On this page

Identity Threat Protection Event Types

This resource contains detailed reference material on event types triggered with the Identity Threat Protection solution. Use the information from these properties to understand the users, threats, and risk environment for your org.

Note: Not every property is documented for the event types. Only those primarily used to assist in reviewing an identity threat interaction. Also, objects and properties may differ based on your implementation of the Identity Threat Protection solution.

analytics feedback provide

analytics.feedback.provide

Description: This event is triggered when an admin provides feedback on a user or session risk detection. It can be used to monitor feedback provided by admins in response to Okta-determined changes in risk.

Key event properties Description Data type Example values
event.system.debugContext.debugData
EventUuid The ID of the user.risk.change or session.context.change event that prompted the Admin feedback. String 721b1961-f0a6-11ee-bfa6-c1c3bad801v3
Label The type of feedback from the admin, either true_positive or false_positive Enum true_positive
target (User) The user that the feedback is about Object
type The type of target object String User
actor The user or admin that is providing the feedback Object
type The type of actor object

device signals status timeout

device.signals.status.timeout

Description: This event is triggered when a registered device that is associated with at least one user session hasn't communicated with Okta within the required time interval. Use this event to investigate a potentially insecure device and compromised user session. The event contains the device unique identifier in the System Log actor object. You can use this information to find other related events.

Key event properties Description Data type Example values
event.system.debugContext.debugData
deviceSignalsLastReceived The date and time of the last receipt of a device signal String "2024-03-13T19:26:53"
target (User) The user who still has an active session on that device Object
type The type of target object String User
actor The registered device associated with the user sessions Object
id The ID of the registered device string guv1ibaeaz4lr8Eo70a9

policy auth_reevaluate fail

policy.auth_reevaluate.fail

Description: This event is triggered when your org’s authentication or global session policy is reevaluated, and a violation is identified. The violation occurs if the request doesn't meet the assurances defined in the policy, or if the request has an action set to DENY based on environment conditions.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs { New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE }
CaeEnforceMode The Post auth session evaluation UI setting that determines whether the policy is enforceable. If this is false, Okta logs these events but doesn't take any further action. Boolean true
Risk Contains the level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ServerStatus Describes the current state of the Okta servers. Other values can be READ_ONLY and SAFE_MODE. Enum ACTIVE
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user session associated with the failed policy evaluations Object
type The type of target object String User
target (Policy Evaluation) The reevaluated policy Object
type The type of target object String Policy Evaluation
target.DetailEntry (Policy Evaluation)
AppInstanceIds The apps affected by a Post auth session evaluation violation event Array ["0oa4mczwb7SfcTQ9N0g7", "0oa4yvb15qhL8RKA30g7"]
MatchedRuleAction The action of the rule that matched the evaluation. Values can be ALLOW or DENY. Enum ALLOW
MatchedRuleAssuranceMet Whether the matched rule evaluated to passing all authenticator assurances. This value is null if the MatchedRuleAction is DENY. Boolean false
MatchedRuleDisplayName The matched rule's display name String
MatchedRuleId The unique identifier of the matched rule String 0pr4yyl6a8D97WIRC0a7
PolicyType The evaluated policy type ENUM OKTA_SIGN_ON
DisplayName Displays the name of the evaluated policy String
ID Unique identifier of the target String 00u8xst93qEWYx65sx1d7
actor The target user if synchronous and the system principal if asynchronous Object
type The type of actor object
client The client of the actor Object
IPAddress IP address

policy auth_reevaluate action

policy.auth_reevaluate.action

Description: This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk The level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a suspicious request, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Rule) The rule associated with the Post auth session evaluation Object
type The type of target object String Rule
target.DetailEntry (Rule)
RuleAction The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. Enum TERMINATE_SESSION
SingleLogOutEnabled For a RuleAction of TERMINATE_SESSION, and if true, a Post auth session evaluation violation enforces application logout Boolean true
SingleLogOutSelectionMode For a RuleAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName The name of the rule String Entity Risk Policy
ID Unique identifier of the rule String 00u8xst93qEWYx65sx1d7
target (Policy) The Post auth session evaluation policy Object
type The type of target object String Policy
target (PolicyAction) The action associated with the Post auth session evaluation Object
type The type of target object String PolicyAction
target.DetailEntry (PolicyAction)
PolicyAction The configured action to respond to the risk. Values include TERMINATE_SESSION orRUN_WORKFLOW. Enum TERMINATE_SESSION
PolicySingleLogOutEnabled For a PolicyAction of TERMINATE_SESSION, and if true, a post auth session evaluation violation enforces application logout Boolean true
PolicySingleLogOutSelectionMode For a PolicyAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
PolicySingleLogoutAppInstanceIds A list of apps that will that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. Array [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ]
WorkflowId The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW. String 572749
DisplayName The name of the action String TERMINATE_SESSION
ID Unique identifier of the Post auth session evaluation policy String 00u8xst93qEWYx65sx1d7
actor The target user if synchronous and the system principal if asynchronous Object
type The type of actor object
client The client of the actor
IPAddress IP address of the client

policy continuous_access action

policy.continuous_access.action Deprecated

Description: This event is deprecated. The new event type name is policy auth_reevaluate action This event is triggered when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk Contains the level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Rule) The rule associated with the Post auth session evaluation Object
type The type of target object String Rule
target.DetailEntry (Rule)
RuleAction The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. Enum TERMINATE_SESSION
SingleLogOutEnabled For a RuleAction of TERMINATE_SESSION, and if true, a Post auth session evaluation violation enforces application logout Boolean true
SingleLogOutSelectionMode For a RuleAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName Displays the name of the rule String Entity Risk Policy
ID Unique identifier of the rule String 00u8xst93qEWYx65sx1d7
target (Policy) The Continuous access evaluation policy Object
type The type of target object String Policy
target (PolicyAction) The action associated with the Continuous access evaluation Object
type The type of target object String PolicyAction
target.DetailEntry (PolicyAction)
PolicyAction The configured action to respond to the risk. Values include TERMINATE_SESSION orRUN_WORKFLOW. Enum TERMINATE_SESSION
PolicySingleLogOutEnabled For a PolicyAction of TERMINATE_SESSION, and if true, a continuous access evaluation violation enforces application logout Boolean true
PolicySingleLogOutSelectionMode For a PolicyAction of TERMINATE_SESSION, the options of the application logout, either all applications, specific applications, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
PolicySingleLogoutAppInstanceIds A list of apps that will that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. Array [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ]
WorkflowId The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW. String 572749
DisplayName Displays the name of the action String TERMINATE_SESSION
ID Unique identifier of the Continuous access evaluation policy String 00u8xst93qEWYx65sx1d7
actor The target user if synchronous and the system principal if asynchronous Object
type The type of actor object
client The client of the actor
IPAddress IP address of the client

policy auth_reevaluate enforce

policy.auth_reevaluate.enforce

Description: This event is triggered when a Post auth session evaluation occurs.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk Contains the level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Rule) The rule associated with the Post auth session evaluation Object
type The type of target object String Rule
target.DetailEntry (Rule)
RuleAction The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. Enum TERMINATE_SESSION
SingleLogOutEnabled For a RuleAction of TERMINATE_SESSION, and if true, a Post auth session evaluation violation enforces app logout. Boolean true
SingleLogOutSelectionMode For a RuleAction of TERMINATE_SESSION, the options of the app logout, either all apps, specific apps, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName Display the name of the target rule String Test Rule
ID Unique identifier of the target rule String 00u8xst93qEWYx65sx1d7
target (Policy) The Post auth session evaluation policy Object
type The type of target object String Policy
actor The target user if synchronous and the system principal if asynchronous
type The type of actor object Object
client The client of the actor
IPAddress IP address of the client

