Event Descriptions

HYPR Control Center Advanced: App Properties Menu

Each single captured Event is a result of a successful or failed attempt. Events appear in the Audit Trail, in the Control Center (CC) logs, in the HYPR Dashboard for Splunk, and in API call results.

πŸ“˜

Invisible Events

Not every Event is listed in the CC Audit Trail or HYPR Dashboard for Splunk; some only appear in API responses or CC logs.

2926

Event data is stored in a separate schema away from the critical HYPR FIDO databases. This allows registration, authentication, and deregistration flows to continue functioning without being affected. The connection information to this schema can be found in the Vault; a HYPR representative can help you find it. The settings for the Audit Trail schema will be automatically set up for you during installation.

We anticipate that potentially millions of records could exist in this database. We have included a means to roll over the data. This mechanism will be described in detail at the bottom of this guide.

eventTags

Most Events fall under one of the following eventTags categories; those that do not are listed last. Table listings under the following categories are sorted by the Action column.

A list of Event Parameters follows the event descriptions.

ADMIN Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
LOGINCC AccessCONTROL_CENTER_SERVERThe user logged in to Control Center.
LOGOUTCC AccessCONTROL_CENTER_SERVERLogout from Control Center web console.
FIDO2_METADATAFIDO2 MetadataCONTROL_CENTER_SERVERFIDO2 metadata statement with AAGUID modified.

aaguid = {aaguid}
CREATE_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully added an IdP integration.
DELETE_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully deleted the IdP integration.
DISABLE_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully disabled the IdP integration.
ENABLE_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully enabled the IdP integration.
REFRESH_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully refreshed the IdP integration.

OR

Failed to refresh the IdP integration.
SUSPEND_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully suspended the IdP integration.
UPDATE_INTEGRATIONIdP IntegrationsRELYING_PARTY_SERVERSuccessfully updated the IdP integration details.
AUTHENTICATOR_DISABLEDRP ApplicationCONTROL_CENTER_SERVERThe authenticator was disabled for this rpAppId. Authentication requests using this authenticator will fail.

aaid={aaid}
rpAppId={appId}
AUTHENTICATOR_ENABLEDRP ApplicationCONTROL_CENTER_SERVERThe authenticator was enabled.

aaid={aaid}
rpAppId={rpAppId}
CREATE_APPRP ApplicationCONTROL_CENTER_SERVER{rpAppId} was succesfully created.
CREATE_APP_ACTIONRP Application[Not Logged]An authentication or registration policy was created for {rpAppId}.
DELETE_APPRP ApplicationCONTROL_CENTER_SERVERAssociated settings have been deleted.
DELETE_APP_ACTIONRP ApplicationCONTROL_CENTER_SERVERDelete action for {rpAppId}.
DELETE_APP_CONFIGRP ApplicationRELYING_PARTY_SERVERRP Application configuration has been deleted.

config: {{config.toStringTruncateValue()}
SAVE_APP_CONFIGRP ApplicationRELYING_PARTY_SERVERThe Application configuration was saved. One or more of the following changed:

- Theme color, logo, title, or messaging
- Push and/or QR enablement toggle
- Desktop SSO enablement toggle
- Timeout configuration
UPDATE_APPRP ApplicationCONTROL_CENTER_SERVER{rpAppId} was succesfully updated.
UPDATE_APP_ACTIONRP ApplicationCONTROL_CENTER_SERVERUpdate action for {rpAppId}.
USERNAME DISSOCIATEUsername Aliases and EmailsRELYING_PARTY_SERVERAll associations with an email or alias have been deleted.
USERNAME ASSOCIATEUsername Aliases and EmailsRELYING_PARTY_SERVERThe username has been associated with {this}.

Back to Top

REGISTRATION Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
FIDO_ONLY_REGFIDO CoreUAF_SERVER
MobileDevice
WEB
FIDO registration.

The registration policy is supplied by the server. The device generates a cryptographic key pair, then sends the public key to the server. The user provides a second factor (touch/PIN/native/etc.) to safeguard the key.

Typical problems:
- The Application's policy(-ies) is not configured properly in Control Center
- The authenticator specified by the policy is not available on the phone
FIDO2_DEVICE_REGFIDO2 KeysRELYING_PARTY_SERVERUser {userName} initiated FIDO2 key registration.
FIDO2_DEVICE_REG_COMPLETEFIDO2 KeysRELYING_PARTY_SERVERA successful platform or security key registration was attempted on a mobile device. The browser running on the mobile device used WebAuthn with the Relying Party.

Success: FIDO2 key registered

Failure: Session not found for challenge , [expired | false]. Please contact HYPR customer support and report this issue. ExceptionId:
OOB_DEVICE_REGRegistrationRELYING_PARTY_SERVER
MobileDevice
The device scans the QR code and sends starts the registration process. A sessionId is generated and returned as a part of the response. The initial handshake between the client (browser/workstation) is now complete.

Typical problems:
- PIN mismatch due to a timeout
- Multiple scans of the same QR code
OOB_DEVICE_PAIRED
(was OOB_DEVICE_REG_COMPLETE)
RegistrationRELYING_PARTY_SERVERThis is the final step in the registration process. Confirmation was received from the Device. The device registration record has been saved.
OOB_DEVICE_PAIRED
(was OOB_DEVICE_REG_COMPLETE)
RegistrationRELYING_PARTY_SERVERThe device started registration successfully. The PIN has been matched successfully. The Relying Party connection is OK. The device can now proceed to attempt a FIDO registration.
OOB_DEVICE_PAIRED
(was OOB_DEVICE_REG_COMPLETE)
RegistrationRELYING_PARTY_SERVERA successful FIDO authentication was completed on a mobile device. Use traceId to match this event with the WORKSTATION_AUTH authentication start.

traceId={traceId}
OOB_GET_REG_DEVICESRegistrationRELYING_PARTY_SERVERListing request for mobile devices or security keys registered to the user.
OOB_WEBSITE_REGRegistrationRELYING_PARTY_SERVER
MobileDevice
WEB
The opening registration request from the browser or workstation. The client now waits for the mobile to scan QR. Started.
OOB_WEBSITE_REGRegistrationRELYING_PARTY_SERVER
MobileDevice
WEB
The client setup is complete. The sessionId is returned to the client

This indicates that the device has finished enrolling the user key pair. Registration is not yet complete.
OOB_WEBSITE_REGRegistrationRELYING_PARTY_SERVER
MobileDevice
WEB
The opening registration request call from the browser or workstation. The client now waits for the mobile device to scan a QR code.

Typical problems:
- The Application is not setup in Control Center
- The HYPR license is invalid
OOB_WORKSTATION_REGRegistrationRELYING_PARTY_SERVER
MobileDevice
Workstation
FIDO registration was started.
SMARTKEY_ENROLLSmartKey Phase 1RELYING_PARTY_SERVER
Workstation
Enrolling the security key.

enrollmentRequest={req}
SMARTKEY_ENROLL_COMPLETESmartKey Phase 1RELYING_PARTY_SERVERSecurity key enrollment succeeded.

Back to Top

WEB_REGISTRATION Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
MOBILE_CONFIRMED_CERTIFICATE_RENEWALWeb Registration[Not Logged]The mobile device's certificate renewal is complete.
MOBILE_CONFIRMED_NEW_CERTIFICATEWeb RegistrationRELYING_PARTY_SERVERThe mobile device confirms workstation certificate processing.
MOBILE_NOTIFIED_OF_CERTIFICATE_RENEWALWeb Registration[Not Logged]The mobile device was informed of successful certificate renewal.
MOBILE_NOTIFIED_OF_NEW_CERTIFICATEWeb RegistrationRELYING_PARTY_SERVERThe mobile device has been notified of the workstation certificate's availability.
WORKSTATION_CERTIFICATE_ISSUEDWeb RegistrationRELYING_PARTY_SERVERThe certificate was issued by the enrollment service.
WORKSTATION_CERTIFICATE_REQUESTEDWeb RegistrationRELYING_PARTY_SERVERA certificate request has been queued up for the Enrollment service.
WORKSTATION_CERTIFICATE_REVOKEDWeb Registration[Not Logged]The workstation certificate was revoked.
WORKSTATION_ENROLLEDWeb RegistrationRELYING_PARTY_SERVERWorkstation enrolled.

{machineName}

Back to Top

AUTHENTICATION Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
EXTERNAL_AUTH_COMPLETEAuth (OOB | Browser | DM | Java SDK)RELYING_PARTY_SERVERWorkstation [unlock | login] using [deviceType].
KC_USER_TEMPORARILY_DISABLEDAuth (OOB | Browser | DM | Java SDK)RELYING_PARTY_SERVERuser: REDACTED is temporarily disabled by brute force detection
KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPTAuth (OOB | Browser | DM | Java SDK)WEBUsers latest authentication attempt triggered brute force detection. Will eventually block user temporarily if this keeps occuring.
OOB_WEBSITE_AUTHAuth (OOB | Browser | DM | Java SDK)RELYING_PARTY_SERVER
WEB
MobileDevice
The browser requests authentication from the HYPR server for the user.
A push notification is sent to the mobile device asking it to authenticate.
A sessionId is generated and returned as a part of the response.

Typical problems:

- Network conditions may create delays in receiving the push notification
OOB_WEBSITE_AUTH_COMPLETEAuth (OOB | Browser | DM | Java SDK)RELYING_PARTY_SERVERThe client polls the server periodically to check if the mobile authentication is successful.

The server returns the current status of authentication in the response message.
OOB_WEBSITE_TRANSAuth (OOB | Browser | DM | Java SDK)RELYING_PARTY_SERVER
MobileDevice
The browser requested authentication for a step transaction from the HYPR server. The HYPR server sent a push notification to the mobile device, asking it to authenticate.
DESKTOP_SSODesktop SSORELYING_PARTY_SERVER
WORKSTATION
Desktop SSO started by web login attempt.
DESKTOP_SSO_COMPLETEDesktop SSORELYING_PARTY_SERVER
WORKSTATION
Desktop SSO completed by the workstation signing challenge.
FALLBACK_AUTHENTICATORFallback AuthenticationMobileDeviceFallback authentication has been [ enabled | disabled ]

.
FIDO_ONLY_AUTHFIDO CoreUAF_SERVERFIDO authentication using the cryptographic key.
FIDO2_WEBAUTHNFIDO2 AuthenticationRELYING_PARTY_SERVERA web authentication (webAuthn) attempt was made.
FIDO2_WEBAUTHN_COMPLETEFIDO2 AuthenticationRELYING_PARTY_SERVERWeb authentication (webAuthn) with {aaguid} was successful.

OR

Mobile device: Authentication as a platform authenticator or with a security key plugged into the mobile device. This is the use case where the browser running on the mobile device does WebAuthn with the Relying Party.
QR_FALLBACK_PAYLOAD_CACHEDQR AuthenticationCONTROL_CENTER_SERVER QR code was successfully cached for manual retrieval via QR Fallback deviceId=null, rpAppId={{rpAppId}}
QR_FALLBACK_PAYLOAD_RETRIEVEDQR AuthenticationCONTROL_CENTER_SERVER
RELYING PARTY_SERVER
[Success] Cached payload was retrieved using the respective activation code associated with creation. \n \n[Failure] Failed to find QR fallback payload using activation code provided. Please check code entered and retry.
SESSION_WEBSITE_AUTHQR AuthenticationMobileDeviceAuthentication was attempted using a QR code.
SESSION_WEBSITE_AUTH_COMPLETEQR Authentication[Not Logged]Authentication was completed using a QR code.
WORKSTATION_AUTHWorkstation AuthRELYING_PARTY_SERVER
MobileDevice
Workstation
Start of the workstation unlock request from the device. This request is made when the user clicks the Unlock button in the HYPR App. A message is sent to the workstation to initiate unlock/login.
WORKSTATION_AUTH_COMPLETEWorkstation AuthRELYING_PARTY_SERVERFinal confirmation that workstation unlock is successful.
Client and device top off the offline tokens.
WORKSTATION_AUTH_COMPLETEWorkstation AuthRELYING_PARTY_SERVERThe client has finished unlocking the workstation.
The login confirmation message reached the workstation. Completed.
WORKSTATION_AUTH_COMPLETEWorkstation AuthRELYING_PARTY_SERVERThe user has verified their physical presence at the workstation.
Generally, this involves pressing Ctrl+Alt+Delete.
UNIVERSAL_QR_SCANWorkstation AuthMobileDeviceOperation canceled. The HYPR barcode scan was aborted by the user.
WORKSTATION_AUTH_JSON_SCANWorkstation AuthMobileDeviceA mobile device was used to initiate a workstation lock or unlock event.
WORKSTATION_AUTH_QR_SCANWorkstation Auth[Not logged]A mobile device has been paired with a workstation via QR scan.

Back to Top

DEREGISTRATION Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
MOBILE_INITIATED_WEBSITE_DELETEDeleteRELYING_PARTY_SERVER
MobileDevice
A deregistration request was initiated from a mobile device for a website. The mobile user clicked on the Delete Web Account button.
MOBILE_INITIATED_WORKSTATION_DELETEDeleteRELYING_PARTY_SERVER
MobileDevice
A deregistration request was initiated from a mobile device for a workstation. The mobile user clicked on the Delete Computer button.
OOB_WEBSITE_INITIATED_DELETEDeleteRELYING_PARTY_SERVERA deregistration request was initiated from the web account or Control Center.
OOB_DEVICE_UNPAIRED
(was WORKSTATION_INITIATED_DELETE)
DeleteRELYING_PARTY_SERVER
Workstation
MobileDevice
A deregistration request was initiated from the workstation. The user clicked on the Delete Mobile Device button in the HYPR app on the computer.
FIDO_ONLY_DEREGFIDO CoreUAF_SERVER
MobileDevice
WEB
FIDO registration is deleted. It can no longer be used to authenticate.
FIDO2_DEVICE_DEREGFIDO2 KeysRELYING_PARTY_SERVERFIDO2 key {aaid} deleted for user {userName}.
FIDO2_DEVICE_RESETFIDO2 KeysRELYING_PARTY_SERVER[FIDO2 key {aaid} reset for user {userName}.
MOBILE_INITIATED_WORKSTATION_UNPAIREDFIDO2 KeysRELYING_PARTY_SERVERA deregistration request was initiated from a mobile device for a workstation. The mobile user clicked on the Delete Computer button.

