1. login events
Anzenna Public API
  • data exfiltration
    • Query database exfiltration events
      POST
    • List file movement activities
      POST
    • Get file movement activity by id
      GET
    • List files used with data exfiltration.
      POST
    • Get a specific data exfiltration file
      GET
    • List git events
      POST
    • Get a specific git event by id
      GET
    • List git repositories
      POST
    • Get a specific git repository
      GET
  • api key
    • Get API key information
      GET
  • login events
    • List login events
      POST
    • Get a login event by ID
      GET
  • browser applications
    • Query all browser applications
      POST
    • Get a browser application by id
      GET
    • List browser application instances
      POST
  • browser history
    • List browser history entries
      POST
  • data sharing
    • List file sharing instances
      POST
    • Query database share grants
      POST
    • Query database share user additions
      POST
    • List documents
      POST
    • Get document by id
      GET
  • devices
    • List devices
      POST
    • Get a device
      GET
    • List USB device connection events
      POST
    • Get a USB connection event
      GET
  • device policies
    • List device policies
    • Get a device policy
  • device applications
    • List device applications
    • Get a device application
    • Query device application instances.
  • device infections
    • List device infections
    • Get a device infection
  • ide applications
    • List IDE applications
    • Get an IDE application
  • ide application instances
    • Query IDE application instances.
  • mcp servers
    • List MCP servers
    • Get an MCP server
    • Query MCP server installations
  • mfa
    • Query all mfa statuses
  • oauth applications
    • Query all OAuth applications
    • Get an OAuth application by id
    • Query all OAuth application instances
  • passwords
    • Query all password reuse instances
  • people
    • Query all people
    • Get a person by id
    • Add a category to multiple people
    • Remove a category from multiple people
  • account
    • List accounts
    • Get an account by id
  • phishing interactions
    • Query all phishing interactions
  • email flows
    • Query all outbound email events
    • Get an outbound email event by id
  • company wide risk trends
    • Get company risk trends
  • high risk organizations
    • Get number of high risk organizations
  • detections
    • Get key finding detections
    • Get detection details
    • List users associated with a given detection
  • events
    • List security events
  • shadow it
    • Query all Shadow IT instances
  • web host
    • Query all web host resources
    • Get a web host resource by id
  • advanced query
    • Execute an advanced query
  • sources
    • Query raw events
  • allowlist
    • Query all allowlists
    • Create a new allowlist
    • Delete an allowlist
    • Update an allowlist
  1. login events

List login events

POST
/login-events
Query and filter login events
Relations:
employee (Person): The person who performed the login

Request

Authorization
Bearer Token
Provide your bearer token in the
Authorization
header when making requests to protected resources.
Example:
Authorization: Bearer ********************
or
Body Params application/json

Examples

Responses

🟢200OK
application/json
Successful operation
Body

🟠400Bad Request
🟠401Unauthorized
🟠403Forbidden
Request Request Example
Shell
JavaScript
Java
Swift
curl --location --request POST '/login-events' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "distinct_count": "string",
    "include_total_count": true,
    "limit": 10,
    "offset": 0,
    "query": "name='\''WINPC-4291'\'' AND status IN ('\''active'\'', '\''pending'\'')",
    "sort": "name desc, id"
}'
Response Response Example
{
    "distinct_values": [
        {
            "count": 0,
            "value": null
        }
    ],
    "pagination": {
        "count": 0,
        "total_count": 1000
    },
    "items": [
        {
            "allowlisted": true,
            "authentication_details": [
                {
                    "authentication_method": "Password",
                    "authentication_method_detail": "Password in the cloud",
                    "authentication_step_result_detail": "MFA requirement satisfied by claim in the token",
                    "succeeded": true
                }
            ],
            "challenge_method_kinds": [
                "security_key",
                "password"
            ],
            "client_app": "Browser",
            "conditional_access_status": "failure",
            "device_id": "device-123456",
            "employee_email": "john.doe@example.com",
            "employee_name": "John Doe",
            "external_id": "login_success/user@example.com/2025-01-15T14:30:00Z",
            "high_prevalence": true,
            "id": "8CA67511-744C-4D74-B26E-7281CF88712F",
            "impossible_travel_detail": {
                "distance_miles": 5823.4,
                "from_city": "San Francisco",
                "from_country": "US",
                "speed_mph": 1250.7,
                "to_city": "Amsterdam",
                "to_country": "NL"
            },
            "ip_address": "192.168.1.100",
            "ip_chain": [
                {
                    "city": "Amsterdam",
                    "country": "NL",
                    "ip": "203.0.113.45",
                    "source": "proxy",
                    "version": "V4"
                }
            ],
            "is_allowed_vpn": true,
            "is_foreign_country": false,
            "is_impossible_travel": false,
            "is_new_ip_network": false,
            "is_off_hours": false,
            "is_proxy_login": false,
            "is_service_account": false,
            "is_suspicious_client": false,
            "location_city": "San Francisco",
            "location_country": "USA",
            "location_state": "CA",
            "login_audit_kind": "failed_login",
            "login_time": "2025-01-15T14:30:00Z",
            "network_context": {
                "as_number": 14061,
                "as_org": "DigitalOcean, LLC",
                "domain": "digitalocean.com",
                "isp": "Comcast Cable"
            },
            "proxy_detail": {
                "kind": "vpn",
                "source": "NordVPN"
            },
            "risk_factors": [
                {
                    "magnitude": 40,
                    "type": "sensitive_file"
                }
            ],
            "risk_level": "high",
            "risk_score": 25.5,
            "sign_on_mode": "auto_login",
            "source": "unspecified",
            "token_protection": "bound",
            "user_agent": {
                "browser": "Chrome",
                "os": "Mac OS X",
                "raw": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
            },
            "vpn_operators": [
                "GLOBAL_PROTECT_CLOUD_VPN"
            ]
        }
    ]
}
Modified at 2026-03-31 19:28:57
Previous
Get API key information
Next
Get a login event by ID
Built with