Application Access report
The Application Access queries the system log to see when users accessed any app integration in your Okta org.
You can use the filters to show detailed events and trends for application access over a period time.
The default query eventType eq "user.authentication.sso" shows all SSO attempts for the specified duration.
Prerequisites
-
Ensure that you are signed in to the Okta Admin Console.
-
This report can be run by anyone with one of the following permission levels:
-
Super Administrator
-
Org Administrator
-
Read-Only Administrator
-
Mobile Administrator
-
Report Administrator
-
Parameters
The report can be filtered using any of the following parameters:
-
Start date and start time
-
End date and end time
-
Timezone
-
Any Okta Expression Language search
Procedure
-
From the Admin Console, navigate to .
-
Under the System log panel, click Application access.
-
Specify a date range to filter the report. Events are retained by Okta for 90 days, so the earliest available date range is 3 months prior.
-
Specify a search filter. Click Advanced Filters to construct more complex filters.
-
Click the search icon to generate the report.
-
If you want a detailed comma separated file (CSV) file of the report, click Download CSV.
-
You can click the arrow icon to open the details for each event returned.
-
You can click on any of the actor, event info, or target results to create a more specific filter.
-
If you modify a search filter, you can click Save beside the search icon to store a record of this specific filter. After you give this new report a name, it is added to the Reports page, above the System log panel.
-
-
You can click on the blue geolocation icon to see a map showing where in the world the event occurred (based on IP geolocation). Click the grid icon to return to the original report UI.
Results
The generated report contains the following fields:
| Field name | Field description |
|---|---|
|
Time |
Timestamp of the event |
|
Actor |
App integration or user that caused the event or action |
|
Event Information |
Details about the event or action |
|
Target |
App integration or user that received the event or action |
The CSV report also includes:
| Field name | Field description |
|---|---|
|
Severity |
Severity of the event. Can be: DEBUG, INFO, WARN, ERROR |
|
Event type |
Type of event that occurred |
|
Display message |
Message displayed in the system log for the event |
|
UUID |
Unique identifier for an individual event |
|
Version |
Version indicator |
|
Timestamp |
Timestamp when the event occurred, in ISO 8601 format |
|
Outcome result |
Result of the event. Can be: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN |
|
Outcome reason |
Explanation of the outcome result |
|
Actor ID |
Identifier of the user, app, client or other entity that performed the action on the target |
|
Actor type |
Type of the actor |
|
Actor display name |
Display name of the actor |
|
Actor alternate ID |
Alternate identifier of the actor |
|
Authentication context - authentication step |
Zero-based step number in the authentication pipeline. Currently unused and always set to 0 |
|
Authentication context - authentication provider |
System that proves the identity of an actor using the credentials provided to it |
|
Authentication context - credential provider |
Credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here. |
|
Authentication context - credential type |
Underlying technology or scheme used in the credential |
|
Authentication context - issuer |
Specific software entity that creates and issues the credential |
|
Authentication context - external session ID |
Proxy for the actor's session ID |
|
Client - zone |
Name of the Zone that the client location is mapped to |
|
Client - IP address |
IP address where the client is making the request |
|
Client - device |
Type of device that the client operates from |
|
Client - user agent (raw) |
Representation of the user agent |
|
Client - user agent OS |
Operating system that the client runs on |
|
Client - user agent browser |
If the client is a web browser, this field identifies the type of web browser |
|
Client - geographical context - country |
Full name of the country that encompasses the area associated with the physical location of the client when it triggers the event |
|
Client - geographical context - city |
City that encompasses the area associated with the client's physical location, if available |
|
Client - geographical context - postal code |
Postal or zip code of the area associated with the client's physical location |
|
Client - geographical context - geolocation longitude |
Longitude associated with the client's physical location |
|
Client - geographical context - geolocation latitude |
Latitude associated with the client's physical location |
|
Transaction ID |
Unique identifier for the transaction event |
|
Transaction type |
Kind of transaction. Can be: WEB or JOB |
|
Debug context - debug data - request URI |
Dynamic field that contains miscellaneous information that is dependent on the event type |
|
Legacy event type |
Attribute value for the associated events API objectType |
|
Target 0 - ID |
Identifier for the first target entity that the actor performs the action on. A zero-based counter tracks the individual target entities. |
|
Target 0 - type |
Type of the first target |
|
Target 0 - alternate ID |
Alternative ID of the first target |
|
Target 0 - display name |
Display name of the first target |
|
Target 1 - ID |
Identifier for the second target entity |
|
Target 1 - type |
Type of the second target |
|
Target 1 - alternate ID |
Alternative ID of the second target |
|
Target 1 - display name |
Display name of the second target |
|
Request - IP chain - geographic context - postal code |
The Request object describes details that are related to the HTTP request that triggers this event. This field has the postal or zip code of the area associated with the IP chain's physical location. |
|
Request - IP chain - geographic context - geolocation longitude |
Longitude associated with the IP chain's physical location |
|
Request - IP chain - geographic context - geolocation latitude |
Latitude associated with the IP chain's physical location |
|
Request - IP chain - geographic context - geolocation state |
Full name of the state or province that encompasses the area that contains the geolocation coordinates for the IP chain |
|
Request - IP chain - IP address |
IP address used in the request |
|
Request - IP chain - source |
Details regarding the source of the IP chain |
|
Request - IP chain - version |
IP address version. Can be: V4 or V6 |