Okta-application

84 operations, identified by eventType in the audit log.

eventType	Description
application.appuser.mapping.invalid.expression	App user property mapping has invalid expressions. Can be used to identify invalid expressions. Note that a single event is fired for all invalid expressions.
application.cache.invalidate	Event fired when a app list cache is invalidated because a new app is created. Can be used to make sure App List cache is invalidated after a new app is created.
application.configuration.detect_error	Application configuration error detected.
application.configuration.disable_delauth_outbound	Disable delegated authentication for app.
application.configuration.disable_fed_broker_mode	Disable Federation Broker Mode for app.
application.configuration.enable_delauth_outbound	Enable delegated authentication for app.
application.configuration.enable_fed_broker_mode	Enable Federation Broker Mode for app.
application.configuration.import_schema	Okta couldn't download application configuration. Can be used to identify when an app schema couldn't be downloaded from a remote application. Event fired when Okta couldn't download application-specific data from a remote app. This may happen when admin updates provisioning details.
application.configuration.read_client_secret	A client secret in an MFA-only app has been read. Verify that a client secret in an MFA-only app has been read. This events indicates that a client secret in an MFA-only app has been read.
application.configuration.reset_logo	Reset app logo.
application.configuration.update	Okta couldn't verify api credentials. Can be used when Okta couldn't check the credentials by execution some custom, application dependent, set of requests. Okta fires this event to notify issues with credentials validation. Could be issues with proper permissions as well.
application.configuration.update_api_credentials_for_pass_change	Update API credentials due to user updating password.
application.configuration.update_logo	Change app logo.
application.configuration.update_rate_limits	Update rate limits for an OAuth App. This can be used to track the updates to rate limits for an OAuth application. When fired, this event contains details about the actor, who triggered the event, the OAuth app, for which the rate limit was updated, etc. Actual value change details can be found in debug data such as the old and new values.
application.integration.api_query	Unable to query remote API. Can be used to determine when okta fails to query remote application. Okta fires this event for unspecified events which include remote api response processing.
application.integration.authentication_failure	Error authenticating. Can be used when Okta couldn't authenticate with the provided credentials to a remote api. Okta fires this event when it couldn't access a remote api with provided credentials.
application.integration.general_failure	Generic error occured. Can be used when there is some uncategorized error occurs. Okta fires this event for different unhandled exceptions.
application.integration.rate_limit_exceeded	API rate limit exceeded. Can be used when Okta reaches api calls/minute rate limit. Okta fires this event when there are too many requests for a specific customer.
application.integration.transfer_files	Unable to transfer files. Can be used when Okta fails to transfer files from one user to another. Okta fires this event when it fails to process user-to-user file transfers.
application.lifecycle.activate	Activate application.
application.lifecycle.create	Create application.
application.lifecycle.deactivate	Deactivate application.
application.lifecycle.delete	Delete application.
application.lifecycle.update	Update application.
application.policy.sign_on.deny_access	Deny user access due to app sign on policy. When fired due to app assurance being evaluated as unsatisfiable (the policy requirements could not be satisfied by the users' current set of available authenticator enrollments), this event contains information about the user and the app that the user is trying to authenticate into.
application.policy.sign_on.rule.create	Create rule for app sign on policy.
application.policy.sign_on.rule.delete	Delete rule from app sign on policy.
application.policy.sign_on.update	Update app sign on policy.
application.provision.field_mapping_rule.change	Event fired when field mapping rules modified. Can be used to make sure when custom mapping rules are modified.
application.provision.group.add	Fired when Okta provisions a new group on a remote application. Can be used to identify when Okta provisions a group on a remote application. Event fired when the group provisioning failed for any reason.
application.provision.group.import	Fired when Okta downloads a remote group. Can be used to identify when Okta tries to download remote group details. Event fired when Okta fails to reach the group detail from a remote application.
application.provision.group.remove	Fired when Okta removes a remote group. Can be used to identify when a group has been unassigned. Event fired when Okta failed to delete group from remote application.
application.provision.group.update	Fired when Okta updates the user group. Can be used to identify when a group has been updated. Event fired when Okta fails to update a remote group for any reason.
application.provision.group.verify_exists	Fired when group no longer exists on a remote application. Can be used to identify when a group no longer exists on a remote application. Event fired when group push enhancement enabled and there is no group found on update or delete.
application.provision.group_membership.add	Failed to assign a user to a group. Can be used when Okta failed to assign user to a group on remote application. Okta fires this event if there are any issues while provision a membership to a remote application.
application.provision.group_membership.import	Error while downloading memberships. Can be used when Okta failed to download users and groups relationships. Okta fires this event if there are any issues while importing a membership from a remote application.
