Okta-security

39 operations, identified by eventType in the audit log.

eventType	Description
security.attack.end	Fired when Threat Insight detects that an org is no longer under attack. This can be used to monitor when our models no longer detect an attack on an org. When this event is fired, Threat Insight will stop being extra aggressive in logging and/or blocking suspicious requests. This is fired from within an internal Okta context and therefore will not have any request level context information.
security.attack.start	Fired when Threat Insight detects that an org is under attack. This can be used to monitor attacks against your organization. When this event is fired, Threat Insight will automatically become more aggressive in logging and/or blocking suspicious requests. This is fired from within an internal Okta context and therefore will not have any request level context information.
security.attack_protection.settings.update	Triggered when settings to protect against password-based attacks are updated. Useful for monitoring potential intrusion if the change was not planned. Covered features include Require possession factor before password during MFA and Block suspicious password attempts from unknown devices.
security.authenticator.lifecycle.activate	Fired when an admin activates an authenticator for the org. This event can be used to identify who activated an authenticator and which authenticator was activated. When fired, this event contains information about the authenticator type that was activated and the actor who activated the authenticator. Authenticator activation occurs when an authenticator is added. Related events include security.authenticator.lifecycle.deactivate.
security.authenticator.lifecycle.create	Fired when an admin creates an authenticator for the org. This event can be used to identify who created an authenticator and which authenticator was created. The actor specifies the user that created the authenticator and the target specifies the authenticator name and the id. This event could also contain some authenticator specific information. Authenticator creation occurs when an authenticator is added. Related events include security.authenticator.lifecycle.update.
security.authenticator.lifecycle.deactivate	Fired when an admin deactivates an authenticator for the org. This event can be used to identify who deactivated an authenticator and which authenticator was deactivated. When fired, this event contains information about the authenticator type that was deactivated and the actor who deactivated the authenticator. Authenticator deactivation occurs when an authenticator is removed. Related events include security.authenticator.lifecycle.activate.
security.authenticator.lifecycle.update	Fired when an admin updates an authenticator in the org. This event can be used to identify who updated an authenticator and which authenticator was updated. The actor specifies the user that updated the authenticator and the target specifies the authenticator name and the ID. There may be a second target with details of any authenticator method updates. This event could also contain authenticator specific information. Authenticator update occurs when an authenticator is edited. Related events include security.authenticator.lifecycle.create.
security.behavior.settings.create	Behavior settings create. This can also be used to identify when a behavior setting is created. When fired, this event contains information about a created setting.
security.behavior.settings.delete	Behavior settings delete. This can also be used to identify when a behavior setting has been deleted. When fired, this event contains information about a delete setting.
security.behavior.settings.update	Behavior settings update. This can also be used to identify when a behavior setting has been changed. When fired, this event contains information about a updated setting.
security.breached_credential.detected	A credential, such as a password, which is associated with a known breach was used during an authentication flow. Used to identify users for whom credential rotation or other risk mitigation is necessary. The actor is the user with the breached credential. For Identity Engine, a target will indicate the specific credential associated with the breach. The outcome for this event will always be SUCCESS with a severity level of WARN. If breached credential protection is enabled, auser.session.clear will also be fired. These two events can be correlated by the Request ID.
security.device.add_request_blacklist_policy	Added request blacklist to request blacklist policies.
security.device.remove_request_blacklist_policy	Removed request blacklist from request blacklist policies.
security.device.temporarily_disable_blacklisting	Temporarily disabling blacklisting.
security.events.provider.activate	Activate a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is activated.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the activated security events provider.
security.events.provider.create	Create a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is created.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the created security events provider.
security.events.provider.deactivate	Deactivate a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is deactivated.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the deactivated security events provider.
