User Sign-in and Recovery Events in the Okta System Log

Okta

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.

We are often asked to provide some sort of "cheat sheet" for new analysts who are unfamiliar with the extensive catalogue of event types in Okta's Event Library.

The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections for identifying suspicious activity.

The events below are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).

Working with Okta System Log

To access the System Log, go to Reports > System Log.

To view events in the System Log, type or paste a query into the Search field on the System Log page, and press Enter.

Search events by user

To view sign-in events for a particular user, use the query below as an example. Replace <enter user id> (both occurrences) with the user's Okta User ID.

You can find the User ID for a given user by navigating to Directory > People, searching by name and selecting the user. The User ID is appended to the end of the resulting URL:

https://<Okta org URL>/admin/user/profile/view/<User ID>

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

The Definitions section at the end of this post describes each event in this query.

Search events by IP address

To view user sign-in events associated with a particular IP address, replace <enter ip address here> with an IP address.

(client.ipAddress eq "<enter ip address here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

Search events by External Session ID

To view all events associated with a particular user session, replace <enter external session id here> with an External Session ID. You can take the External Session ID from the authenticationContext.externalSessionId field of any event already known to belong to the session (expand the event in the System Log to see its full JSON).

(authenticationContext.externalSessionId eq "<enter external session id here>")

To only view sign-on events associated with a particular user session, replace <enter external session id here> with an External Session ID.

(authenticationContext.externalSessionId eq "<enter external session id here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

View logout events for a user

To view user sign-out events associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.end") or
(eventType eq "user.authentication.slo")
)

View MFA configuration changes for a user

To identify any changes to authenticators associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.mfa.factor.deactivate") or
(eventType eq "user.mfa.factor.reset_all") or
(eventType eq "user.mfa.factor.suspend") or
(eventType eq "user.mfa.factor.unsuspend") or
(eventType eq "user.mfa.factor.update")
)

You can also share a link to a System Log query with your team members so they can view the same events in the System Log.

After you have run a query and viewed the events in the System Log, copy the link in the URL field of your browser and paste it into a message to your colleagues.
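The same filter expressions are accepted by the System Log API, which is how a SOC normally pulls these events into a SIEM or a notebook rather than reading them in the admin console. The following is an added example and not code from the original article: it assembles the pivot query from the event list above, refuses pivot values that could break out of the quoted literal, and pages through GET /api/v1/logs by following the Link: rel="next" header. The environment variable names OKTA_ORG_URL, OKTA_API_TOKEN and USER_ID are assumptions made for this example.

```python
"""Build an Okta System Log filter for a pivot value and page through the
System Log API (GET /api/v1/logs). Added example, not the article's code.
Assumes the org URL, an API token and a user ID are in the environment
variables OKTA_ORG_URL / OKTA_API_TOKEN / USER_ID (names chosen here)."""
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

# Event types used by the article's sign-in and recovery query.
SIGN_IN_EVENTS = [
    "user.session.start", "policy.evaluate_sign_on",
    "user.authentication.verify", "application.policy.sign_on.deny_access",
    "user.authentication.sso", "user.authentication.auth_via_mfa",
    "user.mfa.factor.activate", "system.push.send_factor_verify_push",
    "system.email.send_factor_verify_message",
    "system.sms.send_factor_verify_message",
    "system.sms.send_phone_verification_message",
    "system.voice.send_mfa_challenge_call",
    "system.voice.send_phone_verification_call",
    "system.email.password_reset.sent_message",
    "system.sms.send_password_reset_message",
    "system.voice.send_password_reset_call",
    "user.account.reset_password", "user.account.update_password",
    "system.email.account_unlock.sent_message",
    "system.sms.send_account_unlock_message",
    "system.voice.send_account_unlock_call",
    "user.account.unlock_token", "user.account.unlock",
]

# Pivot name -> filter fragment; {v} is the quoted pivot value.
PIVOTS = {
    "user": '(actor.id eq "{v}" or target.id eq "{v}")',
    "ip": '(client.ipAddress eq "{v}")',
    "session": '(authenticationContext.externalSessionId eq "{v}")',
}

# User IDs, IP addresses and session IDs are plain tokens. Anything else
# (a quote, whitespace, an operator) could change the filter's meaning, so
# refuse it instead of trying to escape it.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:\-]+$")


def build_filter(pivot: str, value: str, event_types=SIGN_IN_EVENTS) -> str:
    """Return the System Log filter expression for one pivot value."""
    if pivot not in PIVOTS:
        raise ValueError(f"unknown pivot {pivot!r}")
    if not _SAFE_VALUE.match(value):
        raise ValueError(f"refusing unsafe pivot value {value!r}")
    events = " or ".join(f'(eventType eq "{e}")' for e in event_types)
    return f"{PIVOTS[pivot].format(v=value)} and ({events})"


def logs_url(org_url: str, filt: str, since: str, limit: int = 200) -> str:
    """First-page URL: filter, since (ISO 8601) and limit go in the query string."""
    q = urllib.parse.urlencode({"filter": filt, "since": since,
                                "sortOrder": "ASCENDING", "limit": limit})
    return f"{org_url.rstrip('/')}/api/v1/logs?{q}"


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from an HTTP Link header, if present."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def http_get(url: str, token: str):
    """Real transport: returns (parsed JSON body, Link header value)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link")


def iter_events(first_url: str, token: str,
                get: Callable = http_get) -> Iterator[dict]:
    """Yield every event, following rel="next" until a page comes back empty.
    Okta keeps returning a next link for polling, so the empty page is the stop."""
    url = first_url
    while url:
        page, link = get(url, token)
        if not page:
            return
        yield from page
        url = next_link(link)


if __name__ == "__main__":
    f = build_filter("user", os.environ["USER_ID"])
    url = logs_url(os.environ["OKTA_ORG_URL"], f, "2024-01-01T00:00:00Z")
    for ev in iter_events(url, os.environ["OKTA_API_TOKEN"]):
        print(ev["published"], ev["eventType"], ev.get("outcome", {}).get("result"))
```

The transport is injectable so the paging logic can be exercised without an org; the rejection of unsafe pivot values matters when the value comes from a ticket or a chat message rather than from your own copy-paste.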

Event Scenarios

1. Troubleshooting sign-on events

Sign in to Okta

When a user signs in to Okta, you’ll see the following sequence of events:

1. user.session.start: This event is fired after the first authentication method is verified.

2. policy.evaluate_sign_on: This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation (see its outcome.result field).

3. MFA events: If a policy requires multifactor authentication (MFA), you'll see various MFA enrollment or verification-related events. See section 2 (Review Multifactor Authentication Events) below for details on those events.

4. user.authentication.verify: This event is fired after the user has successfully completed the sign-in flow. At this point, a valid session should have been established for the user.

Sign in to an app

Once a user has established a session, they are (usually) then able to view a dashboard of available applications. There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.

In successful app sign-in attempts, the following events are triggered:

1. Multifactor Authentication events: If a policy requires MFA, you'll see various MFA enrollment or verification-related events. See section 2 (Review Multifactor Authentication Events) below for details on those events.

2. user.authentication.sso: This event is fired after the user meets all the requirements to access the app.

In unsuccessful app sign-in attempts, the following event is triggered:

1. application.policy.sign_on.deny_access: This event is fired if the user doesn't meet the requirements to access the app.

2. Review Multifactor Authentication Events

When any policy (Sign-On Policy/Global Session Policy/App Sign-On Policy) requires MFA, you should expect a number of the following events.

First there are those events that fire irrespective of the authenticator in question:

1. user.authentication.auth_via_mfa: This event is fired after the user attempts to verify their identity using an MFA factor/authenticator. Check the event's outcome.result to tell a successful challenge from a failed or rejected one.

2. user.mfa.factor.activate: If a user doesn't have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enrol them. This event is fired after the user successfully enrols an MFA factor/authenticator.

Specific MFA factors/authenticators also fire additional events that indicate progress of the verification flow:

system.push.send_factor_verify_push: When using the Okta Verify Push factor/authenticator, this event is fired when Okta sends the push notification to the user's device.

system.email.send_factor_verify_message: When using the Email MFA factor/authenticator, this event is fired when Okta sends a message with a one-time password (OTP) code to the user via email.

system.sms.send_phone_verification_message: When enrolling the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.

system.sms.send_factor_verify_message: When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.

system.voice.send_phone_verification_call: When enrolling the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta places the call containing the OTP code (the call that verifies the phone number, mirroring the SMS "phone_verification" event above).

system.voice.send_mfa_challenge_call: When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta places the call containing the OTP code (the MFA challenge, mirroring the SMS "factor_verify" event above).

3. Review Password Reset and Account Lockout Events

Self-Service Password Reset

If your organization uses Okta Classic Engine (OCE) and allows user-initiated ("self-service") password resets, an analyst should expect to see the following sequence of events:

1. One of the following: system.email.password_reset.sent_message, system.sms.send_password_reset_message or system.voice.send_password_reset_call. These events are fired after an email, SMS message or voice call is sent to the user to initiate the SSPR flow.

NB: In Okta Identity Engine, administrators can configure recovery flows that use Okta Verify, Email or SMS and that require additional verification via any authenticator the user is enrolled in; the sequence shown here is the OCE one.

2. user.account.reset_password: This event is fired after Okta resets the user's password, once the email, SMS message or voice call has been verified. The password is reset so that the user can set a new one.

3. user.account.update_password: This event is fired after the user has successfully set their new password.

Once a user completes the SSPR, they commence a normal Okta sign-on flow. See the Sign in to Okta section for information about those events.

Below is a query analysts using OCE can use to search for SSPR-related activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password")
)

Self-Service Account Unlock

If an organization using Okta Classic Engine (OCE) allows self-service account unlock (SSU), an analyst should expect to see the following sequence of events:

1. One of the following: system.email.account_unlock.sent_message, system.sms.send_account_unlock_message or system.voice.send_account_unlock_call. These events are fired after the email, SMS message or voice call is sent to the user to initiate the SSU flow.

NB: In Okta Identity Engine, administrators can configure recovery flows that use Okta Verify, Email or SMS and that require additional verification via any authenticator the user is enrolled in; the sequence shown here is the OCE one.

2. user.account.unlock_token: This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user's security question.

3. user.account.unlock: This event is fired after the user has successfully unlocked their account.

Below is a query analysts using OCE can use to search for self-service unlock activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
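The two recovery queries above return the raw events; what an analyst actually wants is each request paired with its completion. The following is an added example, not code from the original article: it walks one user's events in time order, opens a chain on each password-reset or unlock "sent" event, attaches the later user.account.* steps of the same kind that fall within a window, and flags chains that completed from a different client.ipAddress than the one that requested them, chains that never completed, and completions with no preceding self-service request. The user selection mirrors the article's actor.id/target.id pivot. SAMPLE_EVENTS is a constructed sample; the one-hour window is an assumption for this example.

```python
"""Correlate self-service password reset and account unlock chains for one
user and flag request/completion IP mismatches and incomplete chains.
Added example, not the article's code. SAMPLE_EVENTS is constructed data
shaped like System Log JSON; the one-hour window is an assumed value."""
from datetime import datetime, timedelta
from typing import List

RESET_SENT = {"system.email.password_reset.sent_message",
              "system.sms.send_password_reset_message",
              "system.voice.send_password_reset_call"}
UNLOCK_SENT = {"system.email.account_unlock.sent_message",
               "system.sms.send_account_unlock_message",
               "system.voice.send_account_unlock_call"}
# kind -> (events that open a chain, events that progress it, the final step)
CHAINS = {
    "password reset": (RESET_SENT,
                       {"user.account.reset_password", "user.account.update_password"},
                       "user.account.update_password"),
    "account unlock": (UNLOCK_SENT,
                       {"user.account.unlock_token", "user.account.unlock"},
                       "user.account.unlock"),
}


def ev(ts, etype, ip, actor="00uA", target="00uA"):
    """Minimal System Log-shaped event (constructed test data)."""
    return {"published": ts, "eventType": etype, "client": {"ipAddress": ip},
            "actor": {"id": actor}, "target": [{"id": target}]}


SAMPLE_EVENTS = [
    # Chain 1: reset mail requested from one IP, password changed from another.
    ev("2024-03-03T10:00:00.000Z", "system.email.password_reset.sent_message", "203.0.113.10"),
    ev("2024-03-03T10:02:00.000Z", "user.account.reset_password", "198.51.100.7"),
    ev("2024-03-03T10:03:00.000Z", "user.account.update_password", "198.51.100.7"),
    # Chain 2: SMS reset requested, never used.
    ev("2024-03-03T12:00:00.000Z", "system.sms.send_password_reset_message", "203.0.113.10"),
    # Chain 3: unlock completed normally from the requesting IP.
    ev("2024-03-04T08:00:00.000Z", "system.email.account_unlock.sent_message", "203.0.113.10"),
    ev("2024-03-04T08:01:00.000Z", "user.account.unlock_token", "203.0.113.10"),
    ev("2024-03-04T08:01:05.000Z", "user.account.unlock", "203.0.113.10"),
    # Another user's password change: must not be mixed into 00uA's chains.
    ev("2024-03-04T08:02:00.000Z", "user.account.update_password", "203.0.113.99", "00uB", "00uB"),
]


def _when(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))


def _involves(e, user_id):
    """Mirror the article's pivot: the user is the actor or one of the targets."""
    return (e["actor"]["id"] == user_id
            or any(t.get("id") == user_id for t in e.get("target") or []))


def _new_chain(kind, t, request_ip, step, completed=False, completion_ip=None, findings=()):
    return {"kind": kind, "requested_at": t, "request_ip": request_ip, "steps": [step],
            "completed": completed, "completion_ip": completion_ip, "findings": list(findings)}


def recovery_chains(events: List[dict], user_id: str,
                    window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Walk the user's events in time order. A 'sent' event opens a chain; later
    progress events of the same kind within the window attach to the latest open chain."""
    chains: List[dict] = []
    for e in sorted(events, key=_when):
        if not _involves(e, user_id):
            continue
        et, t, ip = e["eventType"], _when(e), e["client"]["ipAddress"]
        for kind, (sent, progress, final) in CHAINS.items():
            if et in sent:
                chains.append(_new_chain(kind, t, ip, et))
            elif et in progress:
                open_ = [c for c in chains if c["kind"] == kind and not c["completed"]
                         and t - c["requested_at"] <= window]
                if not open_:  # no self-service request to attach to (admin reset, or out of window)
                    chains.append(_new_chain(kind, t, None, et, et == final, ip,
                                             ["completion with no self-service request in the window"]))
                    continue
                c = open_[-1]
                c["steps"].append(et)
                if et == final:
                    c["completed"], c["completion_ip"] = True, ip
                    if ip != c["request_ip"]:
                        c["findings"].append(f"requested from {c['request_ip']} but completed from {ip}")
    for c in chains:
        if not c["completed"] and c["request_ip"] is not None:
            c["findings"].append("request sent but never completed")
    return chains


if __name__ == "__main__":
    for c in recovery_chains(SAMPLE_EVENTS, "00uA"):
        print(c["kind"], c["requested_at"], c["steps"], c["findings"])
```

An IP mismatch between the request and the completion is not proof of compromise (mobile users change networks), but it is the first thing to check when a reset precedes a report of unfamiliar activity, and a "sent but never completed" chain is the footprint of an attacker probing whether a recovery channel is available.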

Definitions

Field or event: Description

actor.id: The actor that performed an event on a target (typically a user).

application.policy.sign_on.deny_access: A user was denied access to an application.

policy.evaluate_sign_on: Provides context on the values that are used and evaluated in the context of the Global Session Policy.

system.email.account_unlock.sent_message: Okta sends a system-generated account unlock email to the user when they request account unlocking.

system.email.password_reset.sent_message: Okta sends a system-generated password reset email to the user when they request a password reset.

system.email.send_factor_verify_message: Okta sends a system-generated verification email to the user when they sign in.

system.push.send_factor_verify_push: Okta sends a push notification to the user.

system.sms.send_account_unlock_message: Okta sends a system-generated account unlock text message to the user when they request account unlocking.

system.sms.send_factor_verify_message: Okta sends a system-generated verification text message to the user when they sign in.

system.sms.send_password_reset_message: Okta sends a system-generated password reset text message to the user when they request a password reset.

system.sms.send_phone_verification_message: Okta sends a system-generated one-time password text message to the user when they enrol the Phone authenticator in SMS mode.

system.voice.send_account_unlock_call: Okta triggers a phone call to the user containing a one-time password when they request account unlocking.

system.voice.send_mfa_challenge_call: Okta triggers a phone call to the user containing a one-time password when they authenticate with the Phone authenticator in Voice mode.

system.voice.send_password_reset_call: Okta triggers a phone call to the user containing a one-time password when they request a password reset.

system.voice.send_phone_verification_call: Okta triggers a phone call to the user containing a one-time password when they enrol the Phone authenticator in Voice mode.

user.account.reset_password: The user's password was reset.

user.account.unlock: The user's account was unlocked.

user.account.unlock_token: A token was issued for unlocking the user's account.

user.account.update_password: The user updated their password.

user.authentication.auth_via_mfa: The user responded to an authentication challenge with a multifactor authentication method; outcome.result records whether the challenge succeeded.

user.authentication.sso: A user attempts a Single Sign-On (SSO) to an application managed in Okta. This event doesn't capture whether the SSO attempt succeeded or failed, as Okta can't collect the subsequent authentication attempt status from the third-party service.

user.authentication.verify: The user was successfully verified.

user.mfa.factor.activate: An MFA factor/authenticator was activated for a user.

user.session.start: Okta issues a session to a user who is authenticating.

More information

For more information about the System Log, see the online help for your version of Okta (Classic Engine or Identity Engine).