Event Types
Event types are the primary method of categorization within the Okta eventing platform. They allow consumers to easily group notable system occurrences based on behavior. This resource contains the complete event type catalog of this platform.
Catalog
The following is a full listing of event types used in the System Log API with associated description and related metadata. For migration purposes it also includes a mapping to the equivalent event type in the legacy Events API. The relationship between System Log API and Events API event types is generally one-to-many. Note that there are currently some System Log API event types which do not have an Events API equivalent.
Important: As of April 20th, 2020, the Events API does not track new event types added to the System Log API. For this reason we highly recommend migrating to the System Log API. For more information, see our Events API End of Life FAQ.
app.access_request.approver.approve
Request to access an app was approved by an administrator-defined approver.
app.access_request.approver.deny
Request to access an app was denied by an administrator-defined approver.
app.access_request.delete
Request to access an app was deleted by an administrator.
app.access_request.deny
Request to access an app was denied after at least one approver denied the request.
app.access_request.expire
Request to access an app was expired by the system due to lack of approver action.
app.access_request.grant
Request to access an app was granted after all approvers approved the request.
app.access_request.request
Request to access an app was performed by a user.
app.ad.api.user_import.account_locked
Active Directory user account set to locked following profile update: user is locked in Active Directory.
app.ad.api.user_import.warn.skipped_contact.attribute_invalid_value
Skipping import of contact due to invalid attribute. Please consult with your Active Directory admin if you believe this contact should be imported.
app.ad.api.user_import.warn.skipped_user.attribute_invalid_value
Skipping import of user due to an invalid AD attribute.
app.ad.api.user_import.warn.skipped_user.missing_required_attribute
Skipping import of user due to a required AD attribute being null.
app.app_instance.csr.generate
Certificate signing request (CSR) generated.
app.app_instance.csr.publish
Certificate signing request (CSR) published.
app.app_instance.csr.revoke
Certificate signing request (CSR) revoked.
app.app_instance.provision_sync_job.completed
Fired when a provision sync job has successfully completed. This can be used to confirm that a provision sync job has finished running and is no longer processing users. When fired, this event contains details about the number of users processed in the job. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.failed.
app.app_instance.provision_sync_job.failed
Fired when a provision sync job has failed. This can be used to identify when a provision sync job has failed. When fired, this event contains information about the reason the provision sync job failed. Related events include app.app_instance.provision_sync_job.started and app.app_instance.provision_sync_job.completed.
app.app_instance.provision_sync_job.started
Fired when a provision sync job has successfully started. This can be used to confirm that a provision sync job has successfully started. Related events include app.app_instance.provision_sync_job.completed and app.app_instance.provision_sync_job.failed.
app.audit_report.download.local.active
Application access report downloaded.
app.audit_report.download.local.deprov
Recent unassignments report downloaded.
app.audit_report.download.rogue.report
Rogue report downloaded.
app.generic.unauth_app_access_attempt
User attempted unauthorized access to app.
app.inbound_del_auth.login_success
Successful inbound delegated authentication request for user.
app.kerberos_rich_client.account_not_found
Kerberos based rich client authentication failed: Could not find Office 365 app user for the AD user with principal id.
app.kerberos_rich_client.instance_not_found
Kerberos based rich client authentication failed: Unknown app instance id.
app.kerberos_rich_client.multiple_accounts_found
Kerberos based rich client authentication failed: Multiple users with username found.
app.kerberos_rich_client.user_authentication_successful
Kerberos based rich client authentication successful for Office 365 user.
app.keys.clone
Application signing key cloned.
app.keys.generate
New signing key generated.
app.keys.rotate
Application signing key rotated.
app.ldap.password.change.failed
Password change failed.
app.oauth2.admin.consent.grant
Administrator consent granted for scope. This event can be used to track when an administrator grants consent to a client to request a specific scope. This event is fired when an admin grants consent.
app.oauth2.admin.consent.revoke
Administrator consent revoked for scope. This event can be used to track when an administrator revokes consent to a client to request a specific scope. This event is fired when an admin revokes consent.
app.oauth2.as.authorize
OAuth2 authorization request.
app.oauth2.as.authorize.code
OAuth2 authorization code request.
app.oauth2.as.authorize.implicit.access_token
OAuth2 authorization implicit access token request.
app.oauth2.as.authorize.implicit.id_token
OAuth2 authorization implicit ID token request.
app.oauth2.as.authorize.scope_denied
Some of the requested scopes were denied by the policy.
app.oauth2.as.consent.grant
User granted consent to app.
app.oauth2.as.consent.revoke
Consent revoked.
app.oauth2.as.consent.revoke.implicit.as
All consent revoked for authorization server.
app.oauth2.as.consent.revoke.implicit.client
All consent revoked for client.
app.oauth2.as.consent.revoke.implicit.scope
All consent revoked for scope.
app.oauth2.as.consent.revoke.implicit.user
Consent for all scopes revoked for user.
app.oauth2.as.consent.revoke.user
All consent revoked for user.
app.oauth2.as.consent.revoke.user.client
User consent revoked for client.
app.oauth2.as.evaluate.claim
Claim evaluation for OAuth2 token.
app.oauth2.as.key.rollover
Custom Authorization Server token signing key rolled over.
app.oauth2.as.token.detect_reuse
Detect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired, this event contains information about the user, the client for which the refresh token was minted, and the hash of the refresh tokens.
app.oauth2.as.token.grant
OAuth2 token request.
app.oauth2.as.token.grant.access_token
OAuth2 access token is granted.
app.oauth2.as.token.grant.id_token
OAuth2 id token is granted.
app.oauth2.as.token.grant.refresh_token
OAuth2 refresh token is granted.
app.oauth2.as.token.revoke
OAuth2 token revocation request.
app.oauth2.authorize
OIDC authorization request.
app.oauth2.authorize.code
OIDC authorization code request.
app.oauth2.authorize.implicit.access_token
OIDC authorization implicit access token request.
app.oauth2.authorize.implicit.id_token
OIDC authorization implicit ID token request.
app.oauth2.client.lifecycle.activate
Activate OAuth client.
app.oauth2.client.lifecycle.create
Create OAuth client.
app.oauth2.client.lifecycle.deactivate
Deactivate OAuth client.
app.oauth2.client.lifecycle.delete
Delete OAuth client.
app.oauth2.client.lifecycle.update
Update OAuth client.
app.oauth2.client_id_rate_limit_warning
Fired when requests from a single client id have consumed the majority of an org's rate limit on the OAuth2 endpoint. This event can be used by admins to discover and deactivate a rogue client. The admin is able to manage the client via the Syslog UI. When fired, this event contains information about the responsible client id. As of release, this event is fired when a single client id consumes 90% of an org's OAuth2 rate limit; this threshold is subject to change.
app.oauth2.invalid_client_credentials
Multiple requests with invalid client credentials for client id.
app.oauth2.invalid_client_ids
Multiple requests with invalid client ids.
app.oauth2.key.rollover
Org Authorization Server token signing key rolled over.
app.oauth2.signon
User performed OIDC single sign on to app.
app.oauth2.token.detect_reuse
Detect one-time refresh token attempted reuse. This event can be used by administrators to detect and audit attempted reuse of one-time refresh tokens. When fired, this event contains information about the user, the client for which the refresh token was minted, and the hash of the refresh tokens.
app.oauth2.token.grant
OIDC token request.
app.oauth2.token.grant.access_token
OIDC access token is granted.
app.oauth2.token.grant.id_token
OIDC id token is granted.
app.oauth2.token.grant.refresh_token
OIDC refresh token is granted.
app.oauth2.token.revoke
OIDC token revocation request.
app.oauth2.token.revoke.implicit.as
Tokens revoked for authorization server.
app.oauth2.token.revoke.implicit.client
Tokens revoked for client.
app.oauth2.token.revoke.implicit.user
Tokens revoked for user.
app.office365.api.change.domain.federation.success
Successfully updated the domain federation from old settings to new settings.
app.office365.api.error.ad.user
User is assigned to more than one instance of Active Directory, could not set Immutable ID.
app.office365.api.error.check.user.exists
Could not determine status of Office 365 user, received error.
app.office365.api.error.create.user
Could not create user in Office 365, received error.
app.office365.api.error.deactivate.user
Could not deactivate Office 365 user, received error.
app.office365.api.error.download.custom.objects
Could not download group/role/license data for your Office 365 instance, received error.
app.office365.api.error.download.groups
Could not download all groups from your Office 365 instance, received error.
app.office365.api.error.download.users
Could not download all users from your Office 365 instance, received error.
app.office365.api.error.endpoint.unavailable
Unable to reach the Office 365 endpoint.
app.office365.api.error.get.company.dirsync.failure
Unable to read Office 365 directory sync for the company, received error.
app.office365.api.error.get.company.dirsync.status.failure
Unable to provision user to Office 365, because the 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated and retry.
app.office365.api.error.get.company.dirsync.status.pending
Unable to provision user to Office 365, because the 'Directory Sync' value in Azure Active Directory is not yet in Activated state. This may take up to 72 hours. Please visit the Azure Active Directory portal and retry when in Activated state.
app.office365.api.error.get.object.ids.by.group.id
Could not get users by group id from your Office 365 instance, received error.
app.office365.api.error.group.create.failure
Could not create Office 365 group, received error.
app.office365.api.error.group.create.failure.name.in.use
Could not create Office 365 group because the name is already in use, received error.
app.office365.api.error.group.delete.failure
Could not delete Office 365 group, received error.
app.office365.api.error.group.membership.update.assignment.failure
Could not update the Office 365 group membership because of an error assigning a user to the group, received error.
app.office365.api.error.group.membership.update.failure
Could not update the Office 365 group membership, received error.
app.office365.api.error.group.membership.update.group.not.found.failure
Could not update the Office 365 group membership because the group could not be found, received error.
app.office365.api.error.group.membership.update.removal.failure
Could not update the Office 365 group membership because of an error removing a user from the group, received error.
app.office365.api.error.group.update.failure
Could not update Office 365 group, received error.
app.office365.api.error.group.update.failure.not.found
Could not update Office 365 group because it was not found, received error.
app.office365.api.error.import.profile
Could not import profile for Office 365 user, received error.
app.office365.api.error.no.endpoints.found
No Office 365 endpoint found to send our request.
app.office365.api.error.push.password
Could not push password for Office 365 user, received error.
app.office365.api.error.push.profile
Could not push profile for Office 365 user, received error.
app.office365.api.error.reactivate.user
Could not reactivate Office 365 user, received error.
app.office365.api.error.remove.domain.federation.failure
Unable to remove the domain federation, received error.
app.office365.api.error.remove.domain.federation.failure.access.denied
Unable to remove the domain federation because the admin user is not authorized to perform the task.
app.office365.api.error.remove.domain.federation.failure.domain.not.found
Unable to remove the domain federation because the specified domain was not found.
app.office365.api.error.revoke.refresh.token
Failed to revoke refresh tokens for user.
app.office365.api.error.set.company.dirsync.failure
Unable to enable Office 365 directory sync for the company, received error.
