This article provides Security Operations Center (SOC) analysts and Okta admins with queries that quickly deliver critical information during troubleshooting or security incidents. These events are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).
- System logs
- Sign-on
- Multi-Factor Authentication (MFA)
- Okta Identity Engine (OIE)
- Okta Classic Engine
Work with the System Log
Access the System Log
To access the System Log in both OCE and OIE, go to Reports > System Log.
View Events in the System Log
To view events in the System Log, type or paste a query into the Search field on the System Log page, and press Enter.
To view sign-in events for a specific user, use the following query, replacing <enter user id> with the user's ID.
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
To learn more about each event in this query, refer to the Definitions table below.
Search for events by IP address
To view user sign-in events associated with a particular IP address, replace <enter ip address here> with the IP address.
(client.ipAddress eq "<enter ip address here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
Search for user sign-in events by external session ID
To view user sign-in events associated with a particular user session, replace <enter external session id here> with an external session ID.
(authenticationContext.externalSessionId eq "<enter external session id here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
Search for All Events Associated with an External Session ID
To view all events associated with a particular user session, replace <enter external session id here> with an external session ID.
(authenticationContext.externalSessionId eq "<enter external session id here>")
View Logout Events for a User
To view user sign-out events associated with a particular user, replace <enter user id> with a user ID.
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.end") or
(eventType eq "user.authentication.slo")
)
View Events for Account Management
To identify any changes to authenticators associated with a particular user, replace <enter user id> with a user ID.
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.mfa.factor.deactivate") or
(eventType eq "user.mfa.factor.reset_all") or
(eventType eq "user.mfa.factor.suspend") or
(eventType eq "user.mfa.factor.unsuspend") or
(eventType eq "user.mfa.factor.update")
)
Share a Link to System Log Reports
A link to a System Log query can be shared with team members for them to view the events in the System Log.
After running a query and viewing the events in the System Log, copy the link from the browser's address bar and paste it into a message for team members. The following is an example of such a link. Replace <Okta org URL> with the organization's URL and <userID> with the ID of the user being queried.
https://<Okta org URL>/report/system_log_2?search=(actor.id+eq+"<userID>")+and+(+(eventType+eq+"user.session.start")+or+(eventType+eq+"policy.evaluate_sign_on")+or+(eventType+eq+"user.authentication.verify")+or+(eventType+eq+"application.policy.sign_on.deny_access")+or+(eventType+eq+"user.authentication.sso")+or+(eventType+eq+"user.authentication.auth_via_mfa")+or+(eventType+eq+"user.mfa.factor.activate")+or+(eventType+eq+"system.push.send_factor_verify_push")+or+(eventType+eq+"system.email.send_factor_verify_message")+or+(eventType+eq+"system.sms.send_factor_verify_message")+or+(eventType+eq+"system.sms.send_phone_verification_message")+or+(eventType+eq+"system.voice.send_mfa_challenge_call")+or+(eventType+eq+"system.voice.send_phone_verification_call")+or+(eventType+eq+"system.email.password_reset.sent_message")+or+(eventType+eq+"system.sms.send_password_reset_message")+or+(eventType+eq+"system.voice.send_password_reset_call")+or+(eventType+eq+"user.account.reset_password")+or+(eventType+eq+"user.account.update_password")+or+(eventType+eq+"system.email.account_unlock.sent_message")+or+(eventType+eq+"system.sms.send_account_unlock_message")+or+(eventType+eq+"system.voice.send_account_unlock_call")+or+(eventType+eq+"user.account.unlock_token")+or+(eventType+eq+"user.account.unlock")+)&fromTime=2022-08-02T00%3A00%3A00Z&toTime=2022-08-09T23%3A59%3A59Z&locale=America%2FToronto&limit=20&view=list&topLeftLongitude=-174.375&topLeftLatitude=77.23507365492469&bottomRightLongitude=177.18749999999997&bottomRightLatitude=-44.84029065139799&mapZoom=2
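As an added example (not code from the Okta article), a small Python helper that assembles the filter expressions used throughout this article and URL-encodes one into a shareable System Log link, refusing values that could break out of the quoted filter literal. The org host, user ID and time window in it are placeholders.

```python
import re
from urllib.parse import urlencode

# The event types this article groups under "user sign-in events" (a subset of the query above).
SIGN_IN_EVENTS = [
    "user.session.start",
    "policy.evaluate_sign_on",
    "user.authentication.verify",
    "application.policy.sign_on.deny_access",
    "user.authentication.sso",
    "user.authentication.auth_via_mfa",
    "user.mfa.factor.activate",
]

# Assumption: the values interpolated here (Okta IDs, IP addresses, session IDs) are plain tokens.
# Anything else is rejected instead of being placed inside the quoted literal, where a stray
# '"' or ')' pasted from a ticket would silently change what the query matches.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:-]+")

def quote_value(value: str) -> str:
    """Return value as a double-quoted filter literal, or raise if it is not a plain token."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"refusing to embed unsafe value in filter: {value!r}")
    return f'"{value}"'

def event_type_filter(scope: str, event_types) -> str:
    """Combine a scope expression with an OR-list of eventType tests, in the article's layout."""
    alternatives = " or ".join(f'(eventType eq "{e}")' for e in event_types)
    return f"{scope} and ( {alternatives} )"

def user_filter(user_id: str, event_types=SIGN_IN_EVENTS) -> str:
    """Events where the user is actor or target (the user-scoped queries in this article)."""
    uid = quote_value(user_id)
    return event_type_filter(f"(actor.id eq {uid} or target.id eq {uid})", event_types)

def ip_filter(ip_address: str, event_types=SIGN_IN_EVENTS) -> str:
    """Events from one client IP (the 'Search for events by IP address' query)."""
    return event_type_filter(f"(client.ipAddress eq {quote_value(ip_address)})", event_types)

def share_link(org_host: str, search: str, from_time: str, to_time: str, limit: int = 20) -> str:
    """Build the Reports > System Log URL shown above. urlencode() uses the same '+' for spaces
    and '%3A' for ':' as the example link; it also percent-encodes quotes and parentheses,
    which the browser decodes to the same query."""
    params = {"search": search, "fromTime": from_time, "toTime": to_time,
              "limit": limit, "view": "list"}
    return f"https://{org_host}/report/system_log_2?{urlencode(params)}"

if __name__ == "__main__":
    # Placeholder org host and user ID; neither refers to a real tenant.
    flt = user_filter("00uPLACEHOLDER", ["user.session.start", "user.authentication.verify"])
    print(flt)
    print(share_link("example.okta.com", flt, "2022-08-02T00:00:00Z", "2022-08-09T23:59:59Z"))
```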
Event Scenarios
Troubleshoot Sign-ons
Sign in to Okta
Use this query to uncover issues with user sign-in attempts to Okta.
When a user signs in to Okta, the following sequence of events is observed:
| Order | Event | Description |
|---|---|---|
| 1 | user.session.start | This event is fired after the first authentication method is verified. |
| 2 | policy.evaluate_sign_on | This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation. |
| 3 | MFA events | Optional. If a policy requires Multi-Factor Authentication (MFA), various MFA enrollment or verification-related events will be observed. See the Multi-Factor Authentication section for details on those events. |
| 4 | user.authentication.verify | This event is fired after the user has successfully completed the sign-in flow. At this point, a valid session should have been established for the user. |
Sample query
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.authentication.verify")
)
Results
Here is a screenshot of the sample query results. The first event is at the bottom, and the last event is at the top.
Sign in to an app
Use this query to uncover issues with user sign-in attempts to apps.
There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.
Success
In successful app sign-in attempts, the following events are triggered.
| Order | Event | Description |
|---|---|---|
| 1 | All events in Multi-Factor Authentication | Optional. If a policy requires MFA, various MFA enrollment or verification-related events will be observed. See the Multi-Factor Authentication section for details on those events. |
| 2 | user.authentication.sso | This event is fired after the user meets all the requirements to access the app. |
Deny
In unsuccessful app sign-in attempts, the following event is triggered.
| Order | Event | Description |
|---|---|---|
| 1 | application.policy.sign_on.deny_access | This event is fired if the user does not meet the requirements to access the app. |
Sample query
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.authentication.sso")
)
Results
Here is a screenshot of the sample query's results. The first event is at the bottom, and the last event is at the top.
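As an added example (not code from the Okta article), a Python routine that takes exported System Log events, groups them by authenticationContext.externalSessionId, orders them by published time, and reports for each session whether the "Sign in to Okta" sequence above completed, whether an MFA challenge was sent but never answered, and how many app SSO or deny_access events it contains (the "Sign in to an app" sequences). The events are constructed and carry only the fields the routine reads.

```python
from collections import defaultdict
MFA_SENT = {  # "challenge sent" events from the Multi-Factor Authentication section
    "system.push.send_factor_verify_push",
    "system.email.send_factor_verify_message",
    "system.sms.send_factor_verify_message",
    "system.voice.send_mfa_challenge_call",
}

def ev(published, event_type, session_id, actor="00uCONSTRUCTED"):
    """Minimal System Log record carrying only the fields this example reads."""
    return {"published": published, "eventType": event_type, "actor": {"id": actor},
            "authenticationContext": {"externalSessionId": session_id}}

# Constructed sample, newest first as the System Log page lists it (first event at the bottom).
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:06Z", "user.authentication.sso", "sessA"),
    ev("2024-01-01T10:00:05Z", "user.authentication.verify", "sessA"),
    ev("2024-01-01T10:00:04Z", "user.authentication.auth_via_mfa", "sessA"),
    ev("2024-01-01T10:00:03Z", "system.push.send_factor_verify_push", "sessA"),
    ev("2024-01-01T10:00:02Z", "policy.evaluate_sign_on", "sessA"),
    ev("2024-01-01T10:00:01Z", "user.session.start", "sessA"),
    ev("2024-01-01T11:00:03Z", "system.push.send_factor_verify_push", "sessB"),
    ev("2024-01-01T11:00:02Z", "policy.evaluate_sign_on", "sessB"),
    ev("2024-01-01T11:00:01Z", "user.session.start", "sessB"),
    ev("2024-01-01T12:00:00Z", "application.policy.sign_on.deny_access", "sessC"),
]

def summarize_session(events):
    """Map one session's chronological event types onto the sequences the article describes."""
    order = [e["eventType"] for e in sorted(events, key=lambda e: e["published"])]
    findings = []
    if "user.session.start" in order:
        after_start = order[order.index("user.session.start"):]
        mfa = " with MFA" if "user.authentication.auth_via_mfa" in after_start else ""
        if "user.authentication.verify" in after_start:
            findings.append("okta sign-in complete" + mfa)
        elif MFA_SENT & set(after_start):
            # A SOC-relevant state: a push/OTP was sent but the user never completed sign-in.
            findings.append("okta sign-in stalled: MFA challenge sent, never verified")
        else:
            findings.append("okta sign-in incomplete: no user.authentication.verify")
    sso = order.count("user.authentication.sso")
    denied = order.count("application.policy.sign_on.deny_access")
    if sso:
        findings.append(f"app sso events: {sso}")
    if denied:
        findings.append(f"app access denied events: {denied}")
    return findings

def summarize_log(events):
    """Group exported events by external session ID and summarize each session."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["authenticationContext"]["externalSessionId"]].append(e)
    return {sid: summarize_session(evs) for sid, evs in by_session.items()}

if __name__ == "__main__":
    for sid, findings in summarize_log(SAMPLE_EVENTS).items():
        print(sid, findings)
```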
Review Multi-Factor Authentication Usage
Multi-Factor Authentication
Review these events to uncover issues with multi-factor authentication.
When the Sign-On Policy/Global Session Policy or app sign-on policy requires MFA, various MFA enrollment or verification-related events will be observed. All MFA factors/authenticators fire these events:
| Order | Event | Description |
|---|---|---|
| 1 | user.authentication.auth_via_mfa | This event is fired after the user verifies themselves using an MFA factor/authenticator. |
| 2 | user.mfa.factor.activate | If a user does not have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enroll them. This event is fired after the user successfully enrolls an MFA factor/authenticator. |
Some MFA factors/authenticators also fire further events that indicate where they are in the verification flow:
| Event | Description |
|---|---|
| system.push.send_factor_verify_push | When using the Okta Verify Push MFA factor/authenticator, this event is fired after Okta sends the push notification to the user’s device. |
| system.email.send_factor_verify_message | When using the Email MFA factor/authenticator, this event is fired after Okta sends the message with the one-time password (OTP) code by email. |
| system.sms.send_factor_verify_message | When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS. |
| system.sms.send_phone_verification_message | When enrolling the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS. |
| system.voice.send_mfa_challenge_call | When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call. |
| system.voice.send_phone_verification_call | When enrolling the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call. |
Review Account Changes
Self-service Password Reset
Review these events to uncover issues with user-initiated password resets.
When the user performs a self-service password reset (SSPR), the following sequence of events will be observed:
| Order | Event | Description |
|---|---|---|
| 1 | One of the following: system.email.password_reset.sent_message, system.sms.send_password_reset_message, system.voice.send_password_reset_call | These events are fired after the email, SMS message, or voice call is sent to the user to initiate the SSPR flow. |
| 2 | user.account.reset_password | This event is fired after Okta resets the user's password, once the email, SMS message, or voice call is verified. The user’s password is reset to allow the user to change it. |
| 3 | user.account.update_password | This event is fired after the user has successfully changed their password. |
When the user completes the SSPR, they start a normal Okta sign-on flow. See the Sign in to Okta section for information about those events.
Sample query
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password")
)
Results
Here is a screenshot of the sample query's results. The first event is at the bottom, and the last event is at the top.
Self-service unlock
Review these events to uncover issues with user-initiated account unlock attempts.
When the user performs self-service unlock (SSU), the following sequence of events will be observed:
| Order | Event | Description |
|---|---|---|
| 1 | One of the following: system.email.account_unlock.sent_message, system.sms.send_account_unlock_message, system.voice.send_account_unlock_call | These events are fired after the email, SMS message, or voice call is sent to the user to initiate the SSU flow. |
| 2 | user.account.unlock_token | This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user’s security question. |
| 3 | user.account.unlock | This event is fired after the user has successfully unlocked their account. |
Sample query
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
Results
Here is a screenshot of the sample query's results. The first event is at the bottom, and the last event is at the top.
Definitions
| Event or field | Description |
|---|---|
| actor.id | Events that are published with a specific actor ID. |
| application.policy.sign_on.deny_access | A user is denied access to an application. |
| policy.evaluate_sign_on | Provides context on the values that are used and evaluated in the context of the Global Session Policy. |
| system.email.account_unlock.sent_message | Okta sends a system-generated account unlock email to the user when they request account unlocking. |
| system.email.password_reset.sent_message | Okta sends a system-generated password reset email to the user when they request a password reset. |
| system.email.send_factor_verify_message | Okta sends a system-generated verification email to the user when they sign in. |
| system.push.send_factor_verify_push | Okta sends a push notification to the user. |
| system.sms.send_account_unlock_message | Okta sends a system-generated account unlock text message to the user when they request account unlocking. |
| system.sms.send_factor_verify_message | Okta sends a system-generated verification text message to the user when they sign in. |
| system.sms.send_password_reset_message | Okta sends a system-generated password reset text message to the user when they request a password reset. |
| system.sms.send_phone_verification_message | Okta sends a system-generated one-time password text message to the user when they select the Phone authenticator and the SMS mode. |
| system.voice.send_account_unlock_call | Okta triggers a phone call to the user containing a one-time password when they request account unlocking. |
| system.voice.send_mfa_challenge_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode. |
| system.voice.send_password_reset_call | Okta triggers a phone call to the user containing a one-time password when they request a password reset. |
| system.voice.send_phone_verification_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode. |
| user.account.reset_password | The user reset their password. |
| user.account.unlock | The user’s account was unlocked. |
| user.account.unlock_token | The token that was issued for unlocking the user’s account. |
| user.account.update_password | The user updated their password. |
| user.authentication.auth_via_mfa | The user performed authentication with a multifactor authentication method. |
| user.authentication.sso | A user attempts a Single Sign-On (SSO) to an application managed in Okta. This event does not capture whether the SSO attempt is successful or has failed, because Okta cannot collect the subsequent authentication attempt status from the third-party service. |
| user.authentication.verify | The user was successfully verified. |
| user.mfa.factor.activate | An MFA factor/authenticator was activated. |
| user.session.start | Okta issues a session to a user who is authenticating. |
Related References
For more information about the System Log, refer to the online help for the respective version of Okta:
