System Log Queries for Attempted Account Takeover
Administration
Okta Identity Engine

Overview

System Log provides Okta administrators with a detailed view of logged events in their org that can be browsed, searched or filtered in the admin console.

Events in the System Log can also be queried and filtered programmatically via the System Log API and can be exported or streamed to third-party security monitoring tools. Okta retains events for 90 days, so third-party monitoring tools are useful where a longer retention duration is desired.

Okta maintains a comprehensive list of event types that can be used for detection or audit purposes.

The first table below is limited to some of the more common events security professionals use when detecting attempted account takeover, often in conjunction with events from other (non-Okta) sources.

The second table is limited to events initiated by an administrator or by customer support personnel that are useful for audit purposes.


USER ACTIVITY

| Event | EventType | Further context |
| --- | --- | --- |
| Suspicious activity reported by user | eventType eq "user.account.report_suspicious_activity_by_enduser" | A user reports suspicious activity in response to an end-user security notification. |
| ThreatInsight detection: access requests from IPs associated with malicious behavior | eventType eq "security.threat.detected" | See Okta's ThreatInsight documentation for details. |
| ThreatInsight detection: access requests from known malicious IPs targeting a specific org | eventType eq "security.attack.start" | See Okta's ThreatInsight documentation for details. |
| User rejected an MFA push request | eventType eq "user.mfa.okta_verify.deny_push" | Logged when a user is prompted to accept a push request but selects "No, it's not me". |
| User authentication via MFA (failure) | eventType eq "user.authentication.auth_via_mfa" AND outcome.result eq "FAILURE" | Relevant in the context of repeated failures. In Okta Identity Engine a password is considered a factor, so failed events include incorrect passwords. |
| User Behavior Detections (Adaptive MFA)* | (eventType eq "user.session.start" AND debugContext.debugData.behaviors co "POSITIVE") OR (eventType eq "policy.evaluate_sign_on" AND debugContext.debugData.behaviors co "POSITIVE") | While typically used in policy enforcement, indications of a new device, a new network location or impossible travel also provide context during investigations. See Okta's Behavior Detection documentation for details. |
| Risk Scoring Events (Adaptive MFA)** | (eventType eq "user.session.start" AND debugContext.debugData.risk co "HIGH") OR (eventType eq "policy.evaluate_sign_on" AND debugContext.debugData.logOnlySecurityData co "HIGH") | While typically used in policy enforcement, security admins can also filter on events with a HIGH risk score. See Okta's risk scoring documentation for details. |
| Self-service password reset attempted for a suspended user | eventType eq "user.account.reset_password" AND outcome.result eq "FAILURE" AND outcome.reason eq "User suspended" | Only relevant in the context of known malicious activity. |
| User fails challenge during self-service password reset | eventType eq "user.account.reset_password" AND outcome.result eq "FAILURE" AND outcome.reason eq "User answered recovery question invalid" | Only relevant in the context of known malicious activity. |
| User account lockout | eventType eq "user.account.lock.limit" | Only relevant in the context of known malicious activity. |
| User password reset (by an unauthenticated user) | eventType eq "user.account.reset_password" | Only relevant in the context of known malicious activity. |
| Single Sign-On to application | eventType eq "user.authentication.sso" | Useful for auditing which apps an actor gained access to. The target.alternateId field contains the name of the target app. |

* Requires admins of orgs with Adaptive MFA to have first configured Behavior Detection.

** Requires admins of orgs with Adaptive MFA to have first set risk scoring as a condition in an application or Okta sign-on policy rule.


ADMINISTRATOR ACTIVITY

| Event | EventType |
| --- | --- |
| User grants access to support for impersonation | eventType eq "user.session.impersonation.grant" |
| Impersonation (support) session initiated | eventType eq "user.session.impersonation.initiate" |
| User password reset sent to the user's email account from SuperUser | eventType eq "user.account.reset_password" AND actor.alternateId eq "system@okta.com" AND transaction.id eq "unknown" |
| Temporary password sent to the user's email account from SuperUser | eventType eq "user.account.update_password" AND actor.alternateId eq "system@okta.com" |
| New API token created by admin | eventType eq "system.api_token.create" |
| Assignment of admin privileges to a user or group | eventType eq "user.account.privilege.grant" OR eventType eq "group.privilege.grant" |
| New Custom Admin role created | eventType eq "iam.role.create" |
| Permissions added to a Custom Admin role | eventType eq "iam.role.permissions.add" |
| Access to the Okta Admin Console | eventType eq "user.session.access_admin_app" |
| Reset all factors for a user | eventType eq "user.mfa.factor.reset_all" |
| Factor activated or deactivated | eventType eq "user.mfa.factor.activate" OR eventType eq "user.mfa.factor.deactivate" |
| A user's factor suspended or unsuspended | eventType eq "user.mfa.factor.suspend" OR eventType eq "user.mfa.factor.unsuspend" |
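As an added example that is not part of this page or of Okta's own tooling, the evaluator below applies filter expressions of the form used in both tables (path eq/co "value" joined by AND and OR) to constructed events in System Log JSON shape, so a query can be checked offline against known-good and known-bad events before it is sent to the System Log API. It assumes AND binds tighter than OR, as in SCIM-style filters, and the sample events and actor names are constructed.

```python
import re

# Added example (not Okta's code): offline evaluator for the or-of-ands filter form every
# query on this page takes. Assumes AND binds tighter than OR, as in SCIM-style filters.
_TERM = re.compile(r'([\w.]+)\s+(eq|co)\s+"([^"]*)"', re.I)

def _get(event, path):
    # Walk a dotted path such as debugContext.debugData.behaviors; None if absent.
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def compile_filter(expr):
    """Compile a filter string into a predicate over one System Log event dict."""
    clauses = []  # OR-ed clauses, each a list of AND-ed (path, op, value) terms
    for disjunct in re.split(r"\s+OR\s+", expr.strip(), flags=re.I):
        terms = []
        for conjunct in re.split(r"\s+AND\s+", disjunct, flags=re.I):
            m = _TERM.fullmatch(conjunct.strip())
            if not m:  # reject anything outside path eq/co "value" instead of ignoring it
                raise ValueError(f"unsupported filter term: {conjunct!r}")
            terms.append(m.groups())
        clauses.append(terms)
    def term_ok(event, path, op, value):
        actual = _get(event, path)  # eq: exact match; co: substring, e.g. behaviors co "POSITIVE"
        return actual == value if op.lower() == "eq" else value in str(actual or "")
    return lambda event: any(all(term_ok(event, *t) for t in terms) for terms in clauses)

SAMPLE_EVENTS = [  # constructed events in System Log shape, not real Okta data
    {"eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {"behaviors": "{New Geo-Location=POSITIVE}"}}},
    {"eventType": "user.account.reset_password", "actor": {"alternateId": "bob@example.com"},
     "outcome": {"result": "FAILURE", "reason": "User suspended"}},
    {"eventType": "system.api_token.create", "actor": {"alternateId": "admin@example.com"},
     "outcome": {"result": "SUCCESS"}},
]

PAGE_QUERIES = {  # copied from the two tables on this page
    "mfa_failure": 'eventType eq "user.authentication.auth_via_mfa" AND outcome.result eq "FAILURE"',
    "behavior_positive": 'eventType eq "user.session.start" AND debugContext.debugData.behaviors co "POSITIVE" '
                         'OR eventType eq "policy.evaluate_sign_on" AND debugContext.debugData.behaviors co "POSITIVE"',
    "sspr_suspended": 'eventType eq "user.account.reset_password" AND outcome.result eq "FAILURE" AND outcome.reason eq "User suspended"',
    "api_token_created": 'eventType eq "system.api_token.create"',
}

def match_events(events, queries):  # {query_name: [actor alternateIds the query selects]}
    preds = {name: compile_filter(q) for name, q in queries.items()}
    return {name: [_get(e, "actor.alternateId") for e in events if ok(e)] for name, ok in preds.items()}
```

A quoted value containing the bare words AND or OR is outside this evaluator's grammar; the Okta API itself handles such values, so test those queries against the live API rather than here.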