Okta-user

80 operations, identified by eventType in the audit log.

eventType	Description
user.account.expire_password	Fired when the user's Okta password is expired. This can be used to audit cases where a user's password is expired by an administrator. When fired, this event contains information about the user whose password was expired, whether a temporary password was created for the user, or if the user's sessions were revoked.
user.account.lock	Auto-lock user account for Okta.
user.account.lock.limit	User account reached lockout limit and will not be automatically unlocked. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.
user.account.preference_update	User preferences updated. This can be used for debugging and auditing purposes. These preferences live outside the user profile.
user.account.privilege.grant	A User's admin privileges changed. This can be used to audit the provisioning of admin privileges for users. When fired, this event contains information about the type of admin privileges the user currently has. The list of current privileges contain both individually assigned roles as well as the ones granted to the user through their group membership. Related events include: USER_ACCOUNT_PRIVILEGE_REVOKE.
user.account.privilege.revoke	All of user's admin privilege revoked. This can be used to audit the deprovisioning of admin privileges from users. When fired, this event indicates the user has no more admin privileges. All of user's privileges were revoked including individually assigned roles as well as the ones granted to the user through their group membership. Related events include: USER_ACCOUNT_PRIVILEGE_GRANT.
user.account.report_suspicious_activity_by_enduser	User reported suspicious activity. This event is used to identify user account suspicious activity.
user.account.reset_password	User's Okta password has been reset.
user.account.subscriptions.update	Admin subscriptions update. Use this event to track and audit updated email subscriptions for an admin. This event contains information about email subscription updates for an admin user. Email subscriptions determine the email notification type that Okta sends to an admin user.
user.account.unlock	Auto-unlock user account for Okta.
user.account.unlock_by_admin	User account unlock by admin.
user.account.unlock_failure	Failed to schedule unlock job for user.
user.account.unlock_token	Issued recovery token for self-service account unlock.
user.account.update_password	User update password for Okta.
user.account.update_primary_email	User primary email updated.
user.account.update_profile	Update user profile for Okta.
user.account.update_secondary_email	User secondary email updated.
user.account.update_user_type	Fires when a user changes from one type to another. Can be used to audit when a user gets converted from a contractor to a full-time employee, for example. Data includes the old and new type ids. There may be an accompanying update_profile event if values were changed.
user.account.use_token	Invalid self service recovery token used by user.
user.authentication.auth	Authenticate user.
user.authentication.auth_identifier_not_in_policy	Authenticate a user with an identifier that's not in the User Profile Policy. Identify users who authenticate with an identifier that's not in the User Profile Policy's configured identifier list. Add the identifier to the policy before delegated authentication is disabled (manually or through a Password Migration campaign) to prevent lockout. Distinct from user.authentication.auth_unconfigured_identifier, which concerns directory source priority rather than User Profile Policy identifier rules.
user.authentication.auth_unconfigured_identifier	Fired after a user authenticates via a directory instance that is not the highest priority profile source for the user. This can be used to track users that are using an identifier to login which is different from the admin configured identifier for that user which might result in unexpected login results. When fired, this event will contain useful information about the user, the directory instance that was used to login the user, and the directory instance that should have been used instead.
user.authentication.auth_via_AD_agent	Authenticate user with AD agent.
user.authentication.auth_via_IDP	Authenticate user via IDP.
user.authentication.auth_via_LDAP_agent	Authenticate user via LDAP agent.
user.authentication.auth_via_inbound_SAML	Authenticate user via inbound SAML.
user.authentication.auth_via_inbound_delauth	Authenticate user via inbound delauth.
user.authentication.auth_via_iwa	Authenticate user via IWA.
user.authentication.auth_via_mfa	Authentication of user via MFA. For Okta Classic orgs, this event will only fire for second factor verifications, whereas for Identity Engine orgs, this event will fire for both primary and second factor verifications.
user.authentication.auth_via_radius	Authentication of user via Radius.
user.authentication.auth_via_richclient	Authentication of a user via Rich Client.
user.authentication.auth_via_social	Authenticate user with social login.
user.authentication.authenticate	Authentication via device trust certificate.
user.authentication.dsso_via_non_priority_source	Desktop Single Sign On (DSSO) authentication has been attempted using a profile source that is not the highest priority profile source for the given Okta user. This event may indicate a potential security risk as the highest priority profile source is often expected to be used in this flow. The presence of this event may be benign, or it may indicate an attempt to authenticate the user from a compromised Active Directory domain. The debugContext object in this event contains useful information regarding the Okta user, the prioritized profile source, and the profile source that was used in the DSSO attempt.
user.authentication.slo	User single logout out (SLO) from app.
user.authentication.sso	Fired when a user performs a single sign-on (SSO) to an app instance and contains the client details of the user. Can be used to identify when a user attempted to sign into an application for audit or debugging purposes. Note that the event is fired even when the sign-on is unsuccessful.
user.authentication.universal_logout	This event is fired when an admin or system account triggers Universal Logout against an app instance. It contains the app instance details for which the Universal Logout API was fired. This event identifies when applications have had Universal Logout triggered for audit or debugging purposes. This event is only fired once. It's only fired for applications that have been configured for Universal Logout. You can configure it under Risk policy, Post Auth Session policy, or in an admin-initiated Clear User Session.
user.authentication.universal_logout.scheduled	This event is fired when an admin manually triggers Universal Logout for a user. It contains context about the initiating request, such as where the request originated and how the Universal Logout endpoint was invoked. After Universal Logout is complete, the user.authentication.universal_logout event is fired, and you can correlate both events using the traceID. This event identifies the geolocation, IP address, and IP chain of the requesting entity. This event is only fired once. You can correlate this event with the user.authentication.universal_logout event using traceID.
user.authentication.verify	Verify user identity.
