Security Console
The Security Console is your workspace's one-stop view of every privileged action AxisSynapse records. It surfaces the raw Audit log, the derived security alerts (counter regressions, step-up reuses, impossible-travel, brute-force, policy pressure), and the per-user session management for fast intervention. Compliance teams use it for evidence; security teams use it for incident response.
TL;DR — Open Settings → Security → Security Console. Use the seven filters to narrow the audit log, click any code to see its definition, export the filtered view as CSV or NDJSON, and acknowledge each derived alert as you triage it. Per-user sessions live in the Sessions tab.
The three tabs
The console has three top-level tabs — each answers a different question.
| Tab | What it shows | When to use it |
|---|---|---|
| Audit log | Every recorded action, filterable across seven dimensions. | Use for evidence packs, SOX/SOC 2 walk-throughs, post-incident reconstruction. |
| Security alerts | Derived signals: counter regression, step-up reuse, factor brute-force, policy pressure, impossible-travel. | Use for steady-state security operations — triage queue + acknowledge flow. |
| Sessions | Active sessions across every user, with last-heartbeat timestamps. | Use to revoke a specific session, sign a user out everywhere, or trace an unexpected device. |
Filtering the audit log
Seven filters compose freely; every filter narrows the result set.
| Field | What it does | Accepted values / default |
|---|---|---|
| Time window | When the action happened. | Last 24 h / 7 d / 30 d / custom range. Custom honors the workspace timezone. |
| Actor | Who performed the action. | Pick a user, or filter to system actions (cron jobs, SCIM provisioners, webhooks). |
| Category | Which audit group. | MFA / WebAuthn / SAML / SCIM / Webhooks / Network / Erasure / etc. Multi-select. |
| Severity | Read-side risk level. | Info / Notice / Warning / Critical. Multi-select. |
| Code | Exact audit-action string. | Free-text — matches against the full list at /reference/audit-actions. |
| Subject | Who or what the action affected (target user, target resource). | Pick a user or paste a resource id. |
| IP | Source IP address (or CIDR) of the action. | Useful for tying activity to a specific egress point. |
Exporting
Export gives you the filtered view in two formats. Both are step-up-protected actions (see Step-up authentication).
Click "Export"
A side drawer offers CSV (one row per audit line, columns for every recorded field) and NDJSON (one JSON object per line — streamable for very large exports).
Complete the step-up prompt
The platform asks for a fresh MFA proof — this is an audit-relevant action and its initiator is recorded as part of the export.
Download the file
The file is delivered through a single-use, time-limited URL. The act of downloading itself emits ACCOUNT_AUDIT_LOG_EXPORTED at warning severity — exports are rare, deliberate events.
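Once an NDJSON export is on disk, the same seven filters can be re-applied offline while streaming the file. The script below is an added example, not AxisSynapse code. The field names (ts, actor, category, severity, code, subject, ip), the category and severity values on the sample lines, and the exact-match behavior of the code filter are assumptions; check them against a real export before relying on them.

```python
import io
import ipaddress
import json
from datetime import datetime

# Constructed sample export. Field names and the category/severity values
# are assumptions for illustration, not the product's documented schema.
SAMPLE_NDJSON = """\
{"ts":"2024-05-01T09:00:00Z","actor":"alice","category":"Account","severity":"Warning","code":"ACCOUNT_AUDIT_LOG_EXPORTED","subject":"audit-log","ip":"203.0.113.7"}
{"ts":"2024-05-01T09:05:00Z","actor":"bob","category":"Account","severity":"Notice","code":"ACCOUNT_SESSION_REVOKED","subject":"carol","ip":"198.51.100.20"}
{"ts":"2024-05-01T09:06:00Z","actor":"bob","category":"Account","severity":"Notice","code":"ACCOUNT_SESSIONS_REVOKED_ALL","subject":"carol","ip":"203.0.113.40"}
{"ts":"2024-05-02T10:00:00Z","actor":"alice","category":"Account","severity":"Info","code":"ACCOUNT_SECURITY_ALERT_ACKNOWLEDGED","subject":"alert-001","ip":"203.0.113.7"}
"""

def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def matches(ev, start=None, end=None, actor=None, categories=None,
            severities=None, code=None, subject=None, cidr=None):
    """AND across filters; a multi-select filter matches any listed value."""
    checks = [
        start is None or _ts(ev["ts"]) >= _ts(start),
        end is None or _ts(ev["ts"]) < _ts(end),
        actor is None or ev.get("actor") == actor,
        categories is None or ev.get("category") in categories,
        severities is None or ev.get("severity") in severities,
        code is None or ev.get("code") == code,
        subject is None or ev.get("subject") == subject,
        cidr is None or ipaddress.ip_address(ev["ip"])
            in ipaddress.ip_network(cidr, strict=False),
    ]
    return all(checks)

def filter_export(stream, **filters):
    """Yield matching events line by line so a large export never loads whole."""
    for lineno, line in enumerate(stream, 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON, export may be truncated") from exc
        if matches(ev, **filters):
            yield ev

def run_sample(**filters):
    """Codes of the constructed sample events that survive the given filters."""
    return [ev["code"] for ev in filter_export(io.StringIO(SAMPLE_NDJSON), **filters)]
```

For a real file, pass an open file handle to filter_export in place of the in-memory sample.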
Derived security alerts
Beyond raw audit lines, the console raises alerts when a pattern of activity warrants attention. Each alert has an acknowledge flow: once an admin acks, the alert moves out of the active queue but is preserved in the audit log for review.
| Alert | What triggers it | Severity and recommended response |
|---|---|---|
| Counter regression | A WebAuthn passkey returned a sign counter that went backward — possible cloning. | Severity: Critical. Recommended response: revoke + re-enroll. |
| Step-up replay | A single-use step-up token was presented twice. | Severity: Critical. Recommended response: investigate session, revoke if compromised. |
| Factor brute-force | Repeated failed factor challenges on the same account in a short window. | Severity: Warning. Recommended response: confirm with the user; revoke their sessions if not them. |
| Policy pressure | Repeated blocked actions of the same kind in a short window (e.g. many factor-disable attempts). | Severity: Warning. Recommended response: investigate intent; consider tightening the policy or contacting the user. |
| Impossible travel | Two successful sign-ins from geographically distant locations within a short window. | Severity: High. Recommended response: revoke the further session, contact the user. |
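To make two of these signals concrete while triaging, the sketch below shows how a counter regression and an impossible-travel pair can be computed. It is an added illustration, not AxisSynapse's detector code: the counter check follows the WebAuthn signature-counter rule (which also flags an unchanged nonzero counter), and the speed and distance thresholds and the sample sign-ins are assumptions.

```python
import math
from datetime import datetime

def counter_regressed(stored: int, received: int) -> bool:
    """WebAuthn signature-counter rule: once either side is nonzero, each
    assertion must carry a counter strictly above the stored one."""
    if stored == 0 and received == 0:
        return False           # authenticator does not implement a counter
    return received <= stored  # backward or unchanged: possible clone

def km_between(a, b):
    """Great-circle distance between two (lat, lon) points, in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(signins, max_kmh=900.0, min_km=500.0):
    """Flag consecutive sign-ins by one user that imply travel faster than
    max_kmh. min_km ignores short hops, because IP-to-geo is approximate.
    Both thresholds are assumptions, not product defaults."""
    flagged, last = [], {}
    for user, ts, geo in sorted(signins, key=lambda s: (s[0], s[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            prev_when, prev_ts, prev_geo = last[user]
            km = km_between(prev_geo, geo)
            hours = max((when - prev_when).total_seconds() / 3600, 1e-6)
            if km >= min_km and km / hours > max_kmh:
                flagged.append((user, prev_ts, ts))
        last[user] = (when, ts, geo)
    return flagged

# Constructed sign-ins: (user, ISO time, (lat, lon) as a geo-IP lookup would give).
SAMPLE_SIGNINS = [
    ("alice", "2024-05-01T08:00:00+00:00", (51.5074, -0.1278)),    # London
    ("alice", "2024-05-01T10:00:00+00:00", (-33.8688, 151.2093)),  # Sydney, 2 h later
    ("bob",   "2024-05-01T08:00:00+00:00", (51.5074, -0.1278)),    # London
    ("bob",   "2024-05-01T11:00:00+00:00", (48.8566, 2.3522)),     # Paris, 3 h later
]
```

The zero-counter branch matters in practice: authenticators that never increment their counter report 0 on every assertion, and treating that as a regression would raise a Critical alert on each sign-in.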
Sessions tab
Every signed-in session is recorded with the device, the user agent chrome, the IP, the country (derived from IP), and a heartbeat that updates every few minutes.
Open the Sessions tab
Filter by user, IP, or country. Active sessions are sorted by last-heartbeat descending.
Revoke a specific session
Click Revoke on a row. The session's tokens are invalidated immediately; the device shows the sign-in card on its next request.
Revoke all sessions for a user
Click the user's row → Revoke all. Every session for that user is killed; their next sign-in evaluates the current policy (MFA, network, etc.) from a clean slate.
Sign-out-everywhere on factor change
When a user disables their MFA from their own account, every other active session is revoked automatically. Only the current session, the one the change was made from, is preserved.
Every field, explained
| Field | What it does | Accepted values / default |
|---|---|---|
| Audit-log filter set | Combination of the seven filter axes. | Saved filter sets persist across visits — favorite the ones you use often. |
| Export format | CSV (analyst-friendly) or NDJSON (pipeline-friendly). | Both ship the same columns. |
| Alert acknowledgement | Mark an alert as triaged. | Required to clear the queue. Note + actor + timestamp are recorded. |
| Session row | One row per active session — device, UA, IP, country, heartbeat. | Heartbeat updates every few minutes; sessions that haven't beat in days are auto-expired. |
| Revoke buttons | Per-session revoke or per-user revoke-all. | Immediate. Both emit dedicated audit codes. |
What appears in the audit log
The console writes its own audit lines for actions taken inside it, on top of surfacing the lines from every other surface.
- ACCOUNT_AUDIT_LOG_EXPORTED — every export, with filter set + format recorded.
- ACCOUNT_SECURITY_ALERT_ACKNOWLEDGED — alert acks, with the note + acker.
- ACCOUNT_SESSION_REVOKED — per-session revoke.
- ACCOUNT_SESSIONS_REVOKED_ALL — sign-out-everywhere.
Common gotchas
- "I exported a huge window and the CSV is awkward to open." Use NDJSON instead — Excel chokes on multi-million-row CSVs but every log pipeline streams NDJSON.
- "I ack'd an alert but it came back." The underlying behavior continued and the detector re-fired. Look at the timestamps — a second-instance alert is a new signal, not a stale ack.
- "A user's session shows a country I don't expect." IP-to-geo is approximate. Cross-check with the actual IP and the user's known travel. Don't treat a single geo mismatch as proof of compromise.
- "Sign-out-everywhere didn't sign out my current tab." That's by design — the platform preserves your current session so you don't lock yourself out mid-incident.
- "The filter set I saved doesn't match what I remember." Saved filter sets capture the filter values, not the underlying data. As new audit lines accumulate, the same filter returns more rows.
Troubleshooting
| Error code | What it means | Fix |
|---|---|---|
| EXPORT_TOO_LARGE | The filtered set exceeded the export-size cap. | Narrow the time window or filter further. |
| EXPORT_STEPUP_REQUIRED | The export wasn't preceded by a step-up. | Complete the step-up prompt. |
| SESSION_NOT_FOUND | The session row was revoked between selection and click. | Refresh the page. |
| ALERT_ALREADY_ACK | The alert was acked by another admin before you. | Refresh the page. |