Okta-system
232 operations, identified by eventType in the audit log.
| eventType | Description |
|---|---|
| system.agent.ad.config_change_detected | A monitored variable in an AD agent configuration file has changed. This can be used to audit that a customer's AD agent configuration file has changed. This event occurs when a monitored variable in an AD agent configuration file has changed. |
| system.agent.ad.connect | Connect AD agent to Okta. |
| system.agent.ad.create | Create AD agent. |
| system.agent.ad.deactivate | Deactivate AD agent. |
| system.agent.ad.delete | Delete AD agent. |
| system.agent.ad.dirsync.verify | Verify AD agent compatibility for DirSync-based imports. Use this event to audit which AD agents meet DirSync requirements, set up alerts when agents need remediation before DirSync-based imports can run, and troubleshoot import failures related to agent version or configuration gaps. outcome.result = SUCCESS indicates the agent meets all DirSync requirements. FAILURE indicates the agent requires intervention, such as a version upgrade (minimum 3.20.0) or service account permission changes. |
| system.agent.ad.import_ou | Perform import OU by AD agent. |
| system.agent.ad.import_user | Perform import user by AD agent. |
| system.agent.ad.invoke_dir | Perform directory invoke command by AD agent. |
| system.agent.ad.reactivate | Reactivate AD agent. |
| system.agent.ad.read_config | Perform config read by AD agent. |
| system.agent.ad.read_dirsync | Perform dirsync read by AD agent. |
| system.agent.ad.read_ldap | Perform LDAP read by AD agent. |
| system.agent.ad.read_schema | Perform schema read by AD agent. |
| system.agent.ad.read_topology | Directory agent performed topology import operation. |
| system.agent.ad.realtimesync | Perform RealTimeSync by AD agent. |
| system.agent.ad.reset_user_password | Perform user password reset by AD agent. |
| system.agent.ad.start | Start AD agent. |
| system.agent.ad.unlock_user_account | Perform unlock user account by AD agent. |
| system.agent.ad.update | Update AD agent configuration. |
| system.agent.ad.update_user | User Auth and Update. |
| system.agent.ad.upgrade | Upgrade AD agent. |
| system.agent.ad.upload_iwa_log | Fired when an AD agent has fetched and uploaded an IWA agent log file. This event fires whether the log file upload succeeds or fails. This can be used to audit that log files are being fetched and uploaded successfully, and to troubleshoot why an IWA log upload has failed. When fired, this event indicates whether a log file upload has been successful or failed. This event also indicates whether the event was initiated by the Okta system or a user. Related events: none; all debugging context is included in this event. |
| system.agent.ad.upload_log | Upload AD agent log. |
| system.agent.ad.write_ldap | Perform LDAP write by AD agent. |
| system.agent.auto_update | Fired when an individual agent auto-update succeeds or fails. Confirms a successful agent auto-update, or provides troubleshooting information when the agent auto-update is unsuccessful. Indicates when an agent auto-update is successful or unsuccessful. |
| system.agent.connector.connect | Connect connector agent to Okta. |
| system.agent.connector.deactivate | Deactivate connector agent. |
| system.agent.connector.delete | Delete connector agent. |
| system.agent.connector.reactivate | Reactivate connector agent. |
| system.agent.ldap.change_user_password | Perform change user password by LDAP agent. |
| system.agent.ldap.config_change_detected | A monitored variable in an LDAP agent configuration file has changed. This can be used to audit when a customer's LDAP agent configuration file has changed. This event occurs when a monitored variable in an LDAP agent configuration file has changed. |
| system.agent.ldap.create_user_JIT | Perform create user JIT by LDAP agent. |
| system.agent.ldap.disconnect | Disconnect LDAP agent from Okta. |
| system.agent.ldap.realtimesync | Fired when LDAP Delegated Authentication is used to sign in and a user profile is updated using RealTimeSync action. Can be used by admins to identify user profile changes resulting from corresponding changes in the LDAP directory. The previous name for this event was system.agent.ad.realtimesync. |
| system.agent.ldap.reconnect | Reconnect LDAP agent to Okta. |
| system.agent.ldap.reset_user_password | LDAP agent performed a password reset. |
| system.agent.ldap.unlock_user_account | LDAP agent performed account unlock for User. |
| system.agent.ldap.update_user | Fired when LDAP Delegated Authentication is used to sign in and a user profile is updated. Can be used by admins to identify user profile changes resulting from corresponding changes in the LDAP directory. The previous name for this event was system.agent.ad.update_user. |
| system.agent.ldap.update_user_password | Perform update user password by LDAP agent. |
| system.agent.register | Agent was registered. This event indicates that an agent (such as Okta Provisioning Agent, Okta RSA SecurID Agent, and so on) has been successfully registered with the Okta org. This also provides a signal to all admins of the Okta org that a new agent was registered, which improves the overall security posture. This event can be used to track the deployment and integration of Okta agents across an org's infrastructure. This information can be useful for security audits, compliance reporting, and managing the overall Okta ecosystem. |
| system.agent_pools.auto_update | Fired when the status of an agent pool auto-update is changed. Confirms an agent pool auto-update status change and provides troubleshooting information. Indicates when the status of an agent pool auto-update is changed. |
| system.api_token.create | Create API token. This event occurs when a new unscoped API token is generated within the system. The unscoped API token grants authenticated access to the system's API for automated tasks or integration purposes. Event log details include the token ID, the user or service it was created for, and the time of creation. This information helps maintain a secure API access framework by allowing administrators to track token issuance. Administrators can also enforce least privilege access and promptly identify any unauthorized token creation. |
| system.api_token.enable | Enable API token. |
| system.api_token.request_outside_allowed_range | Request with API tokens made from outside the allowed network zone. Use to detect when an API token comes from an IP address that's outside of the specified allowed zone. Fired when an API token comes from an IP address that's outside of the specified allowed zone of the token. |
| system.api_token.revoke | Revoke API token. |
| system.api_token.update | An API token has been updated. This event can be used to identify a change to an existing API token, such as a change to the applicable rate limits for the token. Details of the change can be found in the debugData. This event does not change whether the token is valid for use; for actions that impact validity, see system.api_token.enable and system.api_token.revoke. |
| system.beta.feature.enable | Fired when an admin has enabled a BETA feature. This can be used to understand the status of the BETA Feature and identify who has enabled it for an org. When fired, this event contains information about the enabled BETA Feature, as well as the admin who enabled it. |
| system.brand.create | This event is fired when the brand resource is created. Developer and org admins can use this event to identify when the brand resource was created. The event contains information about the created brand. |
| system.brand.delete | This event is fired when a brand resource is deleted. Developer and org admins can use this event to identify when a brand resource was deleted. The event contains information about a deleted brand. |
| system.brand.update | This event is fired when the brand resource is updated. Developer and org admins can use this event to identify when the brand resource was updated. The event contains information regarding specific updates made to the brand, such as "customPrivacyPolicyUrl". |
| system.captcha.create | A captcha instance is created for Sign-in Widget. Indicates when a captcha instance was created. This event is fired when org admin creates a captcha instance. |
| system.captcha.delete | A captcha instance is deleted. Indicates when a captcha instance was deleted. This event is fired when org admin deletes a captcha instance. |
| system.captcha.update | A captcha instance is updated. Indicates when a captcha instance was updated. This event is fired when org admin updates a captcha instance. |
| system.client.concurrency_rate_limit.notification | Notify when too many requests are in flight for a client. This can be used to notify whenever there are too many concurrent requests from a client without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details. |
| system.client.concurrency_rate_limit.violation | Too many requests in flight for client. This can be used to track if there are too many concurrent requests from a client. When fired, this event contains information about the request such as client, device and IP details. |
| system.client.rate_limit.notification | Notify when client rate limits are exceeded. This can be used to notify whenever a client is exceeding its rate limit without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details. |
| system.client.rate_limit.violation | Client rate limit violation. This can be used to track if a client is exceeding its rate limit. When fired, this event contains information about the request such as client, device and IP details. |
| system.csv.import_user | Import of user from CSV is skipped. Informs when import of a user from CSV has been skipped due to reasons such as missing required attributes or unknown unique identifier. This event is logged when import of a user is skipped during CSV directory import workflow for on-premises systems using Okta provisioning agent. |
| system.custom_email_server.lifecycle.activate | Enable a custom email server. Audit the enablement of a custom email server. |
| system.custom_email_server.lifecycle.create | Create a custom email server. Audit the creation of a custom email server. |
| system.custom_email_server.lifecycle.deactivate | Disable a custom email server. Audit the disablement of a custom email server. |
| system.custom_email_server.lifecycle.delete | Delete a custom email server. Audit the deletion of a custom email server. |
| system.custom_email_server.lifecycle.update | Update a custom email server. Audit an update to the configuration of a custom email server. |
| system.custom_error.delete | Custom error page is deleted. Can be used to identify when an admin has deleted the custom error page. Event fired when the custom error page is deleted. |
| system.custom_error.update | Custom error page is updated. Can be used to identify when an admin has customized the error page. Event fired when the error page is successfully updated. |
| system.custom_signin.delete | Custom sign-in page is deleted. Can be used to identify when an admin has deleted the custom sign-in page. Event fired when custom sign-in page is deleted. |
| system.custom_signin.update | Custom sign-in page is updated. Can be used to identify when an admin has customized the sign-in page. Event fired when custom sign-in page is updated. |
| system.custom_signout.update | Custom sign-out page is updated. Admin has updated the custom sign-out page. Event fired when custom sign-out page is updated. |
| system.custom_url_domain.cert_renew | Okta-managed certificates for custom domain are renewed. Can be used to identify when the Okta-managed certificate renewal batch job has renewed certificates for a custom domain. When fired, the event contains information about the domain name and certificate source type. |
| system.custom_url_domain.cert_upload | Custom domain certificates are uploaded by an admin or generated by Okta. Can be used to identify when custom domain certificates are uploaded by an admin or generated by Okta. When fired, the event contains information about the domain name and certificate source type. |
| system.custom_url_domain.delete | Custom domain is deleted. Can be used to identify when an admin has deleted their custom domain. When fired, the event contains information about the domain name that was deleted. |
| system.custom_url_domain.initiate | Custom domain setup is initiated. Admin has initiated custom domain setup by inputting their custom domain for DNS verification. When fired, the event contains information about the domain name, certificate source type and domain validation status. |
| system.custom_url_domain.update | Custom domain brand association is updated. Admin has updated the custom domain association with the brand. When fired, the event contains the domain name, certificate source type, domain validation status and information about the brand it is associated with. |
| system.custom_url_domain.verify | Verify custom domain ownership. Identifies whether an admin has succeeded or failed to verify the ownership of the domain name. When fired, the event contains information about the domain name, certificate source type and domain validation status. |
| system.directory.debugger.extend | Extend Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access extension. When fired, this event contains information about Directory Debugger access extension. |
| system.directory.debugger.grant | Grant Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access grants to Okta support. When fired, this event contains information about Directory Debugger access grant. |
| system.directory.debugger.query_executed | A read-only query executed against AD/LDAP instance by Okta support using the Directory Debugger tool. This can be used to audit the queries executed by Okta support using Directory Debugger. When fired, this event contains information about Directory Debugger query. |
| system.directory.debugger.revoke | Revoke Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access revoke. When fired, this event contains information about Directory Debugger access revoke. |
| system.dr.failback | The Enhanced Disaster Recovery (EDR) failback operation for the org domains was initiated. If failback is successful, the outcome for this event will be SUCCESS. If failback is not successful, the outcome for this event will be FAILURE. |
| system.dr.failover | The Enhanced Disaster Recovery (EDR) failover operation for the org domains was initiated. If failover is successful, the outcome for this event will be SUCCESS. If failover is not successful, the outcome for this event will be FAILURE. |
| system.email.account_unlock.sent_message | Send self-service account unlock email. |
| system.email.bounce.removal | Attempted removal of one or more emails from bounce list. Identify email addresses which were submitted to Okta for removal from the email bounce list. This event does not guarantee that an email was removed from the bounce list; it only indicates that Okta contacted the email provider to attempt to remove it from the bounce list. The debugData object contains a reference to the email provider contacted by Okta which maintains the bounce list. The target object contains a list of email addresses which were submitted. A single target contains a maximum of 50 email addresses. Multiple events may be fired in response to a removal request. |
| system.email.challenge_factor_redeemed | User completed an email factor challenge. This can be used to identify when a credential sent in an email to a user has been redeemed (the link was clicked or the code was entered). When fired, this event contains information about the result. The result is Success if successful; error reasons should be present for failure cases (e.g. incorrect code, timeout, expired, etc.). The event also contains a debugData with the action (the link was clicked or the code was entered). |
| system.email.delivery | An email's delivery status was updated. Used to notify admins of a bounced or dropped email. For certain bounce events, the context information may be lost by the email provider(s) due to email server communication delays. Such delayed bounce events will not appear in syslog. As of the 2022.08.0 release, this is also used to identify other email events e.g. delivered, deferred. See the event debugData for help identifying a remediation, such as updating an incorrect email address. |
| system.email.mfa_enroll_notification.sent_message | MFA enrollment notification email sent. Used to notify admins MFA enrollment notification email has been sent. |