user.behavior.profile.reset	User behavior profile reset. This event can be used to identify resets to a user behavior profiles, which may be helpful when troubleshooting unexpected behavior detection evaluations. This event is triggered when an administrator manually resets a user's behavior profile in the Admin Console.
user.credential.enroll	Device Trust certificate enrollment.
user.device_session.end	User ended a device session. This event is fired when a user logs out or locks their desktop. This may be useful to audit when the lifecycle of a given device session has ended.
user.device_session.start	User established a device session. This event may be used to identify users which are using Device-Bound SSO. This may be useful to audit when a user established their device session, either at desktop logon or after a successful authentication in the browser. After the device session is established, the resultant deviceSessionId will appear in the authenticationContext of events fired where the device session was used.
user.identity_snapshot.attestation.create	Create identity snapshot attestation for a user. This event can be used by administrators to audit identity snapshot attestations minted for a user. The user and the application are in the event, signifying which user the attestation token is being minted for, and which application is requesting it.
user.identity_verification	This event is fired when a user is directed to complete an Identity Verification as a result of an Okta Account Management (OAMP) Policy evaluation. This event indicates an identity verification request has occurred and will contain the results of the id verification. Completion of an id verification will determine whether the trigger OAMP operation can be completed; start is recorded by user.identity_verification.start.
user.identity_verification.start	An Okta account management policy (OAMP) prompted the user to verify their identity with an identity verification service. Helps admins audit identity-verification prompts and troubleshoot IDV-flow issues. Initiates the prompt for identity-verification flow; completion is recorded by user.identity_verification event.
user.import.password	Imported user password from external system during login. This can be used to understand if a user password import attempt was successful or if it failed. If the attempt failed, the password import will be tried again on a subsequent successful login. When fired, this event contains information about the import type, and whether or not the password import was successful. If the import is successful, it is safe to "clean up" that user from an external system. If the import failed, Okta will continue retrying the import during every successful authentication attempt until the password is successfully imported. Check the failure reason for details about whether any action is needed for the import to succeed.
user.lifecycle.activate	Activate Okta user.
user.lifecycle.create	Create Okta user.
user.lifecycle.deactivate	Deactivate Okta user.
user.lifecycle.delete.completed	Delete Okta user completed.
user.lifecycle.delete.initiated	Delete Okta user initiated.
user.lifecycle.jit.error.read_only	Failed to JIT create user.
user.lifecycle.password_mass_expiry	Mass expire all users' passwords initiated.
user.lifecycle.reactivate	Reactivate Okta user.
user.lifecycle.suspend	Suspend Okta user.
user.lifecycle.unsuspend	Unsuspend Okta user.
user.mfa.attempt_bypass	Attempt bypass of factor.
user.mfa.factor.activate	Activate factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for an MFA factor when it is activated. When fired, the event contains information about the MFA factor that has been activated, as well as the target user and the user activating the factor. For Identity Engine orgs, this event will fire when an authentication method is enrolled.
user.mfa.factor.deactivate	Reset factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a specific factor is permanently deactivated. When fired, the event contains information about the MFA factor that has been deactivated, as well as the target user and the user deactivating the factor. For Identity Engine orgs, this event will fire when an authentication method is unenrolled.
user.mfa.factor.reset_all	Reset all factors or authenticator enrollments for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle statuses when all MFA factors for a user are permanently deactivated. When fired, the event contains information about the target user for whom all factors have been deactivated, as well as the user resetting the factors. For Identity Engine orgs, this event contains information about a target user for whom all authenticator enrollments have been reset.
user.mfa.factor.suspend	Suspend factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a factor is suspended, usually as a result of suspected compromise. When fired, the event contains information about the MFA factor that has been suspended, as well as the target user and the user suspending the factor. When unsuspended, related event user.mfa.factor.unsuspend will be fired.
user.mfa.factor.unsuspend	Unsuspend factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a factor is reactivated from a state of suspension, after it has been determined that the authenticator is secure. When fired, the event contains information about the MFA factor that has been unsuspended, as well as the target user and the user reactivating the suspended factor. Before suspension, related event user.mfa.factor.suspend would have been fired.
user.mfa.factor.update	Update factor for user.
user.mfa.okta_verify	Verify user with Okta verify.
user.mfa.okta_verify.deny_push	User rejected Okta push verify. This event is triggered in classic V1 API calls. In OIE we use a generic event for factor verification failure: user.authentication.auth_via_mfa with reason INVALID_CREDENTIALS.
user.mfa.okta_verify.deny_push_upgrade_needed	Rejected Okta push verify as Upgrade Needed. This can be used to audit events where Okta push verify was rejected as the app needed upgrade. Note that the event is fired when Okta Verify push is rejected. It is possible that the user might have chosen another factor and made successful login as well.
user.risk.change	Indicates a user's risk level has changed. This event can be used to monitor risk level changes for users. This event triggers when Okta determines that a user is associated with a change in risk activity or context.
user.risk.detect	Indicates a user risk was detected. This event can be used to monitor risk level detections for users. This event triggers when Okta detects that a user is associated with risk activity or context.
user.session.access_admin_app	User accessing Okta admin app.
user.session.clear	Clear user session.
user.session.context.change	User session context changed. This event indicates that the context in which the session is being used has changed significantly enough from the context in which the event was created, that re-evaluation of policy may be required. Often this indicates a security issue related to the session.
user.session.end	User logout from Okta.
user.session.expire	Expire user session. This event does not appear in the system logs unless the user explicitly signs out or the user session is revoked by an admin.
user.session.impersonation.end	End impersonation session.
user.session.impersonation.extend	Extend impersonation session.
user.session.impersonation.grant	Enable impersonation grant.
user.session.impersonation.initiate	Initiate impersonation session.
user.session.impersonation.revoke	Revoke impersonation grant.
user.session.start	User login to Okta.

