List Authentication Logs - Blink Documentation

1Password
Abnormal
Absolute
AbuseIPDB
Acronis
Active Directory On-Prem
Adaptive Shield
Adobe Cloud
ADP
Agari Phishing Response
Airlock
Airlock Digital
Akamai Client List
Akamai Identity Cloud Social
Alert Logic
AlgoSec Firewall Analyzer
Alienvault OTX
Alienvault USM
Anodot
Ansible
Anthropic
Anvilogic
Any Run
Apex One
ArcSight ESM
Ardoq
Area 1
Armis Centrix
Asana
Asset Panda
Astrix
Atlassian Crowd
Atlassian User Management
Atlassian User Provisioning
AuditBoard
auth0
Authentik
Authomize
Automox
AWS
AWS IAM Identity Center
Axonius
Azure
Azure Data Explorer
Azure DevOps
Azure Log Analytics
Azure Storage
BambooHR
Big Fix
BigPanda
Bitbucket
Bitdefender
Bitsight
Bitwarden
Black Duck
Black Kite
Blink
BlueCat Edge
BMC Remedy
Box
Brinqa
Bugcrowd
Cato Networks
Censys
Check Point Harmony
Check Point Infinity Events
Check Point Management
Check Point XDR/XPR
Checkmarx One
Checkmarx SAST
Chorus
Chronicle
Cisco Advanced Phishing Protection
Cisco Domain Protection
Cisco Identity Services Engine
Cisco Meraki
Cisco Talos
Cisco Umbrella
Cisco Webex
Claroty CTD
Claroty xDome
ClearPass
ClickHouse
ClickUp
Cloud Custodian
Cloudflare
Cloudflare R2
Cobalt.io
Compass
Confluence
Confluence Data Center
Coralogix
Coralogix Incident Management
Cortex XDR
Cortex Xpanse
Coupa Compass
CredStash
Cribl
CrowdStrike
CyberArk
Cybersixgill
CyCognito
Cyera
Cylance
Cymulate
Cyware CTIX
Darktrace
Dasera
Databricks
Datadog
DataSet
Delighted
Delinea
Dell iDRAC
Devo
Digital-Shadows
Discord
Docusign
Domo
Drata
Dropbox
Dropbox Business
Dropzone AI
druva
Duo
- Duo
- Actions
Duo Auth
Dynatrace
EasyVista
EchoTrail
Egnyte
Egnyte Secure Govern
Elasticsearch
Entro
Entrust Certificate Services
Ermetic
Exabeam
Exchange Online
Expel
F5
Falcon LogScale
Falcon Surface
Fastly
FireHydrant
Flare.io
Forcepoint DLP
Forescout
FortiGate
Freshservice
GCP
Gemini
Ghostwriter
Git
GitHub
GitLab
Glean
Gmail
Google Admin Console
Google Calendar
Google Chat
Google Cloud Identity
Google Docs
Google Drive
Google Forms
Google Looker
Google Meet
Google Sheets
Google Workspace
Grafana
Greenhouse
GreyNoise
Grip Security
GYTPOL
HackerOne
HackNotice
Halo PSA
Have I Been Pwned
HiBob
HubSpot
Hunters
Hybrid Analysis
Hyperproof
IBM CLoud
IBM NS1 Connect
IBM Security Verify
IBM X Force
Imperva
Incident.io
Infobip
Infoblox Cloud Services Portal
Intel Owl
Intercom
Intezer
IP API
IPinfo
IPWHOIS
Ironscales
Ivanti RiskSense
Jamf
JetBrains
JFrog
Jira
Jira Data Center
Joe Sandbox
JumpCloud
Kandji
Keeper Secrets Manager