app.office365.api.error.set.company.dirsync.status.failure
Unable to enable Office 365 directory sync for the company, because 'Directory Sync' value in Azure Active Directory is unsupported. Please visit the Azure Active Directory portal and set 'Directory Sync' state to Activated.
app.office365.api.error.set.domain.federation.failure
Unable to set up the domain federation, received error.
app.office365.api.error.set.domain.federation.failure.access.denied
Unable to set up the domain federation because the admin user is not authorized to perform the task.
app.office365.api.error.set.domain.federation.failure.domain.default
Unable to set up the domain federation because the specified domain is the default domain.
app.office365.api.error.set.domain.federation.failure.domain.not.found
Unable to set up the domain federation because the specified domain was not found.
app.office365.api.error.sync.contact
Failed to sync contact, received error.
app.office365.api.error.sync.finalize
Failed to finalize export to Office 365, received error.
app.office365.api.error.sync.group
Failed to sync group, received error.
app.office365.api.error.sync.not.activated
Sync could not execute because Office 365 directory sync for the company is not yet Activated. Sync will retry after a period of time.
app.office365.api.error.sync.set.attribute
Failed to set attribute, received error.
app.office365.api.error.sync.user
Failed to sync user, received error.
app.office365.api.error.unable.to.create.graph.client
An error occurred while creating the Azure Active Directory Graph API client. Please try the last operation again. If this error persists, please contact Okta support.
app.office365.api.error.validate.admin.creds
User does not have the Company Administrator role. Please try again with a user which has this role.
app.office365.api.error.validate.creds
Could not validate your Office 365 credentials, received error.
app.office365.api.error.validate.creds.unknown.exception
Could not communicate with Office 365 to validate your credentials, received error.
app.office365.api.error.x-ms-forwarded-client-ip-header.absent
X-MS-Forwarded-Client-IP header either empty or not found in the request.
app.office365.api.remove.domain.federation.success
Successfully removed the domain federation.
app.office365.api.set.domain.federation.success
Successfully set up the domain federation with new settings.
app.office365.api.sync.complete
User sync completed.
app.office365.api.sync.heartbeat.sent
Heartbeat sent to Microsoft Azure Active Directory.
app.office365.api.sync.job.complete
Sync job completed.
app.office365.api.sync.job.complete.contact
Sync job completed.
app.office365.api.sync.job.complete.group
Sync job completed.
app.office365.api.sync.job.complete.user
Sync job completed.
app.office365.clientplatform.conversion.job.processing.app.instance
Begin processing client access conversion for app instance.
app.office365.clientplatform.conversion.job.skipping.migration
Skipping migration of client access rules for app instance.
app.office365.dirsync.skipping.conflict-object
Skipping sync of conflict object.
app.office365.dirsync.skipping.critical-system-object
Skipping sync of critical system object.
app.office365.dirsync.skipping.non-security-group-invalid-mail
Skipping sync of non security object with invalid mail.
app.office365.dirsync.skipping.reserved-attribute-value
Skipping sync of object with reserved attribute value.
app.office365.dirsync.skipping.systemmailbox
Skipping sync of system mailbox object.
app.office365.dirsync.skipping.without-name-and-displayname
Skipping sync of non security object without name and display name.
app.office365.error.importing.user
An error occurred while importing user.
app.office365.graph.api.error.no.mailbox.found
No MailBox found for Office 365 user.
app.office365.graph.api.error.rate-limit.exceeded
Rate limit exceeded for Microsoft Graph.
app.office365.graph.api.error.service.principal.creation.failed
Failure while trying to create service principal.
app.office365.graph.api.error.service.principal.msgraph.authentication.failure
Failure while trying to create service principal due to a Microsoft Graph authentication issue.
app.office365.service.principal.cleanup.job.complete
End processing Office 365 service principal cleanup.
app.office365.service.principal.cleanup.job.invalid.credentials
The admin username or password is invalid. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually clean up the service principal.
app.office365.service.principal.cleanup.job.processing
Begin performing Office 365 service principal cleanup.
app.office365.service.principal.cleanup.job.skipping.missing.creds
Skipping app instance during Office 365 service principal cleanup as it does not contain Office 365 admin user credentials. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually clean up the service principal.
app.office365.service.principal.cleanup.job.skipping.no.service.principal
Skipping app instance during Office 365 service principal cleanup as it does not have a service principal.
app.office365.service.principal.cleanup.job.unable.to.delete.service.principal
Unable to automatically delete the Office 365 service principal. Please use the Azure Active Directory cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to manually clean up the service principal.
app.office365.user.delete.success
Successfully deleted the Office 365 user.
app.office365.user.lifecycle.action.failed
Unable to complete app user lifecycle action for AppUser.
app.office365.user.remove.licenses.success
Successfully removed all the licenses for the Office 365 user.
app.radius.agent.port_inaccessible
Radius agent failed to listen on port.
app.radius.agent.port_reaccessible
Radius agent was able to listen on port again.
app.radius.info_access.no_permission
No permission accessing any Radius app info. This event can be used to monitor and notify admins when some users who access radius app info have no permission. Fired when users who access radius app info have no permission.
app.radius.info_access.partial_permission
No permission accessing info for part of Radius apps. This event can be used to monitor and notify admins when some users who access radius app info have only partial permission. Fired when users who access radius app info have partial permission.
app.realtimesync.import.details.add_user
Real time sync added new User.
app.realtimesync.import.details.delete_user
Real time sync removed existing User.
app.realtimesync.import.details.update_user
Fired when a real time import includes an update to an existing user. This can be used to see details about the user updates included in a real time sync import. When fired, this event contains information about the type of update made, including whether or not a user was suspended or unsuspended. Related events include: app.realtimesync.import.details.add_user and app.realtimesync.import.details.delete_user.
app.rum.config.validation.error
Error validating instance configuration. Can be used to identify configuration issues with remote user management.
app.rum.is.api.account.error
RUM API account is not configured or empty. Can be used to identify RUM API account configuration issues.
app.rum.package.thrown.error
Errors during execution. Can be used to identify any errors during execution of remote user management.
app.rum.validation.error
Error during package validation. Can be used to identify validation issues with remote user management packages.
app.saml.sensitive.attribute.update
Fired when a SAML assertion contains a sensitive attribute, and that sensitive attribute has been updated (modified/added/deleted). This event does not fire when non-sensitive SAML attributes are updated. This can be used to audit that a sensitive attribute attached to an outbound SAML assertion has been correctly modified, added, or deleted. When fired, this event contains the specific attributes that have been modified, added, or deleted to/from the SAML assertion. Related events include: application.lifecycle.update.
app.user_management
Imported new or deleted existing member of an application group.
app.user_management.grouppush.mapping.created.from.rule
A Group Push mapping to the group has been created from the rule.
app.user_management.grouppush.mapping.created.from.rule.error.duplicate
A Group Push mapping to the group did not get created from rule because an existing mapping already existed.
app.user_management.grouppush.mapping.created.from.rule.error.validation
A Group Push mapping to the group did not get created from rule because of the validation error.
app.user_management.grouppush.mapping.created.from.rule.errors
A Group Push mapping to the group did not get created from rule.
app.user_management.grouppush.mapping.okta.users.ignored
Okta users ignored while pushing group to AppInstance.
app.user_management.import.csv.line.error
Error reading line from CSV.
app.user_management.push_new_user_success
Successfully pushed new user account to app.
app.user_management.update_from_master_failed
Could not apply import.
app.user_management.user_group_import.create_failure
Failed to create group from app.
app.user_management.user_group_import.delete_success
Deleted the group from app.
app.user_management.user_group_import.update_failure
Failed to update group from app.
app.user_management.user_group_import.upsert_fail
Failed to import the group from app. This event helps identify when a group fails to be imported. Fired when we skip processing an import of a group.
app.user_management.user_group_import.upsert_success
Imported the group from app.
application.appuser.mapping.invalid.expression
App user property mapping has invalid expressions. Can be used to identify invalid expressions. Note that a single event is fired for all invalid expressions.
application.cache.invalidate
Event fired when an app list cache is invalidated because a new app is created. Can be used to make sure the app list cache is invalidated after a new app is created.
application.configuration.detect_error
Application configuration error detected.
application.configuration.disable_delauth_outbound
Disable delegated authentication for app.
application.configuration.disable_fed_broker_mode
Disable Federation Broker Mode for app.
application.configuration.enable_delauth_outbound
Enable delegated authentication for app.
application.configuration.enable_fed_broker_mode
Enable Federation Broker Mode for app.
application.configuration.import_schema
Okta couldn't download application configuration. Can be used to identify when an app schema couldn't be downloaded from a remote application. Event fired when Okta couldn't download application-specific data from a remote app. This may happen when an admin updates provisioning details.
application.configuration.reset_logo
Reset app logo.
application.configuration.update
Okta couldn't verify API credentials. Can be used when Okta couldn't check the credentials by executing a custom, application-dependent set of requests. Okta fires this event to notify of issues with credentials validation. Could be issues with proper permissions as well.
application.configuration.update_api_credentials_for_pass_change
Update API credentials due to user updating password.
application.configuration.update_logo
Change app logo.
application.integration.api_query
Unable to query remote API. Can be used to determine when Okta fails to query a remote application. Okta fires this event for unspecified events which include remote API response processing.
application.integration.authentication_failure
Error authenticating. Can be used when Okta couldn't authenticate with the provided credentials to a remote api. Okta fires this event when it couldn't access a remote api with provided credentials.
application.integration.general_failure
Generic error occurred. Can be used when an uncategorized error occurs. Okta fires this event for different unhandled exceptions.
application.integration.rate_limit_exceeded
API rate limit exceeded. Can be used when Okta reaches api calls/minute rate limit. Okta fires this event when there are too many requests for a specific customer.
application.integration.transfer_files
Unable to transfer files. Can be used when Okta fails to transfer files from one user to another. Okta fires this event when it fails to process user-to-user file transfers.
application.lifecycle.activate
Activate application.
application.lifecycle.create
Create application.
application.lifecycle.deactivate
Deactivate application.
application.lifecycle.delete
Delete application.
application.lifecycle.update
Update application.
application.policy.sign_on.deny_access
Deny user access due to app sign on policy. When fired due to app assurance being evaluated as unsatisfiable (the policy requirements could not be satisfied by the users' current set of available authenticator enrollments), this event contains information about the user and the app that the user is trying to authenticate into.
application.policy.sign_on.rule.create
Create rule for app sign on policy.
application.policy.sign_on.rule.delete
Delete rule from app sign on policy.
application.policy.sign_on.update
Update app sign on policy.
application.provision.field_mapping_rule.change
Event fired when field mapping rules are modified. Can be used to identify when custom mapping rules are modified.
application.provision.group.add
Fired when Okta provisions a new group on a remote application. Can be used to identify when Okta provisions a group on a remote application. Event fired when the group provisioning failed for any reason.
application.provision.group.import
Fired when Okta downloads a remote group. Can be used to identify when Okta tries to download remote group details. Event fired when Okta fails to reach the group detail from a remote application.
