Identity Threat Protection Event Types
This resource contains detailed reference material on event types triggered with the Identity Threat Protection solution. Use the information from these properties to understand the users, threats, and risk environment for your org.
Note: Not every property is documented for the event types, only those primarily used to assist in reviewing an identity threat interaction. Also, objects and properties may differ based on your implementation of the Identity Threat Protection solution.
analytics feedback provide
analytics.feedback.provide
Description: This event is triggered when an admin provides feedback on a user or session risk detection. It can be used to monitor feedback provided by admins in response to Okta-determined changes in risk.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
EventUuid | The ID of the user.risk.change or session.context.change event that prompted the Admin feedback. | String | 721b1961-f0a6-11ee-bfa6-c1c3bad801v3 |
Label | The type of feedback from the admin, either true_positive or false_positive | Enum | true_positive |
target (User) | The user that the feedback is about | Object | |
type | The type of target object | String | User |
actor | The user or admin that is providing the feedback | Object | |
type | The type of actor object |
device signals status timeout
device.signals.status.timeout
Description: This event is triggered when a registered device that is associated with at least one user session hasn't communicated with Okta within the required time interval. Use this event to investigate a potentially insecure device and compromised user session. The event contains the device unique identifier in the System Log actor object. You can use this information to find other related events.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
deviceSignalsLastReceived | The date and time of the last receipt of a device signal | String | "2024-03-13T19:26:53" |
target (User) | The user who still has an active session on that device | Object | |
type | The type of target object | String | User |
actor | The registered device associated with the user sessions | Object | |
id | The ID of the registered device | string | guv1ibaeaz4lr8Eo70a9 |
policy auth_reevaluate fail
policy.auth_reevaluate.fail
Description: This event is triggered when your org’s authentication or global session policy is reevaluated, and a violation is identified. The violation occurs if the request doesn't meet the assurances defined in the policy, or if the request has an action set to DENY based on environment conditions.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | { New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE } |
CaeEnforceMode | The Post auth session evaluation UI setting that determines whether the policy is enforceable. If this is false, Okta logs these events but doesn't take any further action. | Boolean | true |
Risk | Contains the level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ServerStatus | Describes the current state of the Okta servers. Other values can be READ_ONLY and SAFE_MODE . | Enum | ACTIVE |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user session associated with the failed policy evaluations | Object | |
type | The type of target object | String | User |
target (Policy Evaluation) | The reevaluated policy | Object | |
type | The type of target object | String | Policy Evaluation |
target.DetailEntry (Policy Evaluation) | |||
AppInstanceIds | The apps affected by a Post auth session evaluation violation event | Array | ["0oa4mczwb7SfcTQ9N0g7", "0oa4yvb15qhL8RKA30g7"] |
MatchedRuleAction | The action of the rule that matched the evaluation. Values can be ALLOW or DENY . | Enum | ALLOW |
MatchedRuleAssuranceMet | Whether the matched rule evaluated to passing all authenticator assurances. This value is null if the MatchedRuleAction is DENY . | Boolean | false |
MatchedRuleDisplayName | The matched rule's display name | String | |
MatchedRuleId | The unique identifier of the matched rule | String | 0pr4yyl6a8D97WIRC0a7 |
PolicyType | The evaluated policy type | ENUM | OKTA_SIGN_ON |
DisplayName | Displays the name of the evaluated policy | String | |
ID | Unique identifier of the target | String | 00u8xst93qEWYx65sx1d7 |
actor | The target user if synchronous and the system principal if asynchronous | Object | |
type | The type of actor object | ||
client | The client of the actor | Object | |
IPAddress | IP address |
policy auth_reevaluate action
policy.auth_reevaluate.action
Description: This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | The level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a suspicious request, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Rule) | The rule associated with the Post auth session evaluation | Object | |
type | The type of target object | String | Rule |
target.DetailEntry (Rule) | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW . | Enum | TERMINATE_SESSION |
SingleLogOutEnabled | For a RuleAction of TERMINATE_SESSION , and if true , a Post auth session evaluation violation enforces application logout | Boolean | true |
SingleLogOutSelectionMode | For a RuleAction of TERMINATE_SESSION , the options of the application logout, either all applications, specific applications, or none. Values can be: NONE , ALL , or SPECIFIED . | Enum | ALL |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | The name of the rule | String | Entity Risk Policy |
ID | Unique identifier of the rule | String | 00u8xst93qEWYx65sx1d7 |
target (Policy) | The Post auth session evaluation policy | Object | |
type | The type of target object | String | Policy |
target (PolicyAction) | The action associated with the Post auth session evaluation | Object | |
type | The type of target object | String | PolicyAction |
target.DetailEntry (PolicyAction) | |||
PolicyAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. | Enum | TERMINATE_SESSION |
PolicySingleLogOutEnabled | For a PolicyAction of TERMINATE_SESSION, and if true, a post auth session evaluation violation enforces application logout | Boolean | true |
PolicySingleLogOutSelectionMode | For a PolicyAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. | Enum | ALL |
PolicySingleLogoutAppInstanceIds | A list of apps that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. | Array | [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ] |
WorkflowId | The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | The name of the action | String | TERMINATE_SESSION |
ID | Unique identifier of the Post auth session evaluation policy | String | 00u8xst93qEWYx65sx1d7 |
actor | The target user if synchronous and the system principal if asynchronous | Object | |
type | The type of actor object | ||
client | The client of the actor | ||
IPAddress | IP address of the client |
policy continuous_access action
policy.continuous_access.action
Deprecated
Description: This event is deprecated. The new event type name is policy auth_reevaluate action. This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | Contains the level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Rule) | The rule associated with the Post auth session evaluation | Object | |
type | The type of target object | String | Rule |
target.DetailEntry (Rule) | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW . | Enum | TERMINATE_SESSION |
SingleLogOutEnabled | For a RuleAction of TERMINATE_SESSION , and if true , a Post auth session evaluation violation enforces application logout | Boolean | true |
SingleLogOutSelectionMode | For a RuleAction of TERMINATE_SESSION , the options of the application logout, either all applications, specific applications, or none. Values can be: NONE , ALL , or SPECIFIED . | Enum | ALL |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | Displays the name of the rule | String | Entity Risk Policy |
ID | Unique identifier of the rule | String | 00u8xst93qEWYx65sx1d7 |
target (Policy) | The Continuous access evaluation policy | Object | |
type | The type of target object | String | Policy |
target (PolicyAction) | The action associated with the Continuous access evaluation | Object | |
type | The type of target object | String | PolicyAction |
target.DetailEntry (PolicyAction) | |||
PolicyAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. | Enum | TERMINATE_SESSION |
PolicySingleLogOutEnabled | For a PolicyAction of TERMINATE_SESSION, and if true, a continuous access evaluation violation enforces application logout | Boolean | true |
PolicySingleLogOutSelectionMode | For a PolicyAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. | Enum | ALL |
PolicySingleLogoutAppInstanceIds | A list of apps that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. | Array | [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ] |
WorkflowId | The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | Displays the name of the action | String | TERMINATE_SESSION |
ID | Unique identifier of the Continuous access evaluation policy | String | 00u8xst93qEWYx65sx1d7 |
actor | The target user if synchronous and the system principal if asynchronous | Object | |
type | The type of actor object | ||
client | The client of the actor | ||
IPAddress | IP address of the client |
policy auth_reevaluate enforce
policy.auth_reevaluate.enforce
Description: This event is triggered when a Post auth session evaluation occurs.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | Contains the level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Rule) | The rule associated with the Post auth session evaluation | Object | |
type | The type of target object | String | Rule |
target.DetailEntry (Rule) | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW . | Enum | TERMINATE_SESSION |
SingleLogOutEnabled | For a RuleAction of TERMINATE_SESSION , and if true , a Post auth session evaluation violation enforces app logout. | Boolean | true |
SingleLogOutSelectionMode | For a RuleAction of TERMINATE_SESSION , the options of the app logout, either all apps, specific apps, or none. Values can be: NONE , ALL , or SPECIFIED . | Enum | ALL |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | Display the name of the target rule | String | Test Rule |
ID | Unique identifier of the target rule | String | 00u8xst93qEWYx65sx1d7 |
target (Policy) | The Post auth session evaluation policy | Object | |
type | The type of target object | String | Policy |
actor | The target user if synchronous and the system principal if asynchronous | ||
type | The type of actor object | Object | |
client | The client of the actor | ||
IPAddress | IP address of the client |
policy continuous_access evaluate
policy.continuous_access.evaluate
Deprecated
Description: This event is deprecated. The new event type name is policy auth_evaluate enforce. This event is triggered when a post auth session evaluation occurs.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | The level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a suspicious request, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Rule) | The rule associated with the Continuous Access evaluation | Object | |
type | The type of target object | String | Rule |
target.DetailEntry (Rule) | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW . | Enum | TERMINATE_SESSION |
SingleLogOutEnabled | For a RuleAction of TERMINATE_SESSION , and if true , a Continuous Access evaluation violation enforces app logout. | Boolean | true |
SingleLogOutSelectionMode | For a RuleAction of TERMINATE_SESSION , the options of the app logout, either all apps, specific apps, or none. Values can be: NONE , ALL , or SPECIFIED . | Enum | ALL |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | The name of the target rule | String | Test Rule |
ID | Unique identifier of the target rule | String | 00u8xst93qEWYx65sx1d7 |
target (Policy) | The Continuous Access evaluation policy | Object | |
type | The type of target object | String | Policy |
actor | The target user if synchronous and the system principal if asynchronous | ||
type | The type of actor object | Object | |
client | The client of the actor | ||
IPAddress | IP address of the client | ||
policy entity_risk action
policy.entity_risk.action
Description: This event is triggered from an Entity risk policy action invocation. It signals that an action associated with an evaluation of an entity risk policy has been invoked.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | Contains the level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Policy) | The entity risk policy | Object | |
type | The type of target object | String | Policy |
target (Rule) | The rule of the entity risk policy | Object | |
type | The type of target object | String | Rule |
target.DetailEntry | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_ALL_SESSIONS or RUN_WORKFLOW . If the action is TERMINATE_ALL_SESSIONS , no further properties appear. If the action is RUN_WORKFLOW , the WorkflowId appears. | ENUM | RUN_WORKFLOW |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | Name of the rule | String | Test rule |
ID | Unique identifier of the rule | String | 00u8xut93qEWYx5sx1d7 |
type | The type of target object | String | Rule |
target (PolicyAction) | |||
type | The type of target object | String | PolicyAction |
target.DetailEntry | Object | ||
PolicyAction | The configured action to respond to the risk. Values include NULL (Logging Mode), TERMINATE_ALL_SESSIONS , and RUN_WORKFLOW . | ENUM | TERMINATE_ALL_SESSIONS |
PolicySingleLogOutEnabled | Identifies if single logout is enabled. This property appears if PolicyAction is TERMINATE_SESSION . | Boolean | true |
PolicySingleLogOutSelectionMode | The mode of logout. Values can be NONE , ALL , or SPECIFIED . This property appears if PolicyAction is TERMINATE_SESSION . | ENUM | ALL |
PolicySingleLogoutAppInstanceIds | A list of apps that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. | Array | [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ] |
PolicyWorkflowId | The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | Name of the policy action | String | TERMINATE_ALL_SESSIONS |
ID | Unique identifier of the entity risk policy | String | 00u8xut93qEWYx5sx1d7 |
type | The type of target object | string | PolicyAction |
actor | The target user if synchronous and the system principal if asynchronous | Object | |
type | The type of actor object | ||
client | The client of the actor | ||
IPAddress | IP address |
policy entity_risk evaluate
policy.entity_risk.evaluate
Description: This event is triggered when Okta receives a risk event and then evaluates the entity risk policy.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Risk | Contains the level of risk for a particular request (LOW , MEDIUM , or HIGH ) and the reasons that contributed to the risk level. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true . | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user associated with the risk change | Object | |
type | The type of target object | String | User |
target (Policy) | The entity risk policy | Object | |
type | The type of target object | String | Policy |
target (Rule) | The rule of the entity risk policy | ||
type | The type of target object | String | Rule |
target.DetailEntry | |||
RuleAction | The configured action to respond to the risk. Values include TERMINATE_ALL_SESSIONS or RUN_WORKFLOW . If the action is TERMINATE_ALL_SESSIONS , no further properties appear. If the action is RUN_WORKFLOW , the WorkflowId appears. | ENUM | RUN_WORKFLOW |
WorkflowId | The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW . | String | 572749 |
DisplayName | The name of the rule | String | Test rule |
ID | Unique identifier of the rule | String | 00u8xut93qEWYx5sx1d7 |
Type | The target type | String | Rule |
actor | The target user if synchronous and the system principal if asynchronous | Object | |
type | The type of actor object | ||
client | The client of the actor | Object | |
IPAddress | IP address |
security events provider receive_event
security.events.provider.receive_event
Description: This event is triggered when an event provider submits a valid Shared Signals Framework (SSF) security event. It can help org admins debug/monitor partner SSF submissions. The event contains debug context data about the event provider's risk report.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
partnerRiskReportData | The SSF submission from an event provider. It includes the issuer of the security event, the security event URL, and the security event definition. | key-value pairs | "{ "issuer" : "https://example.eventprovider.com", "https://schemas.openid.net/secevent/caep/event-type/session-revoked" : { "subject" : { "user" : { "format" : "email", "email" : "joe.alex@example.com" }, "device" : { "format" : "opaque", "sub" : "1234ABCD-123A-123B-123C-12345ABCDEFG" }}, "event_timestamp" : 1709484521, "reason_admin" : {"en" : "Malware detected" } }}" |
target (User) | The user affected by the event | Object | |
type | The type of target object | String | |
actor | The security events provider | Object | |
type | The type of actor object | String | SecurityEventProvider |
user authentication universal_logout
user.authentication.universal_logout
Description: This event is triggered when Okta or an admin invokes Universal Logout against an app instance. It contains the app instance details for which the Universal Logout API was triggered. The event indicates when apps have had Universal Logout triggered for audit or debugging purposes. This event is only triggered once. It's only triggered for apps that have been configured for Universal Logout. You can configure it in an Entity risk policy or with Post auth session evaluation, or invoke it manually from the user profile.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
AppInstanceIds | A list of app IDs that Okta triggered for Universal Logout | Array of IDs | ["0oa1ysra5y0ESChAr0h8"] |
TraceId | The TraceId is used in Post auth session evaluation use cases. A request that triggers a Post auth session evaluation can ultimately trigger things like Post auth session evaluation action events - and those are executed from the async jobs. TraceId connects together events triggered both by the original request handler and from the async jobs triggered by this handler. | String | 94384405-51e3-4e13-b8b0-ba857b585a63 |
target (User) | The user impacted by the universal logout | Object | |
type | The type of target object | String | User |
actor | The admin or system principal that triggers universal logout | Object | |
type | The type of actor object | ||
client | The client of the system principal actor for Post auth session evaluation and entity risk policy actions, or the client of the admin triggering the clear user sessions action. | Object | |
IPAddress | IP address |
user authentication universal_logout scheduled
user.authentication.universal_logout.scheduled
Description: This event is triggered only when an admin manually triggers the Universal Logout against an app instance. It contains the location of the admin and the context of the Universal Logout, that is, from where and how the Universal Logout API was triggered. This event is only triggered once. You can correlate this event with the user.authentication.universal_logout event using the traceID found under DebugData for both events.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
TraceId | The TraceId is used in Post auth session evaluation use cases. A request that triggers a Post auth session evaluation can ultimately trigger things like Post auth session evaluation action events - and those are executed from the async jobs. TraceId connects together events triggered both by the original request handler and from the async jobs triggered by this handler. | String | 94384405-51e3-4e13-b8b0-ba857b585a63 |
target (User) | The user impacted by the Universal Logout | Object | |
type | The type of target object | String | User |
actor | The admin or system principal that triggers Universal Logout | Object | |
type | The type of actor object | ||
client | The client of the system principal actor for Post auth session evaluation and entity risk policy actions, or the client of the admin triggering the clear user sessions action. | Object | |
Device | This property contains information about what type of device the admin was using when the Universal Logout event was triggered. | String | Computer |
GeographicalContext.City | This property contains information about the city where the Universal Logout event was triggered. | String | San Francisco |
GeographicalContext.Country/region | This property contains information about the country/region where the Universal Logout event was triggered. | String | United States |
GeographicalContext.Geolocation.Lat | This property contains the latitude where the Universal Logout event was triggered. | Numeric | 37.7852 |
GeographicalContext.Geolocation.Lon | This property contains the longitude where the Universal Logout event was triggered. | Numeric | 122.3874 |
GeographicalContext.PostalCode | This property contains information about the postal code where the Universal Logout event was triggered. | String | 94105 |
GeographicalContext.State | This property contains information about the state where the Universal Logout event was triggered. | String | California |
IPAddress | This property contains information about the IP address of the admin when the Universal Logout event was triggered. | Numeric | 8.35.185.250 |
UserAgent.Browser | This property contains information about the type of browser the admin was using when the Universal Logout event was triggered. | String | Chrome |
UserAgent.OS | This property contains information about the type of OS the admin was using when the Universal Logout event was triggered. | String | Mac OS 14.3.0 (Sonoma) |
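The TraceId correlation described above, together with parsing of the flattened Risk and Behaviors strings that several of these events carry, as an added example (not Okta's code). It assumes events exported as System Log JSON with debugData keys spelled as in the tables on this page; the sample events, the trace-A/B/C IDs, the `alternateId` lookup and the status labels are constructed for illustration.

```python
import re
from collections import defaultdict

# A new pair starts only at ", <key>=", so commas inside a value (the Risk
# "reasons" list) stay part of that value. Assumes values never contain "=".
_PAIR_START = re.compile(r",\s*(?=[A-Za-z][\w\- ]*=)")
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
RESPONSE_EVENTS = {"policy.auth_reevaluate.action",
                   "user.authentication.universal_logout"}


def parse_kv(flat):
    """Parse a '{k=v, k=v}' debugData string (Risk, Behaviors) into a dict."""
    body = (flat or "").strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    pairs = {}
    for pair in _PAIR_START.split(body):
        key, sep, value = pair.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def summarize_traces(events):
    """Group events by TraceId and report what happened in each flow."""
    by_trace = defaultdict(list)
    for ev in events:
        trace = ev.get("debugContext", {}).get("debugData", {}).get("TraceId")
        if trace:
            by_trace[trace].append(ev)

    summaries = {}
    for trace, evs in by_trace.items():
        evs.sort(key=lambda e: e["published"])  # ISO 8601 UTC sorts lexically
        types = [e["eventType"] for e in evs]
        level, reasons, behaviors, enforced, user = None, [], set(), None, None
        for ev in evs:
            data = ev["debugContext"]["debugData"]
            risk = parse_kv(data.get("Risk"))
            if LEVELS.get(risk.get("level"), 0) > LEVELS.get(level, 0):
                level = risk["level"]
                reasons = [r.strip() for r in risk.get("reasons", "").split(",") if r.strip()]
            behaviors |= {k for k, v in parse_kv(data.get("Behaviors")).items()
                          if v == "POSITIVE"}
            if "CaeEnforceMode" in data:  # may arrive as bool or "true"/"false"
                enforced = str(data["CaeEnforceMode"]).lower() == "true"
            for target in ev.get("target", []):
                if target.get("type") == "User" and user is None:
                    user = target.get("alternateId")
        # Triage labels (constructed for this example, not Okta terminology).
        if "policy.auth_reevaluate.fail" not in types:
            status = "no-violation"
        elif enforced is False:
            status = "log-only"          # CaeEnforceMode=false: logged, no action
        elif RESPONSE_EVENTS & set(types):
            status = "responded"         # logout or workflow seen in same trace
        else:
            status = "no-response-seen"  # enforced violation, nothing followed
        summaries[trace] = {"user": user, "level": level, "reasons": reasons,
                            "behaviors": sorted(behaviors), "events": types,
                            "status": status}
    return summaries


def _event(event_type, published, trace, user=None, **debug):
    """Build one constructed sample event in System Log JSON shape."""
    target = [{"type": "User", "alternateId": user}] if user else []
    return {"eventType": event_type, "published": published, "target": target,
            "debugContext": {"debugData": {"TraceId": trace, **debug}}}


# Constructed sample data (deliberately out of order), not real log output.
SAMPLE_EVENTS = [
    _event("user.authentication.universal_logout", "2024-03-13T19:27:05Z", "trace-A"),
    _event("policy.auth_reevaluate.fail", "2024-03-13T19:26:53Z", "trace-A",
           user="joe.alex@example.com", CaeEnforceMode="true",
           Risk="{reasons=Anomalous Geo-Distance, New Device, New ASN, level=HIGH}",
           Behaviors="{ New IP=POSITIVE, New Device=NEGATIVE, Velocity=POSITIVE }"),
    _event("policy.auth_reevaluate.action", "2024-03-13T19:26:58Z", "trace-A"),
    _event("policy.auth_reevaluate.fail", "2024-03-13T20:01:10Z", "trace-B",
           user="b.user@example.com", CaeEnforceMode=False,
           Risk="{reasons=New IP, level=MEDIUM}"),
    _event("policy.auth_reevaluate.fail", "2024-03-13T21:15:42Z", "trace-C",
           user="c.user@example.com", CaeEnforceMode=True,
           Risk="{reasons=New Device, New ASN, level=HIGH}"),
]

if __name__ == "__main__":
    for trace_id, info in sorted(summarize_traces(SAMPLE_EVENTS).items()):
        print(trace_id, info["status"], info["level"], info["user"], info["events"])
```

The `no-response-seen` label is a triage prompt, not proof of a gap: check whether the matched rule has an action configured before treating it as a missed enforcement.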
user risk change
user.risk.change
Description: This event is triggered when a user's risk level has changed. It can be used to monitor risk level changes for users. The event is triggered when Okta determines that a user is associated with a risk context or activity.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Risk | Contains the level of risk for a user entity (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The previousLevel key defines the previous risk level of the user entity. The issuer defines the source of the risk detection. See Detections. | key-value pair | {previousLevel=LOW, level=MEDIUM, detectionName=Session Influenced User Risk, reasons=Associated sessionId is suspected to be hijacked, issuer=OKTA} |
TraceId | A unique identifier to track all events associated with the risk | String | 65d65fa6-b5a9-50e9-b6f1-637b9fb71c50 |
target (User) | The user associated with a risk change | Object | |
type | The type of target object | String | User |
actor | The entity reporting the user risk change (can be a system principal, end user, or org administrator) | Object | |
type | The type of actor object | String | User |
user risk detect
user.risk.detect
Description: This event is triggered when Okta detects that a user is associated with risk activity or context. It can be used to monitor risk level detections for users.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Risk | Contains the level of risk for a user entity (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The previousLevel key defines the previous risk level of the user entity. The issuer defines the source of the risk detection. See Detections. | key-value pair | {previousLevel=LOW, level=MEDIUM, detectionName=Session Influenced User Risk, reasons=Associated sessionId is suspected to be hijacked, issuer=OKTA} |
TraceId | A unique identifier to track all events associated with the risk | String | 65d65fa6-b5a9-50e9-b6f1-637b9fb71c50 |
target (User) | The user associated with a risk change | Object | |
type | The type of target object | String | User |
actor | The entity reporting the user risk change (can be a system principal, end user, or org administrator) | Object | |
type | The type of actor object | String | User |
user session clear
user.session.clear
Description: This event is triggered when an admin invokes clear sessions from the user profile. This event appears only one time and contains externalSessionId and System.Transaction.ID.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.System.Transaction | |||
ID | This ID correlates with all associated user.session.end events | String | c579b0f27865c4b93be9ceb6f00e5373 |
event.AuthenticationContext | |||
ExternalSessionId | The ID of the admin invoking the clear session action | String | 102Oxl7hHhjTMvV2L8MGc_SYR |
target (User) | The user who had their session cleared by the admin | Object | |
type | The type of target object | String | User |
actor | The admin user invoking the clear session action | Object | |
type | The type of actor object | String | User |
client | The client of the admin actor | Object | |
IPAddress | IP address |
user session context change
user.session.context.change
Description: This event is triggered when the current session context has changed from the session context when the event was created, and a reevaluation of policy may be required. This can indicate a security issue related to the session.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
Behaviors | List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection. | key-value pairs | {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE} |
Causes | The cause of the change in session context. The values can be an ipAddress.change or deviceContext.change. | Array | ["ipAddress.change"] |
ExternalSessionId | The ID of the session that had the context change | String | idxncn50DUmRpqWcz3doJX18g |
NewIpAddress | The new IP address for an ipAddress.change cause or the new IP address for a device context change. | String | 145.126.159.223 |
PreviousIpAddress | The previous IP address for an ipAddress.change cause or the new IP address for a device context change. | String | 67.46.211.18 |
changedDeviceSignals | The change in device signals for the session. | key-value pairs | { "device.profile.managed":{ "oldValue":true, "newValue":false},"device.provider.wsc.fireWall":{"oldValue":"GOOD", "newValue":"NONE"}} |
Risk | Contains the level of risk for the current request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The issuer defines the source of the risk detection. See Detections. | key-value pairs | {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH} |
Source | The source of the session context change | String | OKTA |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true. | Boolean | false |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50 |
target (User) | The user session with a change in context | Object | |
type | The type of target object | String | User |
target (Session) | The session of the user with a change in context | Object | |
type | The type of target object | String | Session |
target (Device) | For deviceContext.change in an asynchronous flow, the device with a change in context | Object | |
type | The type of target object | String | Session |
actor | For ipAddress.change and deviceContext.change in a synchronous flow, the user. For deviceContext.change in an asynchronous flow, the system principal | Object | |
type | The type of actor object | ||
client | The user client with the context change, except in the case of a device context change when a user isn't interacting with Okta. In that scenario, the client is Okta Verify. | Object | |
IPAddress | IP address |
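The Risk value in user.risk.change, user.risk.detect, and user.session.context.change is a flat key=value string, and its reasons field can itself contain commas. The following Python is an added example, not Okta code: it parses the two example values from the tables above, assuming that only the keys documented on this page appear and that reasons is a comma-separated list.

```python
import re

# Keys documented on this page for the Risk property.
RISK_KEYS = ("previousLevel", "level", "detectionName", "reasons", "issuer")
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Split only on a comma that is followed by a known key and "=", so commas
# inside the free-text reasons value do not break the parse.
_SPLIT = re.compile(r",\s*(?=(?:%s)=)" % "|".join(RISK_KEYS))


def parse_risk(raw):
    """Parse a Risk debugData string such as '{level=HIGH, reasons=A, B}'."""
    body = raw.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("Risk value is not wrapped in braces: %r" % raw)
    fields = {}
    for part in _SPLIT.split(body[1:-1]):
        key, sep, value = part.partition("=")
        if not sep or key.strip() not in RISK_KEYS:
            raise ValueError("unexpected Risk field: %r" % part)
        fields[key.strip()] = value.strip()
    if "reasons" in fields:
        # Assumption: reasons is a comma-separated list of reason names.
        fields["reasons"] = [r.strip() for r in fields["reasons"].split(",")]
    return fields


def is_escalation(risk):
    """True when level is above previousLevel, or HIGH with no previous level."""
    level = LEVEL_RANK[risk["level"]]
    previous = risk.get("previousLevel")
    if previous is None:
        return level == LEVEL_RANK["HIGH"]
    return level > LEVEL_RANK[previous]


# The two example values shown in the tables on this page.
USER_RISK = ("{previousLevel=LOW, level=MEDIUM, detectionName=Session Influenced "
             "User Risk, reasons=Associated sessionId is suspected to be hijacked, "
             "issuer=OKTA}")
SESSION_RISK = ("{reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, "
                "New State, New Country, New City, level=HIGH}")

if __name__ == "__main__":
    for raw in (USER_RISK, SESSION_RISK):
        risk = parse_risk(raw)
        print(risk["level"], is_escalation(risk), risk.get("reasons"))
```

Splitting on every comma would turn "New Device" and "New ASN" into malformed fields, which is why the split is anchored to the known key names.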
user session end
user.session.end
Description: This event is triggered when Okta terminates all IDX sessions for a user. A separate event is logged for each of the user's active sessions. Each event contains externalSessionId and System.Transaction.ID values that correlate with the System.Transaction.ID for the user.session.clear event.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
EndedSessionId | The session ID that is ended for the target user | String | idxffK-esRDSrC5m0ly-Kma9A |
TraceId | A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query | String | e1214f29-e6b3-4698-b3be-4bccaadf1937 |
ThreatSuspected | If ThreatInsight is running and detects a request as suspicious, the value for this property is true. | Boolean | |
Url | The logout URL from the end user or admin actor | String | |
event.System.Transaction | |||
ID | For an admin actor, this ID correlates with user.session.clear or user.authentication.universal_logout events. For a system principal actor, this ID correlates to the user.authentication.universal_logout event. | String | c579b0f27865c4b93be9ceb6f00e5373 |
target (User) | The user associated with a risk activity | Object | |
type | The type of target object | String | User |
actor | The end user, the admin (in the case of an explicit admin action), or the system principal (in the case of a Post auth session evaluation) | Object | |
type | The type of actor object | ||
client | The client of the system principal actor | Object | |
IPAddress | IP address |
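The transaction ID correlation described for user.session.clear and user.session.end can be checked over exported System Log events. The following Python is an added example, not Okta code: it assumes the exported JSON uses the field paths eventType, transaction.id, and debugContext.debugData, and that the debugData key is cased as in the table above.

```python
from collections import defaultdict

# Event types whose transaction ID the page says user.session.end correlates with.
ORIGIN_TYPES = {"user.session.clear", "user.authentication.universal_logout"}


def make_event(event_type, tx_id, ended_session=None):
    """Build a constructed sample event in the assumed System Log JSON shape."""
    ev = {"eventType": event_type, "transaction": {"id": tx_id}}
    if ended_session:
        ev["debugContext"] = {"debugData": {"EndedSessionId": ended_session}}
    return ev


# Constructed sample data. Only TX_PAGE and the first session ID are the example
# values from the tables on this page; the rest are placeholders.
TX_PAGE = "c579b0f27865c4b93be9ceb6f00e5373"
EVENTS = [
    make_event("user.session.clear", TX_PAGE),
    make_event("user.session.end", TX_PAGE, "idxffK-esRDSrC5m0ly-Kma9A"),
    make_event("user.session.end", TX_PAGE, "constructed-session-2"),
    make_event("user.session.clear", "constructed-tx-0002"),  # no end events
    make_event("user.session.end", "constructed-tx-0003", "constructed-session-3"),
]


def correlate_session_ends(events):
    """Return (report, orphans): ended sessions grouped under their origin event."""
    origins, ended = {}, defaultdict(list)
    for ev in events:
        tx = ev.get("transaction", {}).get("id")
        if ev.get("eventType") in ORIGIN_TYPES:
            origins[tx] = ev["eventType"]
        elif ev.get("eventType") == "user.session.end":
            data = ev.get("debugContext", {}).get("debugData", {})
            ended[tx].append(data.get("EndedSessionId"))
    report = {tx: {"origin": kind, "ended_sessions": ended.get(tx, [])}
              for tx, kind in origins.items()}
    # End events whose origin is missing from this batch (for example, outside
    # the queried time window) are returned separately for follow-up.
    orphans = {tx: ids for tx, ids in ended.items() if tx not in origins}
    return report, orphans


if __name__ == "__main__":
    report, orphans = correlate_session_ends(EVENTS)
    for tx, row in report.items():
        print(tx, row["origin"], row["ended_sessions"])
    print("unmatched user.session.end:", orphans)
```

A user.session.clear with an empty ended_sessions list, or a user.session.end with no origin in the batch, is worth a wider System Log query before drawing conclusions.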
workflows user delegatedflow run
workflows.user.delegatedflow.run
Description: This event can be used by admins or security team members to monitor the execution of delegated flows in the Workflows platform from the Admin Console. The actor field provides the Okta User ID of the user that ran the flow. The target fields provide context on the Workflows instance and the name and flow ID of the executed flow. The event only indicates if the flow was successfully triggered and doesn't provide information about whether the flow encountered an error.
Key event properties | Description | Data type | Example values |
---|---|---|---|
event.system.debugContext.debugData | |||
SessionId | Session ID | String | ad995fe6-e721-4a8a-86ac-d942bc59ea41 |
target (AppInstance) | The Okta Workflows app | Object | |
id | Unique identifier of the Okta Workflows app | String | 00u8xut93qEWYx5sx1d7 |
type | The type of target object | String | AppInstance |
target (Flow) | The workflow instance of the executed flow | Object | |
id | Unique identifier of the target instance | String | 00u8xut93qEWYx5sx1d7 |
type | The type of target object | String | Flow |
actor | The user that runs the flow | Object | |
id | Unique identifier of the user that runs the flow | ||
type | The type of actor object | String | User |