Kenna Security
KnowBe4
KnowBe4 Events
Kubernetes
Lacework
Lark
LaunchDarkly
LimaCharlie
Linear
Litmos
Living Security
LogicMonitor
LogRhythm
Magnet One
Manage Engine ServiceDesk Plus
Mattermost
Maven
Microsoft Defender For Cloud
Microsoft Defender For Cloud Apps
Microsoft Defender For Endpoints
Microsoft Defender XDR
Microsoft E-Discovery
Microsoft Entra ID
Microsoft Excel
Microsoft Graph
Microsoft Intune
Microsoft Office 365 Management Activity
Microsoft OneNote
Microsoft Outlook
Microsoft Purview
Microsoft Sentinel
Microsoft SQL Server
Microsoft Teams
Mimecast
MISP
Monday
MongoDB Atlas
MxToolbox
Neo4j
NetBox
Netography
Netskope
NetSPI
New Relic
Nexthink
Nightfall AI
NinjaOne
Notion
Nozomi Networks
Nuclei
Nucleus
Nutanix Hypervisor
Obsidian
Okta
OneDrive
OneLogin
OneTrust
Oort
OpenAI
OpenCTI
Opsgenie
OPSWAT
Oracle Cloud
Oracle HCM
Oracle NetSuite
Oracle PeopleSoft
Orca Security
OWASP ZAP
PagerDuty
Palo Alto Firewall
Palo Alto NGFW
Panther
Passwordstate
Pentera
Perception Point
PhishLabs
PhishLabs Incident Data
PhishLabs Open Web Monitoring
Pingdom
PingID
PingOne
PlexTrac
PortSwigger
Postman
Postman SCIM
Power BI
PowerShell
Prisma Access
Prisma Cloud
Prisma Cloud CWP
Prometheus
Proofpoint
Proofpoint ITM
Proofpoint Protection Server
Proofpoint Security Awareness Training
Proofpoint TAP
Proofpoint TRAP
Pub-Sub
QRadar
Qualys
Rapid7
Rapid7 InsightIDR
Rapid7 InsightVM Cloud
Rapid7 Threat Command
Reco
Recorded Future
Recorded Future Triage Cloud
Red Hat IDM
Rippling
RSS
Rubrik
runZero
SafeBase
SafeBreach
Sage HR
SailPoint
SailPoint IdentityIQ
Salesforce
SAP Ariba
Sap Concur
ScienceLogic
Securin
Securin VI
SecurityScorecard
Securonix
Seemplicity
Sekoia.io
SemGrep
SentinelOne
ServiceNow
SharePoint
Shodan
Shopify
Silverfort
Slack
Smartsheet
Snipe IT
Snowflake
Snyk
SolarWinds Information Service
SolarWinds Service Desk
SonarQube
Sophos
Split
Splunk
Splunk Observability
Splunk SOAR
Spur
StrongDM
Sumo Logic
Symantec EDR
Sysdig
Tableau
Tanium
TeamCity
TeamViewer
Telegram
Tempo
Tenable
Tenable Security Center
Terraform
Terraform Cloud
Tessian
TheHive
Thinkst Canary
Thomson Reuters
ThreatQuotient
Traliant LMS
Trellix Email Security
Trello
Trend Vision One
Twilio
UKG HR
Uptycs
URLScan
Varonis
Vault
Veracode
Verkada
Vertica
VirusTotal
VMware Carbon Black
VMware vSphere
WeChat
WhatsApp
WhoIs
WildFire
Wiz
Workday
Workspace ONE UEM
YesWeHack
Zendesk
Zero Networks
Zoom
Zscaler Internet Access
Zscaler Private Access
Dropzone AI
Intel Owl
Akamai Client List
BlueCat Edge
SAP LeanIX

On this page

Basic Parameters
Advanced Parameters
Example Output
Workflow Library Example

Retrieve a list of authentication log events ranging from the last 180 days up to as recently as two minutes before the action execution. There is a two minute delay in availability of new authentication logs in the response. Querying for logs more recent than two minutes will retrieve an empty response. Duo recommends requesting logs no more than once per minute. Note: This action requires the Grant read log API permission.

External DocumentationTo learn more, visit the Duo documentation.

Basic Parameters

Parameter	Description
Applications	A comma-seperated list of application keys to filter the logs by. For example: `DIY231J8BR23QK4UKBY8,DIF947T2MN58HZ1DPWRC`. An application key can be retrieved from the `application` field of a previous `List Authentication Logs` output. If no value is provided, logs will be retrieved for all applications.
Assessment	The risk-based authentication assessment to filter by. The assessment is based on risk-based factor selection (RBFS) and risk-based remembered device (RBRD) policy enforcement. This information is only available to Duo Premier and Duo Advantage planh customers. If no value is provided, logs will be retrieved for all assessments.
Authentication Factors	The authentication factor or method to filter by. If no value is provided, logs will be retrieved for all factors.
Detections	The risk-based authentication detections to filter by, identified during or after an authentication attempt. This information is only available to Duo Premier and Duo Advantage plan customers. If no value is provided, logs will be retrieved for all detections.
Event Type	The type of authentication event to filter by. * Choose `Authentication` to filter logs related to authentication attempts. * Choose `Enrollment` to filter logs related to a user completing Duo’s inline enrollment. If no value is provided, logs will be retrieved for all event types.
Groups	A comma-seperated list of group IDs to filter the logs by. For example: `KJQZT852R7HNU3AWLERV,VBNRZ731L8QTY6WDFJHU`. A group ID can be retrieved using the `List Groups` action. If no value is provided, logs will be retrieved for all groups.
Maximum Time	Retrieve logs that have a timestamp of `Maximum Time` or earlier. This value must be strictly greater then `Minimum Time`.
Minimum Time	Retrieve logs that have a timestamp of `Minimum Time` or later. This value must be strictly less then `Maximum Time`.
Reasons	The reason associated with an authentication attempt to filter by. If no value is provided, logs will be retrieved for all reasons. Note: Enrollment events have no associated reason.
Results	The result of an authentication attempt to filter by. If no value is provided, logs will be retrieved for any result.
Security Tokens	A security token to filter by. Either a WebAuthn security key’s `webauthnkey` or U2F security key’s `registration_id`. If no value is provided, logs will be retrieved for any security token.
Users	A comma-seperated list of user keys to filter the logs by. For example: `DU3KC77WJ06Y5HIV7XKQ,QZ8RM22LT95F4EOG6JYP`. A user key can be retrieved from the `user` field of a previous `List Authentication Logs` output. If no value is provided, logs will be retrieved for all users.

Advanced Parameters

Parameter	Description
Limit	The maximum number of records to retrieve. Defaults to `100`, with maximum value of `1000`.
Next Offset	The offset at which to start record retrieval. The offset is provided in the `metadata` field of a previous `List Authentication Logs` response in the form of a 13 character date string in milliseconds and the `event txid`. These two values must be provided together, separated by a comma (e.g. `1547486297000,5bea1c1e-612c-4f1d-b310-75fd31385b15`). When used with `Limit`, the handler will return `Limit` records starting at the n-th record, where n is the offset.
Sort	The order in which to return the logs.

Example Output

{
  "stat": "OK",
  "response": {
    "authlogs": [
      {
        "access_device": {
          "browser": "Chrome",
          "browser_version": "67.0.3396.99",
          "flash_version": "uninstalled",
          "hostname": null,
          "ip": "169.232.89.219",
          "is_encryption_enabled": true,
          "is_firewall_enabled": true,
          "is_password_set": true,
          "java_version": "uninstalled",
          "location": {
            "city": "Ann Arbor",
            "country": "United States",
            "state": "Michigan"
          },
          "os": "Mac OS X",
          "os_version": "10.14.1",
          "security_agents": []
        },
        "adaptive_trust_assessments": {
          "more_secure_auth": {
            "features_version": "3.0",
            "model_version": "2022.07.19.001",
            "policy_enabled": false,
            "reason": "Normal level of trust; no detection of known attack pattern",
            "trust_level": "NORMAL"
          },
          "remember_me": {
            "features_version": "3.0",
            "model_version": "2022.07.19.001",
            "policy_enabled": false,
            "reason": "Known Access IP",
            "trust_level": "NORMAL"
          }
        },
        "alias": "",
        "application": {
          "key": "DIY231J8BR23QK4UKBY8",
          "name": "Microsoft Azure Active Directory"
        },
        "auth_device": {
          "ip": "192.168.225.254",
          "key": "DP5BJ05HI4WRBVI4Q7JF",
          "location": {
            "city": "Ann Arbor",
            "country": "United States",
            "state": "Michigan"
          },
          "name": "My iPhone X (734-555-2342)"
        },
        "email": "narroway@example.com",
        "event_type": "authentication",
        "factor": "duo_push",
        "isotimestamp": "2020-02-13T18:56:20.351346+00:00",
        "ood_software": null,
        "reason": "user_approved",
        "result": "success",
        "timestamp": 1581620180,
        "trusted_endpoint_status": "not trusted",
        "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
        "user": {
          "groups": [
            "Duo Users",
            "CorpHQ Users"
          ],
          "key": "DU3KC77WJ06Y5HIV7XKQ",
          "name": "narroway@example.com"
        }
      },
    ],
    "metadata": {
      "next_offset": [
        "1532951895000",
        "af0ba235-0b33-23c8-bc23-a31aa0231de8"
      ],
      "total_objects": 1
    }
  }
}

Workflow Library Example

List Authentication Logs with Duo and Send Results Via Email

Preview this Workflow on desktop

List Admin Logs List Endpoints

Integrations

​Basic Parameters

​Advanced Parameters

​Example Output

​Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example