Application Access report

The Application Access queries the system log to see when users accessed any app integration in your Okta org.

You can use the filters to show detailed events and trends for application access over a period time.

The default query eventType eq "user.authentication.sso" shows all SSO attempts for the specified duration.

Prerequisites

  • Ensure that you are signed in to the Okta Admin Console.

  • This report can be run by anyone with one of the following permission levels:

    • Super Administrator

    • Org Administrator

    • Read-Only Administrator

    • Mobile Administrator

    • Report Administrator

Parameters

The report can be filtered using any of the following parameters:

  • Start date and start time

  • End date and end time

  • Timezone

  • Any Okta Expression Language search

Procedure

  1. From the Admin Console, navigate to ReportsReports.

  2. Under the System log panel, click Application access.

  3. Specify a date range to filter the report. Events are retained by Okta for 90 days, so the earliest available date range is 3 months prior.

  4. Specify a search filter. Click Advanced Filters to construct more complex filters.

  5. Click the search icon to generate the report.

  6. If you want a detailed comma separated file (CSV) file of the report, click Download CSV.

  7. You can click the arrow icon to open the details for each event returned.

  8. You can click on any of the actor, event info, or target results to create a more specific filter.

    • If you modify a search filter, you can click Save beside the search icon to store a record of this specific filter. After you give this new report a name, it is added to the Reports page, above the System log panel.

  9. You can click on the blue geolocation icon to see a map showing where in the world the event occurred (based on IP geolocation). Click the grid icon to return to the original report UI.

Results

The generated report contains the following fields:

Field name Field description

Time

Timestamp of the event

Actor

App integration or user that caused the event or action

Event Information

Details about the event or action

Target

App integration or user that received the event or action

The CSV report also includes:

Field name Field description

Severity

Severity of the event. Can be: DEBUG, INFO, WARN, ERROR

Event type

Type of event that occurred

Display message

Message displayed in the system log for the event

UUID

Unique identifier for an individual event

Version

Version indicator

Timestamp

Timestamp when the event occurred, in ISO 8601 format

Outcome result

Result of the event. Can be: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN

Outcome reason

Explanation of the outcome result

Actor ID

Identifier of the user, app, client or other entity that performed the action on the target

Actor type

Type of the actor

Actor display name

Display name of the actor

Actor alternate ID

Alternate identifier of the actor

Authentication context - authentication step

Zero-based step number in the authentication pipeline. Currently unused and always set to 0

Authentication context - authentication provider

System that proves the identity of an actor using the credentials provided to it

Authentication context - credential provider

Credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here.

Authentication context - credential type

Underlying technology or scheme used in the credential

Authentication context - issuer

Specific software entity that creates and issues the credential

Authentication context - external session ID

Proxy for the actor's session ID

Client - zone

Name of the Zone that the client location is mapped to

Client - IP address

IP address where the client is making the request

Client - device

Type of device that the client operates from

Client - user agent (raw)

Representation of the user agent

Client - user agent OS

Operating system that the client runs on

Client - user agent browser

If the client is a web browser, this field identifies the type of web browser

Client - geographical context - country

Full name of the country that encompasses the area associated with the physical location of the client when it triggers the event

Client - geographical context - city

City that encompasses the area associated with the client's physical location, if available

Client - geographical context - postal code

Postal or zip code of the area associated with the client's physical location

Client - geographical context - geolocation longitude

Longitude associated with the client's physical location

Client - geographical context - geolocation latitude

Latitude associated with the client's physical location

Transaction ID

Unique identifier for the transaction event

Transaction type

Kind of transaction. Can be: WEB or JOB

Debug context - debug data - request URI

Dynamic field that contains miscellaneous information that is dependent on the event type

Legacy event type

Attribute value for the associated events API objectType

Target 0 - ID

Identifier for the first target entity that the actor performs the action on. A zero-based counter tracks the individual target entities.

Target 0 - type

Type of the first target

Target 0 - alternate ID

Alternative ID of the first target

Target 0 - display name

Display name of the first target

Target 1 - ID

Identifier for the second target entity

Target 1 - type

Type of the second target

Target 1 - alternate ID

Alternative ID of the second target

Target 1 - display name

Display name of the second target

Request - IP chain - geographic context - postal code

The Request object describes details that are related to the HTTP request that triggers this event. This field has the postal or zip code of the area associated with the IP chain's physical location.

Request - IP chain - geographic context - geolocation longitude

Longitude associated with the IP chain's physical location

Request - IP chain - geographic context - geolocation latitude

Latitude associated with the IP chain's physical location

Request - IP chain - geographic context - geolocation state

Full name of the state or province that encompasses the area that contains the geolocation coordinates for the IP chain

Request - IP chain - IP address

IP address used in the request

Request - IP chain - source

Details regarding the source of the IP chain

Request - IP chain - version

IP address version. Can be: V4 or V6