Okta System Log telemetry sources
Okta records identity and administrative activity in the System Log, which identifies each observable action by an The 36 prefixes and 1,132 eventTypes are enumerated from the Okta Event Types CSV. See the cross-vendor Okta coverage matrix for which rules cover which eventTypes. Each System Log Source: Okta: System Log API reference. Okta does not expose the namespace prefix as a distinct field: the LogEvent schema, the filter API, and the ingestion connectors all carry the full Source: Okta: Event Types catalog. Some eventTypes are only generated by Okta Identity Engine (OIE) orgs and never by Classic Engine orgs (tagged Source: Okta: Event Types catalog.eventType dotted string (e.g. user.session.start, policy.rule.update) rather than a numbered event log. The catalog groups eventTypes by their top-level namespace prefix (the first dotted segment, e.g. user, policy, system) into one synthetic Okta-<prefix> provider each, with every eventType as an event. These pages are kept separate from the Windows event catalog.Namespace prefixes
Namespace Description Event types Okta-access Identity Governance access requests, conditions, and approvals 22 Okta-account Org account lifecycle and provisioning-template changes 15 Okta-analytics Reporting exports and product feedback 4 Okta-app Application sign-on, assignment, and access-request activity 225 Okta-application Application object configuration and integration administration 84 Okta-certification Identity Governance access-certification campaigns 9 Okta-core Core platform internals (expression language, concurrency limits) 3 Okta-credential Credential enrollment and revocation 2 Okta-device Device registration, assurance policy, and desktop MFA 40 Okta-directory Directory integration and AD/LDAP profile sync 10 Okta-event-hook Event hook lifecycle and delivery 7 Okta-group Group lifecycle and application/membership assignment 17 Okta-iam Custom admin roles and resource-set bindings 18 Okta-inline-hook Inline hook lifecycle and execution 8 Okta-integration API-service integration authorization 2 Okta-master-application Master (HR-source) application user membership 1 Okta-mim Mobile device management (MDM) commands 17 Okta-network-zone Network zone rule changes 1 Okta-oauth2 OAuth2 authorization servers, claims, and scopes 11 Okta-org Org-level configuration signals 1 Okta-pam Privileged Access Management: AD connections, secrets, sessions 139 Okta-personal Personal (end-user) app settings and migration 2 Okta-pki PKI certificate authorities and certificate binding 14 Okta-plugin Browser plugin download and status 2 Okta-policy Authentication and access policy evaluation and enforcement 24 Okta-resource-servers Custom API authorization servers 19 Okta-scheduled-action Scheduled user actions (deferred suspension) 4 Okta-security Threat protection, attack detection, and authenticator security 39 Okta-self-service Self-service feature enablement 2 Okta-support Okta Support org access and changes 2 Okta-system Org agents, connectors, and platform administration 232 Okta-task Background task lifecycle 5 Okta-user User account lifecycle, sessions, MFA, and authentication 80 Okta-workflows Okta Workflows automation runs and connections 48 Okta-workload-principal Workload and AI-agent service principals and credentials 16 Okta-zone Network zone lifecycle and allow/block lists 7 The System Log event model
LogEvent carries a common envelope: eventType (the action), actor (who performed it: User, Client, or System), target[] (the objects acted on), outcome.result (SUCCESS, FAILURE, DENY, ...), client (IP, user agent, geo), and authenticationContext / transaction (session and transaction IDs for correlation). A detection keys on the eventType to identify the action, then on the envelope and outcome to score it.The namespace prefix is derived, not native
eventType string only. The prefix split is derived by the catalog (the first dotted segment), purely for navigability. Every detection rule in every corpus matches on the full eventType string; no rule filters on a prefix alone.Identity Engine vs Classic Engine
oie-only in the Event Types CSV). Their event pages note this so a Classic Engine deployment does not expect telemetry it will never emit. A single user action can also produce several LogEvents with different eventTypes correlated by authenticationContext.externalSessionId or transaction.id.