Skip to main content

Audit logs

In Arculix, you can view and access real-time audit logs, which include detailed data on the context and results of authentication and workstation events.

Audit log summary

  1. Log in to Arculix and from the left navigation, click Home.

    arculix_audit_logs_001.png

  2. In the Show Logs for field, select whether you want to view authentication events by Organization or Current User.

    Organization

    View all events within a specific organization.

    You must be an administrator to view logs by organization.

    arculix_audit_logs_003.png
    Search filters

    • Search by user – Filter your search by user email. You can enter any part of an email address in the search.

    • Search for or select applications – Filter your search by application.

    • Select event time start – Filter your search by the starting date and time of the data event.

    • Select event time end – Filter your search by the ending date and time of the data event.

    Current User

    View events for yourself as the current user logged in to Arculix.

    arculix_audit_logs_004.png
    Search filters

    • Select event time start – Filter your search by the starting date and time of the data event.

    • Select event time end – Filter your search by the ending date and time of the data event.

  3. View the audit logs.

    For an explanation of the event and description types, see Event types and Description types.

    arculix_audit_logs_002.png

    Audit logs by Organization

    arculix_audit_logs_005.png

    Audit logs by Current User

  4. To view more details of an authentication event, click the log entry in the summary list.

    For an explanation of log details, see Audit log details.

Event types

In the Events column of the audit logs summary list, it displays the following event types.

  • Authentication – Login requests to web apps, Credential Provider, RADIUS, and others.

  • Continuous Authentication – Logins to additional resources during an authenticated SSO session.

  • Data Event – Log entry of a data event like the creation or removal of user permissions.

  • Workstation Log – Workstation events such as locked, unlocked, paired, and logged out.

arculix_audit_logs_006.png

Organization audit logs - Event types

arculix_audit_logs_007.png

Current User audit logs - Event types

Description types

In the Description column, it displays a description associated with the event type.

  • MFA Approved – Successful login, approved by the user or automatically via policy.

  • Automatically Approve – Continuous authentication approved by the policy engine.

  • MFA Expired – Login request expired without being approved.

  • MFA Rejected – Login request rejected by the user or due to policy.

  • Pending – Login request pending approval.

  • Logged In – User is logged in to workstation.

  • Logged Out – User is logged out of workstation.

  • Locked – Workstation locked by user, administrator, or policy.

  • Unlocked – Workstation unlocked by user, administrator, or policy.

arculix_audit_logs_008.png

Organization audit logs - Description types

arculix_audit_logs_009.png

Current User audit logs - Description types

Audit log details

  1. In the Audit Logs summary list, click a log entry.

    arculix_audit_logs_010.png

    Click anywhere on a log entry to view details

  2. View details about an authentication event.

    Different types of information are displayed for different events.

    arculix_audit_log_detail_001.png

    Continuous Authentication event details

    arculix_audit_log_detail_002.png

    Authentication event details

    arculix_audit_log_detail_003.png

    Workstation Log event details

Event details

The log details for events can include any of the following:

  • User – User email account that triggered this event.

  • EventType of event that occurred. For example, an authentication event to log in to Arculix.

  • Application – Name of application associated with this event. For example, Arculix Dashboard or SSO portal.

  • Message – Message associated with this event.

  • DescriptionDescription associated with event type. For example, MFA Approved for login to Arculix.

  • Location – Obtained user location where this event occurred.

  • Event type – Result associated with the event, like login, logout and so on.

  • Method – The method associated with the event. For example. Arculix Mobile was used to authenticate and approve log in to the event.

arculix_audit_logs_011.png

LOA Score

The LOA score is a number between 0.0 to 4.0. The higher the LOA the more likely the user is who they claim to be. The overall LOA score is calculated out of the confidence and risk scores generated by the risk analyzers.

arculix_audit_logs_012.png

Active Risk Analyzers

Risk analyzers are responsible for fetching data from different sources and calculating a final score based on the collected information. Each risk analyzer focuses on a specific area and gets a specific kind of data. For example, the IP risk analyzer gets some information about the IP address of the user and generates a score based on that address.

This is a non-inclusive list of built-in risk analyzers:

  • AIML: Provides a score based on the user contextual information provided to the AI/ML engine in Arculix.

  • Auth method: Provides a score based on the authenticator used for the last MFA.

  • DBFP: Provides a score based on the user's browser fingerprint.

  • IP: Provides a score based on the user's IP address.

  • Location: Provides a score based on the user's obtained location. The location will be obtained from the phone or browser and if not provided, falls back to the IP-based location.

Tip

You can click the question mark icon next to each risk analyzer for more information.

arculix_audit_logs_013.png

Description / Workstation System Attributes

Detailed context information in code about about the audit log entry that includes risk analyzer results and workstation configuration.

arculix_audit_logs_014.png
In this section: