KB-2386 Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

pauline.delacruz — Mon, 15 Jun 2026 16:05:32 GMT

Current Revision posted to Appian Knowledge Base by pauline.delacruz on 6/15/2026 4:05:32 PM

Symptoms

After upgrading to Appian 25.4, automated log ingestion pipelines (such as Splunk, Datadog, ELK, or custom Appian expression rules) that process the <APPIAN_HOME>/logs/login-audit.csv file and rely on strict positional parsing or headerless formats may fail or parse data incorrectly.

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging.

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

This article applies to Appian 25.4 and later.

Last Reviewed: June 2026

Tags: integration, authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

pauline.delacruz — Wed, 20 May 2026 20:12:41 GMT

Revision 13 posted to Appian Knowledge Base by pauline.delacruz on 5/20/2026 8:12:41 PM

Symptoms

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

This article applies to Appian 25.4 and later.

Last Reviewed: May 2026

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:58:41 GMT

Revision 12 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:58:41 AM

Symptoms

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

This article applies to Appian 25.4 and later.

Last Reviewed: May 2026

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:57:53 GMT

Revision 11 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:57:53 AM

Symptoms

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

This article applies to Appian 25.4 and later.

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:56:14 GMT

Revision 10 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:56:14 AM

Symptoms

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:36:47 GMT

Revision 9 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:36:47 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:36:30 GMT

Revision 8 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:36:30 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:26:07 GMT

Revision 7 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:26:07 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

Tags: authentication

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:25:38 GMT

Revision 6 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:25:38 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:23:40 GMT

Revision 5 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:23:40 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, administrators must update their log ingestion scripts and parsers:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:22:46 GMT

Revision 4 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:22:46 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, administrators must update their log ingestion scripts and parsers:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:22:00 GMT

Revision 3 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:22:00 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, administrators must update their log ingestion scripts and parsers:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 08:06:26 GMT

Revision 2 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 8:06:26 AM

Issue

After upgrading to Appian 25.4, automated log ingestion pipelines (such as Splunk, Datadog, ELK, or custom Appian expression rules) that process the <APPIAN_HOME>/logs/login-audit.csv file and rely on strict positional parsing or headerless formats may fail or parse data incorrectly.

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, administrators must update their log ingestion scripts and parsers:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

cesar.gilalonso — Tue, 19 May 2026 07:47:09 GMT

Revision 1 posted to Appian Knowledge Base by cesar.gilalonso on 5/19/2026 7:47:09 AM

Issue

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.
New MFA Tracking Column: A new column was appended to the log to track native MFA events.
- In Appian 25.4, this column was initially introduced as MFA User.
- In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.
- Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

Action

To resolve this issue and prevent future disruptions, administrators must update their log ingestion scripts and parsers:

Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.
Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

Appian 25.4 and later.