<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Search the System Log for Changes to Sensitive Attributes
Dec 23, 2025
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

How to determine if someone has changed sensitive data (for example, an immutableID, email address, etc.).

Applies To
  • Okta System logs
  • Microsoft Office 365 (O365) Integration
  • Attributes
Solution

Build 2023.11.1 (released into production 5 Dec 2023) added additional tracking to the user-updated Syslog events to track changes to attributes. With the inclusion of this additional data, monitoring for changes to sensitive attributes becomes possible, enabling the flagging of such changes and facilitating further analysis.

System logs 
 
In the screenshot above, see the addition of ChangedAttributes to the syslog event for a user where we changed their firstName, displayName, and testAttr. 

Run a syslog query like the one below to return entries where the user has had their attributes updated:
debugContext.debugData.ChangedAttributes co  <attribute>

For example:
debugContext.debugData.ChangedAttributes co  "firstName" 

Recommended content

Still looking for help?
Loading
How to Search the System Log for Changes to Sensitive Attributes