user.account.expire_password

Namespace: Okta-user

Description

Fired when the user's Okta password is expired. This can be used to audit cases where a user's password is expired by an administrator. When fired, this event contains information about the user whose password was expired, whether a temporary password was created for the user, or if the user's sessions were revoked.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.expire_password https://developer.okta.com/docs/reference/api/event-types/#user-account-expire_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.lock

Namespace: Okta-user

Description

Auto-lock user account for Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`BLOCK`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Attempts to Brute Force an Okta User Account source medium: Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.

YARA-L #

Okta User Account Lockout source: Detects when a user's account is locked out or a user account has reached the lockout limit.↳ also matches user.account.lock.limit

References #

Okta Event Types Catalog: user.account.lock https://developer.okta.com/docs/reference/api/event-types/#user-account-lock
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.lock.limit

Namespace: Okta-user

Description

User account reached lockout limit and will not be automatically unlocked. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`BLOCK`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Okta User Account Lockout source: Detects when a user's account is locked out or a user account has reached the lockout limit.↳ also matches user.account.lock

References #

Okta Event Types Catalog: user.account.lock.limit https://developer.okta.com/docs/reference/api/event-types/#user-account-lock-limit
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.preference_update

Namespace: Okta-user

Description

User preferences updated. This can be used for debugging and auditing purposes. These preferences live outside the user profile.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.preference_update https://developer.okta.com/docs/reference/api/event-types/#user-account-preference_update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.privilege.grant

Namespace: Okta-user

Description

A User's admin privileges changed. This can be used to audit the provisioning of admin privileges for users. When fired, this event contains information about the type of admin privileges the user currently has. The list of current privileges contain both individually assigned roles as well as the ones granted to the user through their group membership. Related events include: USER_ACCOUNT_PRIVILEGE_REVOKE.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`group.privilege.grant`	1 rule	panther, sigma
`eventType`	eq	`user.account.privilege.grant`	1 rule	panther, sigma
`okta::eventType`	in	`policy.evaluate_sign_on`	1 rule	elastic, kusto
`okta::eventType`	in	`system.api_token.create`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Admin Role Assigned to an User or Group source medium: Detects when an the Administrator role is assigned to an user or group.

Elastic #

Okta User Assigned Administrator Role source medium: Identifies when an administrator role is assigned to an Okta user or group. Adversaries may assign administrator privileges to compromised accounts to establish persistence, escalate privileges, and maintain long-term access to the environment. This detection monitors for both user-level and group-level administrator privilege grants, which can be used to bypass security controls and perform unauthorized administrative actions.

Kusto #

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.↳ also matches user.mfa.factor.suspend, user.session.access_admin_app, user.session.impersonation.grant, user.session.start

References #

Okta Event Types Catalog: user.account.privilege.grant https://developer.okta.com/docs/reference/api/event-types/#user-account-privilege-grant
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.privilege.revoke

Namespace: Okta-user

Description

All of user's admin privilege revoked. This can be used to audit the deprovisioning of admin privileges from users. When fired, this event indicates the user has no more admin privileges. All of user's privileges were revoked including individually assigned roles as well as the ones granted to the user through their group membership. Related events include: USER_ACCOUNT_PRIVILEGE_GRANT.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.privilege.revoke https://developer.okta.com/docs/reference/api/event-types/#user-account-privilege-revoke
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.report_suspicious_activity_by_enduser

Namespace: Okta-user

Description

User reported suspicious activity. This event is used to identify user account suspicious activity.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`user.account.report_suspicious_activity_by_enduser`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Okta Suspicious Activity Reported by End-user source high: Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Elastic #

Suspicious Activity Reported by Okta User source medium: Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.

YARA-L #

Okta User Suspicious Activity Reported source: An Okta user reports suspicious activity in response to an end user security notification.

References #

Okta Event Types Catalog: user.account.report_suspicious_activity_by_enduser https://developer.okta.com/docs/reference/api/event-types/#user-account-report_suspicious_activity_by_enduser
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.reset_password

Namespace: Okta-user

Description

User's Okta password has been reset.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

YARA-L #

Okta User Password and MFA Factor Reset or Deactivated source: Detects when an Okta user's password is reset and MFA factor(s) are deactivated or reset within a 30 minute time window. This activity may indicate that the user account has been compromised.↳ also matches user.mfa.factor.deactivate, user.mfa.factor.reset_all

References #

Okta Event Types Catalog: user.account.reset_password https://developer.okta.com/docs/reference/api/event-types/#user-account-reset_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.subscriptions.update

Namespace: Okta-user

Description

Admin subscriptions update. Use this event to track and audit updated email subscriptions for an admin. This event contains information about email subscription updates for an admin user. Email subscriptions determine the email notification type that Okta sends to an admin user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.subscriptions.update https://developer.okta.com/docs/reference/api/event-types/#user-account-subscriptions-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.unlock

Namespace: Okta-user

Description

Auto-unlock user account for Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.unlock https://developer.okta.com/docs/reference/api/event-types/#user-account-unlock
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.unlock_by_admin

Namespace: Okta-user

Description

User account unlock by admin.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.unlock_by_admin https://developer.okta.com/docs/reference/api/event-types/#user-account-unlock_by_admin
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.unlock_failure

Namespace: Okta-user

Description

Failed to schedule unlock job for user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.unlock_failure https://developer.okta.com/docs/reference/api/event-types/#user-account-unlock_failure
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.unlock_token

Namespace: Okta-user

Description

Issued recovery token for self-service account unlock.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

High Number of Okta User Password Reset or Unlock Attempts source medium: Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.

References #

Okta Event Types Catalog: user.account.unlock_token https://developer.okta.com/docs/reference/api/event-types/#user-account-unlock_token
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.update_password

Namespace: Okta-user

Description

User update password for Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.update_password https://developer.okta.com/docs/reference/api/event-types/#user-account-update_password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.update_primary_email

Namespace: Okta-user

Description

User primary email updated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.update_primary_email https://developer.okta.com/docs/reference/api/event-types/#user-account-update_primary_email
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.update_profile

Namespace: Okta-user

Description

Update user profile for Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.update_profile https://developer.okta.com/docs/reference/api/event-types/#user-account-update_profile
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.update_secondary_email

Namespace: Okta-user

Description

User secondary email updated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.update_secondary_email https://developer.okta.com/docs/reference/api/event-types/#user-account-update_secondary_email
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.update_user_type

Namespace: Okta-user

Description

Fires when a user changes from one type to another. Can be used to audit when a user gets converted from a contractor to a full-time employee, for example. Data includes the old and new type ids. There may be an accompanying update_profile event if values were changed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.update_user_type https://developer.okta.com/docs/reference/api/event-types/#user-account-update_user_type
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.account.use_token

Namespace: Okta-user

Description

Invalid self service recovery token used by user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.account.use_token https://developer.okta.com/docs/reference/api/event-types/#user-account-use_token
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth

Namespace: Okta-user

Description

Authenticate user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_identifier_not_in_policy

Namespace: Okta-user

Description

Authenticate a user with an identifier that's not in the User Profile Policy. Identify users who authenticate with an identifier that's not in the User Profile Policy's configured identifier list. Add the identifier to the policy before delegated authentication is disabled (manually or through a Password Migration campaign) to prevent lockout. Distinct from user.authentication.auth_unconfigured_identifier, which concerns directory source priority rather than User Profile Policy identifier rules.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_identifier_not_in_policy https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_identifier_not_in_policy
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_unconfigured_identifier

