Authentication event payload

The following IBM® Security Verify authentication event attributes are available when you generate reports.

The following table lists the attributes that are contained in the V2 Authentication Event.

Table 1. Authentication attributes
Name Data type Description
data.action String Example - login
data.authenticatorattachment String (Optional) Describes the authenticator's attachment modalities. This attribute is only present for FIDO based events and when known.
data.cause String Example - Authentication Successful
data.devicetype String Browser user agent
data.dict_enabled String Examples - "LOCAL", "GLOBAL", "LOCAL, GLOBAL"
data.dict_op String Examples - "NONE", "CHANGE", "AUTH"
data.dict_result String Examples - "NONE", "SUCCESS", "WARNING", "ENFORCED", "AUDIT"
data.dict_type String Examples - "NONE", "LOCAL", "GLOBAL"
data.fido2_authenticatordata String This attribute contains the authenticator data that is returned by the authenticator.
data.fido2_clientdatajson String This attribute contains the JSON-compatible serialization of the client data passed to the authenticator by the client to generate this credential.
data.fido2_credentialid String A probabilistically-unique byte sequence that identifies a public key credential source and its authentication assertions.
data.fido2_publickey String The Base64 encoded CBOR bytes of the COSE public key that is issued by the authenticator.
data.fido2_relyingparty String The unique identifier of the associated relying party.
data.fido2_signature String This attribute contains the raw signature returned from the authenticator.
data.host String Hostname of microservice instance that generated the event.
data.origin String IP address of system that caused event to be generated.
data.realm String Identity source of user. Examples:
  • Cloud Directory: CloudIdentityRealm
  • IBMid: www.ibm.com
  • SAML Enterprise: AzureRealm
  • LDAP pass-through: www.cloudsecurity.com
  • OIDC: www.yahoo.com
data.result String Success or failure.
data.sourceinstance String Source instance used for authentication - Azure.
data.sourcetype String Identity source type used for authentication: cloud directory, certificate, Kerberos, OIDC, pass-through, SAML - not needed for MFA events.
data.subject String Verify user ID that caused event to be generated.
data.subtype String
  • Certificate: Login with a native mobile app from Android mobile device (MaaS360®).
  • Device trust: Trust evaluation through device assertions, in addition to user provided trust (authentication).
  • Federation: SAML - ISVA and OIDC - IBMid
  • Kerberos - Login with a native mobile app from iOS mobile device (MaaS360)
  • MFA - Second factor used for authentication.
  • Passwordless - First factor used for authentication.
  • Social - Social providers like Facebook and LinkedIn.
  • Socialjwt - Used for mobile apps like WeChat.
  • Token-exchange - Used in the browser ROPC flow.
  • User_password - Cloud Directory, LDAP pass-through.
data.target String Secondary resource that might be applicable.
data.username String Unique identifier for logging in to Verify. It can be the same as the email address of the user.
geoip.city_name, geoip.continent_name, geoip.country_iso_code, geoip.country_name, geoip.location, geoip.region_name String Augmented by the Event service by using data.origin.
data.deviceid, data.mdmiscompliant, data.mdmismanaged, data.billingid String Android or iPhone device. True or false. True or false.

data.providerid, data.samlassertion String Identifies the SAML partner - only for failure events.
data.mfamethod, data.mfadevice
data.mfamethod - MFA factors that are used:
  • FIDO2
  • Email OTP
  • IBM Verify push
  • Knowledge questions
  • QR Login
  • SMS OTP
  • TOTP

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

{
  "geoip":{
    "continent_name":"North America",
    "as_org":"ATT-INTERNET4",
    "city_name":"Austin",
    "country_iso_code":"USA",
    "ip":"111.11.1111111",
    "country_name":"United States",
    "region_name":"Texas",
    "location":{
      "lon":"-97.7467",
      "lat":"30.2627"
    },
    "asn":7018
  },
  "data":{
    "result":"success",
    "subtype":"user_password",
    "subject":"222B2B22BB",
    "origin":"333.33.33.3",
    "cause":"Authentication Successful",
    "action":"login",
    "sourcetype":"clouddirectory",
    "realm":"cloudIdentityRealm",
    "devicetype":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0",
    "target":"https://<tenant_name>.<targetURL>",
    "username":"<user_email>"
  },
  "year":2019,
  "event_type":"authentication",
  "month":11,
  "indexed_at":1572979268427,
  "tenantid":"<tenant_id>",
  "tenantname":"<tenant_name>.ibmcloudsecurity.com",
  "correlationid":"CORR_ID-44c4cc4444-444c-4444-444-c44ccc4444cc",
  "servicename":"authsvc",
  "id":"<event_identifier>",
  "time":1572979268418,
  "day":5
}
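
The attributes above are enough to build basic detections on exported events. The following is an added example, not IBM code: it flags any data.origin whose failed logins reach several distinct data.username values within a short window, using the time field as epoch milliseconds as in the sample payload. The "failure" value for data.result, the helper names, and the sample events and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def _event(time_ms, username, origin, result, subtype="user_password"):
    """Build a constructed event in the payload shape documented above."""
    return {
        "event_type": "authentication",
        "time": time_ms,  # epoch milliseconds, as in the sample payload
        "data": {"action": "login", "result": result, "subtype": subtype,
                 "username": username, "origin": origin},
    }

# Constructed sample data; "failure" as a data.result value is an assumption.
SAMPLE_EVENTS = [
    _event(1572979200000, "alice@example.com", "192.0.2.10", "failure"),
    _event(1572979230000, "bob@example.com", "192.0.2.10", "failure"),
    _event(1572979260000, "carol@example.com", "192.0.2.10", "failure"),
    _event(1572979290000, "carol@example.com", "192.0.2.10", "success"),
    _event(1572979300000, "dave@example.com", "198.51.100.7", "failure"),
    _event(1572979900000, "dave@example.com", "198.51.100.7", "success"),
]

def spray_candidates(events, window_ms=300_000, min_users=3):
    """Return {origin: sorted usernames} for origins whose failed logins hit
    at least min_users distinct data.username values inside window_ms."""
    failures = defaultdict(list)
    for ev in events:
        data = ev.get("data", {})
        if ev.get("event_type") != "authentication":
            continue
        if str(data.get("result", "")).lower() != "failure":
            continue
        origin, user = data.get("origin"), data.get("username")
        # Skip events that lack the fields the grouping depends on.
        if origin and user and isinstance(ev.get("time"), int):
            failures[origin].append((ev["time"], user))
    flagged = {}
    for origin, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits window_ms.
            while hits[end][0] - hits[start][0] > window_ms:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(origin, set()).update(users)
    return {o: sorted(u) for o, u in flagged.items()}

if __name__ == "__main__":
    print(spray_candidates(SAMPLE_EVENTS))
```
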