This article identifies the specific system log queries used to audit Super Admin activity.
NOTE: An audit for Super Admin activity is currently performed by searching the system logs.
- System logs
- Super Admin activity
Use the following system log queries to generate a Super Admin activity report:
- For creating, updating, or revoking an API access token:
  eventType sw "system.api"
- For creating, updating, or deleting a network zone, or adding or removing it from a denylist:
  eventType co "zone"
- For updating, disabling, or changing the network zones evaluated by ThreatInsight:
  eventType eq "security.threat.configuration.update"
- For a user’s Okta attributes or password pushed or synchronized to an external application via System for Cross-domain Identity Management (SCIM):
  eventType sw "application.provision.user*"
- For creating a new Secure Web Authentication (SWA) application:
  eventType eq "application.lifecycle.create" AND debugContext.debugData.requestUri eq "/api/internal/orgadmin/apps/swa"
- For when an Okta Sign-In Policy, or a rule within it, is created, updated, or deleted by an administrator:
  eventType sw "policy.lifecycle" OR eventType sw "policy.rule" OR eventType sw "app.policy"
- For when a new administrator creates or grants a new role or resource to an existing administrator:
  eventType co "user.account.privilege.grant"
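
Added example (not part of the original article or Okta's own code): the queries above applied to System Log events that have already been exported as JSON, producing a per-administrator count for each category. It assumes sw, co and eq behave as starts-with, contains and equals, and treats the trailing * in the SCIM query as a wildcard; the category labels, helper names and sample events are constructed for illustration.

```python
from collections import Counter

# Approximations of the filter operators (assumption): starts-with, contains, equals.
def sw(prefix): return lambda v: v.startswith(prefix)
def co(part): return lambda v: part in v
def eq(value): return lambda v: v == value

SWA_URI = "/api/internal/orgadmin/apps/swa"

# hypothetical label -> (eventType predicates OR-ed together, required requestUri)
RULES = {
    "api_token": ([sw("system.api")], None),
    "network_zone": ([co("zone")], None),
    "threatinsight": ([eq("security.threat.configuration.update")], None),
    "scim_push": ([sw("application.provision.user")], None),  # trailing * as wildcard
    "swa_app_create": ([eq("application.lifecycle.create")], SWA_URI),
    "policy_change": ([sw("policy.lifecycle"), sw("policy.rule"), sw("app.policy")], None),
    "privilege_grant": ([co("user.account.privilege.grant")], None),
}

def request_uri(event):
    # debugContext or debugData may be missing or null in an exported event
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    return debug.get("requestUri", "")

def categories(event):
    """Return every audit category whose query matches this event."""
    etype = event.get("eventType", "")
    return [name for name, (preds, uri) in RULES.items()
            if any(p(etype) for p in preds)
            and (uri is None or request_uri(event) == uri)]

def report(events):
    """Count matching events per (actor, category)."""
    counts = Counter()
    for e in events:
        actor = (e.get("actor") or {}).get("alternateId", "unknown")
        counts.update((actor, c) for c in categories(e))
    return counts

def _ev(etype, actor, uri=None):  # builds one constructed sample event
    ev = {"eventType": etype, "actor": {"alternateId": actor}}
    if uri:
        ev["debugContext"] = {"debugData": {"requestUri": uri}}
    return ev

SAMPLE_EVENTS = [  # constructed, not real log data
    _ev("system.api_token.create", "admin1@example.com"),
    _ev("zone.update", "admin1@example.com"),
    _ev("application.lifecycle.create", "admin2@example.com", SWA_URI),
    _ev("application.lifecycle.create", "admin2@example.com", "/api/v1/apps"),
    _ev("policy.rule.update", "admin2@example.com"),
    _ev("user.session.start", "user@example.com"),
    _ev("user.account.privilege.grant", "admin1@example.com"),
]
```

Calling report(SAMPLE_EVENTS) counts five of the seven sample events; the application created through a different request URI and the ordinary sign-in are left out.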