Back to Top

OFFLINE_ACCESS Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
OFFLINE_TOKEN_ACCESSWorkstation-relatedMobileDeviceOffline token access request.
OFFLINE_TOKEN_AUTHWorkstation-relatedWorkstationAuthentication using Offline Mode. A mobile app user used an Offline Mode PIN to login to the workstation.

Back to Top

SMART_KEY Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
SMARTKEY_CC_INITIATED_UNENROLLSmartKey Phase 1RELYING_PARTY_SERVERThe security key was unenrolled from Control Center. Please remove the certificate from the Certificate Authority using the following command:

certutil -revoke ${req.smartKeyCertificateSerialNumber} 8
SMARTKEY_PIN_CHANGESmartKey Phase 1WorkstationAn attempt was made to change the security key PIN.
SMARTKEY_PIN_VERIFICATIONSmartKey Phase 1WorkstationThe security key PIN was verified.
SMARTKEY_WORKSTATION_INITIATED_UNENROLLSmartKey Phase 1RELYING_PARTY_SERVER
Workstation
The security key was unenrolled from the workstation. Please remove the certificate from the Certificate Authority using the following command:

certutil -revoke ${req.smartKeyCertificateSerialNumber} 8
SMARTKEY_AUTHSmartKey Phase 2[Not Logged]Authentication was attempted on a workstation using a security key.
SMARTKEY_AUTH_COMPLETESmartKey Phase 2WorkstationAuthentication was completed using a security key.
SMARTKEY_PIN_PUK_CHANGESmartKey Phase 2[Not Logged]A PIN Unblocking Key (PUK) for a smart key has been changed.
SMARTKEY_PIN_PUK_VERIFICATIONSmartKey Phase 2[Not Logged]A PIN Unblocking Key (PUK) for a smart key has been verified as part of a PIN reset.

Back to Top

ACCESS_TOKEN (ADMIN) Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
ACCESS_TOKEN_CREATEAccess TokensRELYING_PARTY_SERVEREndpoint API token creation request; this event is typically from the the browser token management UI.
ACCESS_TOKEN_REVOKEAccess TokensRELYING_PARTY_SERVEREndpoint API token revoked.

tokenId={token.id}
revokedBy={user}

Back to Top

ENDPOINT_API_ACCESS_TOKEN (ADMIN) Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
ENDPOINT_API_ACCESS_TOKEN_CREATEEndpoint API Access TokenRELYING_PARTY_SERVERThe endpoint API token was created.

Scope = [DEVICE | WORKSTATION]
tokenId = {truncated_token}
ENDPOINT_API_ACCESS_TOKEN_EXCHANGEEndpoint API Access TokenRELYING_PARTY_SERVERThe workstation install token was successfully exchanged.

tokenId={truncated_token}
ENDPOINT_API_ACCESS_TOKEN_EXCHANGE_FAILEDEndpoint API Access TokenRELYING_PARTY_SERVER
MobileDevice
The workstation install token exchange failed.

tokenId={truncated_token}
ENDPOINT_API_ACCESS_TOKEN_REVOKEEndpoint API Access TokenRELYING_PARTY_SERVERThe endpoint API token was successfully revoked.

tokenId={token.id}
revokedBy=$user

Back to Top

RECOVERY_PINS (ADMIN) Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
RECOVERY_PIN_AUTHRecovery PINsWorkstationAuthorization was attempted using a recovery PIN.
RECOVERY_PIN_REVEALRecovery PINsCONTROL_CENTER_SERVER
RELYING_PARTY_SERVER
The recovery PIN was revealed via either the CC Admin UI or an API call.
RECOVERY_PINS_DELETERecovery PINs[Not Logged]The recovery PIN was deleted. HYPR recommends generating new recovery PINS.
RECOVERY_PINS_GENERATEDRecovery PINsRELYING_PARTY_SERVERThe recovery PIN has been saved.
RECOVERY_PINS_RE_GENERATEDRecovery PINsRELYING_PARTY_SERVERThe recovery PINs have been re-saved.
RECOVERY_PINS_SETUPRecovery PINs[Not Logged]Recovery PINS were created.

Back to Top

MAGIC_LINK (ADMIN) Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
MAGIC_LINK_CREATEMagic LinksCONTROL_CENTER_SERVER
RELYING_PARTY_SERVER
Magic link created.
MAGIC_LINK_DELETEMagic LinksCONTROL_CENTER_SERVERDeleting pending magic links for:

username={userName}
rpAppId={rpAppId}
MAGIC_LINK_EXP_DELETE_EXISTING_AFTER_NEWMagic LinksCONTROL_CENTER_SERVERDeleting existing magic links after creating new a one for the same username.
MAGIC_LINK_EXP_DELETED_EXISTINGMagic LinksCONTROL_CENTER_SERVERPre-existing magic links have been deleted. Only one magic link can be alive at a given time.
MAGIC_LINK_EXP_RESEND_EMAIL_MSG_TO_HAASMagic LinksCONTROL_CENTER_SERVERAn invitation email has been generated and sent to {userName}.
MAGIC_LINK_EXP_USERNAME_NOT_FOUNDMagic LinksCONTROL_CENTER_SERVERUsername not found. Unable to resend an email to HYPR with a new magic link message.
MAGIC_LINK_EXPIRED_OR_USEDMagic LinksRELYING_PARTY_SERVERThis magic link is invalid or has expired.
MAGIC_LINK_NOT_FOUNDMagic LinksCONTROL_CENTER_SERVERCannot find a magic link for the token given. Verify that the token is correct and try again.

