Event metadata for Execution Log Streaming
Early Access release
Every record sent to your SIEM system includes the metadata in the Base Schema. In addition, for any specific event the record includes the fields specified in the corresponding table.
For example, if Okta Workflows recorded a paused flow event, the JSON record sent to the downstream SIEM service includes the Base Schema fields and the Flow Paused fields. See the Example following the schema tables.
Base Schema
|
Field name |
Description |
Example value |
|---|---|---|
|
event_type |
The event type. For example, FLOW_START indicates that the flow started. |
"FLOW_START" |
|
execution_id |
A Universally Unique Identifier (UUID) for this execution of the flow. |
"4632dc20-6989-4c57-9b5f-c17528474086" |
|
timestamp |
The time the event fired, denoted with a standard ISO8601 UTC timestamp. |
"2024-04-04T18:30:38.730Z" |
|
flow_id |
The 26-character Universally Unique Lexicographically Sortable Identifier (ULID) for this flow. |
"01J29TGKQERR78AD3VN0P9DPSW" |
|
flow_name |
A human-readable name for this flow. |
"Log Stream Example" |
|
org_id |
The ULID for the org where the flow ran. |
"01J29TH3XHECT79M257GG2QTKJ" |
|
org_name |
A human-readable name for the Okta org. |
"logstream-01" |
|
org_hostname |
The domain for the org's Okta Workflows tenant. |
"atko.okta.com" |
|
user_id |
The ULID for the Okta user associated with this flow execution. |
"01J29TRZDZKSY6V70GATDAHN2N" |
|
user_email |
The contact email for the Okta user associated with this flow execution. |
"jessie.doe@example.corp" |
|
parent_execution_id |
If applicable, the UUID for the execution that directly invoked this flow. |
"5001fcad-2ec4-4cd8-935e-57f14166e673" |
|
parent_flow_id |
If applicable, the ULID for the flow that directly invoked this flow. |
"01J29TTH757HFCK5FPMCRCT6A3" |
|
parent_flow_name |
If applicable, a human-readable name for the flow that directly invoked this flow. |
"Immediate Parent Flow Calling Example Flow" |
|
root_execution_id |
If applicable, the UUID for the execution that started this chain of executions. |
"0af35fac-d6d8-47cc-b59a-9954711c5ec8" |
|
root_flow_id |
If applicable, the ULID for the flow that started this chain of executions. |
"01J29TTS7X37QSTKPJBGS52ENF" |
|
root_flow_name |
If applicable, a human-readable name for the flow that started this chain of executions. |
"Root Flow Calling Example Flow" |
|
folder_id_path |
The path of the folder IDs (given as an ULID value) where this flow lives. The value appears in descending order, with the parent folder listed first. |
"01J2CT7B5P5DFHKFDE85FW6BTV/ 01J2CT9EN0Q26F3BX8YMWE1EDX" |
|
folder_id |
The ULID for the folder where this flow lives. |
"01J29T9NX4WVFNNSDG2FMQBYR8" |
|
folder_name |
The path where this flow lives, using human-readable folder names. The parent folder is listed first. |
["My parent folder", "My child folder"] |
|
engine_mode |
At the time of this event, the mode in which Okta Workflows executed this flow. |
"realtime" |
|
idempotency_key |
The UUID for this message. |
"f1aaa750-6d92-485e-acf7-dd167e00db2f" |
|
throttled |
Indicates if this flow ran in throttled mode. |
"false" |
Flow Started
|
Field name |
Description |
Example value |
|---|---|---|
|
depth |
An indication of how many flows deep this is in the stack in relation to the number of executions that precede it. |
"5" |
|
address |
A text string identifying the action that started the flow. Internal operations start with root:kernel, while connector card strings include the vendor and method, for example gmail:sendEmail. |
"root:kernel:string:0.0.1:compose" |
Flow Completed
|
Field name |
Description |
Example value |
|---|---|---|
|
duration |
In milliseconds, the time it took the flow to complete. |
"1827" |
|
step_count |
The number of steps that ran in this flow execution. |
"108" |
|
address |
A text string that identifies the card or step where the flow finished. |
"root:kernel:control:0.0.1:return" |
Flow Failed
|
Field name |
Description |
Example value |
|---|---|---|
|
duration |
In milliseconds, the time it took the flow to complete. |
"7200" |
|
step_count |
The number of steps that ran in this flow execution. |
"12" |
|
address |
A text string that identifies the card or step where the flow finished. |
"gmail:sendEmail:example:1.0.17" |
|
error_message |
A human-readable error message returned by Okta or the third-party service. |
"Example error message" |
|
error_code |
The returned error code, either by Okta or the third-party service. |
"XXXXX_XXXXX" |
|
error_type |
An enumeration value that classifies the kind of error. |
"example_error" |
|
fatal |
Indicates if the failure was fatal. |
"TRUE" |
|
retry_policy |
If applicable, the policy in effect for retrying the flow. |
Flow | handler (try/catch) |
|
retry_delay |
If applicable, the waiting period in seconds before the next flow retry attempt. |
"600" |
Flow Canceled
|
Field name |
Description |
Example value |
|---|---|---|
|
duration |
In milliseconds, the time it took the flow to complete. |
"7200" |
|
step_count |
The number of steps that ran in this flow execution. |
"12" |
|
address |
A text string that identifies the card or step where the flow finished. |
"gmail:sendEmail:example:1.0.17" |
Flow Paused
|
Field name |
Description |
Example value |
|---|---|---|
|
pause_duration |
If applicable, the total length of time in milliseconds that the pause or wait operation is expected to last. |
"7200" |
|
address |
A text string that identifies the card or step where the flow paused. |
"gmail:sendEmail:example:1.0.17" |
Flow Rate Limited (by third party)
|
Field name |
Description |
Example value |
|---|---|---|
|
address |
A text string that identifies the card or step where the flow was rate-limited. |
"gmail:sendEmail:example:1.0.17" |
|
status_code |
The HTTP status code returned by the third-party service. |
"429" |
|
backoff_duration |
In seconds, the duration of the backoff. |
"30" |
|
hostname |
The domain where the rate limit occurred. |
"example.com" |
Flow Throttled (by Okta)
|
Field name |
Description |
Example value |
|---|---|---|
|
throttling_type |
The type of throttling that took place. |
|
|
throttling_level |
The scope of the throttling event. |
|
Example
This example demonstrates a flow triggered through an API Endpoint event card that also calls a helper flow to modify and return values. There are four log streaming events recorded when the parent and helper flows start and complete.
Parent Flow: Flow Started
{
"event_type": "FLOW_START",
"execution_id": "326b7317-6ea5-4d6a-a9f5-0ee8675c0428",
"timestamp": "2024-04-04T18:30:38.730Z",
"flow_id": "632567",
"flow_name": "PDV Log Streaming",
"org_id": "00o4mhtja45vHndwd0g7",
"org_name": "logstream-01",
"user_email": "j_xyht433h5oxg1qsdvi3hj_jmr0rpxkckkxw-uzsys",
"folder_id_path": "372061/378378",
"folder_id": "378378",
"engine_mode": "realtime",
"idempotency_key": "67c775008e83c5205f1114a86bba2521",
"throttled": false,
"address": "root:kernel:string:0.0.1:compose"
}Parent Flow: Flow Completed
{
"event_type": "FLOW_COMPLETE",
"execution_id": "326b7317-6ea5-4d6a-a9f5-0ee8675c0428",
"timestamp": "2024-04-04T18:30:38.777Z",
"flow_id": "632567",
"flow_name": "PDV Log Streaming",
"org_id": "00o4mhtja45vHndwd0g7",
"org_name": "logstream-01",
"user_email": "j_xyht433h5oxg1qsdvi3hj_jmr0rpxkckkxw-uzsys",
"folder_id_path": "372061/378378",
"folder_id": "378378",
"engine_mode": "realtime",
"idempotency_key": "3c38b738b561288ddc8d345a3b59e6f7",
"throttled": false,
"duration": 1827,
"step_count": 108,
"address": "root:kernel:control:0.0.1:return"
}Helper Flow: Flow Started
{
"event_type": "FLOW_START",
"execution_id": "538911d5-6234-4edc-9f24-38bb633a4574",
"timestamp": "2024-04-04T18:58:15.861Z",
"flow_id": "625207",
"flow_name": "2. Simple Helper flow ",
"org_id": "00o4mhtja45vHndwd0g7",
"org_name": "logstream-01",
"user_email": "j_xyht433h5oxg1qsdvi3hj_jmr0rpxkckkxw-uzsys",
"parent_execution_id": "c0e2a040-9c6e-44fe-8c45-5b40dae3c4ab",
"parent_flow_id": "0ff53d44-7c49-4dcd-ae8a-b16fc5a5a5d2",
"parent_flow_name": "Flow 1: API Invoke Flow",
"root_execution_id": "13881f3b-b0e0-4385-afca-7ad833e40c77",
"root_flow_id": "543087",
"folder_id_path": "",
"folder_id": "",
"engine_mode": "realtime",
"idempotency_key": "23ac58e41d9b376f5fceb59881bd5c4",
"throttled": false,
"address": "root:kernel:control:0.0.1:callable"
}Helper Flow: Flow Completed
{
"event_type": "FLOW_COMPLETE",
"execution_id": "538911d5-6234-4edc-9f24-38bb633a4574",
"timestamp": "2024-04-04T18:58:15.901Z",
"flow_id": "625207",
"flow_name": "2. Simple Helper flow ",
"org_id": "00o4mhtja45vHndwd0g7",
"org_name": "logstream-01",
"user_email": "j_xyht433h5oxg1qsdvi3hj_jmr0rpxkckkxw-uzsys",
"parent_execution_id": "c0e2a040-9c6e-44fe-8c45-5b40dae3c4ab",
"parent_flow_id": "0ff53d44-7c49-4dcd-ae8a-b16fc5a5a5d2",
"parent_flow_name": "Flow 1: API Invoke Flow",
"root_execution_id": "13881f3b-b0e0-4385-afca-7ad833e40c77",
"root_flow_id": "543087",
"folder_id_path": "",
"folder_id": "",
"engine_mode": "realtime",
"idempotency_key": "a888ffb7e2d71d264fcce697a855fc8",
"throttled": false,
"duration": 41,
"step_count": 2,
"address": "root:kernel:string:0.0.1:compose"
}