detection.wiki

Okta-app

225 operations, identified by eventType in the audit log.

eventTypeDescription
app.access_request.approver.approveRequest to access an app was approved by an administrator-defined approver.
app.access_request.approver.denyRequest to access an app was denied by an administrator-defined approver.
app.access_request.deleteRequest to access an app was deleted by an administrator.
app.access_request.denyRequest to access an app was denied after at least one approver denied the request.
app.access_request.expireRequest to access an app expired by the system due to lack of approver action.
app.access_request.grantRequest to access an app was granted after all approvers approved the request.
app.access_request.requestRequest to access an app was performed by a user.
app.ad.api.user_import.account_lockedActive Directory user account set to locked following profile update: user is locked in active directory.
app.ad.api.user_import.warn.skipped_contact.attribute_invalid_valueSkipping import of contact due to invalid attribute. Please consult with your Active Directory admin if you believe this contact should be imported.
app.ad.api.user_import.warn.skipped_user.attribute_invalid_valueSkipping import of user due to an invalid AD attribute.
app.ad.api.user_import.warn.skipped_user.missing_required_attributeSkipping import of user due to a required AD attribute being null.
app.ad.password_migration_campaign.cancel.endComplete cancellation of migration campaign. This can be used to confirm that the process to cancel a password migration campaign intentionally is complete. This event marks the end of the cancellation process that began with an app.ad.password_migration_campaign.cancel.start event.
app.ad.password_migration_campaign.cancel.startStart cancellation of a password migration campaign. This can be used to track when the process to intentionally cancel a password migration campaign begins. This begins an asynchronous process. Its conclusion is marked by the app.ad.password_migration_campaign.cancel.end event.
app.ad.password_migration_campaign.createCreate Active Directory password migration campaign. This can be used to identify when a migration is created to monitor its duration and impact on users. Marks the beginning of a password migration campaign.
app.ad.password_migration_campaign.finish.endComplete password migration campaign. This can be used to confirm that a Finish password migration campaign process has fully completed. This event marks the successful end of the entire campaign lifecycle. This is an asynchronous process and is preceded by an app.ad.password_migration_campaign.finish.start event.
app.ad.password_migration_campaign.finish.startStart password migration campaign completion. This can be used to track the start of the Finish Campaign process. This begins an asynchronous process. Its conclusion is marked by the app.ad.password_migration_campaign.finish.end event.
app.ad.password_migration_campaign.group.addAdd group to Active Directory password migration campaign. This can be used to identify groups that have been included in a password migration campaign. This action expands the set of users eligible for password capture by the campaign.
app.ad.password_migration_campaign.user.capture_passwordCapture user password from Active Directory. This can be used to track progress for individual users and confirm password collection. This event does not signify the full migration of the user, only the successful capture of their password.
app.ad.password_migration_campaign.user.migrate.endComplete individual user password migration. This can be used as a record that a user's credential is fully migrated to Okta. The user's password is now fully migrated and active in Okta.
app.ad.password_migration_campaign.user.migrate.startStart individual user password migration. This can be used to confirm that a specific user's migration process has begun. The conclusion of this asynchronous process is marked by a corresponding app.ad.password_migration_campaign.user.migrate.end event.
app.ai_agent_provider.activateActivate an AI agent provider. Track when an AI agent import provider is enabled for scheduled imports.
app.ai_agent_provider.createCreate an AI agent provider. Track when a new connection to an external AI agent provider is established for importing agents.
app.ai_agent_provider.credential.validateValidate credentials for an AI agent import provider. Verify that credentials for an AI agent import provider are valid before activating the provider. Typically follows provider.credential.update and precedes provider.activate.
app.ai_agent_provider.deactivateDeactivate an AI agent provider. Track when an AI agent import provider is disabled.
app.ai_agent_provider.deleteDelete an AI agent provider. Track when a connection to an external AI agent provider is removed.
app.ai_agent_provider.import.completeComplete a bulk import of AI agents from an external provider. Audit the outcome of AI agent imports, including the number of agents found, imported, and errored. Paired with app.ai_agent_provider.import.start. Import outcome details are in the targets.
app.ai_agent_provider.import.startStart a bulk import of AI agents from an external provider. Audit when bulk imports of AI agents from external providers begin. A corresponding app.ai_agent_provider.import.complete event is fired when the import completes.
app.ai_agent_provider.updateUpdate an AI agent provider. Track AI agent import provider changes, such as credential configuration, owner info, and schedule updates. This event refers to the OAuth2 credentials used to connect to an external AI agent provider. For AI agent workload identity credentials (JWK signing keys), see workload_principal.ai_agent.credential.* events.
app.app_instance.csr.generateCertificate signing request (CSR) generated.
app.app_instance.csr.publishCertificate signing request (CSR) published.
app.app_instance.csr.revokeCertificate signing request (CSR) revoked.
app.app_instance.provision_sync_job.completedFired when a provision sync job has successfully completed. This can be used to confirm that a provision sync job has finished running and is no longer processing users. When fired, this event contains details about number of users processed in the job. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.failed.
app.app_instance.provision_sync_job.failedFired when a provision sync job has failed. This can be used to identify when a provision sync job has failed. When fired, this event contains information about the reason the provision sync job failed. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.completed.
app.app_instance.provision_sync_job.startedFired when a provision sync job has successfully started. This can be used to confirm that a provision sync job has successfully started. Related events include app.app_instance.provision_sync_job.completed and app.app_instance.provision_sync_job.failed.
app.cross_app_access.connection.createCreate Cross App Access connection. Audit when a requesting application is configured to connect with one or more resource applications. This is useful for security investigations and for compliance reviews of inter-application trust establishment.
app.cross_app_access.connection.deleteDelete Cross App Access connection. Audit when existing Cross App Access connections are removed. This is useful for tracking application lifecycle management and for security posture cleanup of inter-application trust relationships.
app.cross_app_access.connection.updateUpdate Cross App Access connection. Audit when existing Cross App Access connection configuration is modified, such as toggling enabled status. The changeDetails field tracks specific modifications. It is useful for generating alerts about unexpected changes to inter-application trusts.
app.generic.unauth_app_access_attemptUser attempted unauthorized access to app.
app.inbound_del_auth.login_successSuccessful inbound delegated authentication request for user.
app.interclient_mapping.createCreate interclient trust mapping. Audit the creation of a trust mapping between a target app and a requesting app via the interclient access API.
app.interclient_mapping.deleteDelete interclient trust mapping. Audit the deletion of a trust mapping between a target app and a requesting app via the interclient access API.
app.interclient_mapping.delete_allDelete all interclient trust mappings for app. Identify the automatic cleanup of all trust mappings associated with a deleted application instance.
app.kerberos_rich_client.account_not_foundKerberos based rich client authentication failed: Could not find Office 365 app user for the AD user with principal id.
app.kerberos_rich_client.instance_not_foundKerberos based rich client authentication failed: Unknown app instance id.
app.kerberos_rich_client.multiple_accounts_foundKerberos based rich client authentication failed: Multiple users with username found.
app.kerberos_rich_client.user_authentication_successfulKerberos based rich client authentication successful for Office 365 user.
app.keys.cloneApplication signing key cloned.
app.keys.generateNew signing key generated.
app.keys.rotateApplication signing key rotated.
app.ldap.password.change.failedPassword change failed.
app.oauth2.admin.consent.grantAdministrator consent granted for scope. This event can be used to track when an administrator grants consent to a client to request a specific scope. This event is fired when an admin grants consent.
app.oauth2.admin.consent.revokeAdministrator consent revoked for scope. This event can be used to track when an administrator revokes consent to a client to request a specific scope. This event is fired when an admin revokes consent.
app.oauth2.as.authorizeOAuth2 authorization request.
app.oauth2.as.authorize.codeOAuth2 authorization code request.
app.oauth2.as.authorize.implicit.access_tokenOAuth2 authorization implicit access token request.
app.oauth2.as.authorize.implicit.id_tokenOAuth2 authorization implicit ID token request.
app.oauth2.as.authorize.scope_deniedSome of the requested scopes were denied by the policy.
app.oauth2.as.consent.grantUser granted consent to app.
app.oauth2.as.consent.revokeConsent revoked.
app.oauth2.as.consent.revoke.implicit.asAll consent revoked for authorization server.
app.oauth2.as.consent.revoke.implicit.clientAll consent revoked for client.
app.oauth2.as.consent.revoke.implicit.scopeAll consent revoked for scope.
app.oauth2.as.consent.revoke.implicit.userConsent for all scopes revoked for user.
app.oauth2.as.consent.revoke.userAll consent revoked for user.
app.oauth2.as.consent.revoke.user.clientUser consent revoked for client.
app.oauth2.as.evaluate.claimClaim evaluation for OAuth 2.0 token. This event is triggered when the OAuth 2.0 authorization server's claim evaluation process can't be completed and fails. This event is useful when detecting misconfigured claims. Recorded details include the requester's ID, the client ID, the user ID, and the claims that couldn't be evaluated. This verification ensures that access tokens are granted only to requests that fully comply with established security policies, thus safeguarding access to protected resources.
app.oauth2.as.interact.interaction_codeInteraction code is generated by OIE. This event can be used by administrators to audit interaction_code generation, and troubleshoot why the IdX transaction has failed. When fired, this event contains hashed values of the interaction_code and interaction_handle, as well as information about the client to which they were issued.
app.oauth2.as.interact.interaction_handleInteraction handle is generated by OIE. This event can be used by administrators to detect if additional interaction is required and an interaction handle has been issued. When fired this event contains interaction handle hash and the client to which it was issued.
app.oauth2.as.key.rolloverCustom Authorization Server token signing key rolled over.
app.oauth2.as.resource_server.credentials.lifecycle.activateAuthorization server access token encryption key is activated. Use this event to find out if a new access token encryption key has been activated for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.
