Correlate events and define authentication factors using Log Events

Howdy!

I am working on consuming Auth0 Log Events into Snowflake and building out reporting for our analytics team.

One of the first requests is to create a table with 1 row per login attempt and summarize what happened. The table should show the 2nd authentication factor used and any error if the login was unsuccessful.

Using the log events, I need to define:

  1. A login attempt for a user on a device
  2. The authentication factors used
  3. Whether the login succeeded
  4. If login failed, what was the reason

The first question is whether there is any concrete way to tie events together? Something like a correlation or session id. As an example, if a user tries to log in, fails several times, then enrolls in a 2nd auth factor, and successfully logs in, how do I tie all of those together on a given device?

There is a field called user_id that has our own internal CustomerID field so that lets me tie events across a user (assuming each event has the user_id). I also see a device_id field in the gd_* events which I was hoping would let me tie events across a device, but the s events don’t have the device_id field. I see a sessionID in s events, but not in the gd_* events. Is there any ID shared across all events during the login process? The concern there is: what if a user has multiple devices and tries logging in from the desktop site, then tries to log in from the app on their phone? How do I group the events by the user and device including the login success event?

Next question is, what is the best way to define the authentication factors used in a login attempt? I found an example where a login success event for a user had no prior mfa enrollment events:

{
  "client_id": "[redacted]",
  "client_name": "Customer Portal",
  "connection_id": "",
  "date": "2022-09-14T00:34:19.095Z",
  "details": {
    "completedAt": 1663115659094,
    "elapsedTime": 938,
    "initiatedAt": 1663115658156,
    "prompts": [
      {
        "completedAt": 1663115658822,
        "elapsedTime": 622,
        "flow": "universal-mfa",
        "initiatedAt": 1663115658200,
        "name": "mfa"
      }
    ],
    "riskAssessment": {
      "assessments": {
        "ImpossibleTravel": {
          "code": "initial_login",
          "confidence": "high"
        },
        "NewDevice": {
          "code": "initial_login",
          "confidence": "high"
        },
        "UntrustedIP": {
          "code": "not_found_on_deny_list",
          "confidence": "high"
        }
      },
      "confidence": "high",
      "version": "1"
    },
    "session_id": "[redacted]"
  },
  "hostname": "[redacted]",
  "ip": "[redacted]",
  "log_id": "[redacted]",
  "type": "s",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1",
  "user_id": "[redacted]",
  "user_name": "[redacted]"
}

I see under prompts, which I assume is telling me how they logged in, the name is “mfa” but I don’t see anything in this user’s event history indicating any sort of mfa enrollment. What does mfa mean in this event?

In another example, I found a user that enrolled in webauthn as their 2nd factor. I then found a login success event after their enrollment. This is the example of the prompts field of the login success event:

  "prompts": [
      {
        "completedAt": 1664807561480,
        "elapsedTime": 8615,
        "flow": "universal-login",
        "initiatedAt": 1664807552865,
        "name": "login",
        "passwordless_amr": "*****",
        "performed_acr": [
          "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
        ],
        "performed_amr": [
          "mfa"
        ],
        "timers": {
          "rules": 22
        },
        "user_id": "auth0|[redacted]",
        "user_name": "[redacted]"
      }
    ],

I can’t tell the authentication factors from this. Do I need to look back at their enrollment success events? If so, how do I look by user and device?
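One way to turn these events into the one-row-per-attempt table the post asks for, added here as an editor's example rather than code from the poster or from Auth0. It uses only the field names shown above (type, user_id, date, device_id, details.session_id, details.prompts with name and performed_amr); the gd_auth_succeed type code, the top-level "description" field on failed logins, and the join of gd_* events to the next s/f event of the same user within a time window are assumptions, the last one a heuristic rather than a correlation Auth0 guarantees.

```python
from datetime import datetime, timedelta
# Constructed sample events (not real Auth0 data). Field names follow the post
# (type, user_id, date, device_id, details.session_id, details.prompts); the
# gd_auth_succeed type code and top-level "description" field are assumptions.
SAMPLE_EVENTS = [
    {"type": "f", "user_id": "u1", "date": "2022-09-14T00:33:00.000Z",
     "description": "Wrong email or password.", "details": {"session_id": "sessA"}},
    {"type": "gd_auth_succeed", "user_id": "u1", "date": "2022-09-14T00:34:10.000Z",
     "device_id": "dev1", "details": {}},
    {"type": "s", "user_id": "u1", "date": "2022-09-14T00:34:19.095Z",
     "details": {"session_id": "sessA",
                 "prompts": [{"name": "login", "performed_amr": ["mfa"]}]}},
    {"type": "s", "user_id": "u2", "date": "2022-09-14T01:00:00.000Z",
     "details": {"session_id": "sessB", "prompts": [{"name": "login"}]}},
]

def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def factors_from_prompts(details):
    """Factor hints from prompts[].name == "mfa" and prompts[].performed_amr."""
    factors = set()
    for prompt in details.get("prompts", []):
        if prompt.get("name") == "mfa":
            factors.add("mfa")
        factors.update(prompt.get("performed_amr", []))
    return factors

def build_login_rows(events, window=timedelta(minutes=10)):
    """One row per terminal event (type 's' or 'f'). gd_* events carry no
    session_id, so each is joined to the next terminal event of the same user
    within `window`: a heuristic, not a correlation Auth0 guarantees."""
    pending, rows = {}, []  # pending: user_id -> gd_* events not yet joined
    for ev in sorted(events, key=lambda e: parse_date(e["date"])):
        if ev["type"].startswith("gd_"):
            pending.setdefault(ev["user_id"], []).append(ev)
            continue
        if ev["type"] not in ("s", "f"):
            continue
        ts, details = parse_date(ev["date"]), ev.get("details", {})
        linked = [g for g in pending.pop(ev["user_id"], [])
                  if ts - parse_date(g["date"]) <= window]
        factors = factors_from_prompts(details)
        if any(g["type"] == "gd_auth_succeed" for g in linked):
            factors.add("mfa")  # Guardian challenge passed = second factor used
        rows.append({"user_id": ev["user_id"], "session_id": details.get("session_id"),
                     "device_id": next((g["device_id"] for g in linked if g.get("device_id")), None),
                     "factors": sorted(factors), "success": ev["type"] == "s",
                     "error": ev.get("description") if ev["type"] == "f" else None})
    return rows
```

Loaded into Snowflake, the same logic maps to a window-function join on user_id and event time; the gd_* device_id only reaches the login row through that join, since the s event itself never carries it.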