application.provision.group.remove
Fired when Okta removes a remote group. Can be used to identify when a group has been unassigned. Event fired when Okta failed to delete group from remote application.
application.provision.group.update
Fired when Okta updates the user group. Can be used to identify when a group has been updated. Event fired when Okta fails to update a remote group for any reason.
application.provision.group.verify_exists
Fired when a group no longer exists on a remote application. Can be used to identify when a group no longer exists on a remote application. Event fired when group push enhancement is enabled and there is no group found on update or delete.
application.provision.group_membership.add
Failed to assign a user to a group. Can be used when Okta failed to assign a user to a group on a remote application. Okta fires this event if there are any issues while provisioning a membership to a remote application.
application.provision.group_membership.import
Error while downloading memberships. Can be used when Okta failed to download users and groups relationships. Okta fires this event if there are any issues while importing a membership from a remote application.
application.provision.group_membership.remove
Fired when there is an error while removing user(s) from group. Can be used when Okta failed to unassign a user from a group on a remote application. Okta fires this event when there are any issues while provisioning a membership to a remote application.
application.provision.group_membership.update
Fired when there is an error while updating user group membership for group. Can be used when Okta failed to push updated memberships to a remote application. Okta fires this event when it couldn't update memberships on a remote application. Could be user removal/addition.
application.provision.group_push.activate_mapping
Group push activated mappings.
application.provision.group_push.delete_appgroup
Group push deleted application group.
application.provision.group_push.mapping.and.groups.deleted.rule.deleted
An existing mapping and its target groups have been deleted because a mapping rule was deleted.
application.provision.group_push.mapping.app.group.renamed
A mapped app group has been renamed because the source group was renamed.
application.provision.group_push.mapping.app.group.renamed.failed
A mapped app group couldn't be renamed when the source group was renamed.
application.provision.group_push.mapping.created
A new mapping has been created.
application.provision.group_push.mapping.created.from.rule.warning.duplicate.name
A new mapping from a rule was not created due to a duplicate group name.
application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated
A new mapping from a rule was not created because another mapping that has the same user group name will be created.
application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name
An upsert to a group caused group push rule re-evaluation. A new mapping from a rule was not created due to a duplicate group name.
application.provision.group_push.mapping.deactivated.source.group.renamed
An existing mapping has been deactivated because the source group was renamed.
application.provision.group_push.mapping.deactivated.source.group.renamed.failed
An existing mapping couldn't be deactivated when the source group was renamed.
application.provision.group_push.mapping.update.or.delete.failed
Failed to push mapping changes due to an exception.
application.provision.group_push.mapping.update.or.delete.failed.with.error
Failed to push mapping changes due to user exception.
application.provision.group_push.push_memberships
Group push pushed memberships.
application.provision.group_push.pushed
A group was pushed to an app.
application.provision.group_push.removed
A group was removed from an app.
application.provision.group_push.updated
A group was updated in an app.
application.provision.integration.call_api
Application integration API called.
application.provision.user.activate
Activate user's application membership.
application.provision.user.deactivate
Push user deactivation to external application.
application.provision.user.deprovision
Deprovision user from external application.
application.provision.user.import
Deactivate user from external application.
application.provision.user.import_profile
Import profile from external application.
application.provision.user.password
Issue pushing user password to external application.
application.provision.user.push
Push new user to external application.
application.provision.user.push_okta_password
Push user's Okta password to application.
application.provision.user.push_password
Push user's password to application.
application.provision.user.push_profile
Push user's profile to external application.
application.provision.user.reactivate
Push user reactivation in external application.
application.provision.user.sync
Sync user in external application.
application.provision.user.verify_exists
Verify user exists in external application.
application.registration_policy.lifecycle.create
Create registration policy.
application.registration_policy.lifecycle.update
Update registration policy.
application.user_membership.add
Add user to application membership.
application.user_membership.approve
User approved for application (assigned but not provisioned).
application.user_membership.change_password
Change application password for user.
application.user_membership.change_username
Change user's application username.
application.user_membership.deprovision
User deprovisioned from application (was previously revoked).
application.user_membership.provision
User provisioned to application (was previously approved).
application.user_membership.remove
Remove user's application membership.
application.user_membership.restore
Restore user assignment to an application.
application.user_membership.restore_password
Restore user's password for an application.
application.user_membership.revoke
User revoked from application (unassigned but not yet deprovisioned).
application.user_membership.show_password
Show user's password for application.
application.user_membership.update
Updated user application property.
core.concurrency.org.limit.violation
Too many requests in flight.
core.el.evaluate
Evaluate Expression Language.
core.user_auth.idp.x509.crl_download_failure
Failed to download CRL from the endpoint.
credential.register
Fired when a credential is registered. This event fires when the registration of a credential is successful or fails. This can be used to audit that a credential has been successfully registered, and troubleshoot why a credential registration attempt has failed.
credential.revoke
Fired when a credential is revoked. This event fires when the revocation of a credential is successful or fails. This can be used to audit that a credential has been successfully revoked, and troubleshoot why a credential revocation attempt has failed.
directory.app_user_profile.bootstrap
Bootstrap application user profile.
directory.app_user_profile.update
Update application user profile.
directory.mapping.update
Update universal directory mappings.
directory.non_default_user_profile.create
Create non-default universal directory user profile. This can be used to audit that a new non-default universal directory user profile has been created. When fired, this event contains the name and id of the newly created user profile.
directory.user_profile.bootstrap
Bootstrap universal directory user profile.
directory.user_profile.update
Update universal directory user profile.