Namespace: Okta-user

Description

Fired after a user authenticates via a directory instance that is not the highest priority profile source for the user. This can be used to track users that are using an identifier to login which is different from the admin configured identifier for that user which might result in unexpected login results. When fired, this event will contain useful information about the user, the directory instance that was used to login the user, and the directory instance that should have been used instead.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_unconfigured_identifier https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_unconfigured_identifier
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_AD_agent

Namespace: Okta-user

Description

Authenticate user with AD agent.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_AD_agent https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_AD_agent
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_IDP

Namespace: Okta-user

Description

Authenticate user via IDP.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::outcome.result`	eq	`FAILURE`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Elastic #

Okta Sign-In Events via Third-Party IdP source medium: Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP) that has not been seen before. Adversaries may add an unauthorized IdP to an Okta tenant to gain persistent access. This rule uses New Terms detection to only alert when a previously unseen IdP is used for authentication, reducing noise from legitimate federated identity providers while highlighting potentially rogue IdP additions.↳ also matches user.authentication.auth_via_inbound_SAML, user.authentication.auth_via_social

References #

Okta Event Types Catalog: user.authentication.auth_via_IDP https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_IDP
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_LDAP_agent

Namespace: Okta-user

Description

Authenticate user via LDAP agent.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_LDAP_agent https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_LDAP_agent
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_inbound_SAML

Namespace: Okta-user

Description

Authenticate user via inbound SAML.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::outcome.result`	eq	`FAILURE`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Elastic #

Okta Sign-In Events via Third-Party IdP source medium: Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP) that has not been seen before. Adversaries may add an unauthorized IdP to an Okta tenant to gain persistent access. This rule uses New Terms detection to only alert when a previously unseen IdP is used for authentication, reducing noise from legitimate federated identity providers while highlighting potentially rogue IdP additions.↳ also matches user.authentication.auth_via_IDP, user.authentication.auth_via_social

References #

Okta Event Types Catalog: user.authentication.auth_via_inbound_SAML https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_inbound_SAML
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_inbound_delauth

Namespace: Okta-user

Description

Authenticate user via inbound delauth.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_inbound_delauth https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_inbound_delauth
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_iwa

Namespace: Okta-user

Description

Authenticate user via IWA.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_iwa https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_iwa
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_mfa

Namespace: Okta-user

Description

Authentication of user via MFA. For Okta Classic orgs, this event will only fire for second factor verifications, whereas for Identity Engine orgs, this event will fire for both primary and second factor verifications.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.authentication.auth_via_mfa`	5 rules	elastic, kusto
`okta::eventType`	eq	`user.mfa.okta_verify.deny_push`	3 rules	elastic, kusto
`okta::eventType`	in	`user.authentication.auth_via_mfa`	2 rules	elastic
`okta::eventType`	in	`user.authentication.sso`	2 rules	elastic
`okta::eventType`	in	`user.authentication.verify`	2 rules	elastic
`okta::eventType`	in	`user.session.start`	2 rules	elastic, kusto
`security_result.action`	eq	`BLOCK`	3 rules	chronicle
`okta::debugContext.debugData.factor`	eq	`OKTA_VERIFY_PUSH`	2 rules	elastic
`okta::outcome.reason`	eq	`FastPass declined phishing attempt`	2 rules	elastic, kusto
`okta::outcome.reason`	eq	`INVALID_CREDENTIALS`	2 rules	elastic
`security_result.detection_fields["factor"]`	eq	`OKTA_VERIFY_PUSH`	2 rules	chronicle
`event.outcome`	eq	`failure`	1 rule	elastic
`eventType`	eq	`user.authentication.auth_via_mfa`	1 rule	panther, sigma, splunk
`okta::outcome.result`	eq	`FAILURE`	1 rule	elastic, kusto
`okta::outcome.result`	eq	`SUCCESS`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta FastPass Phishing Detection source high: Detects when Okta FastPass prevents a known phishing site.

Elastic #

Okta Multiple OS Names Detected for a Single DT Hash source high: Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.↳ also matches user.authentication.verify
Potential Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.mfa.okta_verify.deny_push
Potentially Successful Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.sso, user.authentication.verify, user.mfa.okta_verify.deny_push, user.session.start

Show 1 more (4 total)

First Occurrence of Okta User Session Started via Proxy source medium: Identifies the first occurrence of an Okta user session started via a proxy.↳ also matches user.authentication.sso, user.authentication.verify, user.session.start

Kusto #

Okta Fast Pass phishing Detection source medium: This query detects cases in which Okta FastPass effectively prevented access to a known phishing website.
MFA Fatigue (OKTA) source medium: MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. Ref: https://www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/.↳ also matches user.mfa.okta_verify.deny_push

YARA-L #

Okta Phishing Detection With Fastpass Origin Check source: Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.
Okta User Failed Number Challenge During Push Notification source: Detects when an Okta user failed a number challenge during push notification.
Okta User Rejected Multiple Push Notifications source: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.↳ also matches user.mfa.okta_verify.deny_push

Show 2 more (5 total)

Okta MFA Bruteforce Attack source: Detects a successful login after multiple failed MFA pushes
Okta Mismatch Between Source And Response For Verify Push Request source: Okta Mismatch Between Source and Response for Verify Push Request

References #

Okta Event Types Catalog: user.authentication.auth_via_mfa https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_mfa
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_radius

Namespace: Okta-user

Description

Authentication of user via Radius.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_radius https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_radius
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_richclient

Namespace: Okta-user

Description

Authentication of a user via Rich Client.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.auth_via_richclient https://developer.okta.com/docs/reference/api/event-types/#user-authentication-auth_via_richclient
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.auth_via_social

Namespace: Okta-user

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::outcome.result`	eq	`FAILURE`	1 rule	elastic, kusto

user.authentication.authenticate

Namespace: Okta-user

Description

Authentication via device trust certificate.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.authenticate https://developer.okta.com/docs/reference/api/event-types/#user-authentication-authenticate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.dsso_via_non_priority_source

Namespace: Okta-user

Description

Desktop Single Sign On (DSSO) authentication has been attempted using a profile source that is not the highest priority profile source for the given Okta user. This event may indicate a potential security risk as the highest priority profile source is often expected to be used in this flow. The presence of this event may be benign, or it may indicate an attempt to authenticate the user from a compromised Active Directory domain. The debugContext object in this event contains useful information regarding the Okta user, the prioritized profile source, and the profile source that was used in the DSSO attempt.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.dsso_via_non_priority_source https://developer.okta.com/docs/reference/api/event-types/#user-authentication-dsso_via_non_priority_source
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.slo