security.events.provider.delete	Delete a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is deleted.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the deleted security events provider.
security.events.provider.receive_event	Appears when a security events provider submits a valid event for each known detection. The event helps admins debug or monitor SSF provider submissions. The event contains debug context data about the provider's risk report.
security.events.provider.update	Update a security events provider. Appears when an update is made to an authorized security events provider,such as the Shared Signals Framework (SSF) transmitter.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the updated security events provider.
security.events.transmitter.create	Create security events transmitter. Appears when a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter, is created. This event helps admins troubleshoot issues with event delivery to security event receivers. This event contains configuration details of the created security events transmitter.
security.events.transmitter.delete	Delete security events transmitter. Appears when a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter, is deleted. This event helps admins troubleshoot issues with event delivery to security events receivers. This event contains configuration details of the deleted security events transmitter.
security.events.transmitter.update	Update security events transmitter. Appears when there is an update to a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter. This event helps admins troubleshoot issues with event delivery to security events receivers. This event contains configuration details of the updated security events transmitter.
security.protected_action.attempt	Protected action attempted. This event can be used to track and audit when a protected action is attempted. When fired this event contains information about what protected action is attempted.
security.protected_action.settings.update	Protected action setting disabled. This event can be used to track and audit when a protected action setting is updated. When fired this event contains information about what protected action setting is updated.
security.request.blocked	Security request blocked.
security.session.detect_client_roaming	Roaming session detected for user.
security.session_protection.status.update	Session Protection status was updated to monitoring or enforced. Indicates a change in the Session Protection status - (monitoring or enforced).
security.threat.configuration.update	Fired when a ThreatInsight configuration has been updated. This can be used to identify when an existing ThreatInsight configuration has been updated. An update can be updating the action or the excluded zones. When fired, this event contains information about who made the update to the configuration.
security.threat.detected	Request from an IP identified as malicious by Okta ThreatInsight. This can be used to monitor and act on credential based attacks (such as Brute Force, Password Spray) on your organization. The reasons why the request was classified as malicious can be found in the outcome.reason field. The outcome.result field will be 'ALLOW', 'DENY' or 'RATE_LIMIT' based on whether Okta Threat Insight is configured in log mode or log and enforce mode, where 'ALLOW' means the request continued, 'DENY' means the request was blocked and 'RATE_LIMIT' means we protected your org from exceeding your rate limit by not allowing suspicious activity to count towards your rate limit.
security.trusted_origin.activate	A trusted origin is activated. When an event is emitted upon the activation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is activated.
security.trusted_origin.create	A trusted origin is created. When an event is emitted upon the creation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is created.
security.trusted_origin.deactivate	A trusted origin is deactivated. When an event is emitted upon the deactivation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is deactivated.
security.trusted_origin.delete	A trusted origin is deleted. When an event is emitted upon the deletion of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is deleted.
security.trusted_origin.update	A trusted origin is updated. When an event is emitted upon the modification of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is updated.
security.voice.add_country_blacklist	Fired when a country has been added to the voice call blacklist. This can be used to identify when a country has been blacklisted for voice call. When fired, this event contains information about the country that was added to the blacklist.Related events include security.voice.remove_country_blacklist.
security.voice.remove_country_blacklist	Fired when a country has been removed from the voice call blacklist. This can be used to identify when a country has been removed from voice call blacklist. When fired, this event contains information about the country that was removed from the blacklist.Related events include security.voice.add_country_blacklist.
security.zone.make_blacklist	Added IPs to blacklist zone.
security.zone.remove_blacklist	Removed IPs from blacklist zone.