| system.email.mfa_reset_notification.sent_message | MFA reset notification email sent. Used to notify admins MFA reset notification email has been sent. |
| system.email.new_device_notification.sent_message | New device sign-in notification email sent. |
| system.email.password_reset.sent_message | Send self-service password reset email. |
| system.email.send_factor_verify_message | An email was sent to a user for verification. Used to notify admins that an email was sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData. |
| system.email.template.create | This event is fired when a custom email template is created. Developers and Org Admins can use this to identify when a default email template has been overridden with a new template. The event details can be used to identify the template type and template engine. Usually this event will precede "system.email.template.update" or "system.email.template.delete" events. |
| system.email.template.delete | This event is fired when a custom email template is deleted. Developers and Org Admins can use this to identify when a custom email template has been deleted to fall back to default template. The event details can be used to identify the template type and template engine. Usually this event will follow "system.email.template.create" or "system.email.template.update" events. |
| system.email.template.settings_changed | This event is fired when the settings for an email template are changed. Developers and Org Admins can use this to identify when an email template setting has been changed. When fired, this event contains information about the email template and settings that were changed. |
| system.email.template.update | This event is fired when a custom email template has been updated. Developers and Org Admins can use this to identify when a custom email template has been updated. The event details can be used to identify the template type and template engine. Usually this event will follow "system.email.template.create" and precede "system.email.template.delete" events. |
| system.email_domain.create | Email domain is created. Admin has initiated email domain setup by inputting their domain details for DNS verification. When fired, the event contains information about the domain name, display name, user name, brand id and validation status. |
| system.email_domain.delete | Email domain is deleted. Can be used to identify when an admin has deleted their email domain. When fired, the event contains information about the email domain that was deleted. |
| system.email_domain.update | Email domain is updated. Admin has updated the email domain. When fired, the event contains information about the email domain that was updated. |
| system.email_domain.verify | Verify email domain. Identifies whether an admin has succeeded or failed to verify the email domain. When fired, the event contains information about the email domain that is being verified. |
| system.feature.disable | Fired when self service features are requested to be disabled by admins. Use to determine who enabled the features and any limitations the features have. When fired, this event contains information about the requested features, their names and lifecycle state, the admin who made the change, and any possible limitations associated with the features. Related events include 'system.feature.enable'. |
| system.feature.ea_auto_enroll | Fired when an org has subscribed to or unsubscribed from EA Feature Auto Enroll. This can be used to understand the status of EA Feature Auto Enroll subscription and identify who has made changes to the subscription. When fired, this event contains information about the status of EA Feature Auto enroll subscription, as well as the admin who made any subscription changes. |
| system.feature.enable | Fired when self service features are requested to be enabled by admins. Use to determine who enabled the features and any limitations the features have. When fired, this event contains information about the requested features, their names and lifecycle state, the admin who made the change, and any possible limitations associated with the features. Related events include 'system.feature.disable'. |
| system.hook.key.created | Create a new hook key. This event can be used to identify when an admin created a new hook key. When triggered, this event contains information about the created hook key. |
| system.hook.key.deleted | Delete a hook key. This event can be used to identify when an admin deleted a hook key. When triggered, this event contains information about the deleted hook key. |
| system.hook.key.updated | Update a hook key. This event can be used to identify when an admin updated a hook key. When triggered, this event contains information about the updated hook key. |
| system.identity_sources.bulk_delete | Upload bulk delete data. Loads bulk data into an Identity Source Session for deactivation in Okta for an identity source. This event can be used to track the deactivations of user profiles in Okta from the custom identity source. |
| system.identity_sources.bulk_group_delete | Upload bulk groups delete data. Loads bulk groups data into an Identity Source Session for deactivation in Okta for an identity source. This event can be used to track the deactivations of group profiles in Okta from the custom identity source. |
| system.identity_sources.bulk_group_membership_delete | Upload bulk group membership delete data. Loads bulk group membership data into an Identity Source Session to delete group membership in Okta for an identity source. This event can be used to track the deletion of group membership in Okta from the custom identity source. |
| system.identity_sources.bulk_group_membership_upsert | Upload bulk group membership upsert data. Loads bulk group membership data into an Identity Source Session for adding group membership in Okta for an identity source. This event can be used to track the addition of group membership in Okta from the custom identity source. |
| system.identity_sources.bulk_group_upsert | Upload bulk groups upsert data. Loads bulk groups data into an Identity Source Session for inserting or updating group profiles in Okta for an identity source. This event can be used to track the insertions and updates of group profiles in Okta from the custom identity source. |
| system.identity_sources.bulk_upsert | Upload bulk upsert data. Loads bulk data into an Identity Source Session for inserting or updating user profiles in Okta for an identity source. This event can be used to track the insertions and updates of Okta user profiles from the custom identity source. |
| system.identity_sources.group.create | Create an identity source group. Creates a new group in Okta from an identity source. This event tracks the creation of a group in Okta sourced from a custom identity source. |
| system.identity_sources.group.delete | Delete an identity source group. Deletes a group in Okta from an identity source. This event tracks the deletion of a group in Okta sourced from a custom identity source. |
| system.identity_sources.group.update | Update an identity source group. Updates a group in Okta from an identity source. This event tracks the update of a group profile in Okta sourced from a custom identity source. Payload must include changeDetails. |
| system.identity_sources.group.user.assign | Assign a user to an identity source group. Assigns a user to an identity source group in Okta. This event tracks the assignment of a user to a group in Okta sourced from a custom identity source. |
| system.identity_sources.group.user.revoke | Revoke a user from an identity source group. Revokes a user from an identity source group in Okta. This event tracks the removal of a user from a group in Okta sourced from a custom identity source. |
| system.identity_sources.user.create | Create an identity source user. Creates a new user in Okta from an identity source. This event tracks the creation of a user in Okta sourced from a custom identity source. |
| system.identity_sources.user.delete | Delete an identity source user. Deletes a user in Okta from an identity source. This event tracks the deletion of a user in Okta sourced from a custom identity source. |
| system.identity_sources.user.update | Update an identity source user. Updates a user in Okta from an identity source. This event tracks the update of a user profile in Okta sourced from a custom identity source. Payload must include changeDetails. |
| system.idp.key.create | Identity provider key credential created. This can be used to audit that a new identity provider key credential has been created. When fired, this event indicates a new X.509 certificate credential is added to the IdP key store. |
| system.idp.key.delete | Identity provider key credential deleted. This can be used to audit that an identity provider key credential has been deleted. When fired, this event indicates an X.509 certificate credential by kid is deleted if it isn't currently being used by an active or inactive IdP. |
| system.idp.key.update | Identity provider key credential updated. This can be used to audit that an identity provider key credential has been updated. When fired, this event indicates an X.509 certificate credential is updated in the IdP key store. |
| system.idp.lifecycle.activate | Identity provider activated. This can be used to audit that an identity provider has been activated. When fired, this event indicates an Identity provider was activated. This event also indicates the type of the identity provider that was activated. |
| system.idp.lifecycle.create | Identity provider created. This can be used to audit that a new identity provider has been created. When fired, this event indicates an Identity provider was successfully created. This event also indicates the type of the identity provider that was created. |
| system.idp.lifecycle.deactivate | Identity provider deactivated. This can be used to audit that an identity provider has been deactivated. When fired, this event indicates an Identity provider has been deactivated. This event also indicates the type of the identity provider that was deactivated. |
| system.idp.lifecycle.delete | Identity provider deleted. This can be used to audit that an identity provider has been deleted. When fired, this event indicates an Identity provider was deleted. This event also indicates the type of the identity provider that was deleted. |
| system.idp.lifecycle.read_client_secret | Identity provider(s) with a client secret were read. This can be used to audit that identity provider(s) with a client secret have been read. When fired, this event indicates one or more Identity providers with a client secret were read. |
| system.idp.lifecycle.update | Identity provider updated. This can be used to audit that an identity provider configuration has been updated. When fired, this event indicates an Identity provider configuration was updated. This event also indicates the type of the identity provider that was updated. |
| system.import.clear.unconfirmed.users.summary | Clear Unconfirmed Imported Users. Can be used for clearing unconfirmed imported users from last import result. Note that a single event is fired for clearing unconfirmed imported users instead of firing a delete event for each user. |
| system.import.complete | Import process complete. |
| system.import.complete_batch | Batch import process complete. |
| system.import.custom_object.complete | Import of custom objects completed. |
| system.import.custom_object.create | Create custom object triggered by import process. |
| system.import.custom_object.delete | Delete custom object triggered by import process. |
| system.import.custom_object.update | Update custom object triggered by import process. |
| system.import.download.complete | Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import, as well as to monitor to trigger processes that should run concurrently with the import. |
| system.import.download.start | Fired at the start of the download objects phase, when the objects (users, groups, devices) to be imported are being downloaded from the system of record. This can be used to determine when an import has started, as well as to monitor to trigger processes that should run concurrently with the import. |
| system.import.entitlement | Emitted during the entitlement discovery process to identify entitlement schemas, excluding assignments. Tracks entitlement discovery status. In case of a NullPointerException (NPE), the outcome.result will be 'SKIPPED'. Use this event to track the status of entitlements during discovery. |
| system.import.entitlement.mismatch | Skipping of entitlement during import of a user. This event is emitted during import whenever a user has entitlements associated with it that are not present in Okta. This event can be used to track the user entitlements that were skipped during import. |
| system.import.group.complete | Import of groups completed. |
| system.import.group.create | Create group triggered by import process. |
| system.import.group.delete | Remove group triggered by import process. |
| system.import.group.start | Start importing groups from refreshing AppGroups. |
| system.import.group.update | Update group triggered from import process. |
| system.import.group_membership.complete | Import of application group members completed. |
| system.import.implicit_deletion.complete | Fired upon completion of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, as well as to monitor to trigger processes that should run concurrently with the import. |
| system.import.implicit_deletion.start | Fired at the start of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, as well as to monitor to trigger processes that should run concurrently with the import. |
| system.import.import_profile | Import user profile triggered by import process. |
| system.import.import_provisioning_info | Import provisioning info triggered by import process. |
| system.import.membership_processing.complete | Fired upon completion of the membership processing phase, when Okta checks which groups users being imported into Okta should be added to/removed from. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.import.membership_processing.start | Fired at the start of the membership processing phase, when Okta checks which groups users being imported into Okta should be added to/removed from. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.import.object_creation.complete | Fired upon completion of the object creation phase, when the first batch of objects is created/updated. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.import.object_creation.start | Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.import.roadblock | Import roadblock triggered due to exceeded threshold. |
| system.import.roadblock.reschedule_and_resume | The affected import from AppInstance has been rescheduled. All other imports will resume. |
| system.import.roadblock.resume | The affected import from AppInstance has been canceled. All other imports will resume. |
| system.import.roadblock.updated | Fired when an import roadblock (aka, Import Safeguard) has been updated. This event can be used to identify when an admin updated the Max Import Unassignment roadblock setting, and what the setting was updated to. This event includes details on what the roadblock was updated to and who made the change. |
| system.import.schedule | Import process was scheduled. This event can be used to track when import jobs were triggered, which helps with audit trails. This event may also be useful when troubleshooting a failed import, as it indicates the time at which the process was first triggered and the user or application that invoked the import. Import is a multi-stage process which may import users, groups, and group memberships. Each stage has corresponding events in the system log. For example, 'system.import.user.start' indicates the beginning of the user import process. |
| system.import.session.cancelled | Import session for identity source canceled. This event appears when an import session is canceled and not available for further activity. Only sessions that are in CREATED or IN_PROGRESS status can be canceled. Previously uploaded entities are deleted from a canceled identity import session. |
| system.import.session.created | Create new import session for identity source. This event appears when a new import session is created for a given identity source to bulk upload entities. This event includes information on when the session was created. |
| system.import.session.expired | Import session for identity source expired. This event appears when a session in CREATED or IN_PROGRESS status is marked as EXPIRED after 24 hours of inactivity. Expired sessions can no longer be used for import operations. |
| system.import.session.triggered | Triggered import session for identity source. This event appears when an import session was triggered. It's used to make changes in Okta to insert, update, or delete the entities that are submitted by the identity source. |
| system.import.start | Import started. |
| system.import.user.complete | Import of user completed. |
| system.import.user.create | Create user triggered by import process. |
| system.import.user.delete | Delete user triggered by import process. |
| system.import.user.match | Assign user triggered by import process with callback. This event can be used to alter the matching result for a given imported user. This event is fired when the matching result is altered by the synchronous callback. |
| system.import.user.start | Start importing users triggered by import process. |
| system.import.user.suspend | Suspend user triggered by import process. |
| system.import.user.unsuspend | Unsuspend user triggered by import process. |
| system.import.user.unsuspend_after_confirm | |
| system.import.user.update | Update user triggered by import process. |
| system.import.user.update_user_lifecycle_from_master | Update user status triggered by import process. |
| system.import.user_csv.complete | Bulk import of users from CSV is completed. Informs when bulk user import from CSV has been completed. This event is logged when bulk user import from CSV has completed with the outcome as success or failure. When fired, this event also contains debug context about the number of users added/updated/unchanged or with errors. |
| system.import.user_csv.start | Bulk import of users from CSV is started. Informs when an upload for bulk import of users from CSV has been attempted. This event is logged when bulk user import from CSV has started and is a precursor to the user.lifecycle.create and user.lifecycle.activate events. |
| system.import.user_match.confirm | Import user matching assignment confirmed. This event can be used to track when the confirmation of user matching assignments was triggered on the Import page, which helps with audit trails. This event may also be useful when troubleshooting incorrect user matches. After users are imported from the app, they're matched and assigned with existing Okta users on the basis of Name, Username, and Email. The assignment confirmation is a manual step, needing admin intervention. |
| system.import.user_match.unignore | Assignment was unignored. This event indicates that a user match, which was previously marked to be ignored during imports, has been reactivated for consideration. It's important for tracking changes in user matching policies and decisions during the import process. This event can be of critical importance for auditing purposes, especially when investigating why certain user accounts were matched or updated after being ignored in previous imports. It helps maintain the accuracy and integrity of user data by ensuring that valid matches are not permanently overlooked. |
| system.import.user_match.update | Assignment was modified. This event can be used to track when an assignment was modified. This may also be useful when troubleshooting incorrect user assignments. After users are imported from the app, they're matched and assigned with existing Okta users on the basis of Name, Username, and Email. Assignments can be modified by the admin through a manual intervention. |
| system.import.user_matching.complete | Fired upon completion of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.import.user_matching.start | Fired at the start of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import. |
| system.iwa.create | Create IWA agent. |
| system.iwa.go_offline | IWA going offline. |
| system.iwa.go_online | IWA going online. |
| system.iwa.promote_primary | Promote IWA agent to primary. |
| system.iwa.remove | Remove IWA agent. |
| system.iwa.update | Update IWA agent. |
| system.iwa.use_default | No primary IWA app found. Using default login. |
| system.iwa_agentless.auth | Agentless IWA authentication. |
| system.iwa_agentless.auth_after_redirect | Fired after redirection from Agentless DSSO failure. This can be used to track the start of a subsequent authentication request after Agentless DSSO fails. This can also be used for end-to-end tracking of an ADSSO failure to the subsequent authentication it is redirected to by searching for the common stateTokenHash. When fired, this event contains the stateTokenHash which will be common before and after the redirection occurs. |
| system.iwa_agentless.redirect | Fired when an Agentless DSSO authentication request is redirected to an onprem IWA authentication or the default login page. This can be used to identify when an agentless authentication request resulted in a redirect to an onprem IWA or default login page. This can also be used to identify the potential cause of the redirect. When fired, this event identifies the cause of the redirection. When a custom error page is defined, a redirect event is not always generated when a redirection occurs. |
| system.iwa_agentless.update | Update to agentless IWA. |
| system.iwa_agentless.user.not_found | Fired when a user could not be found during Agentless DSSO authentication, resulting in an authentication failure. This can be used to identify when an agentless authentication request resulted in a failure. The failure could be due to the user not being found in Okta, Okta not being able to connect to AD, or the user not being found in AD. This can also be used to identify the potential cause of the failure. When fired, this event contains information about the potential cause of the failure. |
| system.iwa_agentless_kerberos.update | Fires when Kerberos realm settings are updated by an admin. This event fires when the update is successful or fails. This can be used to audit Kerberos realm settings and troubleshoot why Kerberos authentication failed. When fired, this event indicates whether the Kerberos realm setting update succeeded or failed. This event also indicates the initiator of the event and the current setting for Kerberos Realm. Related events: none, all debugging context is included in this event. |
| system.ldapi.admin_limit_exceeded | This event indicates that an administrative limit was exceeded when processing an LDAP interface operation. It can be used to audit and debug failures caused by exceeding an administrative limit. This event may occur periodically when an LDAP operation results in a large number of corresponding actions in the Okta directory. These errors are often temporary and will subside when Okta has processed the actions. Contact Okta support if you see such errors consistently over the course of a day or more. |
| system.ldapi.bind | Fired when a user performs a BIND to LDAP Interface. Can be used to identify when a user attempted to perform an LDAP authentication for audit or debugging purposes. The firing of this event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation. |
| system.ldapi.search | Fired when a user performs a SEARCH to LDAP Interface. Can be used to identify when a user attempted to perform a search on LDAP Interface for audit or debugging purposes. The firing of this event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation. |
| system.ldapi.unbind | Fired when a user performs an UNBIND to LDAP Interface. Can be used to identify when a user attempted to end an LDAP Interface session for audit or debugging purposes. The firing of this event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation. |
| system.log_stream.lifecycle.activate | Log stream activated. This event can be used to track and audit when a user activates a log stream. When fired, this event indicates that a user activated a log stream configuration. |
| system.log_stream.lifecycle.create | Log stream created. This event can be used to track and audit when a user creates a log stream. When fired, this event indicates that a user created a log stream configuration. |
| system.log_stream.lifecycle.deactivate | Log stream deactivated. This event can be used to track and audit when a user or Okta deactivates a log stream. When fired, this event indicates that a user or Okta deactivated a log stream configuration. |
| system.log_stream.lifecycle.delete | Log stream deleted. This event can be used to track and audit when a user deletes a log stream. When fired, this event indicates that a user deleted a log stream configuration. |
| system.log_stream.lifecycle.update | Log stream updated. This event can be used to track and audit when a user updates a log stream. When fired, this event indicates that a user updated a log stream configuration. |
| system.mfa.factor.activate | Activate a new authentication factor. Can be used to identify when an admin has enabled a new factor for authentication. When fired the event will contain details of which factor is enabled. |
| system.mfa.factor.deactivate | Deactivate MFA factor. Can be used to identify when an admin has disabled a factor for MFA. When fired the event will contain details of which factor is disabled. |
| system.oauth2.token.request_outside_allowed_range | Request with valid bearer tokens made from outside the allowed network zone. Use to detect when a bearer token comes from an IP address that's outside of the specified allowed zone. Fired when a bearer token comes from an IP address that's outside of the specified allowed zone of the client. |
| system.operation.concurrency_limit.violation | Operation concurrency limit violation. This can be used to track if there are too many concurrent operations of the given type. The operation type information is available in debugData. When fired, this event contains information about the operation such as its actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the concurrency limit is being applied (e.g. web_request), OperationRateLimitSubtype defines specific subtypes (e.g. ssws_token) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. token). |
| system.operation.rate_limit.violation | Operation rate limit violation. This can be used to track if an operation is exceeding its rate limit. When fired, this event contains information about the operation such as actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the rate limit is being applied (e.g. authenticator_otp_verification), OperationRateLimitSubtype defines specific subtypes (e.g. Email Factor for authenticator_otp_verification) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. user or org level). Formerly, this event was used to indicate blocked SMS/Call transactions; see system.sms.send*/system.voice.send* for blocked transactions. |
| system.operation.rate_limit.warning | Operation rate limit warning. This can be used to track if an operation is approaching its rate limit. When fired, this event contains information about the operation such as actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the rate limit is being applied (e.g. authenticator_otp_verification), OperationRateLimitSubtype defines specific subtypes (e.g. Email, SMS or Voice call for authenticator_otp_verification type) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. user or org level). |
| system.org.captcha.activate | Enable org-wide captcha support. Indicates when org-wide captcha support is enabled, for which pages and using which captcha instance. This event is fired when org admin enables org-wide captcha for any supported pages. |
| system.org.captcha.deactivate | Disable org-wide captcha support. Indicates when org-wide captcha support is disabled. This event is fired when org admin disables org-wide captcha support for all pages. |
| system.org.lifecycle.create | Org creation. |
| system.org.rate_limit.burst | Fired when burst rate limit capacity is activated. This can be used to identify when an API in the Org exceeds standard rate limits and the frequency with which the activities occur. This event is fired after a corresponding warning event. If usage continues on this API the risk is hitting a rate limit violation which will fire a corresponding violation event. The event contains a burst rate limit threshold which informs how much capacity is remaining before a violation occurs. |
| system.org.rate_limit.expiration.warning | Rate limit approaching expiration date. |
| system.org.rate_limit.violation | Rate limit violation. |
| system.org.rate_limit.warning | Rate limit warning. |
| system.org.task.remove | Tasks removed. |
| system.push.send_factor_verify_push | Fired when a Push notification is sent to a device. Used to notify admins when a push was sent to a user for verification. Note that this event is fired whenever a Push is sent. |
| system.rate_limit.configuration.update | Rate limit configuration update. This can be used to trace changes that an org admin makes to the rate limit configuration. This event is triggered when an admin updates rate limit related settings in the admin portal, including but not limited to: (1) update client rate limit enforcement mode; (2) enable or disable rate limit notification; (3) update the warning threshold of rate limit notification; (4) update rate limit percentage of API token. |
| system.self_service.configuration.update | Self-service for apps configuration updated. Identify changes to self-service application request settings which may allow a user to request to add an application to their end user dashboard. Self-service application requests are different than Okta Identity Governance (OIG) Access requests. See events beginning with access.request for events relevant to OIG Access requests. |
| system.sms.receive_status | Fired when receiving a status update on an SMS message from the provider. This event can be used by Org Admins to identify users that are/aren't getting one-time passcodes delivered successfully via SMS; the provider status can be obtained from the status field in debug data. For any system.sms.send_* event, there should be exactly one of this event. |
| system.sms.send_account_unlock_message | Send self-service account unlock SMS message. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.sms.send_factor_verify_message | Send second factor auth SMS. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.sms.send_okta_push_verify_message | Send activate Okta Verify Push for mobile SMS. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.sms.send_password_reset_message | Send self-service password reset SMS message. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.sms.send_phone_verification_message | Send phone verification SMS message. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.theme.update | This event is fired when the theme resource is updated. Developer and org admins can use this event to identify when and how the theme resource was updated. Event details can be used to identify changes made to theme assets including updates to theme hex codes, logo, background image, and favicon. This event also tracks which combination of theme assets was applied to end-user pages such as the sign-in page, error pages, and email templates. |
| system.voice.receive_status | Fired when receiving a status update on a voice call from the provider. This event can be used by Org Admins to identify users that are/aren't getting one-time passcodes delivered successfully via voice call; the provider status can be obtained from the status field in debug data. For any system.voice.send_* event, there should be exactly one of this event. |
| system.voice.send_account_unlock_call | Send self-service account unlock call. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.voice.send_call | Send phone call. |
| system.voice.send_mfa_challenge_call | Send second factor auth call. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.voice.send_password_reset_call | Send self-service password reset call. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.voice.send_phone_verification_call | Send phone verification call. As of the 2022.06.0 release this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine. |
| system.well_known_uri.update | The well-known URI was updated. Identify the previous and current versions of a well-known URI for a custom brand, such as assetlinks.json. The brand id and specific well-known URI are available in the target resource. |
system.agent.ad.config_change_detected
Description
A monitored variable in an AD agent configuration file has changed. This can be used to audit that a customer's AD agent configuration file has changed. This event occurs when a monitored variable in an AD agent configuration file has changed.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.config_change_detected https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-config_change_detected
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.connect
Description
Connect AD agent to Okta.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.connect https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-connect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.create
Description
Create AD agent.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.create https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.deactivate
Description
Deactivate AD agent.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.delete
Description
Delete AD agent.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.delete https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.dirsync.verify
Description
Verify AD agent compatibility for DirSync-based imports. Use this event to audit which AD agents meet DirSync requirements, set up alerts when agents need remediation before DirSync-based imports can run, and troubleshoot import failures related to agent version or configuration gaps. outcome.result = SUCCESS indicates the agent meets all DirSync requirements. FAILURE indicates the agent requires intervention, such as a version upgrade (minimum 3.20.0) or service account permission changes.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.agent.ad.dirsync.verify https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-dirsync-verify
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.import_ou
#Description
Perform import OU by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.import_ou https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-import_ou
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.import_user
#Description
Perform import user by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.import_user https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-import_user
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.invoke_dir
#Description
Perform directory invoke command by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.invoke_dir https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-invoke_dir
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.reactivate
#Description
Reactivate AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.reactivate https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-reactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.read_config
#Description
Perform config read by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.read_config https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-read_config
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.read_dirsync
#Description
Perform dirsync read by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.read_dirsync https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-read_dirsync
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.read_ldap
#Description
Perform LDAP read by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.read_ldap https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-read_ldap
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.read_schema
#Description
Perform schema read by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.read_schema https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-read_schema
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.read_topology
#Description
Directory agent performed topology import operation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.read_topology https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-read_topology
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.realtimesync
#Description
Perform RealTimeSync by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.realtimesync https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-realtimesync
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.reset_user_password
#Description
Perform user password reset by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.reset_user_password https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-reset_user_password
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.start
#Description
Start AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.start https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.unlock_user_account
#Description
Perform unlock user account by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.unlock_user_account https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-unlock_user_account
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.update
#Description
Update AD agent configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.update https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.update_user
#Description
User Auth and Update.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.update_user https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-update_user
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.upgrade
#Description
Upgrade AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.upgrade https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-upgrade
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.upload_iwa_log
#Description
Fired when an AD agent has fetched and uploaded an IWA agent log file. This event fires whether the log file upload succeeds or fails. It can be used to audit that log files are being fetched and uploaded successfully, and to troubleshoot why an IWA log upload has failed. The event also indicates whether it was initiated by the Okta system or a user. Related events: none; all debugging context is included in this event.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.upload_iwa_log https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-upload_iwa_log
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.upload_log
#Description
Upload AD agent log.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.upload_log https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-upload_log
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ad.write_ldap
#Description
Perform LDAP write by AD agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ad.write_ldap https://developer.okta.com/docs/reference/api/event-types/#system-agent-ad-write_ldap
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.auto_update
#Description
Fired when an individual agent auto-update succeeds or fails. It confirms a successful agent auto-update, or provides troubleshooting information when the agent auto-update is unsuccessful.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.auto_update https://developer.okta.com/docs/reference/api/event-types/#system-agent-auto_update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.connector.connect
#Description
Connect connector agent to Okta.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.connector.connect https://developer.okta.com/docs/reference/api/event-types/#system-agent-connector-connect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.connector.deactivate
#Description
Deactivate connector agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.connector.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-agent-connector-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.connector.delete
#Description
Delete connector agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.connector.delete https://developer.okta.com/docs/reference/api/event-types/#system-agent-connector-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.connector.reactivate
#Description
Reactivate connector agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.connector.reactivate https://developer.okta.com/docs/reference/api/event-types/#system-agent-connector-reactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.change_user_password
#Description
Perform change user password by LDAP agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.change_user_password https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-change_user_password
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.config_change_detected
#Description
A monitored variable in an LDAP agent configuration file has changed. Use this event to audit when a customer's LDAP agent configuration file changes.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.config_change_detected https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-config_change_detected
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.create_user_JIT
#Description
Perform create user JIT by LDAP agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.create_user_JIT https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-create_user_JIT
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.disconnect
#Description
Disconnect LDAP agent from Okta.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.disconnect https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-disconnect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.realtimesync
#Description
Fired when LDAP Delegated Authentication is used to sign in and a user profile is updated using the RealTimeSync action. Admins can use it to identify user profile changes resulting from corresponding changes in the LDAP directory. The previous name for this event was system.agent.ad.realtimesync.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.realtimesync https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-realtimesync
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.reconnect
#Description
Reconnect LDAP agent to Okta.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.reconnect https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-reconnect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.reset_user_password
#Description
LDAP agent performed a password reset.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.reset_user_password https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-reset_user_password
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.unlock_user_account
#Description
LDAP agent performed account unlock for User.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.unlock_user_account https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-unlock_user_account
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.update_user
#Description
Fired when LDAP Delegated Authentication is used to sign in and a user profile is updated. Can be used by admins to identify user profile changes resulting from corresponding changes in the LDAP directory. The previous name for this event was system.agent.ad.update_user.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.update_user https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-update_user
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.ldap.update_user_password
#Description
Perform update user password by LDAP agent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.ldap.update_user_password https://developer.okta.com/docs/reference/api/event-types/#system-agent-ldap-update_user_password
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent.register
#Description
Agent was registered. This event indicates that an agent (such as Okta Provisioning Agent, Okta RSA SecurID Agent, and so on) has been successfully registered with the Okta org. This also provides a signal to all admins of the Okta org that a new agent was registered, which improves the overall security posture. This event can be used to track the deployment and integration of Okta agents across an org's infrastructure. This information can be useful for security audits, compliance reporting, and managing the overall Okta ecosystem.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent.register https://developer.okta.com/docs/reference/api/event-types/#system-agent-register
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.agent_pools.auto_update
#Description
Fired when the status of an agent pool auto-update changes. Confirms the status change and provides troubleshooting information.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.agent_pools.auto_update https://developer.okta.com/docs/reference/api/event-types/#system-agent_pools-auto_update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.api_token.create
#Description
Create API token. This event occurs when a new unscoped API token is generated within the system. The unscoped API token grants authenticated access to the system's API for automated tasks or integration purposes. Event log details include the token ID, the user or service it was created for, and the time of creation. This information helps maintain a secure API access framework by allowing administrators to track token issuance, enforce least-privilege access, and promptly identify any unauthorized token creation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
okta::eventType | in | system.api_token.create | 2 rules | kusto |
okta::eventType | in | policy.evaluate_sign_on | 1 rule | elastic, kusto |
okta::outcome.result | eq | SUCCESS | 2 rules | elastic, kusto |
eventType | eq | system.api_token.create | 1 rule | panther, sigma |
Detection Rules #
Rules referencing this event are listed by format: Sigma, Elastic, Kusto, YARA-L.
References #
- Okta Event Types Catalog: system.api_token.create https://developer.okta.com/docs/reference/api/event-types/#system-api_token-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.api_token.enable
#Description
Enable API token.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.api_token.enable https://developer.okta.com/docs/reference/api/event-types/#system-api_token-enable
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.api_token.request_outside_allowed_range
#Description
A request using an API token was made from outside the allowed network zone. Fired when a request with an API token comes from an IP address outside the allowed zone specified for that token. Use it to detect API token use from outside that zone.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.api_token.request_outside_allowed_range https://developer.okta.com/docs/reference/api/event-types/#system-api_token-request_outside_allowed_range
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.api_token.revoke
#Description
Revoke API token.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
eventType | eq | system.api_token.revoke | 1 rule | panther, sigma |
Detection Rules #
Rules referencing this event are listed by format: Sigma, Elastic, Kusto.
References #
- Okta Event Types Catalog: system.api_token.revoke https://developer.okta.com/docs/reference/api/event-types/#system-api_token-revoke
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.api_token.update
#Description
An API token has been updated. This event can be used to identify a change to an existing API token, such as a change to the applicable rate limits for the token. Details of the change can be found in the debugData. This event does not change whether the token is valid for use; for actions that impact validity, see system.api_token.enable and system.api_token.revoke.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.api_token.update https://developer.okta.com/docs/reference/api/event-types/#system-api_token-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.beta.feature.enable
#Description
Fired when an admin has enabled a BETA feature. This can be used to understand the status of the BETA Feature and identify who has enabled it for an org. When fired, this event contains information about the enabled BETA Feature, as well as the admin who enabled it.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.beta.feature.enable https://developer.okta.com/docs/reference/api/event-types/#system-beta-feature-enable
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.brand.create
Description
This event is fired when the brand resource is created. Developer and org admins can use this event to identify when the brand resource was created. The event contains information about the created brand.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.brand.create https://developer.okta.com/docs/reference/api/event-types/#system-brand-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.brand.delete
Description
This event is fired when a brand resource is deleted. Developer and org admins can use this event to identify when a brand resource was deleted. The event contains information about a deleted brand.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.brand.delete https://developer.okta.com/docs/reference/api/event-types/#system-brand-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.brand.update
Description
This event is fired when the brand resource is updated. Developer and org admins can use this event to identify when the brand resource was updated. The event contains information about the specific updates made to the brand, such as "customPrivacyPolicyUrl".
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.brand.update https://developer.okta.com/docs/reference/api/event-types/#system-brand-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.captcha.create
Description
A captcha instance is created for the Sign-in Widget. Indicates when a captcha instance was created. This event is fired when an org admin creates a captcha instance.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.captcha.create https://developer.okta.com/docs/reference/api/event-types/#system-captcha-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.captcha.delete
Description
A captcha instance is deleted. Indicates when a captcha instance was deleted. This event is fired when an org admin deletes a captcha instance.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.captcha.delete https://developer.okta.com/docs/reference/api/event-types/#system-captcha-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.captcha.update
Description
A captcha instance is updated. Indicates when a captcha instance was updated. This event is fired when an org admin updates a captcha instance.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.captcha.update https://developer.okta.com/docs/reference/api/event-types/#system-captcha-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.client.concurrency_rate_limit.notification
Description
Notify when too many requests are in flight for a client. This can be used to notify whenever there are too many concurrent requests from a client without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.client.concurrency_rate_limit.notification https://developer.okta.com/docs/reference/api/event-types/#system-client-concurrency_rate_limit-notification
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.client.concurrency_rate_limit.violation
Description
Too many requests are in flight for a client. This can be used to track if there are too many concurrent requests from a client. When fired, this event contains information about the request such as client, device and IP details.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.client.concurrency_rate_limit.violation https://developer.okta.com/docs/reference/api/event-types/#system-client-concurrency_rate_limit-violation
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.client.rate_limit.notification
Description
Notify when client rate limits are exceeded. This can be used to notify whenever a client is exceeding its rate limit without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.client.rate_limit.notification https://developer.okta.com/docs/reference/api/event-types/#system-client-rate_limit-notification
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.client.rate_limit.violation
Description
Client rate limit violation. This can be used to track if a client is exceeding its rate limit. When fired, this event contains information about the request such as client, device and IP details.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.client.rate_limit.violation https://developer.okta.com/docs/reference/api/event-types/#system-client-rate_limit-violation
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.csv.import_user
Description
Import of a user from CSV is skipped. Informs when the import of a user from CSV has been skipped due to reasons such as missing required attributes or an unknown unique identifier. This event is logged when the import of a user is skipped during the CSV directory import workflow for on-premises systems using the Okta provisioning agent.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.csv.import_user https://developer.okta.com/docs/reference/api/event-types/#system-csv-import_user
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_email_server.lifecycle.activate
Description
Enable a custom email server. Audit the enablement of a custom email server.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_email_server.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#system-custom_email_server-lifecycle-activate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_email_server.lifecycle.create
Description
Create a custom email server. Audit the creation of a custom email server.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_email_server.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#system-custom_email_server-lifecycle-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_email_server.lifecycle.deactivate
Description
Disable a custom email server. Audit the disablement of a custom email server.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_email_server.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-custom_email_server-lifecycle-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_email_server.lifecycle.delete
Description
Delete a custom email server. Audit the deletion of a custom email server.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_email_server.lifecycle.delete https://developer.okta.com/docs/reference/api/event-types/#system-custom_email_server-lifecycle-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_email_server.lifecycle.update
Description
Update a custom email server. Audit an update to the configuration of a custom email server.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_email_server.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#system-custom_email_server-lifecycle-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_error.delete
Description
Custom error page is deleted. Can be used to identify when an admin has deleted the custom error page. Event fired when the custom error page is deleted.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_error.delete https://developer.okta.com/docs/reference/api/event-types/#system-custom_error-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_error.update
Description
Custom error page is updated. Can be used to identify when an admin has customized the error page. Event fired when the error page is successfully updated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_error.update https://developer.okta.com/docs/reference/api/event-types/#system-custom_error-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_signin.delete
Description
Custom sign-in page is deleted. Can be used to identify when an admin has deleted the custom sign-in page. Event fired when the custom sign-in page is deleted.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_signin.delete https://developer.okta.com/docs/reference/api/event-types/#system-custom_signin-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_signin.update
Description
Custom sign-in page is updated. Can be used to identify when an admin has customized the sign-in page. Event fired when the custom sign-in page is updated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_signin.update https://developer.okta.com/docs/reference/api/event-types/#system-custom_signin-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_signout.update
Description
Custom sign-out page is updated. Admin has updated the custom sign-out page. Event fired when the custom sign-out page is updated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_signout.update https://developer.okta.com/docs/reference/api/event-types/#system-custom_signout-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.cert_renew
#Description
Okta managed certificates for custom domain are renewed. Can be used to identify when okta managed certificate renewal batch job has renewed certificates for custom domain. When fired, the event contains information about the domain name and certificate source type.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.cert_renew https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-cert_renew
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.cert_upload
Description
Custom domain certificates are uploaded by an admin or generated by Okta. Can be used to identify when custom domain certificates are uploaded by an admin or generated by Okta. When fired, the event contains information about the domain name and certificate source type.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.cert_upload https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-cert_upload
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.delete
Description
Custom domain is deleted. Can be used to identify when an admin has deleted their custom domain. When fired, the event contains information about the domain name that was deleted.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.delete https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.initiate
Description
Custom domain setup is initiated. Admin has initiated custom domain setup by inputting their custom domain for DNS verification. When fired, the event contains information about the domain name, certificate source type and domain validation status.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.initiate https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-initiate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.update
Description
Custom domain brand association is updated. Admin has updated the custom domain association with the brand. When fired, the event contains the domain name, certificate source type, domain validation status and information about the brand it is associated with.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.update https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.custom_url_domain.verify
Description
Verify custom domain ownership. Identifies whether an admin has succeeded or failed to verify the ownership of the domain name. When fired, the event contains information about the domain name, certificate source type and domain validation status.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.custom_url_domain.verify https://developer.okta.com/docs/reference/api/event-types/#system-custom_url_domain-verify
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.directory.debugger.extend
Description
Extend Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access extension. When fired, this event contains information about the Directory Debugger access extension.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.directory.debugger.extend https://developer.okta.com/docs/reference/api/event-types/#system-directory-debugger-extend
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.directory.debugger.grant
Description
Grant Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access grants to Okta support. When fired, this event contains information about the Directory Debugger access grant.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.directory.debugger.grant https://developer.okta.com/docs/reference/api/event-types/#system-directory-debugger-grant
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.directory.debugger.query_executed
Description
A read-only query was executed against an AD/LDAP instance by Okta support using the Directory Debugger tool. This can be used to audit the queries executed by Okta support using Directory Debugger. When fired, this event contains information about the Directory Debugger query.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.directory.debugger.query_executed https://developer.okta.com/docs/reference/api/event-types/#system-directory-debugger-query_executed
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.directory.debugger.revoke
Description
Revoke Directory Debugger access for Okta support. This can be used to audit the revocation of Directory Debugger access. When fired, this event contains information about the Directory Debugger access revocation.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.directory.debugger.revoke https://developer.okta.com/docs/reference/api/event-types/#system-directory-debugger-revoke
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.dr.failback
Description
The Enhanced Disaster Recovery (EDR) failback operation for the org domains was initiated. This event is fired when the EDR failback operation for the org domains is initiated. If failback is successful, the outcome for this event will be SUCCESS. If failback is not successful, the outcome for this event will be FAILURE.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.dr.failback https://developer.okta.com/docs/reference/api/event-types/#system-dr-failback
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.dr.failover
Description
The Enhanced Disaster Recovery (EDR) failover operation for the org domains was initiated. This event is fired when the EDR failover operation for the org domains is initiated. If failover is successful, the outcome for this event will be SUCCESS. If failover is not successful, the outcome for this event will be FAILURE.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.dr.failover https://developer.okta.com/docs/reference/api/event-types/#system-dr-failover
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.account_unlock.sent_message
Description
Send self-service account unlock email.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.account_unlock.sent_message https://developer.okta.com/docs/reference/api/event-types/#system-email-account_unlock-sent_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.bounce.removal
Description
Attempted removal of one or more emails from the bounce list. Identifies email addresses that were submitted to Okta for removal from the email bounce list. This event does not guarantee that an email was removed from the bounce list; it only indicates that Okta contacted the email provider to attempt to remove it from the bounce list. The debugData object contains a reference to the email provider contacted by Okta, which maintains the bounce list. The target object contains a list of the email addresses that were submitted. A single target contains a maximum of 50 email addresses. Multiple events may be fired in response to a removal request.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.bounce.removal https://developer.okta.com/docs/reference/api/event-types/#system-email-bounce-removal
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.challenge_factor_redeemed
Description
User completed an email factor challenge. This can be used to identify when a credential sent in an email to a user has been redeemed (the link was clicked or the code was entered). When fired, this event contains information about the result: success if the challenge was successful, while for failure cases error reasons should be present (e.g. incorrect code, timeout, expired, etc.). The event also contains a debugData object with the action (the link was clicked or the code was entered).
