View System Log events for Identity Threat Protection

Some of these events are available to orgs with Adaptive MFA enabled. In these orgs, you must be directly assigned the super admin role to view them (no group assignments).

Identity Threat Protection with Okta AI records events in System Log when it detects changes in a user's session context or an entity's risk level. ITP also records events when a post auth session evaluation fails or when a security event token is received through the Shared Signals Framework. See Identity Threat Protection Event Types for event details.

View System Log events

  1. In the Admin Console, go to Reports > System Log.

  2. Configure the date range and enter a username.

  3. Click the magnifying glass icon beside the Search field.

You can also view System Log events from a user's profile.

  1. In the Admin Console, go to Directory > People.

  2. Select a user.

  3. In a user's profile, click View Logs.

  4. Configure the date range, and then click the magnifying glass icon beside the Search field.

System Log event types

Paste this query into the System Log Search field to find specific event types: eventType eq "<event type>" (for example, eventType eq "policy.auth_reevaluate.enforce").

For each event type, the Behaviors and Risk fields describe the reason for the failure. For most event types, the actor field displays the username associated with the event.

Admin feedback

  • analytics.feedback.provide: appears when a super admin provides feedback on a user risk detection.

Entity risk

  • user.risk.detect: appears when an entity's risk level changes. This event was previously logged as user.risk.change. It was renamed in 2024.09.0. This event is available to orgs with Adaptive MFA enabled, but you must be directly assigned the super admin role to view it.

Entity risk policy

  • policy.entity_risk.action: appears when Okta evaluates the entity risk policy and invokes an action.
  • policy.entity_risk.evaluate: appears when Okta evaluates the entity risk policy and identifies a change in an entity's risk level.

Okta Verify

  • device.signals.status.timeout: appears when a registered device that's associated with a user hasn't communicated with Okta within the required time interval.

Post Auth Session

  • policy.auth_reevaluate.enforce: appears when a post auth session evaluation occurs as a result of a change in the session's context. This event was previously logged as policy.continuous_access.evaluate. It was renamed in 2024.09.0.
  • policy.auth_reevaluate.fail: appears when your org's authentication or global session policy is reevaluated and a policy violation occurs.
  • policy.auth_reevaluate.action: appears when Okta signs a user out of their configured apps or runs a Workflow in response to an authentication or global session policy violation. This event was previously logged as policy.continuous_access.action. It was renamed in 2024.09.0.

Session risk

  • user.session.context.change: appears when Okta identifies a change in a user's session context, device context, or IP address. This event is available to orgs with Adaptive MFA enabled, but you must be directly assigned the super admin role to view it.

Shared Signals Framework

  • security.events.provider.receive_event: appears when Okta receives a risk signal from a security events provider. This event is available to orgs with Adaptive MFA enabled, but you must be directly assigned the super admin role to view it.

Universal Logout

  • user.session.end: appears when Okta invokes Universal Logout in response to a session violation.
  • user.session.clear: appears when an admin clears a user's session.
  • user.session.universal_logout: appears when Okta or an admin invokes Universal Logout for a user.
  • user.authentication.universal_logout: appears when Okta or an admin invokes Universal Logout against an app instance.
  • user.authentication.universal_logout.scheduled: appears when an admin manually triggers Universal Logout against an app instance.

Workflows

  • workflows.user.delegatedflow.run: appears when Okta invokes a delegated flow in response to a session violation.
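
Three of the event types above were renamed in 2024.09.0, so a search or report that spans the rename has to match both the old and the new name. The following Python is an added example, not Okta's code: it builds a Search expression per category that includes the pre-rename names, and counts exported events per category with legacy names folded in. It assumes the Search field accepts expressions joined with `or` and that exported events carry an `eventType` field; the sample events are constructed.

```python
# Added example. Event names and categories come from this page.
ITP_EVENTS = {
    "Admin feedback": ["analytics.feedback.provide"],
    "Entity risk": ["user.risk.detect"],
    "Entity risk policy": ["policy.entity_risk.action",
                           "policy.entity_risk.evaluate"],
    "Okta Verify": ["device.signals.status.timeout"],
    "Post Auth Session": ["policy.auth_reevaluate.enforce",
                          "policy.auth_reevaluate.fail",
                          "policy.auth_reevaluate.action"],
    "Session risk": ["user.session.context.change"],
    "Shared Signals Framework": ["security.events.provider.receive_event"],
    "Universal Logout": ["user.session.end", "user.session.clear",
                         "user.session.universal_logout",
                         "user.authentication.universal_logout",
                         "user.authentication.universal_logout.scheduled"],
    "Workflows": ["workflows.user.delegatedflow.run"],
}
# Names logged before the 2024.09.0 rename, mapped to the current name.
LEGACY = {
    "user.risk.change": "user.risk.detect",
    "policy.continuous_access.evaluate": "policy.auth_reevaluate.enforce",
    "policy.continuous_access.action": "policy.auth_reevaluate.action",
}

def build_filter(category):
    """Search expression for one category, including pre-rename names."""
    current = ITP_EVENTS[category]
    names = current + [old for old, new in LEGACY.items() if new in current]
    return " or ".join(f'eventType eq "{n}"' for n in names)

def count_by_category(events):
    """Count events per category, folding legacy names into current ones."""
    lookup = {n: cat for cat, names in ITP_EVENTS.items() for n in names}
    counts = {}
    for ev in events:
        name = LEGACY.get(ev.get("eventType"), ev.get("eventType"))
        cat = lookup.get(name, "Other")  # anything not listed on this page
        counts[cat] = counts.get(cat, 0) + 1
    return counts

# Constructed sample events (only the field this example reads).
SAMPLE = [
    {"eventType": "user.risk.change"},
    {"eventType": "user.risk.detect"},
    {"eventType": "policy.continuous_access.action"},
    {"eventType": "user.session.start"},
]

if __name__ == "__main__":
    print(build_filter("Post Auth Session"))
    print(count_by_category(SAMPLE))
```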

Related topics

System Log

Detection settings for entity risk policy

Identity Threat Protection reports