Namespace: Okta-user

Description

User single logout out (SLO) from app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.slo https://developer.okta.com/docs/reference/api/event-types/#user-authentication-slo
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.sso

Namespace: Okta-user

Description

Fired when a user performs a single sign-on (SSO) to an app instance and contains the client details of the user. Can be used to identify when a user attempted to sign into an application for audit or debugging purposes. Note that the event is fired even when the sign-on is unsuccessful.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.authentication.auth_via_mfa`	1 rule	elastic, kusto
`okta::eventType`	eq	`user.mfa.okta_verify.deny_push`	1 rule	elastic, kusto
`okta::eventType`	in	`user.authentication.sso`	3 rules	elastic
`okta::eventType`	in	`user.session.start`	3 rules	elastic, kusto
`okta::eventType`	in	`user.authentication.auth_via_mfa`	2 rules	elastic
`okta::eventType`	in	`user.authentication.verify`	2 rules	elastic
`okta::eventType`	in	`policy.evaluate_sign_on`	1 rule	elastic, kusto
`okta::actor.alternateId`	ne	`system@okta.com`	1 rule	elastic
`okta::debugContext.debugData.factor`	eq	`OKTA_VERIFY_PUSH`	1 rule	elastic
`okta::outcome.reason`	eq	`INVALID_CREDENTIALS`	1 rule	elastic
`okta::outcome.result`	eq	`SUCCESS`	1 rule	elastic, kusto
`okta::securityContext.isProxy`	eq	`true`	1 rule	elastic
`security_result.action`	eq	`CHALLENGE`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Successful Application SSO from Rare Unknown Client Device source medium: Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or "unknown" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.
Okta AiTM Session Cookie Replay source high: Detects potential Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. This rule identifies when an Okta session is used from multiple IP addresses or with suspicious non-browser user agents after initial authentication. AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them from attacker infrastructure, bypassing MFA. The detection correlates session start events with subsequent policy evaluations or SSO attempts that occur from different IPs or programmatic user agents.↳ also matches user.session.start
Potentially Successful Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.auth_via_mfa, user.authentication.verify, user.mfa.okta_verify.deny_push, user.session.start

Show 1 more (4 total)

First Occurrence of Okta User Session Started via Proxy source medium: Identifies the first occurrence of an Okta user session started via a proxy.↳ also matches user.authentication.auth_via_mfa, user.authentication.verify, user.session.start

YARA-L #

Okta Multiple Failed Requests To Access Applications source: Detects multiple failed requests to access applications

References #

Okta Event Types Catalog: user.authentication.sso https://developer.okta.com/docs/reference/api/event-types/#user-authentication-sso
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.universal_logout

Namespace: Okta-user

Description

This event is fired when an admin or system account triggers Universal Logout against an app instance. It contains the app instance details for which the Universal Logout API was fired. This event identifies when applications have had Universal Logout triggered for audit or debugging purposes. This event is only fired once. It's only fired for applications that have been configured for Universal Logout. You can configure it under Risk policy, Post Auth Session policy, or in an admin-initiated Clear User Session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.universal_logout https://developer.okta.com/docs/reference/api/event-types/#user-authentication-universal_logout
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.universal_logout.scheduled

Namespace: Okta-user

Description

This event is fired when an admin manually triggers Universal Logout for a user. It contains context about the initiating request, such as where the request originated and how the Universal Logout endpoint was invoked. After Universal Logout is complete, the user.authentication.universal_logout event is fired, and you can correlate both events using the traceID. This event identifies the geolocation, IP address, and IP chain of the requesting entity. This event is only fired once. You can correlate this event with the user.authentication.universal_logout event using traceID.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.authentication.universal_logout.scheduled https://developer.okta.com/docs/reference/api/event-types/#user-authentication-universal_logout-scheduled
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.authentication.verify

Namespace: Okta-user

Description

Verify user identity.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.authentication.auth_via_mfa`	1 rule	elastic, kusto
`okta::eventType`	eq	`user.mfa.okta_verify.deny_push`	1 rule	elastic, kusto
`okta::eventType`	in	`user.authentication.auth_via_mfa`	2 rules	elastic
`okta::eventType`	in	`user.authentication.sso`	2 rules	elastic
`okta::eventType`	in	`user.authentication.verify`	2 rules	elastic
`okta::eventType`	in	`user.session.start`	2 rules	elastic, kusto
`okta::debugContext.debugData.factor`	eq	`OKTA_VERIFY_PUSH`	1 rule	elastic
`okta::outcome.reason`	eq	`INVALID_CREDENTIALS`	1 rule	elastic
`okta::outcome.result`	eq	`SUCCESS`	1 rule	elastic, kusto
`okta::securityContext.isProxy`	eq	`true`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Okta Multiple OS Names Detected for a Single DT Hash source high: Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.↳ also matches user.authentication.auth_via_mfa
Potentially Successful Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.auth_via_mfa, user.authentication.sso, user.mfa.okta_verify.deny_push, user.session.start
First Occurrence of Okta User Session Started via Proxy source medium: Identifies the first occurrence of an Okta user session started via a proxy.↳ also matches user.authentication.auth_via_mfa, user.authentication.sso, user.session.start

References #

Okta Event Types Catalog: user.authentication.verify https://developer.okta.com/docs/reference/api/event-types/#user-authentication-verify
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.behavior.profile.reset

Namespace: Okta-user

Description

User behavior profile reset. This event can be used to identify resets to a user behavior profiles, which may be helpful when troubleshooting unexpected behavior detection evaluations. This event is triggered when an administrator manually resets a user's behavior profile in the Admin Console.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.behavior.profile.reset https://developer.okta.com/docs/reference/api/event-types/#user-behavior-profile-reset
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.credential.enroll

Namespace: Okta-user

Description

Device Trust certificate enrollment.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.credential.enroll https://developer.okta.com/docs/reference/api/event-types/#user-credential-enroll
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.device_session.end

Namespace: Okta-user

Description

User ended a device session. This event is fired when a user logs out or locks their desktop. This may be useful to audit when the lifecycle of a given device session has ended.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.device_session.end https://developer.okta.com/docs/reference/api/event-types/#user-device_session-end
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.device_session.start