policy continuous_access evaluate

policy.continuous_access.evaluate Deprecated

Description: This event is deprecated. The new event type name is policy auth_evaluate enforce. This event is triggered when a post auth session evaluation occurs.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk The level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a suspicious request, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Rule) The rule associated with the Continuous Access evaluation Object
type The type of target object String Rule
target.DetailEntry (Rule)
RuleAction The configured action to respond to the risk. Values include TERMINATE_SESSION or RUN_WORKFLOW. Enum TERMINATE_SESSION
SingleLogOutEnabled For a RuleAction of TERMINATE_SESSION, and if true, a Continuous Access evaluation violation enforces app logout. Boolean true
SingleLogOutSelectionMode For a RuleAction of TERMINATE_SESSION, the options of the app logout, either all apps, specific apps, or none. Values can be: NONE, ALL, or SPECIFIED. Enum ALL
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName The name of the target rule String Test Rule
ID Unique identifier of the target rule String 00u8xst93qEWYx65sx1d7
target (Policy) The Continuous Access evaluation policy Object
type The type of target object String Policy
actor The target user if synchronous and the system principal if asynchronous
type The type of actor object Object
client The client of the actor
IPAddress IP address of the client
=======

policy entity_risk action

policy.entity_risk.action

Description: This event is triggered from an Entity risk policy action invocation. It signals that an action associated with an evaluation of an entity risk policy has been invoked.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk Contains the level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Policy) The entity risk policy Object
type The type of target object String Policy
target (Rule) The rule of the entity risk policy Object
type The type of target object String Rule
target.DetailEntry
RuleAction The configured action to respond to the risk. Values include TERMINATE_ALL_SESSIONS or RUN_WORKFLOW. If the action is TERMINATE_ALL_SESSIONS, no further properties appear. If the action is RUN_WORKFLOW, the WorkflowId appears. ENUM RUN_WORKFLOW
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName Name of the rule String Test rule
ID Unique identifier of the rule String 00u8xut93qEWYx5sx1d7
type The type of target object String Rule
target (PolicyAction)
type The type of target object String PolicyAction
target.DetailEntry Object
PolicyAction The configured action to respond to the risk. Values include NULL (Logging Mode), TERMINATE_ALL_SESSIONS, and RUN_WORKFLOW. ENUM TERMINATE_ALL_SESSIONS
PolicySingleLogOutEnabled Identifies if single logout is enabled. This property appears if PolicyAction is TERMINATE_SESSION. Boolean true
PolicySingleLogOutSelectionMode The mode of logout. Values can be NONE, ALL, or SPECIFIED. This property appears if PolicyAction is TERMINATE_SESSION. ENUM ALL
PolicySingleLogoutAppInstanceIds A list of apps that will that will be logged out if the PolicySingleLogOutMode mode is SPECIFIED. Array [ "0oa1gkh63g214r0Hq0g4", "0oa1gjh63g214q0Iq3g3" ]
PolicyWorkflowId The unique identifier of the workflow if the PolicyAction is RUN_WORKFLOW. String 572749
DisplayName Name of the policy action String TERMINATE_ALL_SESSIONS
ID Unique identifier of the entity risk policy String 00u8xut93qEWYx5sx1d7
type The type of target object string PolicyAction
actor The target user if synchronous and the system principal if asynchronous Object
type The type of actor object
client The client of the actor
IPAddress IP address

policy entity_risk evaluate

policy.entity_risk.evaluate

Description: This event is triggered when Okta receives a risk event and then evaluates the entity risk policy.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Risk Contains the level of risk for a particular request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user associated with the risk change Object
type The type of target object String User
target (Policy) The entity risk policy Object
type The type of target object String Policy
target (Rule) The rule of the entity risk policy
type The type of target object String Rule
target.DetailEntry
RuleAction The configured action to respond to the risk. Values include TERMINATE_ALL_SESSIONS or RUN_WORKFLOW. If the action is TERMINATE_ALL_SESSIONS, no further properties appear. If the action is RUN_WORKFLOW, the WorkflowId appears. ENUM RUN_WORKFLOW
WorkflowId The unique identifier of the workflow if the RuleAction is RUN_WORKFLOW. String 572749
DisplayName The name of the rule String Test rule
ID Unique identifier of the rule String 00u8xut93qEWYx5sx1d7
Type The target type String Rule
actor The target user if synchronous and the system principal if asynchronous Object
type The type of actor object
client The client of the actor Object
IPAddress IP address