app.oauth2.as.resource_server.credentials.lifecycle.createAuthorization server access token encryption key is created. Use this event to find out if a new access token encryption key has been created for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.
app.oauth2.as.resource_server.credentials.lifecycle.deactivateAuthorization server access token encryption key is deactivated. Use this event to find out if a new access token encryption key has been deactivated for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.
app.oauth2.as.resource_server.credentials.lifecycle.deleteAuthorization server access token encryption key is deleted. Use this event to find out if a new access token encryption key has been deleted for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.
app.oauth2.as.token.detect_reuseDetect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired this event contains information about the user, client to which the refresh token was minted, and the hash of the refresh tokens.
app.oauth2.as.token.grantOAuth2 token request.
app.oauth2.as.token.grant.access_tokenOAuth 2.0 access token is granted. This event is triggered within OAuth 2.0 frameworks when an app successfully grants an access token to a user or service. The event occurs post-authentication and authorization, marking the final step in accessing protected resources. Use this event as a comprehensive audit trail for issued tokens. The event captures details such as the client ID, subject ID, token attributes (for example: scope, validity period), and the grant type used. This information helps with security audits, ensuring compliance with access policies and troubleshooting authorization flows. Specifically, variations in token attributes and grant type offer insights into the security posture and operational efficiency of OAuth 2.0 implementations. While this event primarily signifies successfully issued tokens, the event details are helpful in many areas. They help flag potential misuse of token grants or anomalies in token attributes. The event details also help facilitate a prompt response to deviations from established security practices.
app.oauth2.as.token.grant.device_secretGrant an OAuth2 device_secret for the Native SSO flow. This event adds tracking to let admins know when Native SSO is being used to protect desktop or mobile apps. When fired this event contains the device secret id which administrators can use to correlate with single logout events across native desktop apps.
app.oauth2.as.token.grant.id_tokenOAuth 2.0 ID token is granted. This event occurs when an OAuth 2.0 authorization server grants an ID token to a client after successful authentication. The ID token, which encapsulates the user's identity information, verifies the user's identity to the client app. Recorded details include the client ID, user ID, token issuance time, and claims associated with the user's identity. You can use this data for security audits, enabling precise tracking of user identity verification across apps. The issuance of an ID token follows established protocols for secure authentication. This ensures that sensitive user information is transmitted securely between the authorization server and the client.
app.oauth2.as.token.grant.interclient_tokenGrant interclient token. Track the successful issuance of an Interclient token via OAuth token exchange. This event will contain the target audience the interclient token is issued for.
app.oauth2.as.token.grant.refresh_tokenOAuth2 refresh token is granted.
app.oauth2.as.token.revokeOAuth2 token revocation request.
app.oauth2.authorizeOIDC authorization request.
app.oauth2.authorize.codeOIDC authorization code request.
app.oauth2.authorize.implicit.access_tokenOIDC authorization implicit access token request.
app.oauth2.authorize.implicit.id_tokenOIDC authorization implicit ID token request.
app.oauth2.client.lifecycle.activateActivate OAuth client.
app.oauth2.client.lifecycle.createCreate OAuth client.
app.oauth2.client.lifecycle.deactivateDeactivate OAuth client.
app.oauth2.client.lifecycle.deleteDelete OAuth client.
app.oauth2.client.lifecycle.updateUpdate OAuth client.
app.oauth2.client.privilege.grantAn OAuth 2.0 client app's admin privileges changed. This can be used to audit the provisioning of admin privileges for OAuth 2.0 client apps. When fired, this event contains information about the type of admin privileges the OAuth 2.0 client app currently has. Related events include: APP_OAUTH2_CLIENT_PRIVILEGE_REVOKE.
app.oauth2.client.privilege.revokeAll privileges for OAuth 2.0 client app were revoked. This can be used to audit the deprovisioning of admin privileges from OAuth 2.0 client apps. When fired, this event indicates the OAuth 2.0 client app has no more admin privileges. All of OAuth 2.0 client app's privileges were revoked. Related events include: APP_OAUTH2_CLIENT_PRIVILEGE_GRANT.
app.oauth2.client.read_client_secretRead OAuth client's secret(s). Use this event to verify that an OAuth client's secret(s) have been read when the client is returned in certain API responses. For example, an admin might use this event to audit if a client's secrets were read when using the client credentials management API. When fired, this event indicates that an OAuth client's secrets were read. The targets array may include references to multiple client secrets.
app.oauth2.client_id_rate_limit_warningRequests from a single client ID consumed the majority of an organization's OAuth2 endpoint rate limit. This event can be used by admins to discover and deactivate a rogue client. The admin is able to manage the client via the Syslog UI. When fired, this event contains information about the responsible client id. As of release, this event is fired when a single client id consumes 90% of an org's OAuth2 rate limit; this threshold is subject to change.
app.oauth2.consent.grantUser granted consent to app. This event can be used to identify the org AS consent grant. When fired, the event contains information about the successful consent grant by org AS.
app.oauth2.credentials.lifecycle.activateOAuth client credentials (either client secret or JWK) is added for an application. Use this event to find out if an application has a new client secret or private/public key that has been added. This could be used to audit changes made to client credentials.
app.oauth2.credentials.lifecycle.createOAuth client credentials (either client secret or JWK) is activated for an application. Use this event to find out if an application has activated a new client secret or private/public key. This could be used to audit changes made to client credentials.
app.oauth2.credentials.lifecycle.deactivateOAuth client credentials (either client secret or JWK) is deactivated for an application. Use this event to find out if an application has an existing client secret or private/public key that has been deactivated. This could be used to audit changes made to client credentials.
app.oauth2.credentials.lifecycle.deleteOAuth client credentials (either client secret or JWK) is deleted for an application. Use this event to find out if an application has an existing client secret or private/public key that has been deleted. This could be used to audit changes made to client credentials.
app.oauth2.interact.interaction_codeInteraction code generated by OIE. This event can be used by administrators to audit interaction_code generation, and troubleshoot why the IdX transaction has failed. When fired, this event contains hashed values of the interaction_code and interaction_handle, as well as information about the client to which they were issued.
app.oauth2.interact.interaction_handleInteraction handle generated by OIE. This event can be used by administrators to detect if additional interaction is required and an interaction handle has been issued. When fired this event contains interaction handle hash and the client to which it was issued.
app.oauth2.invalid_client_credentialsMultiple requests with invalid client credentials for client id.
app.oauth2.key.rolloverOrg Authorization Server token signing key rolled over.
app.oauth2.signonUser performed OIDC single sign on to app.
app.oauth2.token.detect_reuseDetect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired this event contains information about the user, client to which the refresh token was minted, and the hash of the refresh tokens.
app.oauth2.token.grantOIDC token request.
app.oauth2.token.grant.access_tokenOIDC access token is granted.
app.oauth2.token.grant.id_jagOAuth 2.0 Identity Assertion JWT Authorization Grant (ID-JAG) granted. This event is triggered when an app successfully completes an OAuth token exchange to generate an Identity Assertion JWT Authorization Grant. The Identity Assertion relies on a valid ID token obtained from a single sign-on (SSO) flow and the ID-JAG JWT is used in Cross App Access.
app.oauth2.token.grant.id_tokenOIDC id token is granted.
app.oauth2.token.grant.interclient_tokenGrant interclient token. Track the successful issuance of an Interclient token via OAuth token exchange. This event will contain the target audience the interclient token is issued for.
app.oauth2.token.grant.oauth_stsGrant OAuth Security Token Service (STS) access token. Audit when an application successfully exchanges an OAuth token for an access token from a third-party authorization server.
app.oauth2.token.grant.refresh_tokenOIDC refresh token is granted.
app.oauth2.token.grant.service_accountGrant Okta Privileged Access service account credentials. Audit when an application successfully exchanges an OAuth token for credentials for a service account in Okta Privileged Access.
app.oauth2.token.grant.vaulted_secretGrant Okta Privileged Access vaulted secret. Audit when an application successfully exchanges an OAuth token for a vaulted secret in Okta Privileged Access.
app.oauth2.token.oauth_sts.request_tokenRequest OAuth tokens from a third-party authorization server. This event is triggered when Okta requests OAuth tokens from a third-party authorization server.
app.oauth2.token.revokeOIDC token revocation request.
app.oauth2.token.revoke.implicit.asTokens revoked for authorization server.
app.oauth2.token.revoke.implicit.clientTokens revoked for client.
app.oauth2.token.revoke.implicit.userTokens revoked for user.
app.oauth2.trusted_server.addTrusted authorization server is added. Administrators can use this event to debug and audit trusted authorization server operations. When fired, this event contains the authorization server IDs of the servers involved.
app.oauth2.trusted_server.deleteTrusted authorization server is removed. Administrators can use this event to debug and audit trusted authorization server operations. When fired, this event contains the authorization server IDs of the servers involved.
app.office365.api.change.domain.federation.successSuccessfully updated the domain federation from old settings to new settings.
app.office365.api.error.ad.userUser is assigned to more than one instance of Active Directory, could not set Immutable ID.
app.office365.api.error.check.user.existsCould not determine status of Office 365 user, received error.
app.office365.api.error.create.userCould not create user in Office 365, received error.
app.office365.api.error.deactivate.userCould not deactivate Office 365 user, received error.
app.office365.api.error.download.custom.objectsCould not download group/role/license data for your Office 365 instance, received error.
app.office365.api.error.download.groupsCould not download all groups from your Office 365 instance, received error.
app.office365.api.error.download.usersCould not download all users from your Office 365 instance, received error.
app.office365.api.error.endpoint.unavailableUnable to reach the Office 365 endpoint.
app.office365.api.error.get.company.dirsync.failureUnable to read Office 365 directory sync for the company, received error.
app.office365.api.error.get.company.dirsync.status.failureUnable to provision user to Office 365, because 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated and retry.