Namespace: Okta-user

Description

User established a device session. This event may be used to identify users which are using Device-Bound SSO. This may be useful to audit when a user established their device session, either at desktop logon or after a successful authentication in the browser. After the device session is established, the resultant deviceSessionId will appear in the authenticationContext of events fired where the device session was used.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.device_session.start https://developer.okta.com/docs/reference/api/event-types/#user-device_session-start
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.identity_snapshot.attestation.create

Namespace: Okta-user

Description

Create identity snapshot attestation for a user. This event can be used by administrators to audit identity snapshot attestations minted for a user. The user and the application are in the event, signifying which user the attestation token is being minted for, and which application is requesting it.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.identity_snapshot.attestation.create https://developer.okta.com/docs/reference/api/event-types/#user-identity_snapshot-attestation-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.identity_verification

Namespace: Okta-user

Description

This event is fired when a user is directed to complete an Identity Verification as a result of an Okta Account Management (OAMP) Policy evaluation. This event indicates an identity verification request has occurred and will contain the results of the id verification. Completion of an id verification will determine whether the trigger OAMP operation can be completed; start is recorded by user.identity_verification.start.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.identity_verification https://developer.okta.com/docs/reference/api/event-types/#user-identity_verification
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.identity_verification.start

Namespace: Okta-user

Description

An Okta account management policy (OAMP) prompted the user to verify their identity with an identity verification service. Helps admins audit identity-verification prompts and troubleshoot IDV-flow issues. Initiates the prompt for identity-verification flow; completion is recorded by user.identity_verification event.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.identity_verification.start https://developer.okta.com/docs/reference/api/event-types/#user-identity_verification-start
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.import.password

Namespace: Okta-user

Description

Imported user password from external system during login. This can be used to understand if a user password import attempt was successful or if it failed. If the attempt failed, the password import will be tried again on a subsequent successful login. When fired, this event contains information about the import type, and whether or not the password import was successful. If the import is successful, it is safe to "clean up" that user from an external system. If the import failed, Okta will continue retrying the import during every successful authentication attempt until the password is successfully imported. Check the failure reason for details about whether any action is needed for the import to succeed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.import.password https://developer.okta.com/docs/reference/api/event-types/#user-import-password
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.activate

Namespace: Okta-user

Description

Activate Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`user.lifecycle.create`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Okta 2023 Breach Indicator Of Compromise source medium: Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.↳ also matches user.lifecycle.create

References #

Okta Event Types Catalog: user.lifecycle.activate https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.create

Namespace: Okta-user

Description

Create Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`eventType`	eq	`user.lifecycle.create`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

New Okta User Created source informational: Detects new user account creation
Okta 2023 Breach Indicator Of Compromise source medium: Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.↳ also matches user.lifecycle.activate

References #

Okta Event Types Catalog: user.lifecycle.create https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.deactivate

Namespace: Okta-user

Description

Deactivate Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.deactivate https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.delete.completed

Namespace: Okta-user

Description

Delete Okta user completed.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.delete.completed https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-delete-completed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.delete.initiated

Namespace: Okta-user

Description

Delete Okta user initiated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.delete.initiated https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-delete-initiated
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.jit.error.read_only

Namespace: Okta-user

Description

Failed to JIT create user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.jit.error.read_only https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-jit-error-read_only
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.password_mass_expiry

Namespace: Okta-user

Description

Mass expire all users' passwords initiated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.password_mass_expiry https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-password_mass_expiry
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.reactivate

Namespace: Okta-user

Description

Reactivate Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.reactivate https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-reactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.suspend

Namespace: Okta-user

Description

Suspend Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.suspend https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-suspend
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.lifecycle.unsuspend

Namespace: Okta-user

Description

Unsuspend Okta user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.lifecycle.unsuspend https://developer.okta.com/docs/reference/api/event-types/#user-lifecycle-unsuspend
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.attempt_bypass

Namespace: Okta-user

Description

Attempt bypass of factor.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Attempted Bypass of Okta MFA source high: Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches user.mfa.factor.deactivate, user.mfa.factor.reset_all, user.session.start

References #

Okta Event Types Catalog: user.mfa.attempt_bypass https://developer.okta.com/docs/reference/api/event-types/#user-mfa-attempt_bypass
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.activate

Namespace: Okta-user

Description

Activate factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for an MFA factor when it is activated. When fired, the event contains information about the MFA factor that has been activated, as well as the target user and the user activating the factor. For Identity Engine orgs, this event will fire when an authentication method is enrolled.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	in	`user.mfa.factor.deactivate`	1 rule	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	1 rule	elastic, kusto

Detection Rules #

View all rules referencing this event →

Elastic #

MFA Deactivation with no Re-Activation for Okta User Account source low: Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.↳ also matches user.mfa.factor.deactivate, user.mfa.factor.reset_all

References #

Okta Event Types Catalog: user.mfa.factor.activate https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-activate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.deactivate

Namespace: Okta-user

Description

Reset factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a specific factor is permanently deactivated. When fired, the event contains information about the MFA factor that has been deactivated, as well as the target user and the user deactivating the factor. For Identity Engine orgs, this event will fire when an authentication method is unenrolled.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	in	`user.mfa.factor.deactivate`	2 rules	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	2 rules	elastic, kusto
`okta::outcome.result`	eq	`SUCCESS`	2 rules	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta MFA Reset or Deactivated source medium: Detects when an attempt at deactivating or resetting MFA.↳ also matches user.mfa.factor.reset_all

Elastic #

MFA Deactivation with no Re-Activation for Okta User Account source low: Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.↳ also matches user.mfa.factor.activate, user.mfa.factor.reset_all

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches user.mfa.attempt_bypass, user.mfa.factor.reset_all, user.session.start

YARA-L #

Okta User Password and MFA Factor Reset or Deactivated source: Detects when an Okta user's password is reset and MFA factor(s) are deactivated or reset within a 30 minute time window. This activity may indicate that the user account has been compromised.↳ also matches user.account.reset_password, user.mfa.factor.reset_all

References #

Okta Event Types Catalog: user.mfa.factor.deactivate https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-deactivate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.reset_all

