Okta-policy

24 operations, identified by eventType in the audit log.

eventType	Description
policy.auth_reevaluate.action	Invocation of a post auth session action. This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation. This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.
policy.auth_reevaluate.enforce	Evaluation of a post auth session. This event is triggered when a post auth session evaluation occurs. This event is triggered when a post auth session evaluation occurs.
policy.auth_reevaluate.fail	Auth policy re-evaluation has occurred and has resulted in a policy violation. Can be used to identify which user, apps, and session were involved in a policy violation event. Event fired when continuing access evaluation results in failure.
policy.continuous_access.action	Deprecated: Continuous Access policy action invocation. Signal that an action associated with a continuous access policy evaluation has been invoked. Event fired when an action associated with a continuous access policy evaluation has been invoked. See the event type policy.auth_reevaluate.action that replaces this deprecated event.
policy.continuous_access.evaluate	Deprecated: Evaluation of Continuous Access Policy. Signal that continuous access policy has been evaluated for a session which has failed CAE. Event fired when continuous access policy has been evaluated for a session which has failed CAE. See the event type policy.auth_reevaluate.enforce that replaces this deprecated event.
policy.entity_risk.action	Entity Risk policy action invocation. Signal that an action associated with an entity risk policy evaluation has been invoked. Event fired when an action associated with an entity risk policy evaluation has been invoked.
policy.entity_risk.evaluate	Evaluation of Entity Risk policy. Signal that entity risk policy has been evaluated for an entity for which we have received a risk change event. Event fired when entity risk policy has been evaluated for an entity for which a risk change event was generated.
policy.evaluate_sign_on	Okta evaluated sign-on policies in order to determine if the user attempting to access a resource meets the defined assurance criteria. Identifies the policy rule evaluated during an authentication flow. This may be useful to confirm that policy rule has been configured as intended, or to identify why a user is unable to access a resource such as an application. The possible outcomes of this event are ALLOW(user is authenticated to access the resource), CHALLENGE(additional verification is required for user to access the resource), and DENY(user is denied from accessing the resource). For Okta Identity Engine (OIE), a single policy.evaluate_sign_on event may include the evaluation result of Okta global session policy and authentication policy. For Okta Classic Engine, the evaluation result of Okta sign-on policy and app sign-on policy will be recorded in individual policy.evaluate_sign_on events.
policy.execute.user.start	Start execution of policy for user.
policy.lifecycle.activate	Activate policy.
policy.lifecycle.create	Create policy.
policy.lifecycle.deactivate	Deactivate policy.
policy.lifecycle.delete	Delete policy.
policy.lifecycle.overwrite	Overwrite policy.
policy.lifecycle.update	Update policy.
policy.mapping.create	Create policy mapping. This event is used to audit when a policy is mapped to a resource. This event is fired when a policy is mapped to a resource. The isPreviousPolicy attribute within the Policy Targets' Details denotes whether or not it was the previous or new policy being mapped.
policy.rule.action.execute	Scheduled execution of policy rule action.
policy.rule.activate	Activate policy rule.
policy.rule.add	Add policy rule.
policy.rule.deactivate	Deactivate policy rule.
policy.rule.delete	Delete policy rule.
policy.rule.invalidate	Invalidate policy rule.
policy.rule.update	Update policy rule.
policy.scheduled.execute	Scheduled execution of policy.

policy.auth_reevaluate.action

Namespace: Okta-policy

Description

Invocation of a post auth session action. This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation. This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.auth_reevaluate.action https://developer.okta.com/docs/reference/api/event-types/#policy-auth_reevaluate-action
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.auth_reevaluate.enforce

Namespace: Okta-policy

Description

Evaluation of a post auth session. This event is triggered when a post auth session evaluation occurs. This event is triggered when a post auth session evaluation occurs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.auth_reevaluate.enforce https://developer.okta.com/docs/reference/api/event-types/#policy-auth_reevaluate-enforce
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.auth_reevaluate.fail

Namespace: Okta-policy

Description

Auth policy re-evaluation has occurred and has resulted in a policy violation. Can be used to identify which user, apps, and session were involved in a policy violation event. Event fired when continuing access evaluation results in failure.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.auth_reevaluate.fail https://developer.okta.com/docs/reference/api/event-types/#policy-auth_reevaluate-fail
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.continuous_access.action

