
***************************
admin_list_user_auth_events
***************************



.. py:method:: CognitoIdentityProvider.Client.admin_list_user_auth_events(**kwargs)

  

  Requests a history of user activity and any risks detected as part of Amazon Cognito threat protection. For more information, see `Viewing user event history <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-event-user-history>`__.

   

  .. note::

    

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

     

    **Learn more**

     

    
    * `Signing Amazon Web Services API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`__
     
    * `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`__
    

    

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminListUserAuthEvents>`_  


  **Request Syntax**
  ::

    response = client.admin_list_user_auth_events(
        UserPoolId='string',
        Username='string',
        MaxResults=123,
        NextToken='string'
    )
    
  :type UserPoolId: string
  :param UserPoolId: **[REQUIRED]** 

    The ID of the user pool that contains the user profile with the logged events.

    

  
  :type Username: string
  :param Username: **[REQUIRED]** 

    The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If ``username`` isn't an alias attribute in your user pool, this value must be the ``sub`` of a local user or the username of a user from a third-party IdP.

    

  
  :type MaxResults: integer
  :param MaxResults: 

    The maximum number of authentication events to return. Returns 60 events if you set ``MaxResults`` to 0, or if you don't include a ``MaxResults`` parameter.

    

  
  :type NextToken: string
  :param NextToken: 

    This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'AuthEvents': [
              {
                  'EventId': 'string',
                  'EventType': 'SignIn'|'SignUp'|'ForgotPassword'|'PasswordChange'|'ResendCode',
                  'CreationDate': datetime(2015, 1, 1),
                  'EventResponse': 'Pass'|'Fail'|'InProgress',
                  'EventRisk': {
                      'RiskDecision': 'NoRisk'|'AccountTakeover'|'Block',
                      'RiskLevel': 'Low'|'Medium'|'High',
                      'CompromisedCredentialsDetected': True|False
                  },
                  'ChallengeResponses': [
                      {
                          'ChallengeName': 'Password'|'Mfa',
                          'ChallengeResponse': 'Success'|'Failure'
                      },
                  ],
                  'EventContextData': {
                      'IpAddress': 'string',
                      'DeviceName': 'string',
                      'Timezone': 'string',
                      'City': 'string',
                      'Country': 'string'
                  },
                  'EventFeedback': {
                      'FeedbackValue': 'Valid'|'Invalid',
                      'Provider': 'string',
                      'FeedbackDate': datetime(2015, 1, 1)
                  }
              },
          ],
          'NextToken': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **AuthEvents** *(list) --* 

        The response object. It includes the ``EventId``, ``EventType``, ``CreationDate``, ``EventRisk``, and ``EventResponse``.

        
        

        - *(dict) --* 

          One authentication event that Amazon Cognito logged in a user pool with threat protection active. Contains user and device metadata and a risk assessment from your user pool.

          
          

          - **EventId** *(string) --* 

            The event ID.

            
          

          - **EventType** *(string) --* 

            The type of authentication event.

            
          

          - **CreationDate** *(datetime) --* 

            The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java ``Date`` object.

            
          

          - **EventResponse** *(string) --* 

            The event response.

            
          

          - **EventRisk** *(dict) --* 

            The threat evaluation from your user pool about an event. Contains information about whether your user pool detected compromised credentials, whether the event triggered an automated response, and the level of risk.

            
            

            - **RiskDecision** *(string) --* 

              The action taken by adaptive authentication. If ``NoRisk``, your user pool took no action. If ``AccountTakeover``, your user pool applied the adaptive authentication automated response that you configured. If ``Block``, your user pool prevented the attempt.

              
            

            - **RiskLevel** *(string) --* 

              The risk level that adaptive authentication assessed for the authentication event.

              
            

            - **CompromisedCredentialsDetected** *(boolean) --* 

              Indicates whether compromised credentials were detected during an authentication event.

              
        
          

          - **ChallengeResponses** *(list) --* 

            A list of the challenges that the user was requested to answer, for example ``Password``, and the result, for example ``Success``.

            
            

            - *(dict) --* 

              The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

               

              .. warning::

                 

                You must provide a ``SECRET_HASH`` parameter in all challenge responses to an app client that has a client secret. Include a ``DEVICE_KEY`` for device authentication.

              SELECT_CHALLENGE

              ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}``

               

              Available challenges are ``PASSWORD``, ``PASSWORD_SRP``, ``EMAIL_OTP``, ``SMS_OTP``, and ``WEB_AUTHN``.

               

              Complete authentication in the ``SELECT_CHALLENGE`` response for ``PASSWORD``, ``PASSWORD_SRP``, and ``WEB_AUTHN``:

               

              
              * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}`` See `AuthenticationResponseJSON <https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson>`__.
               
              * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}``
               
              * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}``
              

               

              For ``SMS_OTP`` and ``EMAIL_OTP``, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response.

               

              
              * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}``
               
              * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}``
              

                WEB_AUTHN  

              ``"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}``

               

              See `AuthenticationResponseJSON <https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson>`__.

                PASSWORD  

              ``"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}``

                PASSWORD_SRP  

              ``"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}``

                SMS_OTP  

              ``"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}``

                EMAIL_OTP  

              ``"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}``

                SMS_MFA  

              ``"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}``

                PASSWORD_VERIFIER  

              This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a ``NotAuthorizedException`` error.

               

              ``"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}``

                CUSTOM_CHALLENGE  

              ``"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}``

                NEW_PASSWORD_REQUIRED  

              ``"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}``

               

              To set any required attributes that ``InitiateAuth`` returned in a ``requiredAttributes`` parameter, add ``"userAttributes.[attribute_name]": "[attribute_value]"``. This parameter can also set values for writable attributes that aren't required by your user pool.

               

              .. note::

                

                In a ``NEW_PASSWORD_REQUIRED`` challenge response, you can't modify a required attribute that already has a value. In ``AdminRespondToAuthChallenge`` or ``RespondToAuthChallenge``, set a value for any keys that Amazon Cognito returned in the ``requiredAttributes`` parameter, then use the ``AdminUpdateUserAttributes`` or ``UpdateUserAttributes`` API operation to modify the value of any additional attributes.

                

              SOFTWARE_TOKEN_MFA

              ``"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}``

                DEVICE_SRP_AUTH  

              ``"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}``

                DEVICE_PASSWORD_VERIFIER  

              ``"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}``

                MFA_SETUP  

              ``"ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"``

                SELECT_MFA_TYPE  

              ``"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}``

                 

              For more information about ``SECRET_HASH``, see `Computing secret hash values <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash>`__. For information about ``DEVICE_KEY``, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`__.

              
              

              - **ChallengeName** *(string) --* 

                The type of challenge that your previous authentication request returned in the parameter ``ChallengeName``, for example ``SMS_MFA``.

                
              

              - **ChallengeResponse** *(string) --* 

                The set of key-value pairs that provides a response to the requested challenge.

                
          
        
          

          - **EventContextData** *(dict) --* 

            The user context data captured at the time of an event request. This value provides additional information about the client from which the event request is received.

            
            

            - **IpAddress** *(string) --* 

              The source IP address of your user's device.

              
            

            - **DeviceName** *(string) --* 

              The user's device name.

              
            

            - **Timezone** *(string) --* 

              The user's time zone.

              
            

            - **City** *(string) --* 

              The user's city.

              
            

            - **Country** *(string) --* 

              The user's country.

              
        
          

          - **EventFeedback** *(dict) --* 

            The ``UpdateAuthEventFeedback`` or ``AdminUpdateAuthEventFeedback`` feedback that you or your user provided in response to the event. A value of ``Valid`` indicates that you disagreed with the level of risk that your user pool assigned, and evaluated a session to be valid, or likely safe. A value of ``Invalid`` indicates that you agreed with the user pool risk level and evaluated a session to be invalid, or likely malicious.

            
            

            - **FeedbackValue** *(string) --* 

              Your feedback to the authentication event. When you provide a ``FeedbackValue`` value of ``Valid``, you tell Amazon Cognito that you trust a user session where Amazon Cognito has evaluated some level of risk. When you provide a ``FeedbackValue`` value of ``Invalid``, you tell Amazon Cognito that you don't trust a user session, or you don't believe that Amazon Cognito evaluated a high-enough risk level.

              
            

            - **Provider** *(string) --* 

              The submitter of the event feedback. For example, if you submit event feedback in the Amazon Cognito console, this value is ``Admin``.

              
            

            - **FeedbackDate** *(datetime) --* 

              The date that you or your user submitted the feedback.

              
        
      
    
      

      - **NextToken** *(string) --* 

        The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.

        
  
  **Exceptions**
  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.InvalidParameterException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.NotAuthorizedException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.UserNotFoundException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.UserPoolAddOnNotEnabledException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.InternalErrorException`
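
The following is an added example, not part of the boto3 documentation or AWS sample code: it follows ``NextToken`` through every page of ``AuthEvents`` for one user and flags events for review based on ``EventRisk`` and ``ChallengeResponses``. The triage rules, ``StubClient``, ``_ev`` and ``SAMPLE_PAGES`` are assumptions constructed for illustration so the block runs offline.

```python
def iter_auth_events(client, user_pool_id, username, page_size=60):
    """Yield every AuthEvents entry for one user, following NextToken."""
    kwargs = {"UserPoolId": user_pool_id, "Username": username, "MaxResults": page_size}
    while True:
        page = client.admin_list_user_auth_events(**kwargs)
        yield from page.get("AuthEvents", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def triage(event):
    """Return the reasons an event needs analyst review (empty list: none)."""
    risk = event.get("EventRisk", {})
    reasons = []
    if risk.get("CompromisedCredentialsDetected"):
        reasons.append("compromised-credentials")
    if risk.get("RiskDecision") in ("AccountTakeover", "Block"):
        reasons.append("decision:" + risk["RiskDecision"])
    if risk.get("RiskLevel") == "High":
        reasons.append("risk-level:High")
    if any(c.get("ChallengeName") == "Mfa" and c.get("ChallengeResponse") == "Failure"
           for c in event.get("ChallengeResponses", [])):
        reasons.append("mfa-failure")
    return reasons

def flagged_events(client, user_pool_id, username):
    """List (EventId, IpAddress, reasons) for every event that triage() flags."""
    return [(e["EventId"], e.get("EventContextData", {}).get("IpAddress"), r)
            for e in iter_auth_events(client, user_pool_id, username)
            if (r := triage(e))]

class StubClient:
    """Constructed stand-in for boto3.client("cognito-idp"); not a real client."""
    def __init__(self, pages):
        self.pages, self.calls = pages, []
    def admin_list_user_auth_events(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.pages[int(kwargs.get("NextToken", 0))]

def _ev(eid, ip, decision, level, compromised, mfa="Success"):
    return {"EventId": eid, "EventContextData": {"IpAddress": ip},
            "EventRisk": {"RiskDecision": decision, "RiskLevel": level,
                          "CompromisedCredentialsDetected": compromised},
            "ChallengeResponses": [{"ChallengeName": "Mfa", "ChallengeResponse": mfa}]}

# Constructed sample data: page 0 links to page 1 through NextToken "1".
SAMPLE_PAGES = [
    {"AuthEvents": [_ev("evt-1", "198.51.100.7", "NoRisk", "Low", False)], "NextToken": "1"},
    {"AuthEvents": [_ev("evt-2", "203.0.113.9", "Block", "High", True, "Failure")]},
]
```

Against a live user pool, pass ``boto3.client("cognito-idp")`` in place of ``StubClient``; the caller needs IAM credentials that allow this operation, as the note at the top of this page describes.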

  