application.provision.group_membership.remove	Fired when there is an error while removing user(s) from group. Can be used when Okta failed to unassign user from a group on remote application. Okta fires this event when there are any issues while provision a membership to a remote application.
application.provision.group_membership.update	Fired when there is an error while updating user group membership for group. Can be used when Okta failed to push updated memberships to a remote application. Okta fires this event when couldn't update memberships on a remote application. Could be user removal/addition.
application.provision.group_push.activate_mapping	Group push activated mappings.
application.provision.group_push.deactivate_mapping	Group push deactivated mappings. Can be used to audit when a group push mapping is deactivated or to trigger downstream automation. The corresponding event type for activating a group push mapping is application.provision.group_push.activate_mapping.
application.provision.group_push.delete_appgroup	Group push deleted application group.
application.provision.group_push.mapping.and.groups.deleted.rule.deleted	An existing mapping and its target groups have been deleted because a mapping rule was deleted.
application.provision.group_push.mapping.app.group.renamed	A mapped app group has been renamed because the source group was renamed.
application.provision.group_push.mapping.app.group.renamed.failed	A mapped app group couldn't be renamed when the source group was renamed.
application.provision.group_push.mapping.created	A new mapping has been created.
application.provision.group_push.mapping.created.from.rule.warning.duplicate.name	A new mapping from a rule was not created due to a duplicate group name.
application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated	A new mapping from a rule was not created due to another mapping will be created that has the same user group name.
application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name	An upsert to a group caused group push rule re-evaluation. A new mapping from a rule was not created due to a duplicate group name.
application.provision.group_push.mapping.deactivated.source.group.renamed	An existing mapping has been deactivated because the source group was renamed.
application.provision.group_push.mapping.deactivated.source.group.renamed.failed	An existing mapping couldn't be deactivated when the source group was renamed.
application.provision.group_push.mapping.update.or.delete.failed	Group push mapping change failed and will be retried. Can be used to identify transient errors that may temporarily impact the group push mapping but likely do not require admin intervention. This event typically requires no action as the corresponding operation will be retried. Refer to application.provision.group_push.mapping.update.or.delete.failed for events that may require intervention.
application.provision.group_push.mapping.update.or.delete.failed.with.error	Group push mapping change failed and cannot be retried. Can be used to identify group push mapping errors which may require admin intervention to address. Unlike the similarly named event, application.provision.group_push.mapping.update.or.delete.failed, when this event is fired the corresponding action that triggered it will not be retried by Okta and may indicate a configuration problem. For example, invalid authorization credentials with the target application due to an expired password or invalid access token.
application.provision.group_push.push_memberships	Group push pushed memberships.
application.provision.group_push.pushed	A group was pushed to an app.
application.provision.group_push.removed	A group was removed from an app.
application.provision.group_push.updated	A group was updated in an app.
application.provision.integration.call_api	Application integration API called.
application.provision.user.activate	Activate user's application membership.
application.provision.user.deactivate	Push user deactivation to external application.
application.provision.user.deprovision	Deprovision user from external application.
application.provision.user.import	Deactivate user from external application.
application.provision.user.import_profile	Import profile from external application.
application.provision.user.password	Issue pushing user password to external application.
application.provision.user.push	Push new user to external application.
application.provision.user.push_okta_password	Push user's Okta password to application.
application.provision.user.push_password	Push user's password to application.
application.provision.user.push_profile	Push user's profile to external application.
application.provision.user.reactivate	Push user reactivation in external application.
application.provision.user.sync	Sync user in external application.
application.provision.user.verify_exists	Verify user exists in external application.
application.registration_policy.lifecycle.create	Create registration policy.
application.registration_policy.lifecycle.update	Update registration policy.
application.user_membership.add	Add user to application membership.
application.user_membership.approve	User approved for application (assigned by not provisioned).
application.user_membership.change_password	Change application password for user.
application.user_membership.change_username	Change user's application username.
application.user_membership.deprovision	User deprovisioned from application (was previously revoked).
application.user_membership.provision	User provisioned to application (was previously approved).
application.user_membership.remove	Remove user's application membership.
application.user_membership.restore	Restore user assignment to an application.
application.user_membership.restore_password	Restore user's password for an application.
application.user_membership.revoke	User revoked from application (unassigned but not yet deprovisioned).
application.user_membership.show_password	Show user's password for application.
application.user_membership.update	Updated user application property.

