List Authentication Logs
Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. To fetch all results, call repeatedly with the next_offset paging parameter as long as the result metadata has next_offset values. Requires "Grant read log" API permission.
There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.
We recommend requesting logs no more than once per minute.
Basic Parameters
| Parameter | Description |
|---|---|
| Maximum Time | Return records that have a 13 character Unix timestamp in milliseconds of maxtime or earlier.This value must be strictly greater then mintime. |
| Minimum Time | Return records that have a 13 character Unix timestamp in milliseconds of mintime or later.This value must be strictly less then maxtime. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Custom Filters | Any additional custom filters to apply to the search. View [https://duo.com/docs/adminapi#authentication-logs] for a list of possible parameters. |
| Limit | The maximum number of records returned. Default: 100; Max: 1000 |
| Next Offset | The offset at which to start record retrieval. This value is provided in the metadata in the form of a 13 character date string in milliseconds and the event txid. Both of these values must be provided when used, separated by a comma (e.g. 1547486297000,5bea1c1e-612c-4f1d-b310-75fd31385b15).When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset. Default: None. |
| Sort | The order in which to return records. One of:ts:asc - Return logs in chronological order. ts:desc - Return logs in reverse chronological order. |
Example Output
{
"stat": "OK",
"response": {
"authlogs": [
{
"access_device": {
"browser": "Chrome",
"browser_version": "67.0.3396.99",
"flash_version": "uninstalled",
"hostname": null,
"ip": "169.232.89.219",
"is_encryption_enabled": true,
"is_firewall_enabled": true,
"is_password_set": true,
"java_version": "uninstalled",
"location": {
"city": "Ann Arbor",
"country": "United States",
"state": "Michigan"
},
"os": "Mac OS X",
"os_version": "10.14.1",
"security_agents": []
},
"adaptive_trust_assessments": {
"more_secure_auth": {
"features_version": "3.0",
"model_version": "2022.07.19.001",
"policy_enabled": false,
"reason": "Normal level of trust; no detection of known attack pattern",
"trust_level": "NORMAL"
},
"remember_me": {
"features_version": "3.0",
"model_version": "2022.07.19.001",
"policy_enabled": false,
"reason": "Known Access IP",
"trust_level": "NORMAL"
}
},
"alias": "",
"application": {
"key": "DIY231J8BR23QK4UKBY8",
"name": "Microsoft Azure Active Directory"
},
"auth_device": {
"ip": "192.168.225.254",
"key": "DP5BJ05HI4WRBVI4Q7JF",
"location": {
"city": "Ann Arbor",
"country": "United States",
"state": "Michigan"
},
"name": "My iPhone X (734-555-2342)"
},
"email": "narroway@example.com",
"event_type": "authentication",
"factor": "duo_push",
"isotimestamp": "2020-02-13T18:56:20.351346+00:00",
"ood_software": null,
"reason": "user_approved",
"result": "success",
"timestamp": 1581620180,
"trusted_endpoint_status": "not trusted",
"txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
"user": {
"groups": [
"Duo Users",
"CorpHQ Users"
],
"key": "DU3KC77WJ06Y5HIV7XKQ",
"name": "narroway@example.com"
}
},
],
"metadata": {
"next_offset": [
"1532951895000",
"af0ba235-0b33-23c8-bc23-a31aa0231de8"
],
"total_objects": 1
}
}
}
Workflow Library Example
List Authentication Logs with Duo and Send Results Via Email
Preview this Workflow on desktop