Back to Top

FEATURE_FLAGS (ADMIN) Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
FEATURE_FLAG_TOGGLEFeature FlagsRELYING_PARTY_SERVERFeature Flag toggled.

Back to Top

CREATE_USER, DELETE_USER Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
DELETE_USERDeleting RP User from CCRELYING_PARTY_SERVER{userName} was deleted from the Control Center using the API token belonging to {userPerformingDelete}.
[if no devices left]
{userName} has no remaining registrations after removing {deviceId}. Deleting the user record.
MAGIC_LINK_CREATE_USERMagic LinksRELYING_PARTY_SERVER{userName} was invited to Control Center via magic link and email.

Back to Top

SYSTEM_CHECK Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
BATCH_DB_UPDATESystem ChecksCONTROL_CENTER_SERVERThe background process to update the database failed; contact your administrator immediately.
DB_CRYPTO_VALIDATION_PROBLEMSystem ChecksCONTROL_CENTER_SERVERThe database data integrtity check failed. Data has potentially been tampered with.
Check affected user activity in the Audit Trail and Logs for suspicious authentication attempts. Try to register again.
FIDO_CERT_EXPIRY_CHECKSystem ChecksRELYING_PARTY_SERVERCertificate Expiration Notice.
FIDO certificates are monitored for expiry based on days remaining:

< 90 = High Criticality
90 - 150 = Medium Criticality
> 150 = Low Criticality

If the event is not logged as success=false, it passed the check.
LICENSE_VALIDATION_PROBLEMSystem ChecksRELYING_PARTY_SERVERINVALID_LICENSE: Details: Please upload a HYPR license key with a valid domain. Creating and updating RP applications will not be permitted until a valid license is uploaded.
MOBILE_CERT_RENEWAL_EXPIRY_CHECKSystem ChecksRELYING_PARTY_SERVER
MobileDevice
Certificate Expiration Notice.
Mobile device certificates are monitored for expiry based on days remaining:

< 90 = High Criticality
90 - 150 = Medium Criticality
> 150 = Low Criticality

If the event is not logged as success=false, it passed the check.
UAF_CERT_EXPIRY_CHECKSystem ChecksRELYING_PARTY_SERVERCertificate Expiration Notice.
UAF certificates are monitored for expiry based on days remaining:

< 90 = High Criticality
90 - 150 = Medium Criticality
> 150 = Low Criticality

If the event is not logged as success=false, it passed the check.

Back to Top

SETTINGS Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
SSL_PINS_UPDATEDGlobal ConfigMobileDevice
Workstation
SSL pins have been synched across HYPR.

[Fail] Error updating SSL pins: Operation failed
UPDATE_SERVER_GLOBAL_CONFIGGlobal ConfigRELYING_PARTY_SERVERSupport email has been updated. Support display name has been updated.

OR

Support email has been deleted.
FIDO2_POLICYSettingsRELYING_PARTY_SERVERUpdated FIDO2 policy.
FIDO2_SETTINGSSettingsRELYING_PARTY_SERVER{Client origin URL} has been [ enabled | disabled ]

Back to Top

RADIUS Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
RADIUS_CLIENT_CREATERADIUS ClientsCONTROL_CENTER_SERVERThe Radius server client was created.

id={radiusClientId}
RADIUS_CLIENT_DELETERADIUS ClientsCONTROL_CENTER_SERVERThe Radius server client was deleted.

id={radiusClientId}
RADIUS_CLIENT_UPDATERADIUS ClientsCONTROL_CENTER_SERVERThe Radius server client was updated.

id={radiusClientId}
RADIUS_CONFIG_CREATERADIUS ServersCONTROL_CENTER_SERVERThe Radius server configuration was created.

id={configCreated.radiusConfigId}
RADIUS_CONFIG_DELETERADIUS ServersCONTROL_CENTER_SERVERThe Radius server configuration was deleted.

id={radiusConfigId}
RADIUS_CONFIG_UPDATERADIUS ServersCONTROL_CENTER_SERVERThe Radius server configuration was updated.

id={updatedConfig.radiusConfigId}
RADIUS_INTEGRATION_CREATERADIUS ServersCONTROL_CENTER_SERVERThe Radius integration was created.

id={createdIntegration.id}
RADIUS_INTEGRATION_DELETERADIUS ServersCONTROL_CENTER_SERVERThe Radius integration was deleted.

id={radiusIntConfigId}
RADIUS_ONBOARDEDRADIUS ServersCONTROL_CENTER_SERVERRadius integration onboarded.