application.appuser.mapping.invalid.expression

Namespace: Okta-application

Description

App user property mapping has invalid expressions. Can be used to identify invalid expressions. Note that a single event is fired for all invalid expressions.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.appuser.mapping.invalid.expression https://developer.okta.com/docs/reference/api/event-types/#application-appuser-mapping-invalid-expression
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.cache.invalidate

Namespace: Okta-application

Description

Event fired when a app list cache is invalidated because a new app is created. Can be used to make sure App List cache is invalidated after a new app is created.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.cache.invalidate https://developer.okta.com/docs/reference/api/event-types/#application-cache-invalidate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.detect_error

Namespace: Okta-application

Description

Application configuration error detected.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.detect_error https://developer.okta.com/docs/reference/api/event-types/#application-configuration-detect_error
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.disable_delauth_outbound

Namespace: Okta-application

Description

Disable delegated authentication for app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.disable_delauth_outbound https://developer.okta.com/docs/reference/api/event-types/#application-configuration-disable_delauth_outbound
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.disable_fed_broker_mode

Namespace: Okta-application

Description

Disable Federation Broker Mode for app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.disable_fed_broker_mode https://developer.okta.com/docs/reference/api/event-types/#application-configuration-disable_fed_broker_mode
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.enable_delauth_outbound

Namespace: Okta-application

Description

Enable delegated authentication for app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.enable_delauth_outbound https://developer.okta.com/docs/reference/api/event-types/#application-configuration-enable_delauth_outbound
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.enable_fed_broker_mode

Namespace: Okta-application

Description

Enable Federation Broker Mode for app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.enable_fed_broker_mode https://developer.okta.com/docs/reference/api/event-types/#application-configuration-enable_fed_broker_mode
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.import_schema

Namespace: Okta-application

Description

Okta couldn't download application configuration. Can be used to identify when an app schema couldn't be downloaded from a remote application. Event fired when Okta couldn't download application-specific data from a remote app. This may happen when admin updates provisioning details.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.import_schema https://developer.okta.com/docs/reference/api/event-types/#application-configuration-import_schema
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.read_client_secret

Namespace: Okta-application

Description

A client secret in an MFA-only app has been read. Verify that a client secret in an MFA-only app has been read. This events indicates that a client secret in an MFA-only app has been read.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.read_client_secret https://developer.okta.com/docs/reference/api/event-types/#application-configuration-read_client_secret
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.reset_logo

Namespace: Okta-application

Description

Reset app logo.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.reset_logo https://developer.okta.com/docs/reference/api/event-types/#application-configuration-reset_logo
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.update