Namespace: Okta-user

Description

Reset all factors or authenticator enrollments for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle statuses when all MFA factors for a user are permanently deactivated. When fired, the event contains information about the target user for whom all factors have been deactivated, as well as the user resetting the factors. For Identity Engine orgs, this event contains information about a target user for whom all authenticator enrollments have been reset.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	in	`user.mfa.factor.deactivate`	2 rules	elastic, kusto
`okta::eventType`	in	`user.mfa.factor.reset_all`	2 rules	elastic, kusto
`okta::outcome.result`	eq	`SUCCESS`	2 rules	elastic, kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Okta MFA Reset or Deactivated source medium: Detects when an attempt at deactivating or resetting MFA.↳ also matches user.mfa.factor.deactivate

Elastic #

Attempt to Reset MFA Factors for an Okta User Account source low: Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.
MFA Deactivation with no Re-Activation for Okta User Account source low: Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.↳ also matches user.mfa.factor.activate, user.mfa.factor.deactivate

Kusto #

New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches user.mfa.attempt_bypass, user.mfa.factor.deactivate, user.session.start

YARA-L #

Okta User Password and MFA Factor Reset or Deactivated source: Detects when an Okta user's password is reset and MFA factor(s) are deactivated or reset within a 30 minute time window. This activity may indicate that the user account has been compromised.↳ also matches user.account.reset_password, user.mfa.factor.deactivate

References #

Okta Event Types Catalog: user.mfa.factor.reset_all https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-reset_all
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.suspend

Namespace: Okta-user

Description

Suspend factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a factor is suspended, usually as a result of suspected compromise. When fired, the event contains information about the MFA factor that has been suspended, as well as the target user and the user suspending the factor. When unsuspended, related event user.mfa.factor.unsuspend will be fired.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	in	`system.api_token.create`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.↳ also matches user.account.privilege.grant, user.session.access_admin_app, user.session.impersonation.grant, user.session.start

References #

Okta Event Types Catalog: user.mfa.factor.suspend https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-suspend
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.unsuspend

Namespace: Okta-user

Description

Unsuspend factor or authenticator enrollment method for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a factor is reactivated from a state of suspension, after it has been determined that the authenticator is secure. When fired, the event contains information about the MFA factor that has been unsuspended, as well as the target user and the user reactivating the suspended factor. Before suspension, related event user.mfa.factor.suspend would have been fired.

Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.mfa.factor.unsuspend https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-unsuspend
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.factor.update

Namespace: Okta-user

Description

Update factor for user.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Stolen Credentials Used to Login to Okta Account After MFA Reset source high: Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.

References #

Okta Event Types Catalog: user.mfa.factor.update https://developer.okta.com/docs/reference/api/event-types/#user-mfa-factor-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.okta_verify

Namespace: Okta-user

Description

Verify user with Okta verify.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.mfa.okta_verify https://developer.okta.com/docs/reference/api/event-types/#user-mfa-okta_verify
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.okta_verify.deny_push

Namespace: Okta-user

Description

User rejected Okta push verify. This event is triggered in classic V1 API calls. In OIE we use a generic event for factor verification failure: user.authentication.auth_via_mfa with reason INVALID_CREDENTIALS.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`okta::eventType`	eq	`user.authentication.auth_via_mfa`	3 rules	elastic, kusto
`okta::eventType`	eq	`user.mfa.okta_verify.deny_push`	3 rules	elastic, kusto
`okta::eventType`	in	`user.authentication.auth_via_mfa`	1 rule	elastic
`okta::eventType`	in	`user.authentication.sso`	1 rule	elastic
`okta::eventType`	in	`user.authentication.verify`	1 rule	elastic
`okta::eventType`	in	`user.session.start`	1 rule	elastic, kusto
`okta::debugContext.debugData.factor`	eq	`OKTA_VERIFY_PUSH`	2 rules	elastic
`okta::outcome.reason`	eq	`INVALID_CREDENTIALS`	2 rules	elastic
`okta::outcome.result`	eq	`SUCCESS`	1 rule	elastic, kusto
`security_result.detection_fields["factor"]`	eq	`OKTA_VERIFY_PUSH`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

Potential Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.auth_via_mfa
Potentially Successful Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.auth_via_mfa, user.authentication.sso, user.authentication.verify, user.session.start

Kusto #

MFA Fatigue (OKTA) source medium: MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. Ref: https://www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/.↳ also matches user.authentication.auth_via_mfa

YARA-L #

Okta User Rejected Multiple Push Notifications source: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.↳ also matches user.authentication.auth_via_mfa

References #

Okta Event Types Catalog: user.mfa.okta_verify.deny_push https://developer.okta.com/docs/reference/api/event-types/#user-mfa-okta_verify-deny_push
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.mfa.okta_verify.deny_push_upgrade_needed

Namespace: Okta-user

Description

Rejected Okta push verify as Upgrade Needed. This can be used to audit events where Okta push verify was rejected as the app needed upgrade. Note that the event is fired when Okta Verify push is rejected. It is possible that the user might have chosen another factor and made successful login as well.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.mfa.okta_verify.deny_push_upgrade_needed https://developer.okta.com/docs/reference/api/event-types/#user-mfa-okta_verify-deny_push_upgrade_needed
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.risk.change

Namespace: Okta-user

Description

Indicates a user's risk level has changed. This event can be used to monitor risk level changes for users. This event triggers when Okta determines that a user is associated with a change in risk activity or context.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.risk.change https://developer.okta.com/docs/reference/api/event-types/#user-risk-change
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.risk.detect

Namespace: Okta-user

Description

Indicates a user risk was detected. This event can be used to monitor risk level detections for users. This event triggers when Okta detects that a user is associated with risk activity or context.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.risk.detect https://developer.okta.com/docs/reference/api/event-types/#user-risk-detect
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.access_admin_app

Namespace: Okta-user

Description

User accessing Okta admin app.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Kusto #

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.↳ also matches user.account.privilege.grant, user.mfa.factor.suspend, user.session.impersonation.grant, user.session.start

References #

Okta Event Types Catalog: user.session.access_admin_app https://developer.okta.com/docs/reference/api/event-types/#user-session-access_admin_app
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.clear

Namespace: Okta-user

Description

Clear user session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.clear https://developer.okta.com/docs/reference/api/event-types/#user-session-clear
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.context.change

Namespace: Okta-user

Description

User session context changed. This event indicates that the context in which the session is being used has changed significantly enough from the context in which the event was created, that re-evaluation of policy may be required. Often this indicates a security issue related to the session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.context.change https://developer.okta.com/docs/reference/api/event-types/#user-session-context-change
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.end