id={newIntegration.id}
RADIUS_SERVER_CREATERADIUS ServersCONTROL_CENTER_SERVERThe Radius server was created.

id={createdServer.radiusServerId}
RADIUS_SERVER_DELETERADIUS ServersCONTROL_CENTER_SERVERThe Radius server was deleted.

id={radiusServerId}
RADIUS_SERVER_UPDATERADIUS ServersCONTROL_CENTER_SERVERThe Radius server was updated.

id={radiusServerId}
radiusConfigId={radiusServer.radiusConfigId}

Back to Top

SUPPORT_ACCESS Events

Event (eventName)ActionSource (eventLoggedBy)Description (message)
SUPPORT_ACCESS_ENABLEDSupport AccessRELYING_PARTY_SERVERHYPR Support access enabled.
SUPPORT_ACCESS_DISABLEDSupport AccessRELYING_PARTY_SERVERHYPR Support access disabled.
SUPPORT_ACCESS_EXPIRATION_DATE_CHANGEDSupport AccessRELYING_PARTY_SERVERHYPR Support access expiration date set.
SUPPORT_ACCESS_EXPIRATION_DATE_EXCEEDED_BLOCKING_ACCESSSupport AccessRELYING_PARTY_SERVERBlocked HYPR Support access due to expiration date exceeded.
SUPPORT_ACCESS_NEW_EXPIRATION_DATE_APPLICABLE_ENABLING_ACCESSSupport AccessRELYING_PARTY_SERVEREnabled HYPR Support access due to expiration date no yet exceeded.
SUPPORT_ACCESS_ADDED_EMAILS_TO_ALLOW_LISTSupport AccessRELYING_PARTY_SERVEREmail added to list.
SUPPORT_ACCESS_REMOVED_EMAILS_FROM_ALLOW_LISTSupport AccessRELYING_PARTY_SERVEREmail removed from list.
SUPPORT_ACCESS_ALLOWANCE_CHANGED_FROM_ALLOW_LIST_TO_ALLSupport AccessRELYING_PARTY_SERVERAll HYPR employees are allowed to have access.
SUPPORT_ACCESS_ALLOWANCE_CHANGED_FROM_ALL_TO_ALLOW_LISTSupport AccessRELYING_PARTY_SERVEROnly HYPR employees on the list are allowed to have access.
SUPPORT_ACCESS_EXPIRATION_DATE_ENABLEDSupport AccessRELYING_PARTY_SERVERChanged from indefinite access to expiration date.
SUPPORT_ACCESS_EXPIRATION_DATE_DISABLEDSupport AccessRELYING_PARTY_SERVERChanged from expiration date to indefinite access.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_EXPIRATION_DATE_EXCEEDEDSupport AccessRELYING_PARTY_SERVERDenied HYPR Support access - expiration date exceeded.
SUPPORT_ACCESS_SUCCESSFUL_TENANT_ACCESS_ATTEMPTSupport AccessRELYING_PARTY_SERVERSuccessful HYPR Support tenant access.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_UNAUTHORIZEDSupport AccessRELYING_PARTY_SERVERDenied HYPR Support access - unauthorized.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_SUPPORT_ACCESS_DISABLEDSupport AccessRELYING_PARTY_SERVERDenied HYPR Support access - access disabled.
SUPPORT_ACCESS_MAGIC_LINK_SESSION_EXPIREDSupport AccessRELYING_PARTY_SERVERHYPR Support Magic Link session expired.

Back to Top

RISK_ENGINE Events

Event (eventName)ActionSource (eventLoggedBy)Description
(message)
ADAPT_CREATE_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERCreated new Adapt authentication policy for this tenant.
ADAPT_DELETE_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERDeleted an Adapt authentication policy for this tenant.
ADAPT_POLICY_EVALUATIONRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERAdapt policy evaluation was successful for , rpAppId=, traceId=<traceId, if applicable; may be empty>.
ADAPT_POLICY_EVAL_USER_ALLOWLISTEDRisk Engine
(AUTHENTICATION)
CONTROL_CENTER_SERVERThe user has been allowlisted to this policy.
ADAPT_UPDATE_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERUpdate an Adapt authentication policy for this tenant.
AUTHENTICATION_BLOCKED_BY_RISK_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERThe limit for allowed login failures was exceeded. Accompanies a 403 status code.
DISABLE_AUTH_RISK_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERThe risk policy was disabled.
ENABLE_AUTH_RISK_POLICYRisk Engine (AUTHENTICATION)CONTROL_CENTER_SERVERThe risk policy was enabled.

Back to Top

SIGNAL Events

Event (eventName)ActionSource (eventLoggedBy)Description
(message)
DEVICE_SIGNAL_RECEIVEDSignalsRELYING PARTY_SERVERSuccessfully posted the device security state.
WORKSTATION_SIGNAL_RECEIVEDSignalsRELYING_PARTY_SERVERSuccessfully posted the workstation security state.
BROWSER_SIGNAL_RECEIVEDSignalsBROWSERSuccessfully posted the browser security state.
MACHINE_SIGNAL_RECEIVEDSignalsRELYING_PARTY_SERVERSuccessfully posted device signals.