Namespace: Okta-application

Description

Okta couldn't verify api credentials. Can be used when Okta couldn't check the credentials by execution some custom, application dependent, set of requests. Okta fires this event to notify issues with credentials validation. Could be issues with proper permissions as well.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.update https://developer.okta.com/docs/reference/api/event-types/#application-configuration-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.update_api_credentials_for_pass_change

Namespace: Okta-application

Description

Update API credentials due to user updating password.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.update_api_credentials_for_pass_change https://developer.okta.com/docs/reference/api/event-types/#application-configuration-update_api_credentials_for_pass_change
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.update_logo

Namespace: Okta-application

Description

Change app logo.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.update_logo https://developer.okta.com/docs/reference/api/event-types/#application-configuration-update_logo
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.configuration.update_rate_limits

Namespace: Okta-application

Description

Update rate limits for an OAuth App. This can be used to track the updates to rate limits for an OAuth application. When fired, this event contains details about the actor, who triggered the event, the OAuth app, for which the rate limit was updated, etc. Actual value change details can be found in debug data such as the old and new values.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.configuration.update_rate_limits https://developer.okta.com/docs/reference/api/event-types/#application-configuration-update_rate_limits
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.integration.api_query

Namespace: Okta-application

Description

Unable to query remote API. Can be used to determine when okta fails to query remote application. Okta fires this event for unspecified events which include remote api response processing.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.integration.api_query https://developer.okta.com/docs/reference/api/event-types/#application-integration-api_query
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.integration.authentication_failure

Namespace: Okta-application

Description

Error authenticating. Can be used when Okta couldn't authenticate with the provided credentials to a remote api. Okta fires this event when it couldn't access a remote api with provided credentials.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.integration.authentication_failure https://developer.okta.com/docs/reference/api/event-types/#application-integration-authentication_failure
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.integration.general_failure

Namespace: Okta-application

Description

Generic error occured. Can be used when there is some uncategorized error occurs. Okta fires this event for different unhandled exceptions.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.integration.general_failure https://developer.okta.com/docs/reference/api/event-types/#application-integration-general_failure
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.integration.rate_limit_exceeded

Namespace: Okta-application

Description

API rate limit exceeded. Can be used when Okta reaches api calls/minute rate limit. Okta fires this event when there are too many requests for a specific customer.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Possible Okta DoS Attack source medium: Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.

References #

Okta Event Types Catalog: application.integration.rate_limit_exceeded https://developer.okta.com/docs/reference/api/event-types/#application-integration-rate_limit_exceeded
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.integration.transfer_files

Namespace: Okta-application

Description

Unable to transfer files. Can be used when Okta fails to transfer files from one user to another. Okta fires this event when it fails to process user-to-user file transfers.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.integration.transfer_files https://developer.okta.com/docs/reference/api/event-types/#application-integration-transfer_files
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.lifecycle.activate

Namespace: Okta-application

Description

Activate application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#application-lifecycle-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.lifecycle.create

Namespace: Okta-application

Description

Create application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#application-lifecycle-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.lifecycle.deactivate

Namespace: Okta-application

Description

Deactivate application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Attempt to Deactivate an Okta Application source low: Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.

References #

Okta Event Types Catalog: application.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#application-lifecycle-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.lifecycle.delete

Namespace: Okta-application

Description

Delete application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`application.lifecycle.update`	1 rule	panther, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Application Modified or Deleted source medium: Detects when an application is modified or deleted.↳ also matches application.lifecycle.update

Elastic #

Attempt to Delete an Okta Application source low: Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.

References #

Okta Event Types Catalog: application.lifecycle.delete https://developer.okta.com/docs/reference/api/event-types/#application-lifecycle-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.lifecycle.update

Namespace: Okta-application

Description

Update application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`application.lifecycle.update`	1 rule	panther, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Application Modified or Deleted source medium: Detects when an application is modified or deleted.↳ also matches application.lifecycle.delete

Elastic #

Attempt to Modify an Okta Application source low: Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.

