Okta-analytics

4 operations, identified by eventType in the audit log.

eventType	Description
analytics.feedback.provide	An admin has provided feedback on a detection Okta provided which indicated a change in user or session risk. This can be used to monitor feedback provided by admins in response to Okta determined changes in risk. This event is fired when an admin chooses to provide feedback on a detection event in the admin console.
analytics.reports.export.download	A user has downloaded an export file that Okta has generated for a report available in the admin console. This event may be used to identify access by a user to a report data set from Okta. This may be useful to audit access to report data for security investigations, compliance audits, and evaluation of the utility of a report within the Org. This event only indicates that a user has downloaded the export file. The user that downloaded it may not be the user that requested generation of the export file. See analytics.reports.export.request and analytics.reports.export.generate for related actions.
analytics.reports.export.generate	Okta has generated an export file for a report available in the admin console. This event may be used to identify whether Okta successfully generated the export file that a user requested for a report. This event is primarily useful for troubleshooting if a report fails to generate. This event does not indicate whether a user downloaded the report file. See analytics.reports.export.request and analytics.reports.export.download for related actions.
analytics.reports.export.request	A user has requested that Okta generate an export file for a report available in the admin console. This event may be used to identify a request by a user to export a report data set from Okta. This may be useful to audit access to report data for security investigations, compliance audits, and evaluation of the utility of a report within the Org. This event only indicates that a user requested the export. It does not indicate that an export file was successfully generated by Okta nor that the export file was accessed by a user. See analytics.reports.export.generate and analytics.reports.export.download for those actions.

analytics.feedback.provide

Namespace: Okta-analytics

Description

An admin has provided feedback on a detection Okta provided which indicated a change in user or session risk. This can be used to monitor feedback provided by admins in response to Okta determined changes in risk. This event is fired when an admin chooses to provide feedback on a detection event in the admin console.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: analytics.feedback.provide https://developer.okta.com/docs/reference/api/event-types/#analytics-feedback-provide
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

analytics.reports.export.download

Namespace: Okta-analytics

Description

A user has downloaded an export file that Okta has generated for a report available in the admin console. This event may be used to identify access by a user to a report data set from Okta. This may be useful to audit access to report data for security investigations, compliance audits, and evaluation of the utility of a report within the Org. This event only indicates that a user has downloaded the export file. The user that downloaded it may not be the user that requested generation of the export file. See analytics.reports.export.request and analytics.reports.export.generate for related actions.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: analytics.reports.export.download https://developer.okta.com/docs/reference/api/event-types/#analytics-reports-export-download
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

analytics.reports.export.generate

Namespace: Okta-analytics

Description

Okta has generated an export file for a report available in the admin console. This event may be used to identify whether Okta successfully generated the export file that a user requested for a report. This event is primarily useful for troubleshooting if a report fails to generate. This event does not indicate whether a user downloaded the report file. See analytics.reports.export.request and analytics.reports.export.download for related actions.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: analytics.reports.export.generate https://developer.okta.com/docs/reference/api/event-types/#analytics-reports-export-generate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

analytics.reports.export.request

Namespace: Okta-analytics

Description

A user has requested that Okta generate an export file for a report available in the admin console. This event may be used to identify a request by a user to export a report data set from Okta. This may be useful to audit access to report data for security investigations, compliance audits, and evaluation of the utility of a report within the Org. This event only indicates that a user requested the export. It does not indicate that an export file was successfully generated by Okta nor that the export file was accessed by a user. See analytics.reports.export.generate and analytics.reports.export.download for those actions.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: analytics.reports.export.request https://developer.okta.com/docs/reference/api/event-types/#analytics-reports-export-request
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Okta-analytics

analytics.feedback.provide

Description

Fields #

References #

analytics.reports.export.download

Description

Fields #

References #

analytics.reports.export.generate

Description

Fields #

References #

analytics.reports.export.request

Description

Fields #

References #

Keyboard shortcuts

Search operators