app.office365.api.error.get.company.dirsync.status.pendingUnable to provision user to Office 365, because 'Directory Sync' value in Azure Active Directory not yet in Activated state. This may take up to 72 hours. Please visit the Azure Active Directory portal and retry when in Activated state.
app.office365.api.error.get.object.ids.by.group.idCould not get users by group id from your Office 365 instance, received error.
app.office365.api.error.group.create.failureCould not create Office 365 group, received error.
app.office365.api.error.group.create.failure.name.in.useCould not create Office 365 group because the name is already in use, received error.
app.office365.api.error.group.delete.failureCould not delete Office 365 group, received error.
app.office365.api.error.group.membership.update.failureCould not update the Office 365 group membership, received error.
app.office365.api.error.group.membership.update.group.not.found.failureCould not update the Office 365 group membership because the group could not be found, received error.
app.office365.api.error.group.update.failureCould not update Office 365 group, received error.
app.office365.api.error.group.update.failure.not.foundCould not update Office 365 group because it was not found, received error.
app.office365.api.error.import.profileCould not import profile for Office 365 user, received error.
app.office365.api.error.push.passwordCould not push password for Office 365 user, received error.
app.office365.api.error.push.profileCould not push profile for Office 365 user, received error.
app.office365.api.error.reactivate.userCould not reactivate Office 365 user, received error.
app.office365.api.error.remove.domain.federation.failureUnable to remove the domain federation, received error.
app.office365.api.error.remove.domain.federation.failure.access.deniedUnable to remove the domain federation because the admin user is not authorized to perform the task.
app.office365.api.error.remove.domain.federation.failure.domain.not.foundUnable to remove the domain federation because the specified domain was not found.
app.office365.api.error.revoke.refresh.tokenFailed to revoke refresh tokens for user.
app.office365.api.error.set.company.dirsync.failureUnable to enable Office 365 directory sync for the company, received error.
app.office365.api.error.set.company.dirsync.status.failureUnable to enable Office 365 directory sync for the company, because 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated.
app.office365.api.error.set.domain.federation.failureUnable to setup the domain federation, received error.
app.office365.api.error.set.domain.federation.failure.access.deniedUnable to setup the domain federation because the admin user is not authorized to perform the task.
app.office365.api.error.set.domain.federation.failure.domain.defaultUnable to setup the domain federation because the specified domain is the default domain.
app.office365.api.error.set.domain.federation.failure.domain.not.foundUnable to setup the domain federation because the specified domain was not found.
app.office365.api.error.sync.contactFailed to sync contact, received error.
app.office365.api.error.sync.finalizeFailed to finalize export to Office 365, received error.
app.office365.api.error.sync.groupFailed to sync group, received error.
app.office365.api.error.sync.not.activatedSync could not execute because Office 365 directory sync for the company not yet Activated. Sync will retry after a period of time.
app.office365.api.error.sync.set.attributeFailed to set attribute, received error.
app.office365.api.error.sync.userFailed to sync user, received error.
app.office365.api.error.unable.to.create.graph.clientAn error occurred while creating the Azure Active Directory Graph API client. Please try the last operation again. If this error persists, please contact Okta support.
app.office365.api.error.validate.admin.credsUser does not have the Company Administrator role. Please try again with a user which has this role.
app.office365.api.error.validate.credsCould not validate your Office 365 credentials, received error.
app.office365.api.error.x-ms-forwarded-client-ip-header.absentX-MS-Forwarded-Client-IP header either empty or not found in the request.
app.office365.api.remove.domain.federation.successSuccessfully removed the domain federation.
app.office365.api.set.domain.federation.successSuccessfully set up the domain federation with new settings.
app.office365.api.sync.completeUser sync completed.
app.office365.api.sync.heartbeat.sentHeartbeat sent to Microsoft Azure Active Directory.
app.office365.api.sync.job.completeSync job completed.
app.office365.api.sync.job.complete.contactSync job completed.
app.office365.api.sync.job.complete.groupSync job completed.
app.office365.api.sync.job.complete.userSync job completed.
app.office365.clientplatform.conversion.job.processing.app.instanceBegin processing client access conversion for app instance.
app.office365.clientplatform.conversion.job.skipping.migrationSkipping migration of client access rules for app instance.
app.office365.dirsync.skipping.conflict-objectSkipping sync of conflict object.
app.office365.dirsync.skipping.critical-system-objectSkipping sync of critical system object.
app.office365.dirsync.skipping.non-security-group-invalid-mailSkipping sync of non security object with invalid mail.
app.office365.dirsync.skipping.reserved-attribute-valueSkipping sync of object with reserved attribute value.
app.office365.dirsync.skipping.systemmailboxSkipping sync of system mailbox object.
app.office365.dirsync.skipping.without-name-and-displaynameSkipping sync of non security object without name and display name.
app.office365.error.importing.userAn error occurred while importing user.
app.office365.graph.api.error.no.mailbox.foundNo MailBox found for Office 365 user.
app.office365.graph.api.error.rate-limit.exceededRate limit exceeded for Microsoft Graph.
app.office365.graph.api.error.service.principal.creation.failedFailure while trying to create service principal.
app.office365.graph.api.error.service.principal.msgraph.authentication.failureFailure while trying to create service principal due to a Mircrosoft Graph authentication issue.
app.office365.service.principal.cleanup.job.completeEnd processing Office 365 service principal cleanup.
app.office365.service.principal.cleanup.job.invalid.credentialsThe admin username or password is invalid. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.
app.office365.service.principal.cleanup.job.processingBegin performing Office 365 service principal cleanup.
app.office365.service.principal.cleanup.job.skipping.missing.credsSkipping app instance during Office 365 service principal cleanup as it does not contain Office 365 admin user credentials. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.
app.office365.service.principal.cleanup.job.skipping.no.service.principalSkipping app instance during Office 365 service principal cleanup as it does not have a service principal.
app.office365.service.principal.cleanup.job.unable.to.delete.service.principalUnable to automatically delete the Office 365 service principal. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.
app.office365.user.delete.successSuccessfully deleted the Office 365 user.
app.office365.user.lifecycle.action.failedUnable to complete app user lifecycle action for AppUser.
app.office365.user.remove.licenses.successSuccessfully removed all the licenses for the Office 365 user.
app.policy.sign_on.updateUpdate app sign on policy. This event is used to audit when an app sign on policy is updated. This event is fired when an admin updates an app's sign on policy and logs what was changed.
app.radius.agent.listener.failedRadius agent listener failed.
app.radius.agent.listener.succeededRadius agent listener succeeded.
app.radius.agent.port_inaccessibleRadius agent failed to listen on port.
app.radius.agent.port_reaccessibleRadius agent was able to listen on port again.
app.radius.info_access.no_permissionNo permission accessing any Radius app info. This event can be used to monitor and notify admins when some users who access radius app info have no permission. Fired when users who access radius app info have no permission.
app.radius.info_access.partial_permissionNo permission accessing info for part of Radius apps. This event can be used to monitor and notify admins when some users who access radius app info have only partial permission. Fired when users who access radius app info have partial permission.
app.realtimesync.import.details.add_userReal time sync added new User.
app.realtimesync.import.details.delete_userReal time sync removed existing User.
app.realtimesync.import.details.update_userFired when a real time import includes an update to an existing user. This can be used to see details about the user updates included in a real time sync import. When fired, this event contains information about the type of update made, including whether or not a user was suspend or unsuspended. Related events include: app.realtimesync.import.details_add_user and app.realtimesync.import.details_delete_user.
app.request_new.notifyA user sent an application request. Used to notify admins that a user made an application request from the Enduser Dashboard. The application request attempts to send an email to an admin with the user's request. This event only indicates that the request was made, not necessarily that the email was successfully delivered.
app.rum.config.validation.errorError validating instance configuration. Can be used to identify configuration issues with remote user management.
app.rum.is.api.account.errorRUM API account is not configured or empty. Can be used to identify RUM API account configuration issues.
app.rum.package.thrown.errorErrors during execution. Can be used to identify any errors during execution of remote user management.
app.rum.validation.errorError during package validation. Can be used to identify validation issues with remote user management packages.
app.saml.sensitive.attribute.updateFired when a SAML assertion contains a sensitive attribute, and that sensitive attribute has been updated (modified/added/deleted). This event does not fire when non-sensitive SAML attributes are updated. This can be used to audit that a sensitive attribute attached to an outbound SAML assertion has been correctly modified, added, or deleted. When fired, this event contains the specific attributes that have been modified, added, or deleted to/from the SAML assertion. Related events include: application.lifecycle.update.
app.user_managementImported new or deleted existing member of an application group.
app.user_management.grouppush.mapping.created.from.ruleA Group Push mapping to the group has been created from the rule.
app.user_management.grouppush.mapping.created.from.rule.error.duplicateA Group Push mapping to the group did not get created from rule because an existing mapping already existed.
app.user_management.grouppush.mapping.created.from.rule.error.validationA Group Push mapping to the group did not get created from rule because of the validation error.
app.user_management.grouppush.mapping.created.from.rule.errorsA Group Push mapping to the group did not get created from rule.
app.user_management.grouppush.mapping.okta.users.ignoredOkta users ignored while pushing group to AppInstance.
app.user_management.import.csv.line.errorError reading line from CSV.
app.user_management.push_new_user_successSuccessfully pushed new user account to app.
app.user_management.update_from_master_failedCould not apply import.
app.user_management.user_group_import.create_failureFailed to create group from app.
app.user_management.user_group_import.delete_successDeleted the group from app.
app.user_management.user_group_import.update_failureFailed to update group from app.
app.user_management.user_group_import.upsert_failFailed to import the group from app. This event helps identify when a group is failed to be imported. Fired when we skip processing an import of a group.
app.user_management.user_group_import.upsert_successImported the group from app.