Back to Top

ERROR Events

Event (eventName)ActionSource (eventLoggedBy)Description
(message)
EXCEPTIONErrorRELYING_PARTY_SERVERCaptures any oddities that may occur on the mobile, workstation, or web components.

Back to Top

WORKSTATION_STATE Events

Event (eventName)ActionSource (eventLoggedBy)Description
(message)
WORKSTATION_SOCKET_CONNECTWorkstation StateWorkstationThe workstation web socket was connected.
WORKSTATION_SOCKET_DISCONNECTWorkstation State[Not Logged]The workstation web socket was disconnected.
WORKSTATION_CONFIGURATIONWorkstation State[Not Logged]The workstation was configured successfully.
WORKSTATION_STARTUPWorkstation State[Not Logged]The workstation was started. Usually this indicates the user powered on or rebooted the computer.
WORKSTATION_SHUTDOWNWorkstation State[Not Logged]The workstation was shut down. Usually this indicates the user powered off or rebooted the computer.
WORKSTATION_LOCKWorkstation StateRELYING_PARTY_SERVER
Workstation
A request was issued to lock the workstation. {deviceId(deviceIdParam)}
WORKSTATION_UPGRADEWorkstation State[Not Logged]The workstation was upgraded.

Back to Top

MISCELLANEOUS Events (no eventTags)

Event (eventName)ActionSource (eventLoggedBy)Description (message)
WESBITE_AUTHAuthenticationMobileDeviceOperation failed. Your request to authenticate this device didn't complete in time. Fingerprint timeout reached. Try again.
MOBILE_CERTIFICATE_REENROLLMENTCertificate RenewalRELYING_PARTY
Workstation
MobileDevice
The certificate was re-issued by the enrollment service.
DEFAULTCore System[Not Logged]A default entry for anomalous events.
UNKNOWNCore System[Not Logged]EventName= {name} is not known to this version of the server. The event may have been introduced in a newer version of the server.
LOG_SUBMISSIONLog SubmissionCONTROL_CENTER_SERVER
RELYING_PARTY_SERVER
{clientType} client logs were submitted successfully. OR
{clientType} client logs were submitted successfully by {userName}. OR
WINDOWS client logs were submitted successfully by {machineUserName}.
AUTH_DENIED_LOW_VERSIONVersion Control Feature Flag[Not Logged]Authentication was denied due to a prohibitively low version of Control Center.
REG_DENIED_LOW_VERSIONVersion Control Feature Flag[Not Logged]Registration was denied due to a prohibitively low version of Control Center.
MOBILE_INITIATED_WORKSTATION_LOCKWorkstation-related[Not Logged]The mobile device initiated a workstation lock action.

Back to Top

Event Parameters

Each Event will provide the following parameters, data permitting.

πŸ“˜

Event Data Model Parameters vs. Log Parameters

Labels in plain text are directly from the Event Data Model, while those in italics are generated for the logs and may be used in the Audit Trail and HYPR Dashboard for Splunk.

LabelParameterDescription
Event IDidUnique identifier for the Event.
Schema VersionversionThe Event schema version.
Event TypetypeEvent classification. For API log requests, this will always be AUDIT.
EventeventNameThe name of the Event.
MessagemessageA message giving a brief recount of the Event.
SubEventsubNameAn Event might be broken into sub-steps. The SubEvent distinguishes the various steps. Typically it is the URI of the request.
Logged ByeventLoggedByThe component which logged the Event. Success Events are mostly (but not necessarily) logged by the server. Failure Events are sent by the
HYPR Mobile App, HYPR Passwordless, or HYPR SDK if something goes wrong.

Possible Values: MobileDevice, RELYING_PARTY_SERVER, CONTROL_CENTER_SERVER, Web, Workstation, Browser, UAF_SERVICE, ENROLLMENT_SERVICE
TimeeventTimeInUTCThe time of the Event in UTC format.
LoggedloggedTimeInUTCThe time the server logged the Event in UTC format.
TenanttenantIdIdentifier for the HYPR Control Center server.

Sourced from the HYPR-TenantID HTTP header or from the hypr.rp.cacheNamespace Vault prop.
Remote IPremoteIPThe IP address of the node submitting the Event.

Sourced from the X-Forwarded-For HTTP header in the request.
User AgentuserAgentIdentifies the application, operating system, vendor, and/or version of the Event's requesting user agent.

Sourced from the User-Agent HTTP header.
Trace IDtraceIdAn identifier to assist Support in tracking the Event. If the header is missing, the server starts a new trace.

Sourced from the X-B3-TraceId HTTP header.
Session IDsessionIdUnique identifier of the web session.
Additional DetailsadditionalDetailsA map of discretionary data supplied for an Event; used to capture attributes not available in the Event object.
StatusisSuccessfulStatus of the individual Event.

Possible Values: true, false
Error CodeerrorCodeThe HYPR Error code associated with the Event, if any. This value must be populated if isSuccessful=false.

See also HYPR Error Codes Troubleshooting Table.
Error SeverityerrorSeverityThe impact level of the Event causing the error.

Possible Values: WARN, ERROR, FATAL, null (default)
RP Application IDrpAppIdThe camel case unique identifier of the relying party application generating the Event.
FIDO UserfidoUserA machine-readable user handle representing a FIDO registration.
UsernamemachineUserNameHYPR name for the user generating the Event. Typically associated with fidoUser.
AuthenticatorauthenticatorAuthenticator GUID/ID logged with the following Events:

GUID for FIDO2 Authentication
FIDO2_DEVICE_DEREG
FIDO2_WEBAUTHN_COMPLETE
FIDO2_DEVICE_REG_COMPLETE


ID for UAF
FIDO_ONLY_AUTH
FIDO_ONLY_DEREG
FIDO_ONLY_REG
Usage TypeusageTypeCurrently not used.
Integration TypeintegrationTypeThe type of integration upon which the Event occurs.
Integration ProviderintegrationProviderThe type of integration provider for the Event, based on the rpAppId.

Specific Parameters

The following parameters will appear only when a specific Event type is triggered.

Device (Includes Security Keys)

LabelParameterDescription
OSdeviceOSDevice operating system (Android/iOS/security key).

Sourced from the HYPR-Device-OS HTTP header.
OS VersiondeviceOSVersionDevice operating system version. For security keys, this will be the firmware version.

Sourced from the HYPR-Device-OS-Version HTTP header.
ModeldeviceModelDevice model number.

Sourced from the HYPR-Device-Model HTTP header.
Device IDdeviceIdA HYPR-generated device identifier. deviceId stays same for the lifetime of the App. Reinstalling the App generates a new deviceId.

In this case, Device may refer to a mobile device (90%) or another hardware device (Yubikey, etc.) which stores the private key/authenticator and performs authentication.
Device TypedeviceTypeRepresents any special indication of the device type triggering the Event.
HYPR Mobile App VersiondeviceRelVersionVersion of the HYPR Mobile App.

Sourced from the HYPR-Device-Release-Version HTTP header.
SDK VersionsdkRelVersionVersion of the HYPR SDK.

Sourced from the HYPR-SDK-Release-Version HTTP header.
Tokens Available tokensAvailableNumber of Offline Mode tokens available.
Tokens Remaining tokensRemainingNumber of Offline Mode tokens remaining.

Workstation

LabelParameterDescription
Extended Message extendedMessageAn additional message from the workstation regarding the Event.
OS VersionwsOSVersionWorkstation operating system version.

Sourced from the HYPR-Device-OS-Version HTTP header.
ModelwsModelWorkstation model number.

Sourced from the HYPR-WS-Model HTTP header.
OSwsOSWorkstation operating system.

Sourced from the HYPR-WS-OS HTTP header.
Machine IDmachineIdA HYPR-generated machine identifier.

In this case, Machine refers to the entity requesting authentication.

Possible Values:

Website
Accessing the same website in different browsers is considered to be the same machine. machineId is derived as
sha256(window.location.hostname + user + rpAppID)

WorkStation
The UUID generated upon Workstation install. This is not related to the underlying OS. The machineId remains constant through the life of the install or upgrade. A re-install of the Workstation will generate a new machineId."
Machine TypemachineTypeDefines when a machine is persisted/non-persisted with a local, web, or domain account.
Workforce Access VersionwsRelVersionVersion of the HYPR Passwordless client.

Sourced from the HYPR-WS-Release-Version HTTP header.
Offline Access Enabled offlineAccessEnabledToggle Offline Access.

Possible Values: True, False
Offline Token Length offlineTokenLengthLength of the offline token.
Offline Token Count offlineTokenCountTotal number of offline tokens.
Offline Access Days offlineAccessDaysNumber of days remaining on offline tokens.
Tokens Available tokensAvailableNumber of tokens available.
Tokens Remaining tokensRemainingNumber of tokens remaining.

Server

LabelParameterDescription
Node IDnodeIP address of the node.
VersionserverRelVersionVersion of the HYPR Control Center.

Web

LabelParameterDescription
Extended MessageextendedMessageAdditional details.
Machine NamemachineNameUnique name of the machine.

Event Log File (On-premises Only)

HYPR generates Event log files for tracing errors and Events, and to help integration with SIEM tools such as Splunk, Greylog, etc.

Control Center Event Log File

The CC Event log is located under the /opt/hypr/<server install dir> logs directory. It contains all Control Center Events.

1956

UAF Event Log File

The UAF Event log is located in the /opt/hypr/<server install dir> logs directory. This contains all UAF Events.

1960