • "I want to export my feed." Open Account → PrivacyData export — the bundle includes your audit feed as a separate file.

Troubleshooting

| Error code | What it means | Fix | |---|---|---| | AUDIT_FEED_FILTER_INVALID | A filter value didn't parse. | Pick from the dropdown. | | AUDIT_FEED_REPORT_DUPLICATE | The same row was already reported. | One report per row. | | AUDIT_FEED_WINDOW_TOO_LARGE | Requested time window exceeded the per-user cap. | Narrow the window. |

Related

Account security

Manage devices and sessions.

Privacy

Data export + erasure.

Security Console (admin)

Workspace-wide view of the same audit data.