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.challenge_factor_redeemed https://developer.okta.com/docs/reference/api/event-types/#system-email-challenge_factor_redeemed
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.delivery
Description
An email's delivery status was updated. Used to notify admins of a bounced or dropped email. For certain bounce events, the context information may be lost by the email provider(s) due to email server communication delays. Such delayed bounce events will not appear in syslog. As of the 2022.08.0 release, this is also used to identify other email events, e.g. delivered, deferred. See the event debugData for help identifying a remediation, such as updating an incorrect email address.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.delivery https://developer.okta.com/docs/reference/api/event-types/#system-email-delivery
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.mfa_enroll_notification.sent_message
Description
MFA enrollment notification email sent. Used to notify admins that an MFA enrollment notification email has been sent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.mfa_enroll_notification.sent_message https://developer.okta.com/docs/reference/api/event-types/#system-email-mfa_enroll_notification-sent_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.mfa_reset_notification.sent_message
Description
MFA reset notification email sent. Used to notify admins that an MFA reset notification email has been sent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.mfa_reset_notification.sent_message https://developer.okta.com/docs/reference/api/event-types/#system-email-mfa_reset_notification-sent_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.new_device_notification.sent_message
Description
New device sign-in notification email sent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.new_device_notification.sent_message https://developer.okta.com/docs/reference/api/event-types/#system-email-new_device_notification-sent_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.password_reset.sent_message
Description
Send self-service password reset email.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.password_reset.sent_message https://developer.okta.com/docs/reference/api/event-types/#system-email-password_reset-sent_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.send_factor_verify_message
Description
An email was sent to a user for verification. Used to notify admins that an email was sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.email.send_factor_verify_message https://developer.okta.com/docs/reference/api/event-types/#system-email-send_factor_verify_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.template.create
Description
This event is fired when a custom email template is created. Developers and Org Admins can use this to identify when a default email template has been overridden with a new template. The event details can be used to identify the template type and template engine. Usually this event will precede "system.email.template.update" or "system.email.template.delete" events.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.template.create https://developer.okta.com/docs/reference/api/event-types/#system-email-template-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.template.delete
Description
This event is fired when a custom email template is deleted. Developers and Org Admins can use this to identify when a custom email template has been deleted to fall back to the default template. The event details can be used to identify the template type and template engine. Usually this event will follow "system.email.template.create" or "system.email.template.update" events.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.template.delete https://developer.okta.com/docs/reference/api/event-types/#system-email-template-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.template.settings_changed
Description
This event is fired when the settings for an email template are changed. Developers and Org Admins can use this to identify when an email template setting has been changed. When fired, this event contains information about the email template and settings that were changed.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.template.settings_changed https://developer.okta.com/docs/reference/api/event-types/#system-email-template-settings_changed
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email.template.update
Description
This event is fired when a custom email template has been updated. Developers and Org Admins can use this to identify when a custom email template has been updated. The event details can be used to identify the template type and template engine. Usually this event will follow "system.email.template.create" and precede "system.email.template.delete" events.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email.template.update https://developer.okta.com/docs/reference/api/event-types/#system-email-template-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email_domain.create
Description
Email domain is created. Admin has initiated email domain setup by inputting their domain details for DNS verification. When fired, the event contains information about the domain name, display name, user name, brand id and validation status.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email_domain.create https://developer.okta.com/docs/reference/api/event-types/#system-email_domain-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email_domain.delete
Description
Email domain is deleted. Can be used to identify when an admin has deleted their email domain. When fired, the event contains information about the email domain that was deleted.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email_domain.delete https://developer.okta.com/docs/reference/api/event-types/#system-email_domain-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email_domain.update
Description
Email domain is updated. Admin has updated the email domain. When fired, the event contains information about the email domain that was updated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email_domain.update https://developer.okta.com/docs/reference/api/event-types/#system-email_domain-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.email_domain.verify
Description
Verify email domain. Identifies whether an admin has succeeded or failed to verify the email domain. When fired, the event contains information about the email domain that is being verified.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.email_domain.verify https://developer.okta.com/docs/reference/api/event-types/#system-email_domain-verify
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.feature.disable
Description
Fired when self service features are requested to be disabled by admins. Use to determine who enabled the features and any limitations the features have. When fired, this event contains information about the requested features, their names and lifecycle state, the admin who made the change, and any possible limitations associated with the features. Related events include 'system.feature.enable'.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.feature.disable https://developer.okta.com/docs/reference/api/event-types/#system-feature-disable
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.feature.ea_auto_enroll
Description
Fired when an org has subscribed to or unsubscribed from EA Feature Auto Enroll. This can be used to understand the status of the EA Feature Auto Enroll subscription and identify who has made changes to the subscription. When fired, this event contains information about the status of the EA Feature Auto Enroll subscription, as well as the admin who made any subscription changes.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.feature.ea_auto_enroll https://developer.okta.com/docs/reference/api/event-types/#system-feature-ea_auto_enroll
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.feature.enable
Description
Fired when self service features are requested to be enabled by admins. Use to determine who enabled the features and any limitations the features have. When fired, this event contains information about the requested features, their names and lifecycle state, the admin who made the change, and any possible limitations associated with the features. Related events include 'system.feature.disable'.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.feature.enable https://developer.okta.com/docs/reference/api/event-types/#system-feature-enable
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.hook.key.created
Description
Create a new hook key. This event can be used to identify when an admin created a new hook key. When triggered, this event contains information about the created hook key.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.hook.key.created https://developer.okta.com/docs/reference/api/event-types/#system-hook-key-created
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.hook.key.deleted
Description
Delete a hook key. This event can be used to identify when an admin deleted a hook key. When triggered, this event contains information about the deleted hook key.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.hook.key.deleted https://developer.okta.com/docs/reference/api/event-types/#system-hook-key-deleted
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.hook.key.updated
Description
Update a hook key. This event can be used to identify when an admin updated a hook key. When triggered, this event contains information about the updated hook key.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.hook.key.updated https://developer.okta.com/docs/reference/api/event-types/#system-hook-key-updated
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_delete
Description
Upload bulk delete data. Loads bulk data into an Identity Source Session for deactivation in Okta for an identity source. This event can be used to track the deactivations of user profiles in Okta from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_delete https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_group_delete
Description
Upload bulk groups delete data. Loads bulk groups data into an Identity Source Session for deactivation in Okta for an identity source. This event can be used to track the deactivations of group profiles in Okta from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_group_delete https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_group_delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_group_membership_delete
Description
Upload bulk group membership delete data. Loads bulk group membership data into an Identity Source Session to delete group membership in Okta for an identity source. This event can be used to track the deletion of group membership in Okta from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_group_membership_delete https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_group_membership_delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_group_membership_upsert
Description
Upload bulk group membership upsert data. Loads bulk group membership data into an Identity Source Session for adding group membership in Okta for an identity source. This event can be used to track the addition of group membership in Okta from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_group_membership_upsert https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_group_membership_upsert
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_group_upsert
Description
Upload bulk groups upsert data. Loads bulk groups data into an Identity Source Session for inserting or updating group profiles in Okta for an identity source. This event can be used to track the insertions and updates of group profiles in Okta from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_group_upsert https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_group_upsert
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.bulk_upsert
Description
Upload bulk upsert data. Loads bulk data into an Identity Source Session for inserting or updating user profiles in Okta for an identity source. This event can be used to track the insertions and updates of Okta user profiles from the custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.bulk_upsert https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-bulk_upsert
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.group.create
Description
Create an identity source group. Creates a new group in Okta from an identity source. This event tracks the creation of a group in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.group.create https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-group-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.group.delete
Description
Delete an identity source group. Deletes a group in Okta from an identity source. This event tracks the deletion of a group in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.group.delete https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-group-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.group.update
Description
Update an identity source group. Updates a group in Okta from an identity source. This event tracks the update of a group profile in Okta sourced from a custom identity source. Payload must include changeDetails.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.group.update https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-group-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.group.user.assign
Description
Assign a user to an identity source group. Assigns a user to an identity source group in Okta. This event tracks the assignment of a user to a group in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.group.user.assign https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-group-user-assign
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.group.user.revoke
Description
Revoke a user from an identity source group. Revokes a user from an identity source group in Okta. This event tracks the removal of a user from a group in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.group.user.revoke https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-group-user-revoke
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.user.create
Description
Create an identity source user. Creates a new user in Okta from an identity source. This event tracks the creation of a user in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.user.create https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-user-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.user.delete
Description
Delete an identity source user. Deletes a user in Okta from an identity source. This event tracks the deletion of a user in Okta sourced from a custom identity source.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.user.delete https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-user-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.identity_sources.user.update
Description
Update an identity source user. Updates a user in Okta from an identity source. This event tracks the update of a user profile in Okta sourced from a custom identity source. Payload must include changeDetails.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.identity_sources.user.update https://developer.okta.com/docs/reference/api/event-types/#system-identity_sources-user-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.key.create
Description
Identity provider key credential created. This can be used to audit that a new identity provider key credential has been created. When fired, this event indicates a new X.509 certificate credential is added to the IdP key store.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.key.create https://developer.okta.com/docs/reference/api/event-types/#system-idp-key-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.key.delete
Description
Identity provider key credential deleted. This can be used to audit that an identity provider key credential has been deleted. When fired, this event indicates an X.509 certificate credential, identified by kid, is deleted if it isn't currently being used by an active or inactive IdP.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.key.delete https://developer.okta.com/docs/reference/api/event-types/#system-idp-key-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.key.update
Description
Identity provider key credential updated. This can be used to audit that an identity provider key credential has been updated. When fired, this event indicates an X.509 certificate credential is updated in the IdP key store.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.key.update https://developer.okta.com/docs/reference/api/event-types/#system-idp-key-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.activate
Description
Identity provider activated. This can be used to audit that an identity provider has been activated. When fired, this event indicates an Identity provider was activated. This event also indicates the type of the identity provider that was activated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-activate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.create
Description
Identity provider created. This can be used to audit that a new identity provider has been created. When fired, this event indicates an Identity provider was successfully created. This event also indicates the type of the identity provider that was created.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules
- Sigma
- Elastic
References
- Okta Event Types Catalog: system.idp.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.deactivate
Description
Identity provider deactivated. This can be used to audit that an identity provider has been deactivated. When fired, this event indicates an Identity provider has been deactivated. This event also indicates the type of the identity provider that was deactivated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.delete
Description
Identity provider deleted. This can be used to audit that an identity provider has been deleted. When fired, this event indicates an Identity provider was deleted. This event also indicates the type of the identity provider that was deleted.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.lifecycle.delete https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.read_client_secret
Description
Identity provider(s) with a client secret read. This can be used to audit that one or more identity providers with a client secret have been read. When fired, this event indicates one or more identity providers with a client secret were read.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.lifecycle.read_client_secret https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-read_client_secret
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.idp.lifecycle.update
Description
Identity provider updated. This can be used to audit that an identity provider configuration has been updated. When fired, this event indicates an Identity provider configuration was updated. This event also indicates the type of the identity provider that was updated.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.idp.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#system-idp-lifecycle-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.clear.unconfirmed.users.summary
Description
Clear Unconfirmed Imported Users. Can be used for clearing unconfirmed imported users from the last import result. Note that a single event is fired for clearing unconfirmed imported users instead of firing a delete event for each user.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.clear.unconfirmed.users.summary https://developer.okta.com/docs/reference/api/event-types/#system-import-clear-unconfirmed-users-summary
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.complete
Description
Import process complete.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.complete_batch
Description
Batch import process complete.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.complete_batch https://developer.okta.com/docs/reference/api/event-types/#system-import-complete_batch
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.custom_object.complete
#Description
Import of custom objects completed.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.custom_object.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-custom_object-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.custom_object.create
#Description
Create custom object triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.custom_object.create https://developer.okta.com/docs/reference/api/event-types/#system-import-custom_object-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.custom_object.delete
#Description
Delete custom object triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.custom_object.delete https://developer.okta.com/docs/reference/api/event-types/#system-import-custom_object-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.custom_object.update
#Description
Update custom object triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.custom_object.update https://developer.okta.com/docs/reference/api/event-types/#system-import-custom_object-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.download.complete
#Description
Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.download.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-download-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.download.start
#Description
Fired at the start of the download objects phase, when the objects (users, groups, devices) to be imported are being downloaded from the system of record. This can be used to determine when an import has started, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.download.start https://developer.okta.com/docs/reference/api/event-types/#system-import-download-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.entitlement
#Description
Emitted during the entitlement discovery process to identify entitlement schemas, excluding assignments. Tracks entitlement discovery status. In case of a NullPointerException (NPE), the outcome.result will be 'SKIPPED'. Use this event to track the status of entitlements during discovery.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.entitlement https://developer.okta.com/docs/reference/api/event-types/#system-import-entitlement
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.entitlement.mismatch
#Description
An entitlement was skipped during the import of a user. This event is emitted during import whenever a user has associated entitlements that are not present in Okta. Use this event to track the user entitlements that were skipped during import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.entitlement.mismatch https://developer.okta.com/docs/reference/api/event-types/#system-import-entitlement-mismatch
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group.complete
#Description
Import of groups completed.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-group-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group.create
#Description
Create group triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group.create https://developer.okta.com/docs/reference/api/event-types/#system-import-group-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group.delete
#Description
Remove group triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group.delete https://developer.okta.com/docs/reference/api/event-types/#system-import-group-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group.start
#Description
Start importing groups from refreshing AppGroups.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group.start https://developer.okta.com/docs/reference/api/event-types/#system-import-group-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group.update
#Description
Update group triggered from import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group.update https://developer.okta.com/docs/reference/api/event-types/#system-import-group-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.group_membership.complete
#Description
Import of application group members completed.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.group_membership.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-group_membership-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.implicit_deletion.complete
#Description
Fired upon completion of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.implicit_deletion.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-implicit_deletion-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.implicit_deletion.start
#Description
Fired at the start of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.implicit_deletion.start https://developer.okta.com/docs/reference/api/event-types/#system-import-implicit_deletion-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.import_profile
#Description
Import user profile triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.import_profile https://developer.okta.com/docs/reference/api/event-types/#system-import-import_profile
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.import_provisioning_info
#Description
Import provisioning info triggered by import process.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.import_provisioning_info https://developer.okta.com/docs/reference/api/event-types/#system-import-import_provisioning_info
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.membership_processing.complete
#Description
Fired upon completion of the membership processing phase, when Okta checks which groups the users being imported into Okta should be added to or removed from. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.membership_processing.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-membership_processing-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.membership_processing.start
#Description
Fired at the start of the membership processing phase, when Okta checks which groups the users being imported into Okta should be added to or removed from. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.import.membership_processing.start https://developer.okta.com/docs/reference/api/event-types/#system-import-membership_processing-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.object_creation.complete
#Description
Fired upon completion of the object creation phase, when the first batch of objects is created/updated. This can be used to determine the progress of an import, and monitored to trigger processes that should run concurrently with the import.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.object_creation.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-object_creation-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.object_creation.start
Description
Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import and to trigger processes that should run concurrently with the import.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.object_creation.start https://developer.okta.com/docs/reference/api/event-types/#system-import-object_creation-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.roadblock
Description
Import roadblock triggered due to exceeded threshold.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.roadblock https://developer.okta.com/docs/reference/api/event-types/#system-import-roadblock
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.roadblock.reschedule_and_resume
Description
The affected import from AppInstance has been rescheduled. All other imports will resume.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.roadblock.reschedule_and_resume https://developer.okta.com/docs/reference/api/event-types/#system-import-roadblock-reschedule_and_resume
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.roadblock.resume
Description
The affected import from AppInstance has been canceled. All other imports will resume.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.roadblock.resume https://developer.okta.com/docs/reference/api/event-types/#system-import-roadblock-resume
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.roadblock.updated
Description
Fired when an import roadblock (also known as Import Safeguard) has been updated. This event can be used to identify when an admin updated the Max Import Unassignment roadblock setting and what the setting was updated to. It includes details on what the roadblock was updated to and who made the change.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.roadblock.updated https://developer.okta.com/docs/reference/api/event-types/#system-import-roadblock-updated
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.schedule
Description
Import process was scheduled. This event can be used to track when import jobs were triggered, which helps with audit trails. It may also be useful when troubleshooting a failed import, as it indicates the time at which the process was first triggered and the user or application that invoked the import. Import is a multi-stage process that may import users, groups, and group memberships. Each stage has corresponding events in the system log. For example, 'system.import.user.start' indicates the beginning of the user import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.schedule https://developer.okta.com/docs/reference/api/event-types/#system-import-schedule
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.session.cancelled
Description
Import session for identity source canceled. This event appears when an import session is canceled and not available for further activity. Only sessions that are in CREATED or IN_PROGRESS status can be canceled. Previously uploaded entities are deleted from a canceled identity import session.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.session.cancelled https://developer.okta.com/docs/reference/api/event-types/#system-import-session-cancelled
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.session.created
Description
Create new import session for identity source. This event appears when a new import session is created for a given identity source to bulk upload entities. This event includes information on when the session was created.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.session.created https://developer.okta.com/docs/reference/api/event-types/#system-import-session-created
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.session.expired
Description
Import session for identity source expired. This event appears when a session in CREATED or IN_PROGRESS status is marked as EXPIRED after 24 hours of inactivity. Expired sessions can no longer be used for import operations.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.session.expired https://developer.okta.com/docs/reference/api/event-types/#system-import-session-expired
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.session.triggered
Description
Triggered import session for identity source. This event appears when an import session is triggered. It's used to make changes in Okta to insert, update, or delete the entities that are submitted by the identity source.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.session.triggered https://developer.okta.com/docs/reference/api/event-types/#system-import-session-triggered
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.start
Description
Import started.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.start https://developer.okta.com/docs/reference/api/event-types/#system-import-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.complete
Description
Import of user completed.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-user-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.create
Description
Create user triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.create https://developer.okta.com/docs/reference/api/event-types/#system-import-user-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.delete
Description
Delete user triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.delete https://developer.okta.com/docs/reference/api/event-types/#system-import-user-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.match
Description
Assign user triggered by import process with callback. This event can be used to alter the matching result for a given imported user. This event is fired when the matching result is altered by the synchronous callback.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.match https://developer.okta.com/docs/reference/api/event-types/#system-import-user-match
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.start
Description
Start importing users triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.start https://developer.okta.com/docs/reference/api/event-types/#system-import-user-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.suspend
Description
Suspend user triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.suspend https://developer.okta.com/docs/reference/api/event-types/#system-import-user-suspend
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.unsuspend
Description
Unsuspend user triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.unsuspend https://developer.okta.com/docs/reference/api/event-types/#system-import-user-unsuspend
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.unsuspend_after_confirm
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.unsuspend_after_confirm https://developer.okta.com/docs/reference/api/event-types/#system-import-user-unsuspend_after_confirm
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.update
Description
Update user triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.update https://developer.okta.com/docs/reference/api/event-types/#system-import-user-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user.update_user_lifecycle_from_master
Description
Update user status triggered by import process.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user.update_user_lifecycle_from_master https://developer.okta.com/docs/reference/api/event-types/#system-import-user-update_user_lifecycle_from_master
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_csv.complete
Description
Bulk import of users from CSV has completed. This event is logged when a bulk user import from CSV completes, with the outcome recorded as success or failure. When fired, this event also contains debug context about the number of users added, updated, unchanged, or with errors.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_csv.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-user_csv-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_csv.start
Description
Bulk import of users from CSV has started. This event indicates that a CSV upload for a bulk user import was attempted. It is logged when the bulk user import from CSV starts and is a precursor to user.lifecycle.create and user.lifecycle.activate events.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_csv.start https://developer.okta.com/docs/reference/api/event-types/#system-import-user_csv-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_match.confirm
Description
Import user matching assignment confirmed. This event can be used to track when the confirmation of user matching assignments was triggered on the Import page, which helps with audit trails. This event may also be useful when troubleshooting incorrect user matches. After users are imported from the app, they're matched and assigned with existing Okta users on the basis of Name, Username, and Email. The assignment confirmation is a manual step, needing admin intervention.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_match.confirm https://developer.okta.com/docs/reference/api/event-types/#system-import-user_match-confirm
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_match.unignore
Description
Assignment was unignored. This event indicates that a user match, which was previously marked to be ignored during imports, has been reactivated for consideration. It's important for tracking changes in user matching policies and decisions during the import process. This event can be of critical importance for auditing purposes, especially when investigating why certain user accounts were matched or updated after being ignored in previous imports. It helps maintain the accuracy and integrity of user data by ensuring that valid matches are not permanently overlooked.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_match.unignore https://developer.okta.com/docs/reference/api/event-types/#system-import-user_match-unignore
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_match.update
Description
Assignment was modified. This event can be used to track when an assignment was modified. This may also be useful when troubleshooting incorrect user assignments. After users are imported from the app, they're matched and assigned with existing Okta users on the basis of Name, Username, and Email. Assignments can be modified by the admin through a manual intervention.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_match.update https://developer.okta.com/docs/reference/api/event-types/#system-import-user_match-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_matching.complete
Description
Fired upon completion of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, and can be monitored to trigger processes that should run concurrently with the import.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_matching.complete https://developer.okta.com/docs/reference/api/event-types/#system-import-user_matching-complete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.import.user_matching.start
Description
Fired at the start of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, and can be monitored to trigger processes that should run concurrently with the import.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.import.user_matching.start https://developer.okta.com/docs/reference/api/event-types/#system-import-user_matching-start
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.create
Description
Create IWA agent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.create https://developer.okta.com/docs/reference/api/event-types/#system-iwa-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.go_offline
Description
IWA going offline.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.go_offline https://developer.okta.com/docs/reference/api/event-types/#system-iwa-go_offline
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.go_online
Description
IWA going online.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.go_online https://developer.okta.com/docs/reference/api/event-types/#system-iwa-go_online
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.promote_primary
Description
Promote IWA agent to primary.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.promote_primary https://developer.okta.com/docs/reference/api/event-types/#system-iwa-promote_primary
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.remove
Description
Remove IWA agent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.remove https://developer.okta.com/docs/reference/api/event-types/#system-iwa-remove
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.update
Description
Update IWA agent.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.update https://developer.okta.com/docs/reference/api/event-types/#system-iwa-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa.use_default
Description
No primary IWA app found. Using default login.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa.use_default https://developer.okta.com/docs/reference/api/event-types/#system-iwa-use_default
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless.auth
Description
Agentless IWA authentication.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless.auth https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless-auth
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless.auth_after_redirect
Description
Fired after redirection from Agentless DSSO failure. This can be used to track the start of a subsequent authentication request after Agentless DSSO fails. This can also be used for end-to-end tracking of an ADSSO failure to the subsequent authentication it is redirected to by searching for the common stateTokenHash. When fired, this event contains the stateTokenHash which will be common before and after the redirection occurs.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless.auth_after_redirect https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless-auth_after_redirect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless.redirect
Description
Fired when an Agentless DSSO authentication request is redirected to an on-prem IWA authentication or the default login page. This can be used to identify when an agentless authentication request resulted in a redirect to an on-prem IWA or default login page. This can also be used to identify the potential cause of the redirect. When fired, this event identifies the cause of the redirection. When a custom error page is defined, a redirect event is not always generated when a redirection occurs.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless.redirect https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless-redirect
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless.update
Description
Update to agentless IWA.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless.update https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless.user.not_found
Description
Fired when a user could not be found during Agentless DSSO authentication, resulting in an authentication failure. This can be used to identify when an agentless authentication request resulted in a failure. The failure could be due to the user not being found in Okta, Okta not being able to connect to AD, or the user not being found in AD. This can also be used to identify the potential cause of the failure. When fired, this event contains information about the potential cause of the failure.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless.user.not_found https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless-user-not_found
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.iwa_agentless_kerberos.update
Description
Fires when Kerberos realm settings are updated by an admin. This event fires whether the update succeeds or fails. This can be used to audit Kerberos realm settings and to troubleshoot why Kerberos authentication failed. When fired, this event indicates whether the Kerberos realm setting update succeeded or failed. This event also indicates the initiator of the event and the current setting for the Kerberos realm. Related events: none; all debugging context is included in this event.
