Review two-factor authentication activity

Intelligence Center administrators and users with the necessary access rights can monitor and review two-factor authentication activities in the audit trail.

To access the Audit view, you must have at least the following permissions:

  • read configurations

  • read audit-trail

All default Intelligence Center roles have the necessary permissions to access the Audit view.

Access the Audit view

To view audit logs in the EclecticIQ Intelligence Center web-based interface:

  1. In the side navigation bar click Settings > System settings > Audit.

    Information in the Audit view relies on the Elasticsearch audit index.

    If audit logging is enabled, and if the audit log file is populated, audit log records are returned.

  2. Use the quick filters to look for specific audit records based on a date range, one or more specific users, HTTP methods, or HTTP response status codes.

    To show and to hide the available quick filters in the current view click Filter.

    To sort items by column header:

    1. Click the header of the column whose content you want to sort.

    2. Click Sort in ascending order or Sort in descending order to sort the content in either ascending or descending order, respectively.

Filter two-factor authentication audit logs

The Audit trail records events from different areas and components of EclecticIQ Intelligence Center.

To search for specific audit records related to user sign-in and two-factor authentication events, start by entering the reference API endpoints and the literal message snippets from the cheat sheet below in the search input field.

| Search the audit trail for users who… | Search by API endpoint | Search by message excerpt as literal search query |
|---|---|---|
| Initiated configuring enforced two-factor authentication for their profile. | path:"/private/auth" | message:"is forced to active 2FA" |
| Successfully validated the first factor for their profile. | path:"/private/auth" | message:"validated first factor" |
| Successfully signed in. | path:"/private/auth" | message:"logged in" |
| Successfully signed in, and suspended two-factor authentication for their profile. | path:"/private/auth" | message:"logged in (suspended 2FA)" |
| Successfully validated the second factor for their profile. | path:"/private/auth/mfa/" | message:"Successfully validated TOTP" |
| Successfully validated the second factor for their profile, and suspended two-factor authentication for their profile. | path:"/private/auth/mfa/" | message:"with suspension" |
| Successfully configured two-factor authentication for their profile. | path:"/private/users/${user_id}/mfa/" | message:"AuthnFactor" |
| Successfully deactivated two-factor authentication for their profile. | path:"/private/users/${user_id}/mfa/" | message:"Deactivating second factor" |
| Initiated configuring two-factor authentication for their profile by triggering the sharing of a secret key, which is represented by the QR code they are requested to scan with their authentication app. | path:"/mfa/config" | message:"Generating new TOTP shared secret" |
| Requested a set of recovery codes for their profile. | path:"/mfa/recovery" | message:"Regenerating recovery codes" |
| Successfully recovered access to two-factor authentication for their profile. | path:"/mfa/recovery" | message:"Successfully validated recovery code" |
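The cheat-sheet patterns above applied to a batch of audit records, as an added example that is not part of the EclecticIQ documentation or product code: it labels each record and returns the events that reduce two-factor protection (suspension, deactivation, recovery codes). The `path` and `message` fields are the ones used in the queries above; the `timestamp` and `user` field names, the label names, the substring path matching, and all sample records are assumptions constructed for illustration.

```python
import re

# (label, path pattern, message snippet) taken from the cheat sheet above.
# Specific snippets come first: "logged in" is also a substring of
# "logged in (suspended 2FA)", so rule order decides the label.
RULES = [
    ("login_2fa_suspended", r"/private/auth", "logged in (suspended 2FA)"),
    ("login", r"/private/auth", "logged in"),
    ("first_factor_ok", r"/private/auth", "validated first factor"),
    ("2fa_enforced_setup", r"/private/auth", "is forced to active 2FA"),
    ("totp_ok_with_suspension", r"/private/auth/mfa/", "with suspension"),
    ("totp_ok", r"/private/auth/mfa/", "Successfully validated TOTP"),
    ("2fa_configured", r"/private/users/[^/]+/mfa/", "AuthnFactor"),
    ("2fa_deactivated", r"/private/users/[^/]+/mfa/", "Deactivating second factor"),
    ("totp_secret_generated", r"/mfa/config", "Generating new TOTP shared secret"),
    ("recovery_codes_regenerated", r"/mfa/recovery", "Regenerating recovery codes"),
    ("recovery_code_used", r"/mfa/recovery", "Successfully validated recovery code"),
]
# Labels for events that reduce 2FA protection or rely on recovery codes.
REVIEW = {"login_2fa_suspended", "totp_ok_with_suspension", "2fa_deactivated",
          "recovery_codes_regenerated", "recovery_code_used"}

def classify(record):
    """Return the cheat-sheet label for one audit record, or None."""
    for label, path_re, snippet in RULES:
        if re.search(path_re, record["path"]) and snippet in record["message"]:
            return label
    return None

def events_to_review(records):
    """Return sorted (timestamp, user, label) tuples for REVIEW events."""
    labelled = [(r["timestamp"], r["user"], classify(r)) for r in records]
    return sorted(hit for hit in labelled if hit[2] in REVIEW)

# Constructed sample records; "timestamp" and "user" are assumed field names.
FIELDS = ("timestamp", "user", "path", "message")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2024-05-01T08:00:01Z", "alice", "/private/auth", "User alice validated first factor"),
    ("2024-05-01T08:00:09Z", "alice", "/private/auth/mfa/", "Successfully validated TOTP for alice"),
    ("2024-05-01T08:05:00Z", "bob", "/private/auth", "User bob logged in (suspended 2FA)"),
    ("2024-05-01T08:06:30Z", "bob", "/private/users/42/mfa/", "Deactivating second factor for user 42"),
    ("2024-05-01T08:10:00Z", "carol", "/mfa/recovery", "Successfully validated recovery code"),
    ("2024-05-01T08:10:02Z", "carol", "/private/auth", "User carol logged in"),
]]

if __name__ == "__main__":
    for hit in events_to_review(SAMPLE):
        print(*hit)
```

The same ordering concern applies when searching in the Audit view: the `message:"logged in"` query also returns the "logged in (suspended 2FA)" records, so use the longer snippet when you want only the suspended sign-ins.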

Retrieve a user ID

Some Intelligence Center URL paths include IDs that refer to Intelligence Center assets and resources such as feeds, datasets, and workspaces; or to Intelligence Center users.

Each Intelligence Center user is automatically assigned a UUID upon creation. This UUID, or ID for short, uniquely identifies a user in EclecticIQ Intelligence Center.

To retrieve a user ID:

  1. In the side navigation bar click Settings > User management > Users.

  2. In the users overview, click anywhere in the row corresponding to the user whose ID you want to retrieve.

  3. In the web browser address bar, the URL of the active Intelligence Center view is similar to the following example: https://${platform_host_name}/user-management/users/?detail=42

    In the URL, the detail URL parameter holds the user ID.

    In the example, the ID value is 42.