Retrieve a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the action execution. There is a two-minute delay in the availability of new authentication logs in the response. Querying for logs more recent than two minutes will retrieve an empty response. Duo recommends requesting logs no more than once per minute. Note: This action requires the Grant read log API permission.

External Documentation

To learn more, visit the Duo documentation.

Basic Parameters

Parameter: Description
Applications: A comma-separated list of application keys to filter the logs by. For example: DIY231J8BR23QK4UKBY8,DIF947T2MN58HZ1DPWRC.

An application key can be retrieved from the application field of a previous List Authentication Logs output.

If no value is provided, logs will be retrieved for all applications.
Assessment: The risk-based authentication assessment to filter by.

The assessment is based on risk-based factor selection (RBFS) and risk-based remembered device (RBRD) policy enforcement.

This information is only available to Duo Premier and Duo Advantage plan customers.

If no value is provided, logs will be retrieved for all assessments.
Authentication Factors: The authentication factor or method to filter by.

If no value is provided, logs will be retrieved for all factors.
Detections: The risk-based authentication detections to filter by, identified during or after an authentication attempt.

This information is only available to Duo Premier and Duo Advantage plan customers.

If no value is provided, logs will be retrieved for all detections.
Event Type: The type of authentication event to filter by.

* Choose Authentication to filter logs related to authentication attempts.
* Choose Enrollment to filter logs related to a user completing Duo’s inline enrollment.

If no value is provided, logs will be retrieved for all event types.
Groups: A comma-separated list of group IDs to filter the logs by. For example: KJQZT852R7HNU3AWLERV,VBNRZ731L8QTY6WDFJHU.

A group ID can be retrieved using the List Groups action.

If no value is provided, logs will be retrieved for all groups.
Maximum Time: Retrieve logs that have a timestamp of Maximum Time or earlier.

This value must be strictly greater than Minimum Time.
Minimum Time: Retrieve logs that have a timestamp of Minimum Time or later.

This value must be strictly less than Maximum Time.
Reasons: The reason associated with an authentication attempt to filter by.

If no value is provided, logs will be retrieved for all reasons.

Note: Enrollment events have no associated reason.
Results: The result of an authentication attempt to filter by.

If no value is provided, logs will be retrieved for any result.
Security Tokens: A security token to filter by. This is either a WebAuthn security key’s webauthnkey or a U2F security key’s registration_id.

If no value is provided, logs will be retrieved for any security token.
Users: A comma-separated list of user keys to filter the logs by. For example: DU3KC77WJ06Y5HIV7XKQ,QZ8RM22LT95F4EOG6JYP.

A user key can be retrieved from the user field of a previous List Authentication Logs output.

If no value is provided, logs will be retrieved for all users.

Advanced Parameters

Parameter: Description
Limit: The maximum number of records to retrieve. Defaults to 100, with a maximum value of 1000.
Next Offset: The offset at which to start record retrieval.

The offset is provided in the metadata field of a previous List Authentication Logs response in the form of a 13-character date string in milliseconds and the event txid.

These two values must be provided together, separated by a comma (e.g. 1547486297000,5bea1c1e-612c-4f1d-b310-75fd31385b15).

When used with Limit, the handler will return Limit records starting at the n-th record, where n is the offset.
Sort: The order in which to return the logs.

Example Output

{
  "stat": "OK",
  "response": {
    "authlogs": [
      {
        "access_device": {
          "browser": "Chrome",
          "browser_version": "67.0.3396.99",
          "flash_version": "uninstalled",
          "hostname": null,
          "ip": "169.232.89.219",
          "is_encryption_enabled": true,
          "is_firewall_enabled": true,
          "is_password_set": true,
          "java_version": "uninstalled",
          "location": {
            "city": "Ann Arbor",
            "country": "United States",
            "state": "Michigan"
          },
          "os": "Mac OS X",
          "os_version": "10.14.1",
          "security_agents": []
        },
        "adaptive_trust_assessments": {
          "more_secure_auth": {
            "features_version": "3.0",
            "model_version": "2022.07.19.001",
            "policy_enabled": false,
            "reason": "Normal level of trust; no detection of known attack pattern",
            "trust_level": "NORMAL"
          },
          "remember_me": {
            "features_version": "3.0",
            "model_version": "2022.07.19.001",
            "policy_enabled": false,
            "reason": "Known Access IP",
            "trust_level": "NORMAL"
          }
        },
        "alias": "",
        "application": {
          "key": "DIY231J8BR23QK4UKBY8",
          "name": "Microsoft Azure Active Directory"
        },
        "auth_device": {
          "ip": "192.168.225.254",
          "key": "DP5BJ05HI4WRBVI4Q7JF",
          "location": {
            "city": "Ann Arbor",
            "country": "United States",
            "state": "Michigan"
          },
          "name": "My iPhone X (734-555-2342)"
        },
        "email": "narroway@example.com",
        "event_type": "authentication",
        "factor": "duo_push",
        "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
        "ood_software": null,
        "reason": "user_approved",
        "result": "success",
        "timestamp": 1581620180,
        "trusted_endpoint_status": "not trusted",
        "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
        "user": {
          "groups": [
            "Duo Users",
            "CorpHQ Users"
          ],
          "key": "DU3KC77WJ06Y5HIV7XKQ",
          "name": "narroway@example.com"
        }
      }
    ],
    "metadata": {
      "next_offset": [
        "1532951895000",
        "af0ba235-0b33-23c8-bc23-a31aa0231de8"
      ],
      "total_objects": 1
    }
  }
}
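
The time-window limits and the Next Offset format described above, as an added Python example (not part of the original page and not Duo's own code). The names clamp_window, next_offset_param, new_events and SAMPLE are hypothetical, and treating a missing next_offset as "no further page" is an assumption.

```python
import re
from datetime import timedelta

LOOKBACK = timedelta(days=180)        # oldest events available, per the page
INGEST_DELAY = timedelta(minutes=2)   # newer events are not yet queryable
OFFSET_RE = re.compile(r"^\d{13},[^,\s]+$")  # 13-digit ms timestamp, then txid


def clamp_window(min_time, max_time, now):
    """Fit a requested window to the range the action can actually serve."""
    lo = max(min_time, now - LOOKBACK)
    hi = min(max_time, now - INGEST_DELAY)
    if lo >= hi:
        # Minimum Time must be strictly less than Maximum Time; this also
        # rejects windows that fall entirely inside the two-minute delay.
        raise ValueError("window is empty after clamping")
    return lo, hi


def next_offset_param(output):
    """Join metadata.next_offset into the 'ms,txid' string Next Offset expects."""
    pair = output.get("response", {}).get("metadata", {}).get("next_offset")
    if not pair:
        return None  # assumption: no offset means no further page
    value = ",".join(pair)
    if not OFFSET_RE.match(value):
        raise ValueError(f"unexpected next_offset: {pair!r}")
    return value


def new_events(output, seen_txids):
    """Return events not seen before. Both window bounds are inclusive, so
    back-to-back windows can return the boundary event twice."""
    fresh = []
    for event in output["response"]["authlogs"]:
        if event["txid"] not in seen_txids:
            seen_txids.add(event["txid"])
            fresh.append(event)
    return fresh


# Constructed sample, trimmed to the fields used here (values from the example output).
SAMPLE = {"stat": "OK", "response": {
    "authlogs": [{"txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb", "result": "success"}],
    "metadata": {"next_offset": ["1532951895000", "af0ba235-0b33-23c8-bc23-a31aa0231de8"],
                 "total_objects": 1}}}
```

Keeping the set of seen txid values across runs lets a scheduled workflow reuse the previous Maximum Time as the next Minimum Time without forwarding the same event twice.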

Workflow Library Example

List Authentication Logs with Duo and Send Results Via Email