security.attack.end

Namespace: Okta-security

Description

Fired when Threat Insight detects that an org is no longer under attack. This can be used to monitor when our models no longer detect an attack on an org. When this event is fired, Threat Insight will stop being extra aggressive in logging and/or blocking suspicious requests. This is fired from within an internal Okta context and therefore will not have any request level context information.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Kusto #

Device Registration from Malicious IP source high: This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.↳ also matches security.attack.start, security.threat.detected

References #

Okta Event Types Catalog: security.attack.end https://developer.okta.com/docs/reference/api/event-types/#security-attack-end
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.attack.start

Namespace: Okta-security

Description

Fired when Threat Insight detects that an org is under attack. This can be used to monitor attacks against your organization. When this event is fired, Threat Insight will automatically become more aggressive in logging and/or blocking suspicious requests. This is fired from within an internal Okta context and therefore will not have any request level context information.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Kusto #

Device Registration from Malicious IP source high: This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.↳ also matches security.attack.end, security.threat.detected

YARA-L #

Okta ThreatInsight Targeted Bruteforce Attack source: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.

References #

Okta Event Types Catalog: security.attack.start https://developer.okta.com/docs/reference/api/event-types/#security-attack-start
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.attack_protection.settings.update

Namespace: Okta-security

Description

Triggered when settings to protect against password-based attacks are updated. Useful for monitoring potential intrusion if the change was not planned. Covered features include Require possession factor before password during MFA and Block suspicious password attempts from unknown devices.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.attack_protection.settings.update https://developer.okta.com/docs/reference/api/event-types/#security-attack_protection-settings-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.authenticator.lifecycle.activate

Namespace: Okta-security

Description

Fired when an admin activates an authenticator for the org. This event can be used to identify who activated an authenticator and which authenticator was activated. When fired, this event contains information about the authenticator type that was activated and the actor who activated the authenticator. Authenticator activation occurs when an authenticator is added. Related events include security.authenticator.lifecycle.deactivate.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.authenticator.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#security-authenticator-lifecycle-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.authenticator.lifecycle.create

Namespace: Okta-security

Description

Fired when an admin creates an authenticator for the org. This event can be used to identify who created an authenticator and which authenticator was created. The actor specifies the user that created the authenticator and the target specifies the authenticator name and the id. This event could also contain some authenticator specific information. Authenticator creation occurs when an authenticator is added. Related events include security.authenticator.lifecycle.update.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.authenticator.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#security-authenticator-lifecycle-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.authenticator.lifecycle.deactivate

Namespace: Okta-security

Description

Fired when an admin deactivates an authenticator for the org. This event can be used to identify who deactivated an authenticator and which authenticator was deactivated. When fired, this event contains information about the authenticator type that was deactivated and the actor who deactivated the authenticator. Authenticator deactivation occurs when an authenticator is removed. Related events include security.authenticator.lifecycle.activate.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.authenticator.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#security-authenticator-lifecycle-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.authenticator.lifecycle.update

Namespace: Okta-security

Description

Fired when an admin updates an authenticator in the org. This event can be used to identify who updated an authenticator and which authenticator was updated. The actor specifies the user that updated the authenticator and the target specifies the authenticator name and the ID. There may be a second target with details of any authenticator method updates. This event could also contain authenticator specific information. Authenticator update occurs when an authenticator is edited. Related events include security.authenticator.lifecycle.create.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.authenticator.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#security-authenticator-lifecycle-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.behavior.settings.create

Namespace: Okta-security

Description

Behavior settings create. This can also be used to identify when a behavior setting is created. When fired, this event contains information about a created setting.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.behavior.settings.create https://developer.okta.com/docs/reference/api/event-types/#security-behavior-settings-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.behavior.settings.delete

Namespace: Okta-security

Description

Behavior settings delete. This can also be used to identify when a behavior setting has been deleted. When fired, this event contains information about a delete setting.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.behavior.settings.delete https://developer.okta.com/docs/reference/api/event-types/#security-behavior-settings-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.behavior.settings.update

Namespace: Okta-security

Description

Behavior settings update. This can also be used to identify when a behavior setting has been changed. When fired, this event contains information about a updated setting.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.behavior.settings.update https://developer.okta.com/docs/reference/api/event-types/#security-behavior-settings-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.breached_credential.detected

Namespace: Okta-security

Description

A credential, such as a password, which is associated with a known breach was used during an authentication flow. Used to identify users for whom credential rotation or other risk mitigation is necessary. The actor is the user with the breached credential. For Identity Engine, a target will indicate the specific credential associated with the breach. The outcome for this event will always be SUCCESS with a severity level of WARN. If breached credential protection is enabled, auser.session.clear will also be fired. These two events can be correlated by the Request ID.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.breached_credential.detected https://developer.okta.com/docs/reference/api/event-types/#security-breached_credential-detected
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.device.add_request_blacklist_policy

Namespace: Okta-security

Description

Added request blacklist to request blacklist policies.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.device.add_request_blacklist_policy https://developer.okta.com/docs/reference/api/event-types/#security-device-add_request_blacklist_policy
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.device.remove_request_blacklist_policy