app.access_request.approver.approve

#
Namespace
Okta-app

Description

Request to access an app was approved by an administrator-defined approver.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.approver.deny

#
Namespace
Okta-app

Description

Request to access an app was denied by an administrator-defined approver.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.delete

#
Namespace
Okta-app

Description

Request to access an app was deleted by an administrator.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.deny

#
Namespace
Okta-app

Description

Request to access an app was denied after at least one approver denied the request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.expire

#
Namespace
Okta-app

Description

Request to access an app expired by the system due to lack of approver action.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.grant

#
Namespace
Okta-app

Description

Request to access an app was granted after all approvers approved the request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.access_request.request

#
Namespace
Okta-app

Description

Request to access an app was performed by a user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.api.user_import.account_locked

#
Namespace
Okta-app

Description

Active Directory user account set to locked following profile update: user is locked in active directory.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.api.user_import.warn.skipped_contact.attribute_invalid_value

#
Namespace
Okta-app

Description

Skipping import of contact due to invalid attribute. Please consult with your Active Directory admin if you believe this contact should be imported.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.api.user_import.warn.skipped_user.attribute_invalid_value

#
Namespace
Okta-app

Description

Skipping import of user due to an invalid AD attribute.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.api.user_import.warn.skipped_user.missing_required_attribute

#
Namespace
Okta-app

Description

Skipping import of user due to a required AD attribute being null.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.cancel.end

#
Namespace
Okta-app

Description

Complete cancellation of migration campaign. This can be used to confirm that the process to cancel a password migration campaign intentionally is complete. This event marks the end of the cancellation process that began with an app.ad.password_migration_campaign.cancel.start event.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.cancel.start

#
Namespace
Okta-app

Description

Start cancellation of a password migration campaign. This can be used to track when the process to intentionally cancel a password migration campaign begins. This begins an asynchronous process. Its conclusion is marked by the app.ad.password_migration_campaign.cancel.end event.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.create

#
Namespace
Okta-app

Description

Create Active Directory password migration campaign. This can be used to identify when a migration is created to monitor its duration and impact on users. Marks the beginning of a password migration campaign.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.finish.end

#
Namespace
Okta-app

Description

Complete password migration campaign. This can be used to confirm that a Finish password migration campaign process has fully completed. This event marks the successful end of the entire campaign lifecycle. This is an asynchronous process and is preceded by an app.ad.password_migration_campaign.finish.start event.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.finish.start

#
Namespace
Okta-app

Description

Start password migration campaign completion. This can be used to track the start of the Finish Campaign process. This begins an asynchronous process. Its conclusion is marked by the app.ad.password_migration_campaign.finish.end event.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.group.add