event_hook.activated
Triggered when an event hook has been activated. Used to notify admins that an event hook has been activated. When triggered, this event contains information about the activated event hook.
event_hook.created
Triggered when an event hook has been created. Used to notify admins that an event hook has been created. When triggered, this event contains information about the created event hook.
event_hook.deactivated
Triggered when an event hook has been deactivated. Used to notify admins that an event hook has been deactivated. When triggered, this event contains information about the deactivated event hook.
event_hook.deleted
Triggered when an event hook has been deleted. Used to notify admins that an event hook has been deleted. When triggered, this event contains information about the deleted event hook.
event_hook.delivery
Triggered when an event hook delivery fails. Used to identify when an event hook from Okta is not successfully delivered to the configured endpoint. Note that the event is triggered only when the delivery is unsuccessful.
event_hook.updated
Triggered when an event hook has been updated. Used to notify admins that an event hook has been updated. When triggered, this event contains information about the updated event hook.
event_hook.verified
Triggered when attempting to verify an event hook. Used to notify admins about the outcome of event hook endpoint URL verification. Note that the event is fired even when the verification is unsuccessful.
group.application_assignment.add
Add assigned application to group.
group.application_assignment.remove
Remove assigned application from group.
group.application_assignment.skip_assignment_reconcile
No Description
group.application_assignment.update
Update assigned application in group.
group.lifecycle.create
Create Okta group. This can be used to make sure an Okta group is successfully created. Event fired when an Okta group is successfully created.
group.lifecycle.delete
Delete Okta group. This can be used to make sure an Okta group is successfully deleted. Event fired when an Okta group is successfully deleted.
group.privilege.grant
Fired when a group within Okta has been granted admin privileges. The group granted privileges can be an Okta mastered group, an AD mastered group, or an LDAP mastered group. This can be used to audit the provisioning of admin privileges for groups. When fired, this event contains information about the type of admin privileges that have been granted, and what entity masters the group. Related events include: GROUP_PRIVILEGE_REVOKE.
group.privilege.revoke
Fired when a group within Okta has had admin privileges revoked. The group with revoked privileges can be an Okta mastered group, an AD mastered group, or an LDAP mastered group. This can be used to audit the provisioning of admin privileges for groups. When fired, this event contains information about the type of admin privileges that have been revoked, and what entity masters the group. Related events include: GROUP_PRIVILEGE_REVOKE.
group.user_membership.add
Add user to group membership.
group.user_membership.remove
Remove user from group membership.
group.user_membership.rule.add_exclusion
Add user to group membership exclusion rule.
group.user_membership.rule.deactivated
No Description
group.user_membership.rule.error
Group membership rule is in error state.
group.user_membership.rule.evaluation
No Description
group.user_membership.rule.invalidate
Invalidate group membership rule.
group.user_membership.rule.trigger
Trigger group membership rule.
inline_hook.activated
Triggered when an inline hook is activated. Used to identify when an inline hook lifecycle status was changed to activated. When triggered, this event contains information about the activated inline hook.
inline_hook.created
Triggered when an inline hook has been created. Used to notify admins that an inline hook has been created. When triggered, this event contains information about the created inline hook.
inline_hook.deactivated
Triggered when an inline hook is deactivated. Used to identify when an inline hook lifecycle status was changed to deactivated. When triggered, this event contains information about the deactivated inline hook.
inline_hook.deleted
Triggered when an inline hook has been deleted. Used to notify admins that an inline hook has been deleted. When triggered, this event contains information about the deleted inline hook.
inline_hook.executed
Triggered when an inline hook has been executed. Used to notify admins about the outcome of execution of an inline hook. Note that the event is fired when the execution is unsuccessful.
inline_hook.response.processed
Triggered after Okta has finished processing response from an inline hook. Used to notify admins about the outcome of processing response from an inline hook. Note that the event is fired even when the processing is unsuccessful.
inline_hook.updated
Triggered when an inline hook has been modified. Used to notify admins that an inline hook has been updated. When triggered, this event contains information about the updated inline hook.
master_application.user_membership.add
User provisioned to app.
mim.command.generic.acknowledged
No Description
mim.command.generic.cancelled
No Description
mim.command.generic.delegated
No Description
mim.command.generic.error
No Description
mim.command.generic.notnow
No Description
mim.command.ios.acknowledged
No Description
mim.command.ios.cancelled
No Description
mim.command.ios.formaterror
No Description
mim.createEnrollment.ANDROID
No Description
mim.createEnrollment.UNKNOWN
No Description
mim.createEnrollment.WINDOWS
No Description
mim.streamDevicesAppListCSVDownload
No Description
mim.streamDevicesCSVDownload
No Description
network_zone.rule.disabled
No Description
oauth2.as.activated
Authorization server is activated.
oauth2.as.created
Authorization server is created.
oauth2.as.deactivated
Authorization server is deactivated.
oauth2.as.deleted
Authorization server is deleted.
oauth2.as.updated
Authorization server is updated.
oauth2.claim.created
OAuth2 claim is created.
oauth2.claim.deleted
OAuth2 claim is deleted.
oauth2.claim.updated
OAuth2 claim is updated.
oauth2.scope.created
OAuth2 scope is created.
oauth2.scope.deleted
OAuth2 scope is deleted.
oauth2.scope.updated
OAuth2 scope is updated.
omm.app.VPN.settings.changed
No Description
omm.app.WIFI.settings.changed
No Description
omm.app.eas.cert_based.settings.changed
No Description
omm.app.eas.settings.changed
No Description
org.not_configured_origin.redirection.usage
Using untrusted origin for redirection.