Namespace: Okta-user

Description

User logout from Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.end https://developer.okta.com/docs/reference/api/event-types/#user-session-end
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.expire

Namespace: Okta-user

Description

Expire user session. This event does not appear in the system logs unless the user explicitly signs out or the user session is revoked by an admin.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.expire https://developer.okta.com/docs/reference/api/event-types/#user-session-expire
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.impersonation.end

Namespace: Okta-user

Description

End impersonation session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.impersonation.end https://developer.okta.com/docs/reference/api/event-types/#user-session-impersonation-end
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.impersonation.extend

Namespace: Okta-user

Description

Extend impersonation session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.impersonation.extend https://developer.okta.com/docs/reference/api/event-types/#user-session-impersonation-extend
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.impersonation.grant

Namespace: Okta-user

Description

Enable impersonation grant.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Kusto #

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.↳ also matches user.account.privilege.grant, user.mfa.factor.suspend, user.session.access_admin_app, user.session.start

References #

Okta Event Types Catalog: user.session.impersonation.grant https://developer.okta.com/docs/reference/api/event-types/#user-session-impersonation-grant
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.impersonation.initiate

Namespace: Okta-user

Description

Initiate impersonation session.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Detection Rules #

View all rules referencing this event →

Elastic #

Okta User Session Impersonation source high: A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.

Kusto #

User Session Impersonation(Okta) source medium: A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.

References #

Okta Event Types Catalog: user.session.impersonation.initiate https://developer.okta.com/docs/reference/api/event-types/#user-session-impersonation-initiate
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.impersonation.revoke

Namespace: Okta-user

Description

Revoke impersonation grant.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: user.session.impersonation.revoke https://developer.okta.com/docs/reference/api/event-types/#user-session-impersonation-revoke
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

user.session.start

Namespace: Okta-user

Description

User login to Okta.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`user.session.start`	8 rules	elastic
`EventType`	starts_with	`user.authentication.`	8 rules	elastic
`okta::actor.alternateId`	is_not_null		6 rules	elastic
`okta::outcome.reason`	in	`INVALID_CREDENTIALS`	6 rules	elastic, kusto
`okta::outcome.reason`	in	`LOCKED_OUT`	5 rules	elastic
`okta::eventType`	eq	`user.session.start`	5 rules	elastic, kusto
`okta::eventType`	in	`user.session.start`	4 rules	elastic, kusto
`okta::eventType`	in	`user.authentication.sso`	3 rules	elastic
`okta::eventType`	in	`policy.evaluate_sign_on`	2 rules	elastic, kusto
`okta::eventType`	in	`system.api_token.create`	2 rules	kusto
`okta::eventType`	in	`user.authentication.auth_via_mfa`	2 rules	elastic
`okta::outcome.result`	eq	`SUCCESS`	5 rules	elastic, kusto
`Esql.total_attempts`	ge	`10`	2 rules	elastic
`Esql.total_attempts`	ge	`25`	2 rules	elastic
`Esql.unique_source_ips`	ge	`5`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Okta User Session Start Via An Anonymising Proxy Service source high: Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Elastic #

Multiple Okta User Authentication Events with Same Device Token Hash source low: Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
Potential Okta Brute Force (Device Token Rotation) source low: Detects potential brute force attacks against a single Okta user account where excessive unique device token hashes are generated, indicating automated tooling that fails to persist browser cookies between attempts.
Potential Okta Brute Force (Multi-Source) source medium: Detects potential brute force attacks against a single Okta user account from multiple source IPs, indicating attackers rotating through proxy infrastructure to evade IP-based detection.

Show 9 more (12 total)

Potential Okta Credential Stuffing (Single Source) source medium: Detects potential credential stuffing attacks where a single source IP attempts authentication against many Okta user accounts with minimal attempts per user, indicating the use of breached credential lists.
Potential Okta Password Spray (Multi-Source) source medium: Detects potential password spray attacks where multiple source IPs target multiple Okta user accounts within a time window, indicating coordinated attacks using IP rotation to evade single-source detection.
Potential Okta Password Spray (Single Source) source medium: Detects potential password spray attacks where a single source IP attempts authentication against multiple Okta user accounts with repeated attempts per user, indicating common password guessing paced to avoid lockouts.
Okta Successful Login After Credential Attack source high: Correlates Okta credential attack alerts with subsequent successful authentication for the same user account, identifying potential compromise following brute force, password spray, or credential stuffing attempts.
Okta User Sessions Started from Different Geolocations source medium: Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.
Multiple Okta Sessions Detected for a Single User source medium: Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
Okta AiTM Session Cookie Replay source high: Detects potential Adversary-in-the-Middle (AiTM) session cookie replay attacks against Okta. This rule identifies when an Okta session is used from multiple IP addresses or with suspicious non-browser user agents after initial authentication. AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them from attacker infrastructure, bypassing MFA. The detection correlates session start events with subsequent policy evaluations or SSO attempts that occur from different IPs or programmatic user agents.↳ also matches user.authentication.sso
Potentially Successful Okta MFA Bombing via Push Notifications source high: Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.↳ also matches user.authentication.auth_via_mfa, user.authentication.sso, user.authentication.verify, user.mfa.okta_verify.deny_push
First Occurrence of Okta User Session Started via Proxy source medium: Identifies the first occurrence of an Okta user session started via a proxy.↳ also matches user.authentication.auth_via_mfa, user.authentication.sso, user.authentication.verify

Kusto #

Failed Logins from Unknown or Invalid User source medium: This query searches for numerous login attempts to the management console with an unknown or invalid user name.
User Login from Different Countries within 3 hours source high: This query searches for successful user logins to the Okta Console from different countries within 3 hours.
Potential Password Spray Attack source medium: This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.

Show 2 more (5 total)

High-Risk Admin Activity source medium: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.↳ also matches user.account.privilege.grant, user.mfa.factor.suspend, user.session.access_admin_app, user.session.impersonation.grant
New Device/Location sign-in along with critical operation source medium: This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.↳ also matches user.mfa.attempt_bypass, user.mfa.factor.deactivate, user.mfa.factor.reset_all

YARA-L #

Okta Successful High Risk User Logins source: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.
Okta User Logins From Multiple Cities source: Detects user logins for same user from different cities within 24 hours.

References #

Okta Event Types Catalog: user.session.start https://developer.okta.com/docs/reference/api/event-types/#user-session-start
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)