#
Namespace
Okta-app

Description

Add group to Active Directory password migration campaign. This can be used to identify groups that have been included in a password migration campaign. This action expands the set of users eligible for password capture by the campaign.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.user.capture_password

#
Namespace
Okta-app

Description

Capture user password from Active Directory. This can be used to track progress for individual users and confirm password collection. This event does not signify the full migration of the user, only the successful capture of their password.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.user.migrate.end

#
Namespace
Okta-app

Description

Complete individual user password migration. This can be used as a record that a user's credential is fully migrated to Okta. The user's password is now fully migrated and active in Okta.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ad.password_migration_campaign.user.migrate.start

#
Namespace
Okta-app

Description

Start individual user password migration. This can be used to confirm that a specific user's migration process has begun. The conclusion of this asynchronous process is marked by a corresponding app.ad.password_migration_campaign.user.migrate.end event.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.activate

#
Namespace
Okta-app

Description

Activate an AI agent provider. Track when an AI agent import provider is enabled for scheduled imports.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.create

#
Namespace
Okta-app

Description

Create an AI agent provider. Track when a new connection to an external AI agent provider is established for importing agents.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.credential.validate

#
Namespace
Okta-app

Description

Validate credentials for an AI agent import provider. Verify that credentials for an AI agent import provider are valid before activating the provider. Typically follows provider.credential.update and precedes provider.activate.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.deactivate

#
Namespace
Okta-app

Description

Deactivate an AI agent provider. Track when an AI agent import provider is disabled.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.delete

#
Namespace
Okta-app

Description

Delete an AI agent provider. Track when a connection to an external AI agent provider is removed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.import.complete

#
Namespace
Okta-app

Description

Complete a bulk import of AI agents from an external provider. Audit the outcome of AI agent imports, including the number of agents found, imported, and errored. Paired with app.ai_agent_provider.import.start. Import outcome details are in the targets.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.import.start

#
Namespace
Okta-app

Description

Start a bulk import of AI agents from an external provider. Audit when bulk imports of AI agents from external providers begin. A corresponding app.ai_agent_provider.import.complete event is fired when the import completes.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ai_agent_provider.update

#
Namespace
Okta-app

Description

Update an AI agent provider. Track AI agent import provider changes, such as credential configuration, owner info, and schedule updates. This event refers to the OAuth2 credentials used to connect to an external AI agent provider. For AI agent workload identity credentials (JWK signing keys), see workload_principal.ai_agent.credential.* events.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.csr.generate

#
Namespace
Okta-app

Description

Certificate signing request (CSR) generated.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.csr.publish

#
Namespace
Okta-app

Description

Certificate signing request (CSR) published.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.csr.revoke

#
Namespace
Okta-app

Description

Certificate signing request (CSR) revoked.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.provision_sync_job.completed

#
Namespace
Okta-app

Description

Fired when a provision sync job has successfully completed. This can be used to confirm that a provision sync job has finished running and is no longer processing users. When fired, this event contains details about number of users processed in the job. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.failed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.provision_sync_job.failed

#
Namespace
Okta-app

Description

Fired when a provision sync job has failed. This can be used to identify when a provision sync job has failed. When fired, this event contains information about the reason the provision sync job failed. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.app_instance.provision_sync_job.started

#
Namespace
Okta-app

Description

Fired when a provision sync job has successfully started. This can be used to confirm that a provision sync job has successfully started. Related events include app.app_instance.provision_sync_job.completed and app.app_instance.provision_sync_job.failed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.cross_app_access.connection.create

#
Namespace
Okta-app

Description

Create Cross App Access connection. Audit when a requesting application is configured to connect with one or more resource applications. This is useful for security investigations and for compliance reviews of inter-application trust establishment.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.cross_app_access.connection.delete

#
Namespace
Okta-app

Description

Delete Cross App Access connection. Audit when existing Cross App Access connections are removed. This is useful for tracking application lifecycle management and for security posture cleanup of inter-application trust relationships.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.cross_app_access.connection.update

#
Namespace
Okta-app

Description

Update Cross App Access connection. Audit when existing Cross App Access connection configuration is modified, such as toggling enabled status. The changeDetails field tracks specific modifications. It is useful for generating alerts about unexpected changes to inter-application trusts.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.generic.unauth_app_access_attempt

#
Namespace
Okta-app

Description

User attempted unauthorized access to app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

References #

app.inbound_del_auth.login_success

#
Namespace
Okta-app

Description

Successful inbound delegated authentication request for user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.interclient_mapping.create

#
Namespace
Okta-app

Description

Create interclient trust mapping. Audit the creation of a trust mapping between a target app and a requesting app via the interclient access API.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.interclient_mapping.delete

#
Namespace
Okta-app

Description

Delete interclient trust mapping. Audit the deletion of a trust mapping between a target app and a requesting app via the interclient access API.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.interclient_mapping.delete_all

#
Namespace
Okta-app

Description

Delete all interclient trust mappings for app. Identify the automatic cleanup of all trust mappings associated with a deleted application instance.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.kerberos_rich_client.account_not_found

#
Namespace
Okta-app

Description

Kerberos based rich client authentication failed: Could not find Office 365 app user for the AD user with principal id.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.kerberos_rich_client.instance_not_found

#
Namespace
Okta-app

Description

Kerberos based rich client authentication failed: Unknown app instance id.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.kerberos_rich_client.multiple_accounts_found

#
Namespace
Okta-app

Description

Kerberos based rich client authentication failed: Multiple users with username found.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.kerberos_rich_client.user_authentication_successful

#
Namespace
Okta-app

Description

Kerberos based rich client authentication successful for Office 365 user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.keys.clone

#
Namespace
Okta-app

Description

Application signing key cloned.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.keys.generate

#
Namespace
Okta-app

Description

New signing key generated.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.keys.rotate

#
Namespace
Okta-app

Description

Application signing key rotated.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.ldap.password.change.failed

#
Namespace
Okta-app

Description

Password change failed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.admin.consent.grant

#
Namespace
Okta-app

app.oauth2.admin.consent.revoke

#
Namespace
Okta-app

app.oauth2.as.authorize

#
Namespace
Okta-app

Description

OAuth2 authorization request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.authorize.code

#
Namespace
Okta-app

Description

OAuth2 authorization code request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.authorize.implicit.access_token

#
Namespace
Okta-app

Description

OAuth2 authorization implicit access token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.authorize.implicit.id_token

#
Namespace
Okta-app

Description

OAuth2 authorization implicit ID token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.authorize.scope_denied

#
Namespace
Okta-app

Description

Some of the requested scopes were denied by the policy.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.consent.grant

#
Namespace
Okta-app

app.oauth2.as.consent.revoke

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.implicit.as

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.implicit.client

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.implicit.scope

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.implicit.user

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.user

#
Namespace
Okta-app

app.oauth2.as.consent.revoke.user.client

#
Namespace
Okta-app

app.oauth2.as.evaluate.claim

#
Namespace
Okta-app

Description

Claim evaluation for OAuth 2.0 token. This event is triggered when the OAuth 2.0 authorization server's claim evaluation process can't be completed and fails. This event is useful when detecting misconfigured claims. Recorded details include the requester's ID, the client ID, the user ID, and the claims that couldn't be evaluated. This verification ensures that access tokens are granted only to requests that fully comply with established security policies, thus safeguarding access to protected resources.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.interact.interaction_code

#
Namespace
Okta-app

Description

Interaction code is generated by OIE. This event can be used by administrators to audit interaction_code generation, and troubleshoot why the IdX transaction has failed. When fired, this event contains hashed values of the interaction_code and interaction_handle, as well as information about the client to which they were issued.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.interact.interaction_handle

#
Namespace
Okta-app

Description

Interaction handle is generated by OIE. This event can be used by administrators to detect if additional interaction is required and an interaction handle has been issued. When fired this event contains interaction handle hash and the client to which it was issued.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.key.rollover

#
Namespace
Okta-app

Description

Custom Authorization Server token signing key rolled over.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.resource_server.credentials.lifecycle.activate

#
Namespace
Okta-app

Description

Authorization server access token encryption key is activated. Use this event to find out if a new access token encryption key has been activated for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.resource_server.credentials.lifecycle.create

#
Namespace
Okta-app

Description

Authorization server access token encryption key is created. Use this event to find out if a new access token encryption key has been created for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.resource_server.credentials.lifecycle.deactivate

#
Namespace
Okta-app

Description

Authorization server access token encryption key is deactivated. Use this event to find out if a new access token encryption key has been deactivated for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.resource_server.credentials.lifecycle.delete

#
Namespace
Okta-app

Description

Authorization server access token encryption key is deleted. Use this event to find out if a new access token encryption key has been deleted for an authorization server. This could be used to audit changes made to authorization server access token encryption keys.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.detect_reuse

#
Namespace
Okta-app

Description

Detect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired this event contains information about the user, client to which the refresh token was minted, and the hash of the refresh tokens.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.grant

#
Namespace
Okta-app

Description

OAuth2 token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
okta::outcome.resulteqFAILURE1 ruleelastic, kusto

Detection Rules #

View all rules referencing this event →

Elastic #

  • Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials source medium: Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a New Terms rule where the okta.actor.display_name field value has not been seen in the last 14 days regarding this event.

References #

app.oauth2.as.token.grant.access_token

#
Namespace
Okta-app

Description

OAuth 2.0 access token is granted. This event is triggered within OAuth 2.0 frameworks when an app successfully grants an access token to a user or service. The event occurs post-authentication and authorization, marking the final step in accessing protected resources. Use this event as a comprehensive audit trail for issued tokens. The event captures details such as the client ID, subject ID, token attributes (for example: scope, validity period), and the grant type used. This information helps with security audits, ensuring compliance with access policies and troubleshooting authorization flows. Specifically, variations in token attributes and grant type offer insights into the security posture and operational efficiency of OAuth 2.0 implementations. While this event primarily signifies successfully issued tokens, the event details are helpful in many areas. They help flag potential misuse of token grants or anomalies in token attributes. The event details also help facilitate a prompt response to deviations from established security practices.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.grant.device_secret

#
Namespace
Okta-app

Description

Grant an OAuth2 device_secret for the Native SSO flow. This event adds tracking to let admins know when Native SSO is being used to protect desktop or mobile apps. When fired this event contains the device secret id which administrators can use to correlate with single logout events across native desktop apps.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.grant.id_token

#
Namespace
Okta-app

Description

OAuth 2.0 ID token is granted. This event occurs when an OAuth 2.0 authorization server grants an ID token to a client after successful authentication. The ID token, which encapsulates the user's identity information, verifies the user's identity to the client app. Recorded details include the client ID, user ID, token issuance time, and claims associated with the user's identity. You can use this data for security audits, enabling precise tracking of user identity verification across apps. The issuance of an ID token follows established protocols for secure authentication. This ensures that sensitive user information is transmitted securely between the authorization server and the client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.grant.interclient_token

#
Namespace
Okta-app

Description

Grant interclient token. Track the successful issuance of an Interclient token via OAuth token exchange. This event will contain the target audience the interclient token is issued for.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.grant.refresh_token

#
Namespace
Okta-app

Description

OAuth2 refresh token is granted.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.as.token.revoke

#
Namespace
Okta-app

Description

OAuth2 token revocation request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.authorize

#
Namespace
Okta-app

Description

OIDC authorization request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.authorize.code

#
Namespace
Okta-app

Description

OIDC authorization code request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.authorize.implicit.access_token

#
Namespace
Okta-app

Description

OIDC authorization implicit access token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.authorize.implicit.id_token

#
Namespace
Okta-app

Description

OIDC authorization implicit ID token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.lifecycle.activate

#
Namespace
Okta-app

Description

Activate OAuth client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.lifecycle.create

#
Namespace
Okta-app

Description

Create OAuth client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.lifecycle.deactivate

#
Namespace
Okta-app

Description

Deactivate OAuth client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.lifecycle.delete

#
Namespace
Okta-app

Description

Delete OAuth client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.lifecycle.update

#
Namespace
Okta-app

Description

Update OAuth client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.privilege.grant

#
Namespace
Okta-app

Description

An OAuth 2.0 client app's admin privileges changed. This can be used to audit the provisioning of admin privileges for OAuth 2.0 client apps. When fired, this event contains information about the type of admin privileges the OAuth 2.0 client app currently has. Related events include: APP_OAUTH2_CLIENT_PRIVILEGE_REVOKE.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.privilege.revoke

#
Namespace
Okta-app

Description

All privileges for OAuth 2.0 client app were revoked. This can be used to audit the deprovisioning of admin privileges from OAuth 2.0 client apps. When fired, this event indicates the OAuth 2.0 client app has no more admin privileges. All of OAuth 2.0 client app's privileges were revoked. Related events include: APP_OAUTH2_CLIENT_PRIVILEGE_GRANT.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client.read_client_secret

#
Namespace
Okta-app

Description

Read OAuth client's secret(s). Use this event to verify that an OAuth client's secret(s) have been read when the client is returned in certain API responses. For example, an admin might use this event to audit if a client's secrets were read when using the client credentials management API. When fired, this event indicates that an OAuth client's secrets were read. The targets array may include references to multiple client secrets.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.client_id_rate_limit_warning

#
Namespace
Okta-app

Description

Requests from a single client ID consumed the majority of an organization's OAuth2 endpoint rate limit. This event can be used by admins to discover and deactivate a rogue client. The admin is able to manage the client via the Syslog UI. When fired, this event contains information about the responsible client id. As of release, this event is fired when a single client id consumes 90% of an org's OAuth2 rate limit; this threshold is subject to change.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.consent.grant

#
Namespace
Okta-app

app.oauth2.credentials.lifecycle.activate

#
Namespace
Okta-app

Description

OAuth client credentials (either client secret or JWK) is added for an application. Use this event to find out if an application has a new client secret or private/public key that has been added. This could be used to audit changes made to client credentials.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.credentials.lifecycle.create

#
Namespace
Okta-app

Description

OAuth client credentials (either client secret or JWK) is activated for an application. Use this event to find out if an application has activated a new client secret or private/public key. This could be used to audit changes made to client credentials.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.credentials.lifecycle.deactivate

#
Namespace
Okta-app

Description

OAuth client credentials (either client secret or JWK) is deactivated for an application. Use this event to find out if an application has an existing client secret or private/public key that has been deactivated. This could be used to audit changes made to client credentials.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.credentials.lifecycle.delete

#
Namespace
Okta-app

Description

OAuth client credentials (either client secret or JWK) is deleted for an application. Use this event to find out if an application has an existing client secret or private/public key that has been deleted. This could be used to audit changes made to client credentials.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.interact.interaction_code

#
Namespace
Okta-app

Description

Interaction code generated by OIE. This event can be used by administrators to audit interaction_code generation, and troubleshoot why the IdX transaction has failed. When fired, this event contains hashed values of the interaction_code and interaction_handle, as well as information about the client to which they were issued.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.interact.interaction_handle

#
Namespace
Okta-app

Description

Interaction handle generated by OIE. This event can be used by administrators to detect if additional interaction is required and an interaction handle has been issued. When fired this event contains interaction handle hash and the client to which it was issued.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.invalid_client_credentials

#
Namespace
Okta-app

Description

Multiple requests with invalid client credentials for client id.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.key.rollover

#
Namespace
Okta-app

Description

Org Authorization Server token signing key rolled over.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.signon

#
Namespace
Okta-app

Description

User performed OIDC single sign on to app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.detect_reuse

#
Namespace
Okta-app

Description

Detect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired this event contains information about the user, client to which the refresh token was minted, and the hash of the refresh tokens.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant

#
Namespace
Okta-app

Description

OIDC token request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.access_token

#
Namespace
Okta-app

Description

OIDC access token is granted.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.id_jag