pki.cert.issue
Device Trust certificate issuance.
pki.cert.renew
Device Trust certificate renewal.
pki.cert.revoke
Device Trust certificate revocation.
plugin.script_status
Status information from script execution.
policy.execute.user.start
Start execution of policy for user.
policy.lifecycle.deactivate
Deactivate policy.
policy.rule.action.execute
Scheduled execution of policy rule action.
policy.rule.deactivate
Deactivate policy rule.
policy.rule.invalidate
Invalidate policy rule.
policy.scheduled.execute
Scheduled execution of policy.
scheduled_action.user_suspension.canceled
Canceled scheduled user suspension.
scheduled_action.user_suspension.completed
Completed scheduled user suspension.
scheduled_action.user_suspension.scheduled
Scheduled user suspension.
scheduled_action.user_suspension.updated
Updated scheduled user suspension.
security.device.add_request_blacklist_policy
Added request blacklist to request blacklist policies.
security.device.remove_request_blacklist_policy
Removed request blacklist from request blacklist policies.
security.device.temporarily_disable_blacklisting
Temporarily disabling blacklisting.
security.request.blocked
Security request blocked.
security.session.detect_client_roaming
Roaming session detected for user.
security.threat.configuration.update
Fired when a ThreatInsight configuration has been updated. This can be used to identify when an existing ThreatInsight configuration has been updated. An update can be updating the action or the excluded zones. When fired, this event contains information about who made the update to the configuration.
security.threat.detected
Request from an IP identified as malicious by Okta ThreatInsight. This can be used to monitor and act on credential based attacks (such as Brute Force, Password Spray) on your organization. The reasons why the request was classified as malicious can be found in the outcome.reason field. The outcome.result field will be 'ALLOW' or 'DENY' based on whether Okta Threat Insight is configured in log mode or log and block mode, where 'ALLOW' means the request continued and 'DENY' means the request was blocked.
security.voice.add_country_blacklist
Fired when a country has been added to the voice call blacklist. This can be used to identify when a country has been blacklisted for voice call. When fired, this event contains information about the country that was added to the blacklist. Related events include security.voice.remove_country_blacklist.
security.voice.remove_country_blacklist
Fired when a country has been removed from the voice call blacklist. This can be used to identify when a country has been removed from voice call blacklist. When fired, this event contains information about the country that was removed from the blacklist. Related events include security.voice.add_country_blacklist.
security.zone.make_blacklist
Added IPs to blacklist zone.
security.zone.remove_blacklist
Removed IPs from blacklist zone.
self_service.disabled
Self-service disabled for app.
self_service.enabled
Self-service enabled for app.
system.agent.ad.connect
Connect AD agent to Okta.
system.agent.ad.create
Create AD agent.
system.agent.ad.deactivate
Deactivate AD agent.
system.agent.ad.delete
Delete AD agent.
system.agent.ad.import_ou
Perform import OU by AD agent.
system.agent.ad.import_user
Perform import user by AD agent.
system.agent.ad.invoke_dir
Perform directory invoke command by AD agent.
system.agent.ad.reactivate
Reactivate AD agent.
system.agent.ad.read_config
Perform config read by AD agent.
system.agent.ad.read_dirsync
Perform dirsync read by AD agent.
system.agent.ad.read_ldap
Perform LDAP read by AD agent.
system.agent.ad.read_schema
Perform schema read by AD agent.
system.agent.ad.read_topology
Directory agent performed topology import operation.
system.agent.ad.realtimesync
Perform RealTimeSync by AD agent.
system.agent.ad.reset_user_password
Perform user password reset by AD agent.
system.agent.ad.unlock_user_account
Perform unlock user account by AD agent.
system.agent.ad.update
Update AD agent configuration.
system.agent.ad.update_user
User Auth and Update.
system.agent.ad.upgrade
Upgrade AD agent.
system.agent.ad.upload_iwa_log
Fired when an AD agent has fetched and uploaded an IWA agent log file. This event fires when the log file upload is successful or fails. This can be used to audit that log files are being fetched successfully, have been uploaded successfully, and troubleshoot why an IWA log upload has failed. When fired, this event indicates whether a log file upload has been successful or failed. This event also indicates whether the event was initiated by the Okta system or a user. Related events: none, all debugging context is included in this event.
system.agent.ad.upload_log
Upload AD agent log.
system.agent.ad.write_ldap
Perform LDAP write by AD agent.
system.agent.connector.connect
Connect connector agent to Okta.
system.agent.connector.deactivate
Deactivate connector agent.
system.agent.connector.delete
Delete connector agent.
system.agent.connector.reactivate
Reactivate connector agent.
system.agent.ldap.change_user_password
Perform change user password by LDAP agent.
system.agent.ldap.create_user_JIT
Perform create user JIT by LDAP agent.
system.agent.ldap.disconnect
Disconnect LDAP agent from Okta.
system.agent.ldap.reconnect
Reconnect LDAP agent to Okta.
system.agent.ldap.reset_user_password
LDAP agent performed a password reset.
system.agent.ldap.unlock_user_account
LDAP agent performed account unlock for User.
system.agent.ldap.update_user_password
Perform update user password by LDAP agent.
system.billing.sms_usage_sent
Indicates that a report for SMS usage was sent to the billing system.
system.client.concurrency_rate_limit.notification
Notify when too many requests are in flight for a client. This can be used to notify whenever there are too many concurrent requests from a client without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details.
system.client.concurrency_rate_limit.violation
Too many requests in flight for client. This can be used to track if there are too many concurrent requests from a client. When fired, this event contains information about the request such as client, device and IP details.