security events provider receive_event

security.events.provider.receive_event

Description: This event is triggered when an event provider submits a valid Shared Signals Framework (SSF) security event. It can help org admins debug/monitor partner SSF submissions. The event contains debug context data about the event provider's risk report.

Key event properties Description Data type Example values
event.system.debugContext.debugData
partnerRiskReportData The SSF submission from an event provider. It includes the issuer of the security event, the security event URL, and the security event definition. key-value pairs "{ "issuer" : "https://example.eventprovider.com", "https://schemas.openid.net/secevent/caep/event-type/session-revoked" : { "subject" : { "user" : { "format" : "email", "email\" : "joe.alex@example.com" }, "device" : { "format" : "opaque", "sub" : "1234ABCD-123A-123B-123C-12345ABCDEFG" }}, "event_timestamp" : 1709484521, "reason_admin" : {"en" : "Malware detected" } }}"
target (User) The user affected by the event Object
type The type of target object String
actor The security events provider Object
type The type of actor object String SecurityEventProvider

user authentication universal_logout

user.authentication.universal_logout

Description: This event is triggered when Okta or an admin invokes Universal Logout against an app instance. It contains the app instance details for which the Universal Logout API was triggered. The event indicates when apps have had Universal Logout triggered for audit or debugging purposes. This event is only triggered once. It's only triggered for apps that have been configured for Universal Logout. You can configure it in an Entity risk policy or with Post auth session evaluation, or invoke it manually from the user profile.

Key event properties Description Data type Example values
event.system.debugContext.debugData
AppInstanceIds A list of app IDs that Okta triggered for Universal Logout Array of IDs ["0oa1ysra5y0ESChAr0h8"]
TraceId The TraceId is used in Post auth session evaluation use cases. A request that triggers a Post auth session evaluation can ultimately trigger things like Post auth session evaluation action events - and those are executed from the async jobs. TraceId connects together events triggered both by the original request handler and from the async jobs triggered by this handler. String 94384405-51e3-4e13-b8b0-ba857b585a63
target (User) The user impacted by the universal logout Object
type The type of target object String User
actor The admin or system principal that triggers universal logout Object
type The type of actor object
client The client of the system principal actor for Post auth session evaluation and entity risk policy actions, or the client of the admin triggering the clear user sessions action. Object
IPAddress IP address

user authentication universal_logout scheduled

user.authentication.universal_logout.scheduled

Description: This event is triggered only when an admin manually triggers the Universal Logout against an app instance. It contains the location of the admin and the context of the Universal Logout, that is, from where and how the Universal Logout API was triggered. This event is only triggered once. You can correlate this event with the user.authentication.universal_logout event using the traceID found under DebugData for both events.

