System Log events for Identity Threat Protection

Identity Threat Protection with Okta AI records the following types of events:

  • When post auth session evaluation for an authentication policy fails
  • When a user's session context changes
  • When an entity's risk level changes
  • When a security event token is received through the Shared Signals Framework

See Identity Threat Protection Event Types for detailed information about each of the event types in Okta.

View System Log events

  1. In the Admin Console, go to Reports > System Log.
  2. Optional. Configure the date range and enter a username.
  3. Click the magnifying glass icon beside the Search field.

On a user's profile, you can access System Log events by selecting View Logs. On the User risk profile > User-related detections table, you can click View System Log next to an event to view its System Log entry.

System Log event types

Okta provides several System Log events for policy and entity risk events.

For each event type, the Behaviors and Risk fields describe the reason for the failure. For most event types, the actor field displays the username associated with the event.

Paste this query into the System Log Search field to find specific event types: eventType eq "<event type>" (for example, eventType eq "policy.auth_reevaluate.enforce").

Post Auth Session

  • policy.auth_reevaluate.enforce: appears when a post auth session evaluation occurs as a result of a change in the session's context. This event was previously logged as policy.continuous_access.evaluate. It was renamed in 2024.09.0.
  • policy.auth_reevaluate.fail: appears when your org's authentication or global session policy is reevaluated and a policy violation occurs.
  • policy.auth_reevaluate.action: appears when Okta signs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation. This event was previously logged as policy.continuous_access.action. It was renamed in 2024.09.0.

Entity risk policy

  • policy.entity_risk.action: appears when Okta evaluates the entity risk policy and invokes an action.
  • policy.entity_risk.evaluate: appears when Okta evaluates the entity risk policy and identifies a change in an entity's risk level.

Entity risk

  • user.risk.detect: appears when an entity's risk level changes. This event was previously logged as user.risk.change. It was renamed in 2024.09.0.

Session risk

  • user.session.context.change: appears when Okta identifies a change in a user's session context or IP address.

Admin feedback

  • analytics.feedback.provide: appears when a super admin provides feedback on a user risk detection.

Universal Logout

  • user.session.end: appears when Okta invokes Universal Logout in response to a session violation.
  • user.session.clear: appears when an admin clears a user's session.
  • user.session.universal_logout: appears when Okta or an admin invokes Universal Logout for a user.
  • user.authentication.universal_logout: appears when Okta or an admin invokes Universal Logout against an app instance.
  • user.authentication.universal_logout.scheduled: appears when an admin manually triggers Universal Logout against an app instance.

Shared Signals Framework

  • security.events.provider.receive_event: appears when Okta receives a risk signal from a security events provider.
  • device.signals.status.timeout: appears when a registered device that's associated with a user hasn't communicated with Okta within the required time interval.

Workflows

  • workflows.user.delegatedflow.run: appears when Okta invokes a delegated flow in response to a session violation.
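
The following added example (not part of Okta's documentation or code) builds a search expression that also matches the event names used before the 2024.09.0 rename, and lists users whose policy.auth_reevaluate.fail event was never followed by a policy.auth_reevaluate.action event. It assumes exported events carry the published, eventType and actor.alternateId fields; the function names and sample events are constructed for illustration.

```python
# Added example. Names before the 2024.09.0 rename -> current names, as listed above.
RENAMED = {
    "policy.continuous_access.evaluate": "policy.auth_reevaluate.enforce",
    "policy.continuous_access.action": "policy.auth_reevaluate.action",
    "user.risk.change": "user.risk.detect",
}

def search_filter(*event_types):
    """Search expression matching each event type under its current and legacy name."""
    names = []
    for et in event_types:
        current = RENAMED.get(et, et)
        names.append(current)
        names.extend(old for old, new in RENAMED.items() if new == current)
    unique = dict.fromkeys(names)  # de-duplicate, keep order
    return " or ".join(f'eventType eq "{n}"' for n in unique)

def violations_without_action(events):
    """Map actor -> time of first policy violation with no later action event.

    Assumption: fail and action events for one user carry the same actor.alternateId.
    """
    pending = {}
    for ev in sorted(events, key=lambda e: e["published"]):
        event_type = RENAMED.get(ev["eventType"], ev["eventType"])
        actor = ev["actor"]["alternateId"]
        if event_type == "policy.auth_reevaluate.fail":
            pending.setdefault(actor, ev["published"])
        elif event_type == "policy.auth_reevaluate.action":
            pending.pop(actor, None)
    return pending

def _ev(published, event_type, actor):
    return {"published": published, "eventType": event_type, "actor": {"alternateId": actor}}

# Constructed sample events (not real log data), trimmed to the fields used here.
SAMPLE = [
    _ev("2024-09-01T09:00:00.000Z", "policy.continuous_access.evaluate", "alice@example.com"),
    _ev("2024-09-01T09:00:01.000Z", "policy.auth_reevaluate.fail", "alice@example.com"),
    _ev("2024-09-01T09:00:02.000Z", "policy.continuous_access.action", "alice@example.com"),
    _ev("2024-09-20T10:00:00.000Z", "policy.auth_reevaluate.fail", "bob@example.com"),
    _ev("2024-09-20T10:00:05.000Z", "user.session.context.change", "bob@example.com"),
]

if __name__ == "__main__":
    print(search_filter("policy.auth_reevaluate.fail", "policy.auth_reevaluate.action"))
    print(violations_without_action(SAMPLE))
```

A user returned by violations_without_action had a policy violation logged with no sign-out or Workflow recorded afterwards, which is worth checking against the policy's configured action.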

Related topics

System Log

Detection settings for entity risk policy

Identity Threat Protection reports