Namespace: Okta-policy

Description

Deprecated: Continuous Access policy action invocation. Signal that an action associated with a continuous access policy evaluation has been invoked. Event fired when an action associated with a continuous access policy evaluation has been invoked. See the event type policy.auth_reevaluate.action that replaces this deprecated event.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.continuous_access.action https://developer.okta.com/docs/reference/api/event-types/#policy-continuous_access-action
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.continuous_access.evaluate

Namespace: Okta-policy

Description

Deprecated: Evaluation of Continuous Access Policy. Signal that continuous access policy has been evaluated for a session which has failed CAE. Event fired when continuous access policy has been evaluated for a session which has failed CAE. See the event type policy.auth_reevaluate.enforce that replaces this deprecated event.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.continuous_access.evaluate https://developer.okta.com/docs/reference/api/event-types/#policy-continuous_access-evaluate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.entity_risk.action

Namespace: Okta-policy

Description

Entity Risk policy action invocation. Signal that an action associated with an entity risk policy evaluation has been invoked. Event fired when an action associated with an entity risk policy evaluation has been invoked.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.entity_risk.action https://developer.okta.com/docs/reference/api/event-types/#policy-entity_risk-action
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.entity_risk.evaluate

Namespace: Okta-policy

Description

Evaluation of Entity Risk policy. Signal that entity risk policy has been evaluated for an entity for which we have received a risk change event. Event fired when entity risk policy has been evaluated for an entity for which a risk change event was generated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.entity_risk.evaluate https://developer.okta.com/docs/reference/api/event-types/#policy-entity_risk-evaluate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.evaluate_sign_on

Namespace: Okta-policy

Description

Okta evaluated sign-on policies in order to determine if the user attempting to access a resource meets the defined assurance criteria. Identifies the policy rule evaluated during an authentication flow. This may be useful to confirm that policy rule has been configured as intended, or to identify why a user is unable to access a resource such as an application. The possible outcomes of this event are ALLOW(user is authenticated to access the resource), CHALLENGE(additional verification is required for user to access the resource), and DENY(user is denied from accessing the resource). For Okta Identity Engine (OIE), a single policy.evaluate_sign_on event may include the evaluation result of Okta global session policy and authentication policy. For Okta Classic Engine, the evaluation result of Okta sign-on policy and app sign-on policy will be recorded in individual policy.evaluate_sign_on events.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	in	`policy.evaluate_sign_on`	2 rules	elastic, kusto
`okta::eventType`	in	`user.session.start`	2 rules	elastic, kusto
`okta::eventType`	in	`system.api_token.create`	1 rule	kusto
`okta::eventType`	in	`user.authentication.sso`	1 rule	elastic
`security_result.action`	eq	`CHALLENGE`	2 rules	chronicle
`eventType`	eq	`policy.evaluate_sign_on`	1 rule	sigma, splunk
`okta::actor.alternateId`	ne	`system@okta.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Okta New Admin Console Behaviours source high: Detects when Okta identifies new activity in the Admin Console.

Elastic #

Okta AiTM Session Cookie Replay source high: Detects potential Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. This rule identifies when an Okta session is used from multiple IP addresses or with suspicious non-browser user agents after initial authentication. AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them from attacker infrastructure, bypassing MFA. The detection correlates session start events with subsequent policy evaluations or SSO attempts that occur from different IPs or programmatic user agents.

Kusto #

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.

YARA-L #

Okta Multiple Failed Requests To Access Applications source: Detects multiple failed requests to access applications
Okta Suspicious Use Of A Session Cookie source: Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.

