Account Security Monitor
The Account Security Monitor gives every user visibility into their own authentication activity and active sessions. Administrators gain additional controls to view and manage security events across all users in the organization.
Overview
Every authentication event against your Arbitex account is recorded with full context: timestamp, event type, IP address, device information, and GeoIP-enriched location data. The Account Security Monitor surfaces this history through the Cloud Portal and through the security events API.
Auth Event Types
The following 12 event types are recorded in the security history. These match the action values returned by the API and displayed in the Cloud Portal event timeline.
| Event Type | Description |
|---|---|
| `auth.login_success` | Successful interactive login (password or passkey) |
| `auth.login_failed` | Failed login attempt — wrong password, locked account, or unrecognized user |
| `auth.logout` | Explicit logout initiated by user |
| `auth.mfa_enabled` | TOTP or WebAuthn MFA factor enabled on account |
| `auth.mfa_disabled` | MFA factor disabled by user or admin |
| `auth.mfa_verify_success` | MFA challenge completed successfully during login |
| `auth.mfa_verify_failed` | MFA challenge failed (wrong code or expired token) |
| `auth.webauthn_registered` | New WebAuthn passkey registered on the account |
| `auth.webauthn_login` | Successful login using a WebAuthn passkey |
| `auth.webauthn_revoked` | WebAuthn passkey removed from account |
| `auth.session_force_logout` | Session terminated by an admin force-logout action |
| `auth.session_evicted` | Session terminated automatically due to concurrent session limit |
All events include the user_id of the authenticating user and the source_ip of the origin request.
Viewing Your Security History
Cloud Portal
Navigate to Account → Security or go directly to /portal/my-security.
The security history page shows:
- Event timeline — the last 90 days of auth events, most recent first, with relative timestamps (absolute on hover)
- Active Sessions panel — all currently valid sessions with device and location details
- Filters — event type, date range
- Auto-refresh — the timeline refreshes automatically every 60 seconds
Event timeline columns
Each event row shows:
| Column | Description |
|---|---|
| Icon | Color-coded event type indicator (green = success, red = failure, amber = warning) |
| Event label | Human-readable event type |
| Relative time | Time since event (e.g., “5m ago”); hover for absolute timestamp |
| IP address | Source IP at time of event |
| Location | City and country inferred from IP via GeoIP |
| Device | Browser, app, and OS parsed from User-Agent string |
| Anon IP badges | VPN / Proxy / Tor / Hosting flags when detected |
Click any event row to expand full metadata including the raw User-Agent string and any extra event metadata.
Filtering
Use the filter controls to narrow results:
- Event type — one of the 12 event types, or “All events”
- Date range — start date and end date pickers
Query your own auth events using the user_id=me parameter:
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/events?user_id=me&limit=50"
```
Endpoint
```http
GET /v1/orgs/{org_id}/security/events
Host: https://api.arbitex.ai
```
Query parameters
| Parameter | Type | Description |
|---|---|---|
| `user_id` | string | Filter by user ID. Use me to filter by the authenticated user. Defaults to org-wide (admin only). |
| `event_type` | string | Filter by exact action string (e.g., auth.login_success) |
| `start_date` | string | ISO 8601 date lower bound (inclusive) |
| `end_date` | string | ISO 8601 date upper bound (inclusive) |
| `offset` | integer | Pagination offset (default: 0) |
| `limit` | integer | Max events per page, 1–200 (default: 50) |
Response schema
```json
{
  "events": [
    {
      "id": "evt_01ABC123",
      "timestamp": "2026-03-13T10:00:00.000Z",
      "action": "auth.login_success",
      "user_id": "usr_alice",
      "source_ip": "203.0.113.42",
      "location": {
        "city": "San Francisco",
        "country": "US"
      },
      "anonymous_ip": {
        "isp": "Comcast",
        "is_vpn": false,
        "is_proxy": false,
        "is_tor": false,
        "is_hosting": false
      },
      "device": {
        "name": "Chrome",
        "app": "Chrome 122",
        "os": "macOS",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36..."
      },
      "extra_metadata": null
    }
  ],
  "total": 47,
  "offset": 0,
  "limit": 50
}
```
user_id=me parameter
The user_id=me alias resolves to the authenticated user’s own UUID at query time. It allows users to query their own events without knowing their UUID:
```bash
# Self-service: retrieve my own auth events
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/events?user_id=me&event_type=auth.login_failed&limit=10"
```
Non-admin users can only query user_id=me. Admin users can pass any user_id value to view another user’s events.
Active Sessions
Viewing Active Sessions
The Active Sessions panel at /portal/my-security lists all sessions currently active under your account.
Each session shows:
| Field | Description |
|---|---|
| Created | When the session was established |
| Last active | Most recent authenticated request |
| Expires | Session expiry time |
| IP Address | IP at session creation |
| Location | GeoIP city and country |
| Device | Browser and OS |
| Current | Badge indicates the session you are currently using |
API: List active sessions
```http
GET /v1/orgs/{org_id}/security/sessions?user_id={user_id}
Host: https://api.arbitex.ai
```
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/sessions?user_id=me"
```
Response schema
```json
{
  "sessions": [
    {
      "session_id": "sess_01DEF456",
      "user_id": "usr_alice",
      "created_at": "2026-03-13T08:00:00Z",
      "last_activity_at": "2026-03-13T10:15:00Z",
      "source_ip": "203.0.113.42",
      "location": {
        "city": "San Francisco",
        "country": "US"
      },
      "device": {
        "name": "Chrome",
        "app": "Chrome 122",
        "os": "macOS",
        "user_agent": "Mozilla/5.0 ..."
      },
      "is_current": true
    }
  ],
  "current_session_id": "sess_01DEF456"
}
```
Revoking a Session
Cloud Portal:
- Find the session in the Active Sessions panel.
- Click Revoke on the row.
- Confirm the revocation dialog.
The session is invalidated immediately. Any in-flight requests using that session token will receive 401 Unauthorized. The event is logged as auth.session_force_logout.
You cannot revoke your current session from the UI; use Sign Out instead.
API:
```bash
# Revoke a single session
# DELETE /v1/orgs/{org_id}/security/sessions/{session_id}
curl -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/sessions/sess_01DEF456"
```
Returns 204 No Content on success.
Device and Location Information
Device Information
Each event and session record includes device information parsed from the HTTP User-Agent header at the time of authentication:
| Field | Description |
|---|---|
| `device.name` | Browser or application name (Chrome, Firefox, Safari, Edge) |
| `device.app` | Browser name and major version |
| `device.os` | Operating system (Windows, macOS, Linux, iOS, Android) |
| `device.user_agent` | Raw User-Agent string (visible in expanded event row) |
Arbitex does not install tracking software or use browser fingerprinting beyond the standard User-Agent string.
GeoIP Enrichment
Every authentication event is enriched with geographic location data using the MaxMind GeoLite2 database:
| Field | Description |
|---|---|
| `location.city` | City name (best-effort; may be absent for some IPs) |
| `location.country` | ISO 3166-1 alpha-2 country code |
| `anonymous_ip.isp` | Internet service provider for the source IP |
| `anonymous_ip.is_vpn` | True if the IP is a known VPN exit node |
| `anonymous_ip.is_proxy` | True if the IP is a known open proxy |
| `anonymous_ip.is_tor` | True if the IP is a Tor exit node |
| `anonymous_ip.is_hosting` | True if the IP belongs to a hosting or cloud provider |
Accuracy notes:
- City-level accuracy is approximately 80% for covered IPs.
- Private, RFC 1918, and CGNAT addresses resolve to an empty location.
- GeoIP data is best-effort and should not be used as a sole indicator for access control decisions.
Air-gap deployments:
Outpost deployments with OUTPOST_AIRGAP=true use the bundled MMDB fallback (/etc/arbitex/geoip/GeoLite2-City.mmdb). Events still receive GeoIP enrichment; however, the database may lag the current MaxMind release. Update the MMDB file manually as part of routine air-gap media refreshes.
Admin: Viewing User Security Events
Administrators with the admin or security_auditor role can view and manage security events for any user in the organization.
Cloud Portal (Admin)
Navigate to Admin → Users → [User] → Security Events.
The admin view provides the same event timeline and filter controls as the user self-service view, plus:
- All event types across all 12 categories
- Export — download events as CSV for audit evidence
- Force Logout — terminate all active sessions for the selected user
```bash
# List auth events for a specific user
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/events?user_id={user_id}&limit=50"
```
```bash
# List all active sessions for a user
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/sessions?user_id={user_id}"
```
```bash
# Force-logout all sessions for a user
curl -X DELETE \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  "https://api.arbitex.ai/v1/orgs/{org_id}/security/users/{user_id}/sessions"
```
Returns 204 No Content on successful session revocation.
Admin Session Management
The admin sessions view shows all active sessions across the organization.
Admins can:
- Search by user email or IP address
- Filter by session age or location country
- Revoke individual sessions: `DELETE /v1/orgs/{org_id}/security/sessions/{session_id}`
- Revoke all sessions for a user: `DELETE /v1/orgs/{org_id}/security/users/{user_id}/sessions`
All force-logout actions are logged as auth.session_force_logout with the admin’s identity as the actor and the target session ID in the event metadata.
Security Alerts
The Account Security Monitor does not send automated alerts by default. To configure alerts on suspicious auth events (e.g., auth.login_failed spikes, logins from new countries), route audit events to your SIEM and define alert rules there.
See SIEM Integration Guide for connector configuration.
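The alert rules suggested above, sketched as an added example (not Arbitex code and not a SIEM connector): it runs over events in the documented response shape and flags failed-login spikes per source_ip, a first login from a new country, and logins from anonymizing IPs. The threshold, window, rule names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failures per source_ip within WINDOW
WINDOW = timedelta(minutes=10)  # assumed sliding window
ANON_FLAGS = ("is_vpn", "is_proxy", "is_tor", "is_hosting")
LOGIN_OK = ("auth.login_success", "auth.webauthn_login")

def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def detect(events):
    """Return (rule, subject, event_id) alerts; rule names are hypothetical."""
    alerts, fails, seen = [], defaultdict(list), defaultdict(set)
    for e in sorted(events, key=_ts):
        now, user, ip = _ts(e), e["user_id"], e["source_ip"]
        if e["action"] == "auth.login_failed":
            # Keep only failures from this IP that are still inside the window.
            fails[ip] = [t for t in fails[ip] if now - t <= WINDOW] + [now]
            if len(fails[ip]) == FAIL_THRESHOLD:  # fire once on crossing
                alerts.append(("failed_login_spike", ip, e["id"]))
        elif e["action"] in LOGIN_OK:
            country = (e.get("location") or {}).get("country")
            # Private/CGNAT IPs have an empty location: unknown, not "new".
            if country:
                if seen[user] and country not in seen[user]:
                    alerts.append(("new_country", user, e["id"]))
                seen[user].add(country)
            anon = e.get("anonymous_ip") or {}
            if any(anon.get(flag) for flag in ANON_FLAGS):
                alerts.append(("anonymous_ip_login", user, e["id"]))
    return alerts

def _ev(i, ts, action, ip, country, **anon):
    return {"id": f"evt_{i:03d}", "timestamp": ts, "action": action,
            "user_id": "usr_alice", "source_ip": ip, "anonymous_ip": anon,
            "location": {"country": country} if country else {}}

# Constructed sample events (documentation IP ranges), not real data.
SAMPLE = [_ev(0, "2026-03-13T09:00:00.000Z", "auth.login_success", "203.0.113.42", "US")]
SAMPLE += [_ev(i, f"2026-03-13T10:0{i}:00.000Z", "auth.login_failed", "198.51.100.7", "NL")
           for i in range(1, 6)]
SAMPLE += [_ev(6, "2026-03-13T11:00:00.000Z", "auth.login_success", "10.0.0.5", None),
           _ev(7, "2026-03-13T12:00:00.000Z", "auth.login_success", "192.0.2.9", "DE",
               is_tor=True)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because GeoIP is best-effort, treat the new_country and anonymous_ip_login results as triage signals to correlate with other events rather than as grounds for blocking on their own.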
Retention
Auth event records follow the standard audit log retention policy:
- Hot (searchable): 90 days
- Archive: 2 years (compliance export)
Events older than 90 days are available via the compliance export API. See Compliance Audit Evidence Guide.
See also
- Audit Log Management — full audit log search and export
- API Reference — Batch 12 — complete security events API reference
- SIEM Integration Guide — forward auth events to Splunk or Sentinel
- MFA Configuration — configure MFA policy for your organization