#
Namespace
Okta-app

Description

OAuth 2.0 Identity Assertion JWT Authorization Grant (ID-JAG) granted. This event is triggered when an app successfully completes an OAuth token exchange to generate an Identity Assertion JWT Authorization Grant. The Identity Assertion relies on a valid ID token obtained from a single sign-on (SSO) flow and the ID-JAG JWT is used in Cross App Access.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.id_token

#
Namespace
Okta-app

Description

OIDC id token is granted.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.interclient_token

#
Namespace
Okta-app

Description

Grant interclient token. Track the successful issuance of an Interclient token via OAuth token exchange. This event will contain the target audience the interclient token is issued for.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.oauth_sts

#
Namespace
Okta-app

Description

Grant OAuth Security Token Service (STS) access token. Audit when an application successfully exchanges an OAuth token for an access token from a third-party authorization server.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.refresh_token

#
Namespace
Okta-app

Description

OIDC refresh token is granted.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.service_account

#
Namespace
Okta-app

Description

Grant Okta Privileged Access service account credentials. Audit when an application successfully exchanges an OAuth token for credentials for a service account in Okta Privileged Access.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.grant.vaulted_secret

#
Namespace
Okta-app

Description

Grant Okta Privileged Access vaulted secret. Audit when an application successfully exchanges an OAuth token for a vaulted secret in Okta Privileged Access.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.oauth_sts.request_token

#
Namespace
Okta-app

Description

Request OAuth tokens from a third-party authorization server. This event is triggered when Okta requests OAuth tokens from a third-party authorization server.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.revoke

#
Namespace
Okta-app

Description

OIDC token revocation request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.revoke.implicit.as

#
Namespace
Okta-app

Description

Tokens revoked for authorization server.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.revoke.implicit.client

#
Namespace
Okta-app

Description

Tokens revoked for client.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.token.revoke.implicit.user

#
Namespace
Okta-app

Description

Tokens revoked for user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.trusted_server.add

#
Namespace
Okta-app

Description

Trusted authorization server is added. Administrators can use this event to debug and audit trusted authorization server operations. When fired, this event contains the authorization server IDs of the servers involved.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.oauth2.trusted_server.delete

#
Namespace
Okta-app

Description

Trusted authorization server is removed. Administrators can use this event to debug and audit trusted authorization server operations. When fired, this event contains the authorization server IDs of the servers involved.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.change.domain.federation.success

#
Namespace
Okta-app

Description

Successfully updated the domain federation from old settings to new settings.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.ad.user

#
Namespace
Okta-app

Description

User is assigned to more than one instance of Active Directory, could not set Immutable ID.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.check.user.exists

#
Namespace
Okta-app

Description

Could not determine status of Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.create.user

#
Namespace
Okta-app

Description

Could not create user in Office 365, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.deactivate.user

#
Namespace
Okta-app

Description

Could not deactivate Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.download.custom.objects

#
Namespace
Okta-app

Description

Could not download group/role/license data for your Office 365 instance, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.download.groups

#
Namespace
Okta-app

Description

Could not download all groups from your Office 365 instance, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.download.users

#
Namespace
Okta-app

Description

Could not download all users from your Office 365 instance, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.endpoint.unavailable

#
Namespace
Okta-app

Description

Unable to reach the Office 365 endpoint.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.get.company.dirsync.failure

#
Namespace
Okta-app

Description

Unable to read Office 365 directory sync for the company, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.get.company.dirsync.status.failure

#
Namespace
Okta-app

Description

Unable to provision user to Office 365, because 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated and retry.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.get.company.dirsync.status.pending

#
Namespace
Okta-app

Description

Unable to provision user to Office 365, because 'Directory Sync' value in Azure Active Directory not yet in Activated state. This may take up to 72 hours. Please visit the Azure Active Directory portal and retry when in Activated state.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.get.object.ids.by.group.id

#
Namespace
Okta-app

Description

Could not get users by group id from your Office 365 instance, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.create.failure

#
Namespace
Okta-app

Description

Could not create Office 365 group, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.create.failure.name.in.use

#
Namespace
Okta-app

Description

Could not create Office 365 group because the name is already in use, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.delete.failure

#
Namespace
Okta-app

Description

Could not delete Office 365 group, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.membership.update.failure

#
Namespace
Okta-app

Description

Could not update the Office 365 group membership, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.membership.update.group.not.found.failure

#
Namespace
Okta-app

Description

Could not update the Office 365 group membership because the group could not be found, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.update.failure

#
Namespace
Okta-app

Description

Could not update Office 365 group, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.group.update.failure.not.found

#
Namespace
Okta-app

Description

Could not update Office 365 group because it was not found, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.import.profile

#
Namespace
Okta-app

Description

Could not import profile for Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.push.password

#
Namespace
Okta-app

Description

Could not push password for Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.push.profile

#
Namespace
Okta-app

Description

Could not push profile for Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.reactivate.user

#
Namespace
Okta-app

Description

Could not reactivate Office 365 user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.remove.domain.federation.failure

#
Namespace
Okta-app

Description

Unable to remove the domain federation, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.remove.domain.federation.failure.access.denied

#
Namespace
Okta-app

Description

Unable to remove the domain federation because the admin user is not authorized to perform the task.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.remove.domain.federation.failure.domain.not.found

#
Namespace
Okta-app

Description

Unable to remove the domain federation because the specified domain was not found.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.revoke.refresh.token

#
Namespace
Okta-app

Description

Failed to revoke refresh tokens for user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.company.dirsync.failure

#
Namespace
Okta-app

Description

Unable to enable Office 365 directory sync for the company, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.company.dirsync.status.failure

#
Namespace
Okta-app

Description

Unable to enable Office 365 directory sync for the company, because 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.domain.federation.failure

#
Namespace
Okta-app

Description

Unable to setup the domain federation, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.domain.federation.failure.access.denied

#
Namespace
Okta-app

Description

Unable to setup the domain federation because the admin user is not authorized to perform the task.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.domain.federation.failure.domain.default

#
Namespace
Okta-app

Description

Unable to setup the domain federation because the specified domain is the default domain.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.set.domain.federation.failure.domain.not.found

#
Namespace
Okta-app

Description

Unable to setup the domain federation because the specified domain was not found.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.contact

#
Namespace
Okta-app

Description

Failed to sync contact, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.finalize

#
Namespace
Okta-app

Description

Failed to finalize export to Office 365, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.group

#
Namespace
Okta-app

Description

Failed to sync group, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.not.activated

#
Namespace
Okta-app

Description

Sync could not execute because Office 365 directory sync for the company not yet Activated. Sync will retry after a period of time.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.set.attribute

#
Namespace
Okta-app

Description

Failed to set attribute, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.sync.user

#
Namespace
Okta-app

Description

Failed to sync user, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.unable.to.create.graph.client

#
Namespace
Okta-app

Description

An error occurred while creating the Azure Active Directory Graph API client. Please try the last operation again. If this error persists, please contact Okta support.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.validate.admin.creds

#
Namespace
Okta-app

Description

User does not have the Company Administrator role. Please try again with a user which has this role.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.validate.creds

#
Namespace
Okta-app

Description

Could not validate your Office 365 credentials, received error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.error.x-ms-forwarded-client-ip-header.absent

#
Namespace
Okta-app

Description

X-MS-Forwarded-Client-IP header either empty or not found in the request.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.remove.domain.federation.success

#
Namespace
Okta-app

Description

Successfully removed the domain federation.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.set.domain.federation.success

#
Namespace
Okta-app

Description

Successfully set up the domain federation with new settings.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.complete

#
Namespace
Okta-app

Description

User sync completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.heartbeat.sent

#
Namespace
Okta-app

Description

Heartbeat sent to Microsoft Azure Active Directory.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.job.complete

#
Namespace
Okta-app

Description

Sync job completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.job.complete.contact

#
Namespace
Okta-app

Description

Sync job completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.job.complete.group

#
Namespace
Okta-app

Description

Sync job completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.api.sync.job.complete.user

#
Namespace
Okta-app

Description

Sync job completed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.clientplatform.conversion.job.processing.app.instance

