Copy
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"riskAssessment": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "not_found_on_deny_list"
},
"NewDevice": {
"confidence": "medium",
"code": "partial_match",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "high",
"code": "minimal_travel_from_last_login"
}
}
}
},
"description": "Successful login"
}
Copy
{
"date": "2020-06-24T20:24:39.412Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"initiatedAt": null,
"completedAt": 1593030278513,
"connection": "Username-Password-Authentication",
"connection_id": null,
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 66
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593030268561,
"completedAt": 1593030278558,
"timers": {
"rules": 336
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 9997
}
],
"initiatedAt": 1593030268550,
"completedAt": 1593030279374,
"elapsedTime": 10824,
"session_id": "dKvR03IjVSNLPaVLqVS-FBuX87z0bBoE",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 66
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
Attack protection details
In addition to providing information for rules execution, Auth0 includes adaptive MFA information to your tenant logs. The same data structure that appears in rules appears in the tenant logs:Copy
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"anomalyDetection": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"reason": "ip not found",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"reason": "match useragent",
"code": "match_useragent"
},
"ImpossibleTravel": {
"confidence": "high",
"reason": "minimal travel",
"code": "minimal_travel_from_last_login"
}
}
},
},
"description": "Successful login"
}
MFA prompt details
When adaptive MFA is enabled, users will be prompted for MFA enrollment on their first login attempt with a low confidence score. An mfa prompt may appear in the login event details. For example:Copy
{
"_id": "5ef3bb0a72487a0047c32959",
"date": "2020-06-24T20:43:54.159Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"completedAt": 1593031413909,
"connection": "Username-Password-Authentication",
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 67
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593031371948,
"completedAt": 1593031413953,
"timers": {
"rules": 443
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 42005
},
{
"name": "mfa",
"flow": "universal-mfa",
"initiatedAt": 1593031414863,
"completedAt": 1593031433795,
"performed_acr": [
"http://schemas.openid.net/pape/policies/2007/06/multi-factor"
],
"performed_amr": [
"mfa"
],
"provider": "guardian",
"elapsedTime": 18932
}
],
"initiatedAt": 1593031371938,
"completedAt": 1593031434151,
"elapsedTime": 62213,
"session_id": "ulYRdsS1F4wIKLpUfQDfhyXgKVJqJaEv",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 67
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
MFA provider details
Events may appear for certain MFA providers. Here is an example that includes OTP Auth Succeeded event.Copy
{
"_id": "5ef3bb0922b43d004844af00",
"date": "2020-06-24T20:43:53.758Z",
"type": "gd_auth_succeed",
"description": "Guardian - Second factor authentication succeed (totp)",
"ip": "10.12.13.1",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"request": {
"method": "POST",
"path": "/api/totp/configs/josh/authenticators/totp%7Cdev_3KQv6yQ06pLoksIe/verify",
"query": {},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"body": {
"code": "********"
},
"ip": "10.12.13.1",
"auth": {
"subject": null,
"strategy": "jwt_api2_internal_token",
"scopes": [
"read:authenticators",
"verify:authenticator"
]
}
},
"response": {
"body": {},
"statusCode": null
},
"authenticator": {
"id": "totp|dev_3KQv6yQ06pLoksIe",
"type": "totp"
},
"device_id": "v0:45e50ea0-b65b-11ea-9dd7-27e2c7f14291"
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e"
}