Key event properties Description Data type Example values
event.system.debugContext.debugData
TraceId The TraceId is used in Post auth session evaluation use cases. A request that triggers a Post auth session evaluation can ultimately trigger things like Post auth session evaluation action events - and those are executed from the async jobs. TraceId connects together events triggered both by the original request handler and from the async jobs triggered by this handler. String 94384405-51e3-4e13-b8b0-ba857b585a63
target (User) The user impacted by the Universal Logout Object
type The type of target object String User
actor The admin or system principal that triggers Universal Logout Object
type The type of actor object
client The client of the system principal actor for Post auth session evaluation and entity risk policy actions, or the client of the admin triggering the clear user sessions action. Object
Device This property contains information about what type of device the admin was using when the Universal Logout event was triggered. String Computer
GeographicalContext.City This property contains information about the city where the Universal Logout event was triggered. String San Francisco
GeographicalContext.Country/region This property contains information about the country/region where the Universal Logout event was triggered. String United States
GeographicalContext.Geolocation.Lat This property contains the latitude where the Universal Logout event was triggered. Numeric 37.7852
GeographicalContext.Geolocation.Lon This property contains the longitude where the Universal Logout event was triggered. Numeric 122.3874
GeographicalContext.PostalCode This property contains information about the postal code where the Universal Logout event was triggered. String 94105
GeographicalContext.State This property contains information about the state where the Universal Logout event was triggered. String California
IPAddress This property contains information about the IP address of the admin when the Universal Logout event was triggered. Numeric 8.35.185.250
UserAgent.Browser This property contains information about the type of browser the admin was using when the Universal Logout event was triggered. String Chrome
UserAgent.OS This property contains information about the type of OS the admin was using when the Universal Logout event was triggered. String Mac OS 14.3.0 (Sonoma)

user risk change

user.risk.change

Description: This event is triggered when a user's risk level has changed. It can be used to monitor risk level changes for users. The event is triggered when Okta determines that a user is associated with a risk context or activity.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Risk Contains the level of risk for a user entity (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The previousLevel key defines the previous risk level of the user entity. The issuer defines the source of the risk detection. See Detections (opens new window). key-value pair {previousLevel=LOW, level=MEDIUM, detectionName=Session Influenced User Risk, reasons=Associated sessionId is suspected to be hijacked, issuer=OKTA}
TraceId A unique identifier to track all events associated with the risk String 65d65fa6-b5a9-50e9-b6f1-637b9fb71c50
target (User) The user associated with a risk change Object
type The type of target object String User
actor The entity reporting the user risk change (can be a system principal, end user, or org administrator) Object
type The type of actor object String User

user risk detect

user.risk.detect

Description: This event is triggered when Okta detects that a user is associated with risk activity or context. It can be used to monitor risk level detections for users.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Risk Contains the level of risk for a user entity (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The previousLevel key defines the previous risk level of the user entity. The issuer defines the source of the risk detection. See Detections (opens new window). key-value pair {previousLevel=LOW, level=MEDIUM, detectionName=Session Influenced User Risk, reasons=Associated sessionId is suspected to be hijacked, issuer=OKTA}
TraceId A unique identifier to track all events associated with the risk String 65d65fa6-b5a9-50e9-b6f1-637b9fb71c50
target (User) The user associated with a risk change Object
type The type of target object String User
actor The entity reporting the user risk change (can be a system principal, end user, or org administrator) Object
type The type of actor object String User

user session clear

user.session.clear

Description: This event is triggered when an admin invokes clear sessions from the user profile. This event appears only one time and contains externalSessionId and System.Transaction.ID.

Key event properties Description Data type Example values
event.System.Transaction
ID This ID correlates with all associated user.session.end events String c579b0f27865c4b93be9ceb6f00e5373
event.AuthenticationContext
ExternalSessionId The ID of the admin invoking the clear session action String 102Oxl7hHhjTMvV2L8MGc_SYR
target (User) The user who had their session cleared by the admin Object
type The type of target object String User
actor The admin user invoking the clear session action Object
type The type of actor object String User
client The client of the admin actor Object
IPAddress IP address

user session context change

user.session.context.change

Description: This event is triggered when the current session context has changed from the session context when the event was created, and that a reevaluation of policy may be required. This can indicate a security issue related to the session.