#
Namespace
Okta-app

Description

Begin processing client access conversion for app instance.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.clientplatform.conversion.job.skipping.migration

#
Namespace
Okta-app

Description

Skipping migration of client access rules for app instance.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.conflict-object

#
Namespace
Okta-app

Description

Skipping sync of conflict object.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.critical-system-object

#
Namespace
Okta-app

Description

Skipping sync of critical system object.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.non-security-group-invalid-mail

#
Namespace
Okta-app

Description

Skipping sync of non security object with invalid mail.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.reserved-attribute-value

#
Namespace
Okta-app

Description

Skipping sync of object with reserved attribute value.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.systemmailbox

#
Namespace
Okta-app

Description

Skipping sync of system mailbox object.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.dirsync.skipping.without-name-and-displayname

#
Namespace
Okta-app

Description

Skipping sync of non security object without name and display name.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.error.importing.user

#
Namespace
Okta-app

Description

An error occurred while importing user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.graph.api.error.no.mailbox.found

#
Namespace
Okta-app

Description

No MailBox found for Office 365 user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.graph.api.error.rate-limit.exceeded

#
Namespace
Okta-app

Description

Rate limit exceeded for Microsoft Graph.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.graph.api.error.service.principal.creation.failed

#
Namespace
Okta-app

Description

Failure while trying to create service principal.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.graph.api.error.service.principal.msgraph.authentication.failure

#
Namespace
Okta-app

Description

Failure while trying to create service principal due to a Mircrosoft Graph authentication issue.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.complete

#
Namespace
Okta-app

Description

End processing Office 365 service principal cleanup.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.invalid.credentials

#
Namespace
Okta-app

Description

The admin username or password is invalid. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.processing

#
Namespace
Okta-app

Description

Begin performing Office 365 service principal cleanup.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.skipping.missing.creds

#
Namespace
Okta-app

Description

Skipping app instance during Office 365 service principal cleanup as it does not contain Office 365 admin user credentials. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.skipping.no.service.principal

#
Namespace
Okta-app

Description

Skipping app instance during Office 365 service principal cleanup as it does not have a service principal.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.service.principal.cleanup.job.unable.to.delete.service.principal

#
Namespace
Okta-app

Description

Unable to automatically delete the Office 365 service principal. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually cleanup the service principal.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.user.delete.success

#
Namespace
Okta-app

Description

Successfully deleted the Office 365 user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.user.lifecycle.action.failed

#
Namespace
Okta-app

Description

Unable to complete app user lifecycle action for AppUser.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.office365.user.remove.licenses.success

#
Namespace
Okta-app

Description

Successfully removed all the licenses for the Office 365 user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.policy.sign_on.update

#
Namespace
Okta-app

Description

Update app sign on policy. This event is used to audit when an app sign on policy is updated. This event is fired when an admin updates an app's sign on policy and logs what was changed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.agent.listener.failed

#
Namespace
Okta-app

Description

Radius agent listener failed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.agent.listener.succeeded

#
Namespace
Okta-app

Description

Radius agent listener succeeded.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.agent.port_inaccessible

#
Namespace
Okta-app

Description

Radius agent failed to listen on port.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.agent.port_reaccessible

#
Namespace
Okta-app

Description

Radius agent was able to listen on port again.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.info_access.no_permission

#
Namespace
Okta-app

Description

No permission accessing any Radius app info. This event can be used to monitor and notify admins when some users who access radius app info have no permission. Fired when users who access radius app info have no permission.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.radius.info_access.partial_permission

#
Namespace
Okta-app

Description

No permission accessing info for part of Radius apps. This event can be used to monitor and notify admins when some users who access radius app info have only partial permission. Fired when users who access radius app info have partial permission.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.realtimesync.import.details.add_user

#
Namespace
Okta-app

Description

Real time sync added new User.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.realtimesync.import.details.delete_user

#
Namespace
Okta-app

Description

Real time sync removed existing User.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.realtimesync.import.details.update_user

#
Namespace
Okta-app

Description

Fired when a real time import includes an update to an existing user. This can be used to see details about the user updates included in a real time sync import. When fired, this event contains information about the type of update made, including whether or not a user was suspend or unsuspended. Related events include: app.realtimesync.import.details_add_user and app.realtimesync.import.details_delete_user.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.request_new.notify

#
Namespace
Okta-app

Description

A user sent an application request. Used to notify admins that a user made an application request from the Enduser Dashboard. The application request attempts to send an email to an admin with the user's request. This event only indicates that the request was made, not necessarily that the email was successfully delivered.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.rum.config.validation.error

#
Namespace
Okta-app

Description

Error validating instance configuration. Can be used to identify configuration issues with remote user management.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.rum.is.api.account.error

#
Namespace
Okta-app

Description

RUM API account is not configured or empty. Can be used to identify RUM API account configuration issues.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.rum.package.thrown.error

#
Namespace
Okta-app

Description

Errors during execution. Can be used to identify any errors during execution of remote user management.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.rum.validation.error

#
Namespace
Okta-app

Description

Error during package validation. Can be used to identify validation issues with remote user management packages.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.saml.sensitive.attribute.update

#
Namespace
Okta-app

Description

Fired when a SAML assertion contains a sensitive attribute, and that sensitive attribute has been updated (modified/added/deleted). This event does not fire when non-sensitive SAML attributes are updated. This can be used to audit that a sensitive attribute attached to an outbound SAML assertion has been correctly modified, added, or deleted. When fired, this event contains the specific attributes that have been modified, added, or deleted to/from the SAML assertion. Related events include: application.lifecycle.update.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management

#
Namespace
Okta-app

Description

Imported new or deleted existing member of an application group.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.grouppush.mapping.created.from.rule

#
Namespace
Okta-app

Description

A Group Push mapping to the group has been created from the rule.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.grouppush.mapping.created.from.rule.error.duplicate

#
Namespace
Okta-app

Description

A Group Push mapping to the group did not get created from rule because an existing mapping already existed.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.grouppush.mapping.created.from.rule.error.validation

#
Namespace
Okta-app

Description

A Group Push mapping to the group did not get created from rule because of the validation error.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.grouppush.mapping.created.from.rule.errors

#
Namespace
Okta-app

Description

A Group Push mapping to the group did not get created from rule.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.grouppush.mapping.okta.users.ignored

#
Namespace
Okta-app

Description

Okta users ignored while pushing group to AppInstance.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.import.csv.line.error

#
Namespace
Okta-app

Description

Error reading line from CSV.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.push_new_user_success

#
Namespace
Okta-app

Description

Successfully pushed new user account to app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.update_from_master_failed

#
Namespace
Okta-app

Description

Could not apply import.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.user_group_import.create_failure

#
Namespace
Okta-app

Description

Failed to create group from app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.user_group_import.delete_success

#
Namespace
Okta-app

Description

Deleted the group from app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.user_group_import.update_failure

#
Namespace
Okta-app

Description

Failed to update group from app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.user_group_import.upsert_fail

#
Namespace
Okta-app

Description

Failed to import the group from app. This event helps identify when a group is failed to be imported. Fired when we skip processing an import of a group.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #

app.user_management.user_group_import.upsert_success

#
Namespace
Okta-app

Description

Imported the group from app.

Fields #

NameDescription
actor.idUnique ID of the actor performing the event.
actor.typeType of actor: User, Client, System, PublicClientApp, etc.
actor.alternateIdUsername or email of the actor.
actor.displayNameDisplay name of the actor.
target[].idID of each target object (user, group, application, ...).
target[].typeType of each target object.
target[].alternateIdUsername or email of each target object.
outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
outcome.reasonHuman-readable reason for the outcome.
client.ipAddressIP address of the client.
client.userAgent.rawUserAgentRaw user agent string.
client.geographicalContext.countryCountry of origin for the request.
securityContext.isProxyWhether the request came through a proxy or anonymizer.
authenticationContext.externalSessionIdSession ID correlating events in one user session.
transaction.idTransaction ID correlating multiple log entries for one action.

References #