References #

Okta Event Types Catalog: application.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#application-lifecycle-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.policy.sign_on.deny_access

Namespace: Okta-application

Description

Deny user access due to app sign on policy. When fired due to app assurance being evaluated as unsatisfiable (the policy requirements could not be satisfied by the users' current set of available authenticator enrollments), this event contains information about the user and the app that the user is trying to authenticate into.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.policy.sign_on.deny_access https://developer.okta.com/docs/reference/api/event-types/#application-policy-sign_on-deny_access
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.policy.sign_on.rule.create

Namespace: Okta-application

Description

Create rule for app sign on policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.policy.sign_on.rule.create https://developer.okta.com/docs/reference/api/event-types/#application-policy-sign_on-rule-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.policy.sign_on.rule.delete

Namespace: Okta-application

Description

Delete rule from app sign on policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.deactivate`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Application Sign-On Policy Modified or Deleted source medium: Detects when an application Sign-on Policy is modified or deleted.↳ also matches application.policy.sign_on.update

Elastic #

Modification or Removal of an Okta Application Sign-On Policy source medium: Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.↳ also matches application.policy.sign_on.update

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches application.policy.sign_on.update

References #

Okta Event Types Catalog: application.policy.sign_on.rule.delete https://developer.okta.com/docs/reference/api/event-types/#application-policy-sign_on-rule-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.policy.sign_on.update

Namespace: Okta-application

Description

Update app sign on policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.deactivate`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Application Sign-On Policy Modified or Deleted source medium: Detects when an application Sign-on Policy is modified or deleted.↳ also matches application.policy.sign_on.rule.delete

Elastic #

Modification or Removal of an Okta Application Sign-On Policy source medium: Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.↳ also matches application.policy.sign_on.rule.delete

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches application.policy.sign_on.rule.delete

References #

Okta Event Types Catalog: application.policy.sign_on.update https://developer.okta.com/docs/reference/api/event-types/#application-policy-sign_on-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.field_mapping_rule.change

Namespace: Okta-application

Description

Event fired when field mapping rules modified. Can be used to make sure when custom mapping rules are modified.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.field_mapping_rule.change https://developer.okta.com/docs/reference/api/event-types/#application-provision-field_mapping_rule-change
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group.add

Namespace: Okta-application

Description

Fired when Okta provisions a new group on a remote application. Can be used to identify when Okta provisions a group on a remote application. Event fired when the group provisioning failed for any reason.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group.add https://developer.okta.com/docs/reference/api/event-types/#application-provision-group-add
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group.import

Namespace: Okta-application

Description

Fired when Okta downloads a remote group. Can be used to identify when Okta tries to download remote group details. Event fired when Okta fails to reach the group detail from a remote application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group.import https://developer.okta.com/docs/reference/api/event-types/#application-provision-group-import
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group.remove

Namespace: Okta-application

Description

Fired when Okta removes a remote group. Can be used to identify when a group has been unassigned. Event fired when Okta failed to delete group from remote application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group.remove https://developer.okta.com/docs/reference/api/event-types/#application-provision-group-remove
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group.update

Namespace: Okta-application

Description

Fired when Okta updates the user group. Can be used to identify when a group has been updated. Event fired when Okta fails to update a remote group for any reason.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group.update https://developer.okta.com/docs/reference/api/event-types/#application-provision-group-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group.verify_exists

Namespace: Okta-application

Description

Fired when group no longer exists on a remote application. Can be used to identify when a group no longer exists on a remote application. Event fired when group push enhancement enabled and there is no group found on update or delete.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group.verify_exists https://developer.okta.com/docs/reference/api/event-types/#application-provision-group-verify_exists
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_membership.add