Namespace: Okta-security

Description

Removed request blacklist from request blacklist policies.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.device.remove_request_blacklist_policy https://developer.okta.com/docs/reference/api/event-types/#security-device-remove_request_blacklist_policy
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.device.temporarily_disable_blacklisting

Namespace: Okta-security

Description

Temporarily disabling blacklisting.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.device.temporarily_disable_blacklisting https://developer.okta.com/docs/reference/api/event-types/#security-device-temporarily_disable_blacklisting
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.activate

Namespace: Okta-security

Description

Activate a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is activated.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the activated security events provider.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.activate https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.create

Namespace: Okta-security

Description

Create a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is created.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the created security events provider.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.create https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.deactivate

Namespace: Okta-security

Description

Deactivate a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is deactivated.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the deactivated security events provider.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.deactivate https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.delete

Namespace: Okta-security

Description

Delete a security events provider. Appears when an authorized security events provider, such as the Shared Signals Framework (SSF) transmitter, is deleted.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the deleted security events provider.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.delete https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.receive_event

Namespace: Okta-security

Description

Appears when a security events provider submits a valid event for each known detection. The event helps admins debug or monitor SSF provider submissions. The event contains debug context data about the provider's risk report.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.receive_event https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-receive_event
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.provider.update

Namespace: Okta-security

Description

Update a security events provider. Appears when an update is made to an authorized security events provider,such as the Shared Signals Framework (SSF) transmitter.This event helps admins troubleshoot issues with the delivery of security events to Okta. When fired, this event contains information about the updated security events provider.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.provider.update https://developer.okta.com/docs/reference/api/event-types/#security-events-provider-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.transmitter.create

Namespace: Okta-security

Description

Create security events transmitter. Appears when a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter, is created. This event helps admins troubleshoot issues with event delivery to security event receivers. This event contains configuration details of the created security events transmitter.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.transmitter.create https://developer.okta.com/docs/reference/api/event-types/#security-events-transmitter-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.transmitter.delete

Namespace: Okta-security

Description

Delete security events transmitter. Appears when a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter, is deleted. This event helps admins troubleshoot issues with event delivery to security events receivers. This event contains configuration details of the deleted security events transmitter.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.transmitter.delete https://developer.okta.com/docs/reference/api/event-types/#security-events-transmitter-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.events.transmitter.update

Namespace: Okta-security

Description

Update security events transmitter. Appears when there is an update to a specific security events transmitter, such as the Shared Signals Framework (SSF) transmitter. This event helps admins troubleshoot issues with event delivery to security events receivers. This event contains configuration details of the updated security events transmitter.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.events.transmitter.update https://developer.okta.com/docs/reference/api/event-types/#security-events-transmitter-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.protected_action.attempt

Namespace: Okta-security

Description

Protected action attempted. This event can be used to track and audit when a protected action is attempted. When fired this event contains information about what protected action is attempted.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.protected_action.attempt https://developer.okta.com/docs/reference/api/event-types/#security-protected_action-attempt
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.protected_action.settings.update

Namespace: Okta-security

Description

Protected action setting disabled. This event can be used to track and audit when a protected action setting is updated. When fired this event contains information about what protected action setting is updated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.protected_action.settings.update https://developer.okta.com/docs/reference/api/event-types/#security-protected_action-settings-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.request.blocked

Namespace: Okta-security

Description

Security request blocked.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.request.blocked https://developer.okta.com/docs/reference/api/event-types/#security-request-blocked
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.session.detect_client_roaming

Namespace: Okta-security

Description

Roaming session detected for user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.session.detect_client_roaming https://developer.okta.com/docs/reference/api/event-types/#security-session-detect_client_roaming
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.session_protection.status.update

Namespace: Okta-security

Description

Session Protection status was updated to monitoring or enforced. Indicates a change in the Session Protection status - (monitoring or enforced).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.session_protection.status.update https://developer.okta.com/docs/reference/api/event-types/#security-session_protection-status-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.threat.configuration.update