Key event properties Description Data type Example values
event.system.debugContext.debugData
Behaviors List of behaviors identified for the current event. POSITIVE - the specific behavior is identified. NEGATIVE - the specific behavior wasn't identified. See About Behavior Detection (opens new window). key-value pairs {New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, New City=POSITIVE}
Causes The cause of the change in session context. The values can be an ipAddress.change or deviceContext.change. Array ["ipAddress.change"]
ExternalSessionId The ID of the session that had the context change String idxncn50DUmRpqWcz3doJX18g
NewIpAddress The new IP address for an ipAddress.change cause or the new IP address for a device context change. String 145.126.159.223
PreviousIpAddress The previous IP address for an ipAddress.change cause or the new IP address for a device context change. String 67.46.211.18
changedDeviceSignals The change in device signals for the session. key-value pairs { "device.profile.managed":{ "oldValue":true, "newValue":false},"device.provider.wsc.fireWall":{"oldValue":"GOOD", "newValue":"NONE"}}
Risk Contains the level of risk for the current request (LOW, MEDIUM, or HIGH) and the reasons that contributed to the risk level. The detectionName key defines the risks monitored by Okta. The level key defines the current risk. The issuer defines the source of the risk detection. See Detections (opens new window). key-value pairs {reasons=Anomalous Geo-Distance, New Device, New ASN, New IP, New State, New Country, New City, level=HIGH}
Source The source of the session context change String OKTA
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean false
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String 65d55fa6-b5a9-40f9-a6f1-627b9fa71b50
target (User) The user session with a change in context Object
type The type of target object String User
target (Session) The session of the user with a change in context Object
type The type of target object String Session
target (Device) For deviceContext.change in an asynchronous flow, the device with a change in context Object
type The type of target object String Session
actor For ipAddress.change and deviceContext.change in a synchronous flow, the user. For deviceContext.change in an asynchronous flow, the system principal Object
type The type of actor object
client The user client with the context change, except in the case of a device context change when a user isn't interacting with Okta. In that scenario, the client is Okta Verify. Object
IPAddress IP address

user session end

user.session.end

Description: This event is triggered when Okta terminates all IDX sessions for a user. A separate event is logged for each of the user's active sessions. Each event contains externalSessionId and System.Transaction.ID values that correlate with the System.Transaction.ID for the user.session.clear event.

Key event properties Description Data type Example values
event.system.debugContext.debugData
EndedSessionId The session ID that is ended for the target user String idxffK-esRDSrC5m0ly-Kma9A
TraceId A unique ID that is used across a single flow of ITP events to easily correlate them all into one System Log query String e1214f29-e6b3-4698-b3be-4bccaadf1937
ThreatSuspected If ThreatInsight is running and detects a request as suspicious, the value for this property is true. Boolean
Url The logout URL from the end user or admin actor String
event.System.Transaction
ID For an admin actor, this ID correlates with user.session.clear or user.authentication.universal_logout events. For a system principal actor, this ID correlates to the user.authentication.universal_logout event. String c579b0f27865c4b93be9ceb6f00e5373
target (User) The user associated with a risk activity Object
type The type of target object String User
actor The end user, the admin (in the case of an explicit admin action), or the system principal (in the case of a Post auth session evaluation) Object
type The type of actor object
client The client of the system principal actor Object
IPAddress IP address

workflows user delegatedflow run

workflows.user.delegatedflow.run

Description: This event can be used by admins or security team members to monitor the execution of delegated flows in the Workflows platform from the Admin Console. The actor field provides the Okta User ID of the user that ran the flow. The target fields provide context on the Workflows instance and the name and flow ID of the executed flow. The event only indicates if the flow was successfully triggered and doesn't provide information about whether the flow encountered an error.

Key event properties Description Data type Example values
event.system.debugContext.debugData
SessionId Session ID String ad995fe6-e721-4a8a-86ac-d942bc59ea41
target (AppInstance) The Okta Workflows app Object
id Unique identifier of the Okta Workflows app String 00u8xut93qEWYx5sx1d7
type The type of target object String AppInstance
target (Flow) The workflow instance of the executed flow Object
id Unique identifier of the target instance String 00u8xut93qEWYx5sx1d7
type The type of target object String Flow
actor The user that runs the flow Object
id Unique identifier of the user that runs the flow
type The type of actor object String User