> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-actions-triggers-prototype.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.
> Describes tenant log events that capture Adaptive Multi-Factor Authentication (MFA) activities in Auth0.
# Adaptive MFA Log Events
Your tenant logs contain entries for successful and failed login events including information related to Adaptive MFA risk assessment scores. These are the same entries as those that can be used in rule context objects. The Adaptive MFA entries have the following structure:
```json lines expandable theme={null}
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"riskAssessment": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "not_found_on_deny_list"
},
"NewDevice": {
"confidence": "medium",
"code": "partial_match",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "high",
"code": "minimal_travel_from_last_login"
}
}
}
},
"description": "Successful login"
}
```
Here is an example:
```json lines expandable theme={null}
{
"date": "2020-06-24T20:24:39.412Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"initiatedAt": null,
"completedAt": 1593030278513,
"connection": "Username-Password-Authentication",
"connection_id": null,
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 66
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593030268561,
"completedAt": 1593030278558,
"timers": {
"rules": 336
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 9997
}
],
"initiatedAt": 1593030268550,
"completedAt": 1593030279374,
"elapsedTime": 10824,
"session_id": "dKvR03IjVSNLPaVLqVS-FBuX87z0bBoE",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 66
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
```
## Attack protection details
In addition to providing information for rules execution, Auth0 includes adaptive MFA attack protection information to your tenant logs. The same data structure that appears in rules appears in the tenant logs:
```json lines expandable theme={null}
{
"date": "2020-06-26T15:12:43.654Z",
"type": "s",
"details": {
"anomalyDetection": {
"confidence": "high",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"reason": "ip not found",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"reason": "match useragent",
"code": "match_useragent"
},
"ImpossibleTravel": {
"confidence": "high",
"reason": "minimal travel",
"code": "minimal_travel_from_last_login"
}
}
},
},
"description": "Successful login"
}
```
## MFA prompt details
When adaptive MFA is enabled, users will be prompted for MFA enrollment on their first login attempt with a low confidence score. An **mfa** prompt may appear in the login event details. For example:
```json lines expandable theme={null}
{
"_id": "5ef3bb0a72487a0047c32959",
"date": "2020-06-24T20:43:54.159Z",
"type": "s",
"description": "Successful login",
"connection": "Username-Password-Authentication",
"connection_id": "con_16Tpc6YqlWZ4HCut",
"client_id": "9ZteveEZ8CqSLtCNXgvhoCJQ0jt2xSxe",
"client_name": "jwt.io",
"ip": "10.12.13.1",
"client_ip": null,
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"prompts": [
{
"name": "prompt-authenticate",
"completedAt": 1593031413909,
"connection": "Username-Password-Authentication",
"strategy": "auth0",
"identity": "5ee10b1ca85332004e44ce3e",
"stats": {
"loginsCount": 67
},
"elapsedTime": null
},
{
"name": "login",
"flow": "universal-login",
"initiatedAt": 1593031371948,
"completedAt": 1593031413953,
"timers": {
"rules": 443
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"elapsedTime": 42005
},
{
"name": "mfa",
"flow": "universal-mfa",
"initiatedAt": 1593031414863,
"completedAt": 1593031433795,
"performed_acr": [
"http://schemas.openid.net/pape/policies/2007/06/multi-factor"
],
"performed_amr": [
"mfa"
],
"provider": "guardian",
"elapsedTime": 18932
}
],
"initiatedAt": 1593031371938,
"completedAt": 1593031434151,
"elapsedTime": 62213,
"session_id": "ulYRdsS1F4wIKLpUfQDfhyXgKVJqJaEv",
"riskAssessment": {
"confidence": "medium",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "ip_not_found"
},
"NewDevice": {
"confidence": "medium",
"code": "match_useragent",
"details": {
"device": "unknown",
"useragent": "known",
}
},
"ImpossibleTravel": {
"confidence": "low",
"code": "missing_geoip"
}
}
},
"stats": {
"loginsCount": 67
}
},
"hostname": "josh.local.dev.auth0.com",
"user_id": "auth0|5ee10b1ca85332004e44ce3e",
"user_name": "user@josh.local.dev.auth0.com",
"strategy": "auth0",
"strategy_type": "database"
}
```
## MFA provider details
Events may appear for certain MFA providers. Here is an example that includes **OTP Auth Succeeded** event.
```json lines expandable theme={null}
{
"_id": "5ef3bb0922b43d004844af00",
"date": "2020-06-24T20:43:53.758Z",
"type": "gd_auth_succeed",
"description": "Guardian - Second factor authentication succeed (totp)",
"ip": "10.12.13.1",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"details": {
"request": {
"method": "POST",
"path": "/api/totp/configs/josh/authenticators/totp%7Cdev_3KQv6yQ06pLoksIe/verify",
"query": {},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0",
"body": {
"code": "********"
},
"ip": "10.12.13.1",
"auth": {
"subject": null,
"strategy": "jwt_api2_internal_token",
"scopes": [
"read:authenticators",
"verify:authenticator"
]
}
},
"response": {
"body": {},
"statusCode": null
},
"authenticator": {
"id": "totp|dev_3KQv6yQ06pLoksIe",
"type": "totp"
},
"device_id": "v0:45e50ea0-b65b-11ea-9dd7-27e2c7f14291"
},
"user_id": "auth0|5ee10b1ca85332004e44ce3e"
}
```
## Learn more
* [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa)