Security Related Fields in the Audit Trail
Descope automatically logs two powerful security-related fields for every authentication event:
- J4A Fingerprinting: Detects bots and suspicious activity by analyzing request patterns and characteristics.
- ASN (Autonomous System Number): Identifies the network and organization behind the request's IP address.
These fields are available in the audit trail and can be leveraged in Descope Flows to automate risk-based security decisions.
What is J4A Fingerprinting?
J4A is an advanced fingerprinting system that generates a unique fingerprint for each request by analyzing:
- Request patterns
- HTTP headers
- Timing and behavioral signals
This helps you:
- Detect automated attacks (bots, credential stuffing)
- Identify suspicious or anomalous activity
- Assign a risk score to each authentication attempt
How to use it:
- Review the J4A score in the audit trail for risk assessment
- Add flow conditions to block, challenge, or step-up authentication for risky requests
What is ASN?
ASN (Autonomous System Number) is a unique identifier for networks on the internet. Each ASN represents a group of IP addresses managed by a single organization (e.g., an ISP, cloud provider, or enterprise).
- ASN is a globally unique 16-digit number
- Reveals the network origin of a request
- Useful for identifying requests from known malicious networks or anonymizing services
How to use it:
- Allow, deny, or require additional verification for requests from specific ASNs
- Apply geo/network-based access controls
Example: Security Headers in the Audit Trail
On the Audit page, you can see these fields in every event. For example, a LoginSucceed event includes cf-ja4 (J4A fingerprint) and x-asn (ASN):
Using J4A & ASN in Descope Flows
You can use these fields in your Descope Flows to:
- Block or challenge risky requests: Use the J4A score to detect and block bots or suspicious activity.
- Apply network-based logic: Use ASN to allow, deny, or step-up authentication for requests from certain networks or countries.
- Customize user journeys: Dynamically adapt authentication flows based on risk profile or network origin.
Example: Require MFA for Risky ASN
Suppose you want to require MFA for users coming from ASNs known for phishing or spam. You can do this in your flow conditions:
- Add the ASN condition:
- Trigger MFA based on ASN:
Best Practices
- Monitor: Regularly review J4A and ASN data in your audit logs for new threats.
- Automate: Use flow conditions to respond to risky requests in real time.
- Adapt: Update your flow logic as new attack patterns or malicious ASNs emerge.
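One way to carry out the "Monitor" practice offline, as an added example that is not Descope's own code: it scans a batch of audit events for logins from watchlisted ASNs and for a single cf-ja4/x-asn pair that touches many distinct accounts. The event layout (`action`, `loginId`, `data`), the watchlist, the threshold and all sample values are assumptions made for illustration, not Descope's documented export schema.

```python
from collections import defaultdict

# Assumed event layout: a dict with "action", "loginId" and a "data" dict that
# holds the cf-ja4 and x-asn values shown on the Audit page.
WATCHLIST_ASNS = {"64500"}   # constructed: ASN from the documentation range (RFC 5398)
MAX_USERS_PER_CLIENT = 3     # assumed threshold; tune it to your own traffic

def norm_asn(value):
    """Normalise '64500', ' as64500 ' or 'AS64500' to '64500'; missing -> ''."""
    s = str(value or "").strip().upper()
    return s[2:] if s.startswith("AS") else s

def review(events, watchlist=WATCHLIST_ASNS, max_users=MAX_USERS_PER_CLIENT):
    """Return (watchlist_hits, spread) for a batch of audit events.

    watchlist_hits: [(loginId, asn)] for events whose ASN is on the watchlist.
    spread: {(ja4, asn): [loginIds]} where one client fingerprint on one
            network was seen with more than max_users distinct accounts.
    """
    watchlist_hits = []
    users_by_client = defaultdict(set)
    for ev in events:
        data = ev.get("data") or {}          # tolerate events without the fields
        asn = norm_asn(data.get("x-asn"))
        ja4 = str(data.get("cf-ja4") or "").strip()
        user = ev.get("loginId")
        if asn and asn in watchlist:
            watchlist_hits.append((user, asn))
        if asn and ja4 and user:
            users_by_client[(ja4, asn)].add(user)
    spread = {key: sorted(users) for key, users in users_by_client.items()
              if len(users) > max_users}
    return watchlist_hits, spread

# Constructed sample data: fingerprints, ASNs and login IDs are placeholders.
FP_A = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"
FP_B = "t13d1715h2_cccccccccccc_dddddddddddd"
SAMPLE_EVENTS = (
    [{"action": "LoginSucceed", "loginId": f"user{i}@example.com",
      "data": {"cf-ja4": FP_A, "x-asn": "64501"}} for i in range(5)]
    + [{"action": "LoginSucceed", "loginId": "alice@example.com",
        "data": {"cf-ja4": FP_B, "x-asn": "AS64500"}},
       {"action": "LoginSucceed", "loginId": "bob@example.com", "data": {}}]
)

if __name__ == "__main__":
    hits, spread = review(SAMPLE_EVENTS)
    print("watchlist hits:", hits)
    print("fingerprints spread across accounts:", spread)
```

A fingerprint shared by many accounts is only a signal, since users on the same browser build produce the same value; pairing it with the ASN narrows it to one client type on one network before you turn it into a flow condition.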
For more details, see the Descope Audit Trail doc.