Namespace: Okta-security

Description

Fired when a ThreatInsight configuration has been updated. This can be used to identify when an existing ThreatInsight configuration has been updated. An update can be updating the action or the excluded zones. When fired, this event contains information about who made the update to the configuration.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.threat.configuration.update https://developer.okta.com/docs/reference/api/event-types/#security-threat-configuration-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.threat.detected

Namespace: Okta-security

Description

Request from an IP identified as malicious by Okta ThreatInsight. This can be used to monitor and act on credential based attacks (such as Brute Force, Password Spray) on your organization. The reasons why the request was classified as malicious can be found in the outcome.reason field. The outcome.result field will be 'ALLOW', 'DENY' or 'RATE_LIMIT' based on whether Okta Threat Insight is configured in log mode or log and enforce mode, where 'ALLOW' means the request continued, 'DENY' means the request was blocked and 'RATE_LIMIT' means we protected your org from exceeding your rate limit by not allowing suspicious activity to count towards your rate limit.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`security.threat.detected`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Security Threat Detected source medium: Detects when an security threat is detected in Okta.

Elastic #

Okta ThreatInsight Threat Suspected Promotion source medium: Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.

Kusto #

Device Registration from Malicious IP source high: This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.↳ also matches security.attack.end, security.attack.start

YARA-L #

Okta ThreatInsight Login Failure With High Unknown Users source: Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.
Okta ThreatInsight Suspected Bruteforce Attack source: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs.
Okta ThreatInsight Suspected Password Spray Attack source: Okta's ThreatInsight can identify Password Spray attacks.

References #

Okta Event Types Catalog: security.threat.detected https://developer.okta.com/docs/reference/api/event-types/#security-threat-detected
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.trusted_origin.activate

Namespace: Okta-security

Description

A trusted origin is activated. When an event is emitted upon the activation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is activated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.trusted_origin.activate https://developer.okta.com/docs/reference/api/event-types/#security-trusted_origin-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.trusted_origin.create

Namespace: Okta-security

Description

A trusted origin is created. When an event is emitted upon the creation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is created.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.trusted_origin.create https://developer.okta.com/docs/reference/api/event-types/#security-trusted_origin-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.trusted_origin.deactivate

Namespace: Okta-security

Description

A trusted origin is deactivated. When an event is emitted upon the deactivation of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is deactivated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.trusted_origin.deactivate https://developer.okta.com/docs/reference/api/event-types/#security-trusted_origin-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.trusted_origin.delete

Namespace: Okta-security

Description

A trusted origin is deleted. When an event is emitted upon the deletion of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is deleted.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.trusted_origin.delete https://developer.okta.com/docs/reference/api/event-types/#security-trusted_origin-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.trusted_origin.update

Namespace: Okta-security

Description

A trusted origin is updated. When an event is emitted upon the modification of a trusted origin, customers can monitor these events and take remedial action. Event is triggered when a trusted origin is updated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.trusted_origin.update https://developer.okta.com/docs/reference/api/event-types/#security-trusted_origin-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.voice.add_country_blacklist

Namespace: Okta-security

Description

Fired when a country has been added to the voice call blacklist. This can be used to identify when a country has been blacklisted for voice call. When fired, this event contains information about the country that was added to the blacklist.Related events include security.voice.remove_country_blacklist.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.voice.add_country_blacklist https://developer.okta.com/docs/reference/api/event-types/#security-voice-add_country_blacklist
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.voice.remove_country_blacklist

Namespace: Okta-security

Description

Fired when a country has been removed from the voice call blacklist. This can be used to identify when a country has been removed from voice call blacklist. When fired, this event contains information about the country that was removed from the blacklist.Related events include security.voice.add_country_blacklist.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.voice.remove_country_blacklist https://developer.okta.com/docs/reference/api/event-types/#security-voice-remove_country_blacklist
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.zone.make_blacklist

Namespace: Okta-security

Description

Added IPs to blacklist zone.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.zone.make_blacklist https://developer.okta.com/docs/reference/api/event-types/#security-zone-make_blacklist
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

security.zone.remove_blacklist

Namespace: Okta-security

Description

Removed IPs from blacklist zone.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: security.zone.remove_blacklist https://developer.okta.com/docs/reference/api/event-types/#security-zone-remove_blacklist
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)