Namespace: Okta-application

Description

Failed to assign a user to a group. Can be used when Okta failed to assign user to a group on remote application. Okta fires this event if there are any issues while provision a membership to a remote application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_membership.add https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_membership-add
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_membership.import

Namespace: Okta-application

Description

Error while downloading memberships. Can be used when Okta failed to download users and groups relationships. Okta fires this event if there are any issues while importing a membership from a remote application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_membership.import https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_membership-import
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_membership.remove

Namespace: Okta-application

Description

Fired when there is an error while removing user(s) from group. Can be used when Okta failed to unassign user from a group on remote application. Okta fires this event when there are any issues while provision a membership to a remote application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_membership.remove https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_membership-remove
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_membership.update

Namespace: Okta-application

Description

Fired when there is an error while updating user group membership for group. Can be used when Okta failed to push updated memberships to a remote application. Okta fires this event when couldn't update memberships on a remote application. Could be user removal/addition.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_membership.update https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_membership-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.activate_mapping

Namespace: Okta-application

Description

Group push activated mappings.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.activate_mapping https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-activate_mapping
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.deactivate_mapping

Namespace: Okta-application

Description

Group push deactivated mappings. Can be used to audit when a group push mapping is deactivated or to trigger downstream automation. The corresponding event type for activating a group push mapping is application.provision.group_push.activate_mapping.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.deactivate_mapping https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-deactivate_mapping
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.delete_appgroup

Namespace: Okta-application

Description

Group push deleted application group.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.delete_appgroup https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-delete_appgroup
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.and.groups.deleted.rule.deleted

Namespace: Okta-application

Description

An existing mapping and its target groups have been deleted because a mapping rule was deleted.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.and.groups.deleted.rule.deleted https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-and-groups-deleted-rule-deleted
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.app.group.renamed

Namespace: Okta-application

Description

A mapped app group has been renamed because the source group was renamed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.app.group.renamed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-app-group-renamed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.app.group.renamed.failed

Namespace: Okta-application

Description

A mapped app group couldn't be renamed when the source group was renamed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.app.group.renamed.failed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-app-group-renamed-failed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.created

Namespace: Okta-application

Description

A new mapping has been created.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.created https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-created
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.created.from.rule.warning.duplicate.name

Namespace: Okta-application

Description

A new mapping from a rule was not created due to a duplicate group name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.created.from.rule.warning.duplicate.name https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-created-from-rule-warning-duplicate-name
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated

Namespace: Okta-application

Description

A new mapping from a rule was not created due to another mapping will be created that has the same user group name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-created-from-rule-warning-duplicate-name-tobecreated
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name

Namespace: Okta-application

Description

An upsert to a group caused group push rule re-evaluation. A new mapping from a rule was not created due to a duplicate group name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-created-from-rule-warning-upsertGroup-duplicate-name
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.deactivated.source.group.renamed

Namespace: Okta-application

Description

An existing mapping has been deactivated because the source group was renamed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.deactivated.source.group.renamed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-deactivated-source-group-renamed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.deactivated.source.group.renamed.failed

Namespace: Okta-application

Description

An existing mapping couldn't be deactivated when the source group was renamed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.deactivated.source.group.renamed.failed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-deactivated-source-group-renamed-failed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.update.or.delete.failed

Namespace: Okta-application

Description

Group push mapping change failed and will be retried. Can be used to identify transient errors that may temporarily impact the group push mapping but likely do not require admin intervention. This event typically requires no action as the corresponding operation will be retried. Refer to application.provision.group_push.mapping.update.or.delete.failed for events that may require intervention.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.update.or.delete.failed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-update-or-delete-failed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.mapping.update.or.delete.failed.with.error

Namespace: Okta-application

Description

Group push mapping change failed and cannot be retried. Can be used to identify group push mapping errors which may require admin intervention to address. Unlike the similarly named event, application.provision.group_push.mapping.update.or.delete.failed, when this event is fired the corresponding action that triggered it will not be retried by Okta and may indicate a configuration problem. For example, invalid authorization credentials with the target application due to an expired password or invalid access token.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.mapping.update.or.delete.failed.with.error https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-mapping-update-or-delete-failed-with-error
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.push_memberships

