Copy
Ask AI
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"riskAssessment": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "not_found_on_deny_list"
},
"NewDevice": {
"confidence": "medium",
"code": "partial_match",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "high",
"code": "minimal_travel_from_last_login"
}
}
}
},
"description": "Successful login"
}
Copy
Ask AI
{
"date": "2020-06-24T20:24:39.412Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"initiatedAt": null,
"completedAt": 1593030278513,
"connection": "Username-Password-Authentication",
"connection_id": null,
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 66
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593030268561,
"completedAt": 1593030278558,
"timers": {
"rules": 336
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 9997
}
],
"initiatedAt": 1593030268550,
"completedAt": 1593030279374,
"elapsedTime": 10824,
"session_id": "dKvR03IjVSNLPaVLqVS-FBuX87z0bBoE",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 66
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
Attack protection details
In addition to providing information for rules execution, Auth0 includes adaptive MFA information to your tenant logs. The same data structure that appears in rules appears in the tenant logs:Copy
Ask AI
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"anomalyDetection": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"reason": "ip not found",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"reason": "match useragent",
"code": "match_useragent"
},
"ImpossibleTravel": {
"confidence": "high",
"reason": "minimal travel",
"code": "minimal_travel_from_last_login"
}
}
},
},
"description": "Successful login"
}
MFA prompt details
When adaptive MFA is enabled, users will be prompted for MFA enrollment on their first login attempt with a low confidence score. An mfa prompt may appear in the login event details. For example:Copy
Ask AI
{
"_id": "5ef3bb0a72487a0047c32959",
"date": "2020-06-24T20:43:54.159Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"completedAt": 1593031413909,
"connection": "Username-Password-Authentication",
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 67
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593031371948,
"completedAt": 1593031413953,
"timers": {
"rules": 443
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 42005
},
{
"name": "mfa",
"flow": "universal-mfa",
"initiatedAt": 1593031414863,
"completedAt": 1593031433795,
"performed_acr": [
"http://schemas.openid.net/pape/policies/2007/06/multi-factor"
],
"performed_amr": [
"mfa"
],
"provider": "guardian",
"elapsedTime": 18932
}
],
"initiatedAt": 1593031371938,
"completedAt": 1593031434151,
"elapsedTime": 62213,
"session_id": "ulYRdsS1F4wIKLpUfQDfhyXgKVJqJaEv",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 67
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
MFA provider details
Events may appear for certain MFA providers. Here is an example that includes OTP Auth Succeeded event.Copy
Ask AI
{
"_id": "5ef3bb0922b43d004844af00",
"date": "2020-06-24T20:43:53.758Z",
"type": "gd_auth_succeed",
"description": "Guardian - Second factor authentication succeed (totp)",
"ip": "10.12.13.1",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"request": {
"method": "POST",
"path": "/api/totp/configs/josh/authenticators/totp%7Cdev_3KQv6yQ06pLoksIe/verify",
"query": {},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"body": {
"code": "********"
},
"ip": "10.12.13.1",
"auth": {
"subject": null,
"strategy": "jwt_api2_internal_token",
"scopes": [
"read:authenticators",
"verify:authenticator"
]
}
},
"response": {
"body": {},
"statusCode": null
},
"authenticator": {
"id": "totp|dev_3KQv6yQ06pLoksIe",
"type": "totp"
},
"device_id": "v0:45e50ea0-b65b-11ea-9dd7-27e2c7f14291"
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e"
}