User Sign-in and Recovery Events in the Okta System Log

Okta

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP. 

We are often asked to provide some sort of "cheat sheet" for new analysts who are unfamiliar with the extensive library of events available in Okta's Event Library.

The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections for identifying suspicious activity.

The events below are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).

Working with Okta System Log

To access the System Log, go to Reports > System Log.

To view events in the System Log, type or paste a query into the Search field on the System Log page, and press Enter.

Search events by user

To view sign-in events for a particular user, use the following query, replacing both occurrences of <enter user id> with the user's User ID.

You can find the User ID for a given user by navigating to Directory > People, searching by name and selecting the user. The User ID is appended to the end of the resulting URL:

https://<Okta org URL>/admin/user/profile/view/<User ID>

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

For a description of each event in this query, see the Definitions table below.

Search events by IP address

To view user sign-in events associated with a particular IP address, replace <enter ip address here> with an IP address.

(client.ipAddress eq "<enter ip address here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

Search events by External Session ID

To view all events associated with a particular user session, replace <enter external session id here> with an External Session ID.

(authenticationContext.externalSessionId eq "<enter external session id here>")

To view only sign-on events associated with a particular user session, replace <enter external session id here> with an External Session ID.

(authenticationContext.externalSessionId eq "<enter external session id here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

View logout events for a user

To view user sign-out events associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.end") or
(eventType eq "user.authentication.slo")
)

View MFA configuration changes for a user

To identify any changes to authenticators associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.mfa.factor.deactivate") or
(eventType eq "user.mfa.factor.reset_all") or
(eventType eq "user.mfa.factor.suspend") or
(eventType eq "user.mfa.factor.unsuspend") or
(eventType eq "user.mfa.factor.update")
)
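
The queries above can also be run against the System Log API rather than typed into the admin console. The following Python is an added example, not code from the support article: it builds the same filter expression for a user, IP or External Session ID pivot, rejects pivot values that could alter the filter, and pages through the results. It assumes the documented GET /api/v1/logs endpoint with an SSWS API token and rel="next" Link-header pagination; the org URL is a placeholder and the helper names are my own.

```python
import json
import re
import urllib.parse
import urllib.request

# The 23 event types used by the sign-in queries above (the list is the same in each).
SIGN_IN_EVENTS = [
    "user.session.start", "policy.evaluate_sign_on", "user.authentication.verify",
    "application.policy.sign_on.deny_access", "user.authentication.sso",
    "user.authentication.auth_via_mfa", "user.mfa.factor.activate",
    "system.push.send_factor_verify_push", "system.email.send_factor_verify_message",
    "system.sms.send_factor_verify_message", "system.sms.send_phone_verification_message",
    "system.voice.send_mfa_challenge_call", "system.voice.send_phone_verification_call",
    "system.email.password_reset.sent_message", "system.sms.send_password_reset_message",
    "system.voice.send_password_reset_call", "user.account.reset_password",
    "user.account.update_password", "system.email.account_unlock.sent_message",
    "system.sms.send_account_unlock_message", "system.voice.send_account_unlock_call",
    "user.account.unlock_token", "user.account.unlock",
]
# How each pivot is written in the filter language, exactly as in the queries above.
PIVOTS = {
    "user": '(actor.id eq "{v}" or target.id eq "{v}")',
    "ip": '(client.ipAddress eq "{v}")',
    "session": '(authenticationContext.externalSessionId eq "{v}")',
}
# The pivot value is spliced into the filter verbatim, so accept only the characters that
# user IDs, IP addresses and session IDs contain; anything else is rejected, not queried.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:@-]{1,128}$")

def build_filter(pivot, value, event_types=SIGN_IN_EVENTS):
    """Return the System Log filter expression for one pivot value and a list of event types."""
    if pivot not in PIVOTS:
        raise ValueError(f"unknown pivot {pivot!r}")
    if not SAFE_VALUE.match(value):
        raise ValueError("pivot value contains characters that are not valid in a filter")
    types = " or ".join(f'(eventType eq "{t}")' for t in event_types)
    return f"{PIVOTS[pivot].format(v=value)} and ({types})"

def fetch_events(org_url, api_token, filter_expr, since):
    """Page through GET /api/v1/logs for every event matching filter_expr since an ISO-8601 time.
    org_url is the org base URL (e.g. https://example.okta.com, a placeholder); api_token is an
    Okta API token sent as 'SSWS <token>'. Follows rel="next" Link headers until a page is empty."""
    params = {"filter": filter_expr, "since": since, "limit": "200", "sortOrder": "ASCENDING"}
    url, events = f"{org_url}/api/v1/logs?{urllib.parse.urlencode(params)}", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}",
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.loads(resp.read())
            links = resp.headers.get_all("Link") or []
        events.extend(page)
        nxt = [l for l in links if 'rel="next"' in l]
        url = nxt[0].split(";")[0].strip("<> ") if page and nxt else None
    return events
```

The returned records are the same JSON objects shown in the System Log UI, so the externalSessionId and eventType fields can be pivoted on directly.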

Share a link to System Log reports

You can also share a link to a System Log query with your team members so they can view the same events in the System Log.

After you have run a query and viewed the events in the System Log, copy the link in the URL field of your browser and paste it into a message to your colleagues.

Event Scenarios

1. Troubleshooting sign-on events

Sign in to Okta

When a user signs in to Okta, you’ll see the following sequence of events:

Order | Event | Description
1 | user.session.start | This event is fired after the first authentication method is verified.
2 | policy.evaluate_sign_on | This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation.
3 | MFA events | If a policy requires multifactor authentication (MFA), you'll see various MFA enrollment or verification-related events. See the Multifactor authentication section for details on those events.
4 | user.authentication.verify | This event is fired after the user has successfully completed the sign-in flow. At this point, a valid session should have been established for the user.

Sign in to an app

Once a user has established a session, they are (usually) then able to view a dashboard of available applications. There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.

In successful app sign-in attempts, the following events are triggered:

Order | Event | Description
1 | Multifactor Authentication events | If a policy requires MFA, you'll see various MFA enrollment or verification-related events. See the Multifactor authentication section for details on those events.
2 | user.authentication.sso | This event is fired after the user meets all the requirements to access the app.

In unsuccessful app sign-in attempts, the following event is triggered:

Order | Event | Description
1 | application.policy.sign_on.deny_access | This event is fired if the user doesn't meet the requirements to access the app.

2. Review Multifactor Authentication Events

When any policy (Sign-On Policy/Global Session Policy/App Sign-On Policy) requires MFA, you should expect a number of the following events. 

First, the events that fire irrespective of the authenticator in question:

Order | Event | Description
1 | user.authentication.auth_via_mfa | This event is fired after the user attempts to verify their identity using an MFA factor/authenticator.
2 | user.mfa.factor.activate | If a user doesn't have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enrol them. This event is fired after the user successfully enrols an MFA factor/authenticator.

Specific MFA factors/authenticators also fire additional events that indicate progress of the verification flow:

Event | Description
system.push.send_factor_verify_push | When using the Okta Verify Push factor/authenticator, this event is fired when Okta sends the push notification to the user's device.
system.email.send_factor_verify_message | When using the Email MFA factor/authenticator, this event is fired when Okta sends a message with a one-time password (OTP) code to the user via email.
system.sms.send_phone_verification_message | When enrolling the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.
system.sms.send_factor_verify_message | When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.
system.voice.send_mfa_challenge_call | When enrolling the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call.
system.voice.send_phone_verification_call | When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call.

3. Review Password Reset and Account Lockout Events

Self-Service Password Reset

If your organization uses Okta Classic Engine (OCE) and supports user-initiated ("self-service") password resets, an analyst should expect to see the following sequence of events:

Order | Event | Description
1 | One of: system.email.password_reset.sent_message, system.sms.send_password_reset_message, system.voice.send_password_reset_call | These events are fired after an email, SMS message or voice call is sent to the user to initiate the SSPR flow.
2 | user.account.reset_password | This event is fired after Okta resets the user's password, once the email, SMS message or voice call is verified. The user's password is reset to allow the user to change it.
3 | user.account.update_password | This event is fired after the user has successfully changed their password.

NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in.

Once a user completes the SSPR, they commence a normal Okta sign-on flow. See the Sign in to Okta section for information about those events.

Below is a query analysts using OCE can use to search for SSPR-related activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password")
)

Self-Service Account Unlock

If an organization using Okta Classic Engine (OCE) allows self-service account unlock (SSU), an analyst should expect to see the following sequence of events:

Order | Event | Description
1 | One of: system.email.account_unlock.sent_message, system.sms.send_account_unlock_message, system.voice.send_account_unlock_call | These events are fired after the email, SMS message or voice call is sent to the user to initiate the SSU flow.
2 | user.account.unlock_token | This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user's security question.
3 | user.account.unlock | This event is fired after the user has successfully unlocked their account.

NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in.

Below is a query analysts using OCE can use to search for self-service unlock activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)
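
The sequences in sections 1 and 3 can be checked mechanically once the events are exported. The following Python is an added example, not code from the support article: it groups sign-in events by External Session ID and tests each session against the "Sign in to Okta" order, then reports each reset/unlock step-2 event and whether a recovery message preceded it as the self-service sequences above require. The sample records, user and session IDs are constructed and carry only the fields the example reads.

```python
from collections import defaultdict

def ev(ts, event_type, session="unknown"):
    """Minimal System Log record with only the fields this example reads (constructed)."""
    return {"published": ts, "eventType": event_type, "authenticationContext": {"externalSessionId": session}}

# Constructed sample events for one user: a complete sign-in (sessA), a sign-in that stalls
# at the MFA push (sessB), and a password reset with no recovery message sent before it.
SAMPLE_EVENTS = [
    ev("2024-05-01T08:00:01Z", "user.session.start", "sessA"),
    ev("2024-05-01T08:00:02Z", "policy.evaluate_sign_on", "sessA"),
    ev("2024-05-01T08:00:03Z", "system.push.send_factor_verify_push", "sessA"),
    ev("2024-05-01T08:00:09Z", "user.authentication.auth_via_mfa", "sessA"),
    ev("2024-05-01T08:00:10Z", "user.authentication.verify", "sessA"),
    ev("2024-05-01T09:10:00Z", "user.session.start", "sessB"),
    ev("2024-05-01T09:10:01Z", "policy.evaluate_sign_on", "sessB"),
    ev("2024-05-01T09:10:02Z", "system.push.send_factor_verify_push", "sessB"),
    ev("2024-05-01T11:00:00Z", "user.account.reset_password"),
]

# Steps 1, 2 and 4 of "Sign in to Okta"; MFA events (step 3) may sit between 2 and 4.
SIGN_IN_STEPS = ["user.session.start", "policy.evaluate_sign_on", "user.authentication.verify"]
MFA_EVENTS = {"user.authentication.auth_via_mfa", "user.mfa.factor.activate", "system.push.send_factor_verify_push",
              "system.email.send_factor_verify_message", "system.sms.send_factor_verify_message",
              "system.voice.send_mfa_challenge_call"}
# Self-service recovery flows: the messages that start each one, and its step-2 event.
RECOVERY_FLOWS = {
    "password_reset": ({"system.email.password_reset.sent_message", "system.sms.send_password_reset_message",
                        "system.voice.send_password_reset_call"}, "user.account.reset_password"),
    "account_unlock": ({"system.email.account_unlock.sent_message", "system.sms.send_account_unlock_message",
                        "system.voice.send_account_unlock_call"}, "user.account.unlock_token"),
}

def sign_in_sessions(events):
    """Group by externalSessionId; report whether each session reached step 4, in order."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        by_session[e["authenticationContext"]["externalSessionId"]].append(e["eventType"])
    report = {}
    for sid, types in by_session.items():
        if "user.session.start" in types:  # otherwise no session was issued here (e.g. recovery)
            seen = [t for t in types if t in SIGN_IN_STEPS]  # exactly the three steps, in order
            report[sid] = {"complete": seen == SIGN_IN_STEPS, "mfa": [t for t in types if t in MFA_EVENTS]}
    return report

def recovery_checks(events):
    """Report each step-2 reset/unlock event and whether a recovery message preceded it."""
    findings, pending = [], set()
    for e in sorted(events, key=lambda e: e["published"]):
        for name, (starters, step2) in RECOVERY_FLOWS.items():
            if e["eventType"] in starters:
                pending.add(name)
            elif e["eventType"] == step2:  # False means the flow did not start as self-service
                findings.append((name, e["published"], name in pending))
                pending.discard(name)
    return findings
```

A reset or unlock reported with False did not follow the self-service sequence documented above, so the analyst should establish who initiated it before treating it as user-driven.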

Definitions

Event | Description
actor.id | The actor that performed an event on a target (typically a user).
application.policy.sign_on.deny_access | A user was denied access to an application.
policy.evaluate_sign_on | Records the values that were used and evaluated against the Global Session Policy.
system.email.account_unlock.sent_message | Okta sends a system-generated account unlock email to the user when they request account unlocking.
system.email.password_reset.sent_message | Okta sends a system-generated password reset email to the user when they request a password reset.
system.email.send_factor_verify_message | Okta sends a system-generated verification email to the user when they sign in.
system.push.send_factor_verify_push | Okta sends a push notification to the user.
system.sms.send_account_unlock_message | Okta sends a system-generated account unlock text message to the user when they request account unlocking.
system.sms.send_factor_verify_message | Okta sends a system-generated verification text message to the user when they sign in.
system.sms.send_password_reset_message | Okta sends a system-generated password reset text message to the user when they request a password reset.
system.sms.send_phone_verification_message | Okta sends a system-generated one-time password text message to the user when they select the Phone authenticator and the SMS mode.
system.voice.send_account_unlock_call | Okta triggers a phone call to the user containing a one-time password when they request account unlocking.
system.voice.send_mfa_challenge_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.
system.voice.send_password_reset_call | Okta triggers a phone call to the user containing a one-time password when they request a password reset.
system.voice.send_phone_verification_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.
user.account.reset_password | The user reset their password.
user.account.unlock | The user's account was unlocked.
user.account.unlock_token | A token was issued for unlocking the user's account.
user.account.update_password | The user updated their password.
user.authentication.auth_via_mfa | The user responded to an authentication challenge with a multifactor authentication method.
user.authentication.sso | A user attempts a Single Sign-On (SSO) to an application managed in Okta. This event doesn't capture whether the SSO attempt is successful or has failed, as Okta can't collect the subsequent authentication attempt status from the third-party service.
user.authentication.verify | The user was successfully verified.
user.mfa.factor.activate | An MFA factor/authenticator was activated for a user.
user.session.start | Okta issues a session to a user who is authenticating.

More information

For more information about the System Log, see the online help for your version of Okta.