Namespace: Okta-application

Description

Group push pushed memberships.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.push_memberships https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-push_memberships
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.pushed

Namespace: Okta-application

Description

A group was pushed to an app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.pushed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-pushed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.removed

Namespace: Okta-application

Description

A group was removed from an app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.removed https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-removed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.group_push.updated

Namespace: Okta-application

Description

A group was updated in an app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.group_push.updated https://developer.okta.com/docs/reference/api/event-types/#application-provision-group_push-updated
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.integration.call_api

Namespace: Okta-application

Description

Application integration API called.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.integration.call_api https://developer.okta.com/docs/reference/api/event-types/#application-provision-integration-call_api
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.activate

Namespace: Okta-application

Description

Activate user's application membership.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.activate https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.deactivate

Namespace: Okta-application

Description

Push user deactivation to external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.deactivate https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.deprovision

Namespace: Okta-application

Description

Deprovision user from external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.deprovision https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-deprovision
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.import

Namespace: Okta-application

Description

Deactivate user from external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.import https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-import
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.import_profile

Namespace: Okta-application

Description

Import profile from external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.import_profile https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-import_profile
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.password

Namespace: Okta-application

Description

Issue pushing user password to external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.password https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.push

Namespace: Okta-application

Description

Push new user to external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.push https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-push
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.push_okta_password

Namespace: Okta-application

Description

Push user's Okta password to application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.push_okta_password https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-push_okta_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.push_password

Namespace: Okta-application

Description

Push user's password to application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.push_password https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-push_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.push_profile

Namespace: Okta-application

Description

Push user's profile to external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.push_profile https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-push_profile
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.reactivate

Namespace: Okta-application

Description

Push user reactivation in external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.reactivate https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-reactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.sync

Namespace: Okta-application

Description

Sync user in external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.sync https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-sync
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.provision.user.verify_exists

Namespace: Okta-application

Description

Verify user exists in external application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.provision.user.verify_exists https://developer.okta.com/docs/reference/api/event-types/#application-provision-user-verify_exists
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.registration_policy.lifecycle.create

Namespace: Okta-application

Description

Create registration policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.registration_policy.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#application-registration_policy-lifecycle-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.registration_policy.lifecycle.update

Namespace: Okta-application

Description

Update registration policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.registration_policy.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#application-registration_policy-lifecycle-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.add

Namespace: Okta-application

Description

Add user to application membership.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.add https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-add
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.approve

Namespace: Okta-application

Description

User approved for application (assigned by not provisioned).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.approve https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-approve
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.change_password

Namespace: Okta-application

Description

Change application password for user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.change_password https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-change_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.change_username

Namespace: Okta-application

Description

Change user's application username.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.change_username https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-change_username
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.deprovision

Namespace: Okta-application

Description

User deprovisioned from application (was previously revoked).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.deprovision https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-deprovision
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.provision

Namespace: Okta-application

Description

User provisioned to application (was previously approved).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.provision https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-provision
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.remove

Namespace: Okta-application

Description

Remove user's application membership.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.remove https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-remove
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.restore

Namespace: Okta-application

Description

Restore user assignment to an application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.restore https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-restore
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.restore_password

Namespace: Okta-application

Description

Restore user's password for an application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.restore_password https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-restore_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.revoke

Namespace: Okta-application

Description

User revoked from application (unassigned but not yet deprovisioned).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.revoke https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-revoke
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.show_password

Namespace: Okta-application

Description

Show user's password for application.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.show_password https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-show_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

application.user_membership.update

Namespace: Okta-application

Description

Updated user application property.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: application.user_membership.update https://developer.okta.com/docs/reference/api/event-types/#application-user_membership-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)