References #

Okta Event Types Catalog: policy.evaluate_sign_on https://developer.okta.com/docs/reference/api/event-types/#policy-evaluate_sign_on
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.execute.user.start

Namespace: Okta-policy

Description

Start execution of policy for user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.execute.user.start https://developer.okta.com/docs/reference/api/event-types/#policy-execute-user-start
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.activate

Namespace: Okta-policy

Description

Activate policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.create

Namespace: Okta-policy

Description

Create policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.deactivate`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.deactivate, policy.lifecycle.delete, policy.lifecycle.update, policy.rule.deactivate, policy.rule.delete, policy.rule.update

References #

Okta Event Types Catalog: policy.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.deactivate

Namespace: Okta-policy

Description

Deactivate policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.deactivate`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Elastic #

Attempt to Deactivate an Okta Policy source low: Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.delete, policy.lifecycle.update, policy.rule.deactivate, policy.rule.delete, policy.rule.update

References #

Okta Event Types Catalog: policy.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.delete

Namespace: Okta-policy

Description

Delete policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Policy Modified or Deleted source low: Detects when an Okta policy is modified or deleted.↳ also matches policy.lifecycle.update

Elastic #

Attempt to Delete an Okta Policy source medium: Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.deactivate, policy.lifecycle.update, policy.rule.deactivate, policy.rule.delete, policy.rule.update

References #

Okta Event Types Catalog: policy.lifecycle.delete https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.overwrite

Namespace: Okta-policy

Description

Overwrite policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.lifecycle.overwrite https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-overwrite
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.lifecycle.update

Namespace: Okta-policy

Description

Update policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.session.start`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Policy Modified or Deleted source low: Detects when an Okta policy is modified or deleted.↳ also matches policy.lifecycle.delete

Elastic #

Attempt to Modify an Okta Policy source low: Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.deactivate, policy.lifecycle.delete, policy.rule.deactivate, policy.rule.delete, policy.rule.update

References #

Okta Event Types Catalog: policy.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#policy-lifecycle-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.mapping.create

Namespace: Okta-policy

Description

Create policy mapping. This event is used to audit when a policy is mapped to a resource. This event is fired when a policy is mapped to a resource. The isPreviousPolicy attribute within the Policy Targets' Details denotes whether or not it was the previous or new policy being mapped.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.mapping.create https://developer.okta.com/docs/reference/api/event-types/#policy-mapping-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.action.execute

Namespace: Okta-policy

Description

Scheduled execution of policy rule action.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.rule.action.execute https://developer.okta.com/docs/reference/api/event-types/#policy-rule-action-execute
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.activate

Namespace: Okta-policy

Description

Activate policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.rule.activate https://developer.okta.com/docs/reference/api/event-types/#policy-rule-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.add

Namespace: Okta-policy

Description

Add policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.rule.add https://developer.okta.com/docs/reference/api/event-types/#policy-rule-add
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.deactivate

Namespace: Okta-policy

Description

Deactivate policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Attempt to Deactivate an Okta Policy Rule source medium: Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.deactivate, policy.lifecycle.delete, policy.lifecycle.update, policy.rule.delete, policy.rule.update

References #

Okta Event Types Catalog: policy.rule.deactivate https://developer.okta.com/docs/reference/api/event-types/#policy-rule-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.delete

Namespace: Okta-policy

Description

Delete policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Policy Rule Modified or Deleted source medium: Detects when an Policy Rule is Modified or Deleted.↳ also matches policy.rule.update

Elastic #

Attempt to Delete an Okta Policy Rule source low: Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.deactivate, policy.lifecycle.delete, policy.lifecycle.update, policy.rule.deactivate, policy.rule.update

References #

Okta Event Types Catalog: policy.rule.delete https://developer.okta.com/docs/reference/api/event-types/#policy-rule-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.invalidate

Namespace: Okta-policy

Description

Invalidate policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.rule.invalidate https://developer.okta.com/docs/reference/api/event-types/#policy-rule-invalidate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.rule.update

Namespace: Okta-policy

Description

Update policy rule.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Policy Rule Modified or Deleted source medium: Detects when an Policy Rule is Modified or Deleted.↳ also matches policy.rule.delete

Elastic #

Attempt to Modify an Okta Policy Rule source low: Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches policy.lifecycle.create, policy.lifecycle.deactivate, policy.lifecycle.delete, policy.lifecycle.update, policy.rule.deactivate, policy.rule.delete

References #

Okta Event Types Catalog: policy.rule.update https://developer.okta.com/docs/reference/api/event-types/#policy-rule-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

policy.scheduled.execute

Namespace: Okta-policy

Description

Scheduled execution of policy.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: policy.scheduled.execute https://developer.okta.com/docs/reference/api/event-types/#policy-scheduled-execute
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)