Review two-factor authentication activity
Intelligence Center administrators and users with the necessary access rights can monitor and review two-factor authentication activities in the audit trail.
To access the Audit view, you must have at least the following permissions:
read configurations
read audit-trail
All default Intelligence Center roles have the necessary permissions to access the Audit view.
Access the Audit view
To view audit logs in the Intelligence Center web-based interface:
In the side navigation bar click > System settings > Audit.
Information in the Audit view relies on the Elasticsearch audit index.
If audit logging is enabled, and if the audit log file is populated, audit log records are returned.
Use the quick filters to look for specific audit records based on a date range, on one or more specific users, HTTP methods, or HTTP response status codes.
To show and to hide the available quick filters in the current view click .
To sort items by column header:
Click the header of the column whose content you want to sort.
Click or to sort the content in either ascending or descending order, respectively.
Filter two-factor authentication audit logs
The Audit trail records events from different areas and components of the Intelligence Center.
To search for specific audit records related to user sign-in and two-factor authentication events, you can start by entering in the search input field the reference API endpoints and the literal message snippets in the cheat sheet below.
Search the audit trail for users who… |
Search by API endpoint |
Search by message excerpt as literal search query |
Initiated configuring enforced two-factor authentication for their profile. |
path:"/private/auth" |
message:"is forced to active 2FA" |
Successfully validated the first factor for their profile. |
path:"/private/auth" |
message:"validated first factor" |
Successfully signed in. |
path:"/private/auth" |
message:"logged in" |
Successfully signed in, and suspended two-factor authentication for their profile. |
path:"/private/auth" |
message:"logged in (suspended 2FA)" |
Successfully validated the second factor for their profile. |
path:"/private/auth/mfa/" |
message:"Successfully validated TOTP" |
Successfully validated the second factor for their profile, and suspended two-factor authentication for their profile. |
path:"/private/auth/mfa/" |
message:"with suspension" |
Successfully configured two-factor authentication for their profile. |
path:"/private/users/${user_id}/mfa/" |
message:"AuthnFactor" |
Successfully deactivated two-factor authentication for their profile. |
path:"/private/users/${user_id}/mfa/" |
message:"Deactivating second factor" |
Initiated configuring two-factor authentication for their profile by triggering sharing a secret key, which is represented by the QR code they are requested to scan with their authentication app. |
path:"/mfa/config" |
message:"Generating new TOTP shared secret" |
Requested a set of recovery codes for their profile. |
path:"/mfa/recovery" |
message:"Regenerating recovery codes" |
Successfully recovered access to two-factor authentication for their profile for their profile. |
path:"/mfa/recovery" |
message:"Successfully validated recovery code" |
Retrieve a user ID
Some Intelligence Center URL paths include IDs that refer to Intelligence Center assets and resources such as feeds, datasets, and workspaces; or to Intelligence Center users.
Each Intelligence Center user is automatically assigned a UUID upon creation. This UUID, or ID for short, uniquely identifies a user in the Intelligence Center.
To retrieve a user ID:
In the side navigation bar click > User management > Users.
In the users overview, click anywhere in the row corresponding to the user whose ID you want to retrieve.
In the web browser address bar, the URL of the active Intelligence Center view is similar to the following example: https://${platform_host_name}/user-management/users/?detail=42
In the URL, the detail URL parameter holds the user ID.
In the example, the ID value is 42.