Breached Password & Blocked Account events are not visible in user logs

Hello,
I noticed that whenever we have an event of Blocked Account (limit_wc) or Breached Password (pwd_leak) they are not visible in the User logs in the User Management.
I think the reason is that those events are missing user_id value, even though they have user_name which is an existing user email.

Can this be fixed?

1 Like

Hi @Artur ,

I noticed that the same query was raised in a Support ticket recently. The following is the answer provided by our Product Support Team. Hope it can be helpful to other folks in our community.


Brute Force Protection blocks are managed independently of users , tracked via the user-submitted identifier: email, username, or phone number.

For example, if a user fails 5 login attempts with the email address “example@mail.com”, we store something like the below in an “Anomaly Detection” database :

{
"block_type": "limit_wc",
"identifier": "[example@email.com](mailto:example@email.com)"
}

All other Attack Protection features, like Breached Password (pwd_leak), work in a similar fashion. So it is expected that there is no user_id value in the logs, hence when you check the logs for a specific user, you won’t see the Attack Protection logs since those are filtered by user_id, not by identifier.


If the feature of having a user_id associated with the logs (when the user exists) so that you can also see the Attack protection logs associated with a user is important to you, please communicate with our Product team directly via the feedback page. Thanks!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.