Fields
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.iwa_agentless_kerberos.update https://developer.okta.com/docs/reference/api/event-types/#system-iwa_agentless_kerberos-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.ldapi.admin_limit_exceeded
Description
This event indicates that an administrative limit was exceeded when processing an LDAP interface operation. It can be used to audit and debug failures caused by exceeding an administrative limit. This event may occur periodically when an LDAP operation results in a large number of corresponding actions in the Okta directory. These errors are often temporary and will subside when Okta has processed the actions. Contact Okta support if you see such errors consistently over the course of a day or more.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.ldapi.admin_limit_exceeded https://developer.okta.com/docs/reference/api/event-types/#system-ldapi-admin_limit_exceeded
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.ldapi.bind
#Description
Fired when a user performs a BIND to the LDAP Interface. Can be used to identify when a user attempted to perform an LDAP authentication for audit or debugging purposes. This event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.ldapi.bind https://developer.okta.com/docs/reference/api/event-types/#system-ldapi-bind
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.ldapi.search
#Description
Fired when a user performs a SEARCH on the LDAP Interface. Can be used to identify when a user attempted to perform a search on the LDAP Interface for audit or debugging purposes. This event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.ldapi.search https://developer.okta.com/docs/reference/api/event-types/#system-ldapi-search
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.ldapi.unbind
#Description
Fired when a user performs an UNBIND from the LDAP Interface. Can be used to identify when a user attempted to end an LDAP Interface session for audit or debugging purposes. This event is subject to LDAPi event filtering rules and is only logged when a failure is returned for the given LDAP operation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.ldapi.unbind https://developer.okta.com/docs/reference/api/event-types/#system-ldapi-unbind
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.log_stream.lifecycle.activate
#Description
Log stream activated. This event can be used to track and audit when a user activates a log stream. When fired, this event indicates that a user activated a log stream configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.log_stream.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#system-log_stream-lifecycle-activate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.log_stream.lifecycle.create
#Description
Log stream created. This event can be used to track and audit when a user creates a log stream. When fired, this event indicates that a user created a log stream configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.log_stream.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#system-log_stream-lifecycle-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.log_stream.lifecycle.deactivate
#Description
Log stream deactivated. This event can be used to track and audit when a user or Okta deactivates a log stream. When fired, this event indicates that a user or Okta deactivated a log stream configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.log_stream.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-log_stream-lifecycle-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.log_stream.lifecycle.delete
#Description
Log stream deleted. This event can be used to track and audit when a user deletes a log stream. When fired, this event indicates that a user deleted a log stream configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.log_stream.lifecycle.delete https://developer.okta.com/docs/reference/api/event-types/#system-log_stream-lifecycle-delete
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.log_stream.lifecycle.update
#Description
Log stream updated. This event can be used to track and audit when a user updates a log stream. When fired, this event indicates that a user updated a log stream configuration.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.log_stream.lifecycle.update https://developer.okta.com/docs/reference/api/event-types/#system-log_stream-lifecycle-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.mfa.factor.activate
#Description
Activate a new authentication factor. Can be used to identify when an admin has enabled a new factor for authentication. When fired the event will contain details of which factor is enabled.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.mfa.factor.activate https://developer.okta.com/docs/reference/api/event-types/#system-mfa-factor-activate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.mfa.factor.deactivate
#Description
Deactivate MFA factor. Can be used to identify when an admin has disabled a factor for MFA. When fired the event will contain details of which factor is disabled.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Kusto #
References #
- Okta Event Types Catalog: system.mfa.factor.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-mfa-factor-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.oauth2.token.request_outside_allowed_range
#Description
Request with valid bearer tokens made from outside the allowed network zone. Use to detect when a bearer token comes from an IP address that's outside of the specified allowed zone. Fired when a bearer token comes from an IP address that's outside of the specified allowed zone of the client.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.oauth2.token.request_outside_allowed_range https://developer.okta.com/docs/reference/api/event-types/#system-oauth2-token-request_outside_allowed_range
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.operation.concurrency_limit.violation
#Description
Operation concurrency limit violation. This can be used to track if there are too many concurrent operations of the given type. The operation type information is available in debugData. When fired, this event contains information about the operation such as its actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the concurrency limit is being applied (e.g. web_request), OperationRateLimitSubtype defines specific subtypes (e.g. ssws_token) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. token).
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.operation.concurrency_limit.violation https://developer.okta.com/docs/reference/api/event-types/#system-operation-concurrency_limit-violation
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.operation.rate_limit.violation
#Description
Operation rate limit violation. This can be used to track if an operation is exceeding its rate limit. When fired, this event contains information about the operation such as actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the rate limit is being applied (e.g. authenticator_otp_verification), OperationRateLimitSubtype defines specific subtypes (e.g. Email Factor for authenticator_otp_verification) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. user or org level). Formerly, this event was used to indicate blocked SMS/Call transactions; see system.sms.send*/system.voice.send* for blocked transactions.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.operation.rate_limit.violation https://developer.okta.com/docs/reference/api/event-types/#system-operation-rate_limit-violation
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.operation.rate_limit.warning
#Description
Operation rate limit warning. This can be used to track if an operation is approaching its rate limit. When fired, this event contains information about the operation such as actor, type, scope and threshold details. OperationRateLimitType in debugData will indicate the category to which the rate limit is being applied (e.g. authenticator_otp_verification), OperationRateLimitSubtype defines specific subtypes (e.g. Email, SMS or Voice call for authenticator_otp_verification type) and OperationRateLimitScope will indicate the scope of the rate limit (e.g. user or org level).
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.operation.rate_limit.warning https://developer.okta.com/docs/reference/api/event-types/#system-operation-rate_limit-warning
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.captcha.activate
#Description
Enable org-wide captcha support. Indicates when org-wide captcha support is enabled, for which pages, and using which captcha instance. This event is fired when an org admin enables org-wide captcha for any supported pages.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.captcha.activate https://developer.okta.com/docs/reference/api/event-types/#system-org-captcha-activate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.captcha.deactivate
#Description
Disable org-wide captcha support. Indicates when org-wide captcha support is disabled. This event is fired when an org admin disables org-wide captcha support for all pages.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.captcha.deactivate https://developer.okta.com/docs/reference/api/event-types/#system-org-captcha-deactivate
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.lifecycle.create
#Description
Org creation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#system-org-lifecycle-create
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.rate_limit.burst
#Description
Fired when burst rate limit capacity is activated. This can be used to identify when an API in the Org exceeds standard rate limits and how frequently this occurs. This event is fired after a corresponding warning event. If usage of this API continues, it risks hitting a rate limit violation, which fires a corresponding violation event. The event contains a burst rate limit threshold, which indicates how much capacity remains before a violation occurs.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.rate_limit.burst https://developer.okta.com/docs/reference/api/event-types/#system-org-rate_limit-burst
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.rate_limit.expiration.warning
#Description
Rate limit approaching expiration date.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.rate_limit.expiration.warning https://developer.okta.com/docs/reference/api/event-types/#system-org-rate_limit-expiration-warning
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.rate_limit.violation
#Description
Rate limit violation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.org.rate_limit.violation https://developer.okta.com/docs/reference/api/event-types/#system-org-rate_limit-violation
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.rate_limit.warning
#Description
Rate limit warning.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.org.rate_limit.warning https://developer.okta.com/docs/reference/api/event-types/#system-org-rate_limit-warning
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.org.task.remove
#Description
Tasks removed.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.org.task.remove https://developer.okta.com/docs/reference/api/event-types/#system-org-task-remove
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.push.send_factor_verify_push
#Description
Fired when a Push notification is sent to a device. Used to notify admins when a push was sent to a user for verification. Note that this event is fired whenever a Push is sent.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
okta::eventType | eq | user.authentication.auth_via_mfa | 1 rule | elastic, kusto |
okta::eventType | eq | user.mfa.okta_verify.deny_push | 1 rule | elastic, kusto |
security_result.detection_fields["factor"] | eq | OKTA_VERIFY_PUSH | 1 rule | chronicle |
Detection Rules #
Kusto #
YARA-L #
References #
- Okta Event Types Catalog: system.push.send_factor_verify_push https://developer.okta.com/docs/reference/api/event-types/#system-push-send_factor_verify_push
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.rate_limit.configuration.update
#Description
Rate limit configuration update. Use this event to trace changes that an org admin makes to the rate limit configuration. It is triggered when an admin updates rate limit related settings in the admin portal, including but not limited to:
1. Update client rate limit enforcement mode.
2. Enable or disable rate limit notification.
3. Update the warning threshold of rate limit notification.
4. Update rate limit percentage of API token.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.rate_limit.configuration.update https://developer.okta.com/docs/reference/api/event-types/#system-rate_limit-configuration-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.self_service.configuration.update
#Description
Self-service for apps configuration updated. Identify changes to self-service application request settings, which may allow a user to request to add an application to their end-user dashboard. Self-service application requests are different from Okta Identity Governance (OIG) Access requests. See events beginning with access.request for events relevant to OIG Access requests.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.self_service.configuration.update https://developer.okta.com/docs/reference/api/event-types/#system-self_service-configuration-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.receive_status
#Description
Fired when a status update on an SMS message is received from the provider. Org admins can use this event to identify users who are or aren't getting one-time passcodes delivered successfully via SMS. The provider status can be obtained from the status field in the debug data. For any system.sms.send_* event, there should be exactly one of these events.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.sms.receive_status https://developer.okta.com/docs/reference/api/event-types/#system-sms-receive_status
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.send_account_unlock_message
#Description
Send self-service account unlock SMS message. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.sms.send_account_unlock_message https://developer.okta.com/docs/reference/api/event-types/#system-sms-send_account_unlock_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.send_factor_verify_message
#Description
Send second factor auth SMS. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.sms.send_factor_verify_message https://developer.okta.com/docs/reference/api/event-types/#system-sms-send_factor_verify_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.send_okta_push_verify_message
#Description
Send the SMS that activates Okta Verify Push for mobile. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.sms.send_okta_push_verify_message https://developer.okta.com/docs/reference/api/event-types/#system-sms-send_okta_push_verify_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.send_password_reset_message
#Description
Send self-service password reset SMS message. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.sms.send_password_reset_message https://developer.okta.com/docs/reference/api/event-types/#system-sms-send_password_reset_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.sms.send_phone_verification_message
#Description
Send phone verification SMS message. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.sms.send_phone_verification_message https://developer.okta.com/docs/reference/api/event-types/#system-sms-send_phone_verification_message
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.theme.update
#Description
This event is fired when the theme resource is updated. Developers and org admins can use this event to identify when and how the theme resource was updated. Event details can be used to identify changes made to theme assets, including updates to theme hex codes, logo, background image, and favicon. This event also tracks which combination of theme assets was applied to end-user pages such as the sign-in page, error pages, and email templates.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.theme.update https://developer.okta.com/docs/reference/api/event-types/#system-theme-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.receive_status
#Description
Fired when a status update on a voice call is received from the provider. Org admins can use this event to identify users who are or aren't getting one-time passcodes delivered successfully via voice call. The provider status can be obtained from the status field in the debug data. For any system.voice.send_* event, there should be exactly one of these events.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.voice.receive_status https://developer.okta.com/docs/reference/api/event-types/#system-voice-receive_status
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.send_account_unlock_call
#Description
Send self-service account unlock call. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.voice.send_account_unlock_call https://developer.okta.com/docs/reference/api/event-types/#system-voice-send_account_unlock_call
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.send_call
#Description
Send phone call.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.voice.send_call https://developer.okta.com/docs/reference/api/event-types/#system-voice-send_call
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.send_mfa_challenge_call
#Description
Send second factor auth call. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: system.voice.send_mfa_challenge_call https://developer.okta.com/docs/reference/api/event-types/#system-voice-send_mfa_challenge_call
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.send_password_reset_call
#Description
Send self-service password reset call. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
Detection Rules #
Elastic #
References #
- Okta Event Types Catalog: system.voice.send_password_reset_call https://developer.okta.com/docs/reference/api/event-types/#system-voice-send_password_reset_call
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.voice.send_phone_verification_call
#Description
Send phone verification call. As of the 2022.06.0 release, this event is also used to identify transactions blocked by Okta, which is indicated by a "deny" outcome. Previously, the system.operation.rate_limit.violation event was used to identify blocked transactions. Additionally, the method of generating the MobilePhone ID in the event has changed for Okta Classic. It has not changed for Okta Identity Engine.
Fields #
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.voice.send_phone_verification_call https://developer.okta.com/docs/reference/api/event-types/#system-voice-send_phone_verification_call
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
system.well_known_uri.update
Description
The well-known URI was updated. Identify the previous and current versions of a well-known URI for a custom brand, such as assetlinks.json. The brand ID and specific well-known URI are available in the target resource.
Fields
| Name | Description |
|---|---|
| actor.id | Unique ID of the actor performing the event. |
| actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
| actor.alternateId | Username or email of the actor. |
| actor.displayName | Display name of the actor. |
| target[].id | ID of each target object (user, group, application, ...). |
| target[].type | Type of each target object. |
| target[].alternateId | Username or email of each target object. |
| outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
| outcome.reason | Human-readable reason for the outcome. |
| client.ipAddress | IP address of the client. |
| client.userAgent.rawUserAgent | Raw user agent string. |
| client.geographicalContext.country | Country of origin for the request. |
| securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
| authenticationContext.externalSessionId | Session ID correlating events in one user session. |
| transaction.id | Transaction ID correlating multiple log entries for one action. |
References
- Okta Event Types Catalog: system.well_known_uri.update https://developer.okta.com/docs/reference/api/event-types/#system-well_known_uri-update
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/