System Log events for Identity Threat Protection with Okta AI

Early Access release

Identity Threat Protection with Okta AI records the following types of events:

  • When continuous access evaluation for an authentication policy fails
  • When a user’s session context changes
  • When an entity's risk level changes
  • When a security event token is received through the Shared Signals Framework

See Identity Threat Protection Event Types for detailed information about each of the event types in Okta.

View System Log events

  1. In the Admin Console, go to Reports > System Log.
  2. Optional. Configure the date range and enter a username.
  3. Click the magnifying glass icon beside the Search field.

On a user's profile, you can access System Log events by selecting View Logs. On the User risk profile > User-related detections table, you can click View System Log next to an event to view its System Log entry.

System Log event types

Okta provides several System Log events for policy and entity risk events.

For each event type, the Behaviors and Risk fields describe the reason for the failure. For most event types, the actor field displays the username associated with the event.

Paste this query into the System Log Search field to find specific event types: eventType eq "<event type>" (for example, eventType eq "policy.continuous_access.evaluate").

Continuous access

  • policy.auth_reevaluate.fail: appears when your org’s authentication or global session policy is reevaluated and a violation is identified.
  • policy.continuous_access.action: appears when Okta logs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation.
  • policy.continuous_access.evaluate: appears when a continuous access evaluation occurs.

Entity risk policy

  • policy.entity_risk.action: appears when Okta evaluates the entity risk policy and invokes an action.
  • policy.entity_risk.evaluate: appears when Okta identifies a change in a user’s session context or IP address.

Entity risk

  • user.risk.change: appears when an entity's risk level changes.
  • user.session.context.change: appears when Okta evaluates the entity risk policy and identifies a change in an entity's risk level.

Admin feedback

  • analytics.feedback.provide: appears when a super admin provides feedback on a user risk detection.

Universal Logout

  • user.session.end: appears when Okta invokes Universal Logout in response to an access violation.
  • user.session.clear: appears when an admin clears a user's session.
  • user.session.universal_logout: appears when Okta or an admin invokes Universal Logout for a user.
  • user.authentication.universal_logout: appears when Okta or an admin invokes Universal Logout against an app instance.

Shared Signals Framework

  • security.events.provider.receive_event: appears when Okta receives a risk signal from a security events provider.
  • device.signals.status.timeout: appears when a registered device that's associated with a user hasn't communicated with Okta within the required time interval.

Workflows

  • workflows.user.delegatedflow.run: appears when Okta invokes a delegated flow in response to an access violation.
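
The following Python sketch is an added example, not Okta's own code. It builds one Search-field expression per category by joining the page's `eventType eq "<event type>"` clauses with `or`, then groups exported events into a per-user timeline. The field names `published`, `eventType` and `actor.alternateId` follow the System Log event format; the helper names and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Event types grouped under the same headings this page uses.
ITP_EVENT_TYPES = {
    "Continuous access": ["policy.auth_reevaluate.fail", "policy.continuous_access.action",
                          "policy.continuous_access.evaluate"],
    "Entity risk policy": ["policy.entity_risk.action", "policy.entity_risk.evaluate"],
    "Entity risk": ["user.risk.change", "user.session.context.change"],
    "Admin feedback": ["analytics.feedback.provide"],
    "Universal Logout": ["user.session.end", "user.session.clear",
                         "user.session.universal_logout",
                         "user.authentication.universal_logout"],
    "Shared Signals Framework": ["security.events.provider.receive_event",
                                 "device.signals.status.timeout"],
    "Workflows": ["workflows.user.delegatedflow.run"],
}
CATEGORY_OF = {t: c for c, types in ITP_EVENT_TYPES.items() for t in types}

def build_filter(*categories):
    """Return one Search-field expression matching every event type in the categories."""
    types = [t for c in categories for t in ITP_EVENT_TYPES[c]]
    return " or ".join(f'eventType eq "{t}"' for t in types)

def timeline_by_actor(events):
    """Group the page's event types per username, oldest first, tagged by category."""
    out = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["published"]):
        category = CATEGORY_OF.get(ev["eventType"])
        if category is None:  # event type not listed on this page: skip it
            continue
        out[ev["actor"]["alternateId"]].append((ev["published"], category, ev["eventType"]))
    return dict(out)

def _ev(ts, event_type, user):
    """Build a constructed event holding only the fields this example reads."""
    return {"published": ts, "eventType": event_type, "actor": {"alternateId": user}}

# Constructed sample events (not real log data), deliberately out of order.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:02:00.000Z", "policy.entity_risk.action", "alice@example.com"),
    _ev("2024-05-01T10:01:00.000Z", "user.risk.change", "alice@example.com"),
    _ev("2024-05-01T10:03:00.000Z", "user.session.universal_logout", "alice@example.com"),
    _ev("2024-05-01T10:05:00.000Z", "user.session.start", "bob@example.com"),
    _ev("2024-05-01T10:06:00.000Z", "policy.continuous_access.evaluate", "carol@example.com"),
]

if __name__ == "__main__":
    print(build_filter("Entity risk", "Universal Logout"))
    for user, rows in timeline_by_actor(SAMPLE_EVENTS).items():
        print(user, rows)
```

Reading the timeline per user makes it easy to confirm that a risk change was followed by the expected policy action and logout events.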

Related topics

System Log

Detections

Identity Threat Protection with Okta AI reports