system.client.rate_limit.notification
Notify when client rate limits are exceeded. This can be used to notify whenever a client is exceeding its rate limit without enforcing any violation. When fired, this event contains information about the request such as client, device and IP details.
system.client.rate_limit.violation
Client rate limit violation. This can be used to track if a client is exceeding its rate limit. When fired, this event contains information about the request such as client, device and IP details.
system.csv.import_user
Perform import user by CSV.
system.directory.debugger.extend
Extend Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access extension. When fired, this event contains information about Directory Debugger access extension.
system.directory.debugger.grant
Grant Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access grants to Okta support. When fired, this event contains information about Directory Debugger access grant.
system.directory.debugger.query_executed
A read-only query executed against AD/LDAP instance by Okta support using the Directory Debugger tool. This can be used to audit the queries executed by Okta support using Directory Debugger. When fired, this event contains information about Directory Debugger query.
system.directory.debugger.revoke
Revoke Directory Debugger access for Okta support. This can be used to audit the Directory Debugger access revoke. When fired, this event contains information about Directory Debugger access revoke.
system.email.account_unlock.sent_message
Send self-service account unlock email.
system.email.challenge_factor_redeemed
This event indicates that a user completed an email factor challenge. This can be used to identify when a credential sent in an email to a user has been redeemed (the link was clicked or the code was entered). When fired, this event contains information about the result. Success if successful or error reasons should be present for failure cases (e.g. incorrect code, timeout, expired, etc.). The event also contains a debugData with the action (the link was clicked or the code was entered).
system.email.mfa_enroll_notification.sent_message
MFA enrollment notification email sent. Used to notify admins that an MFA enrollment notification email has been sent.
system.email.mfa_reset_notification.sent_message
MFA reset notification email sent. Used to notify admins that an MFA reset notification email has been sent.
system.email.new_device_notification.sent_message
New device signin notification email sent.
system.email.password_reset.sent_message
Send self-service password reset email.
system.email.send_factor_verify_message
An email was sent to a user for verification. Used to notify admins that an email was sent to a user for verification. When fired, this event contains information about the token lifetime in the debugData.
system.email.template.update
Fired when a custom email template has been updated. Can be used to identify when an admin user has updated a custom email template. This event can be used to understand which email template has been updated, but this event does not provide information about the type of update made to a template.
system.feature.ea_auto_enroll
Fired when an org has subscribed to or unsubscribed from EA Feature Auto Enroll. This can be used to understand the status of EA Feature Auto Enroll subscription and identify who has made changes to the subscription. When fired, this event contains information about the status of EA Feature Auto enroll subscription, as well as the admin who made any subscription changes.
system.idp.lifecycle.activate
Fired when an Identity provider is activated. This can be used to audit that an identity provider has been activated. When fired, this event indicates an Identity provider was activated. This event also indicates the type of the identity provider that was activated.
system.idp.lifecycle.create
Fired when a new Identity provider is created. This can be used to audit that a new identity provider has been created. When fired, this event indicates an Identity provider was successfully created. This event also indicates the type of the identity provider that was created.
system.idp.lifecycle.deactivate
Fired when an Identity provider is deactivated. This can be used to audit that an identity provider has been deactivated. When fired, this event indicates an Identity provider has been deactivated. This event also indicates the type of the identity provider that was deactivated.
system.idp.lifecycle.delete
Fired when an Identity provider is deleted. This can be used to audit that an identity provider has been deleted. When fired, this event indicates an Identity provider was deleted. This event also indicates the type of the identity provider that was deleted.
system.idp.lifecycle.update
Fired when an Identity provider is updated. This can be used to audit that an identity provider configuration has been updated. When fired, this event indicates an Identity provider configuration was updated. This event also indicates the type of the identity provider that was updated.
system.import.clear.unconfirmed.users.summary
Clear Unconfirmed Imported Users. Can be used for clearing unconfirmed imported users from the last import result. Note that a single event is fired for clearing unconfirmed imported users instead of firing a delete event for each user.
system.import.complete
Import process complete.
system.import.complete_batch
Batch import process complete.
system.import.custom_object.complete
Import of custom objects completed.
system.import.custom_object.create
Create custom object triggered by import process.
system.import.custom_object.delete
Delete custom object triggered by import process.
system.import.custom_object.update
Update custom object triggered by import process.
system.import.download.complete
Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.download.start
Fired at the start of the download objects phase, when the objects (users, groups, devices) to be imported are being downloaded from the system of record. This can be used to determine when an import has started, as well as to trigger processes that should run concurrently with the import.
system.import.group.complete
Import of groups completed.
system.import.group.create
Create group triggered by import process.
system.import.group.delete
Remove group triggered by import process.
system.import.group.start
Start importing groups from refreshing AppGroups.
system.import.group.update
Update group triggered from import process.
system.import.group_membership.complete
Import of application group members completed.
system.import.implicit_deletion.complete
Fired upon completion of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.implicit_deletion.start
Fired at the start of the implicit deletion phase, when Okta checks for the deletion of users, groups, and custom objects. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.import_profile
Import user profile triggered by import process.
system.import.import_provisioning_info
Import provisioning info triggered by import process.
system.import.membership_processing.complete
Fired upon completion of the membership processing phase, when Okta checks which groups users being imported into Okta should be added to or removed from. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.membership_processing.start
Fired at the start of the membership processing phase, when Okta checks which groups users being imported into Okta should be added to or removed from. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.object_creation.complete
Fired upon completion of the object creation phase, when the first batch of objects is created/updated. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.object_creation.start
Fired at the completion of the download objects phase, when the objects (users, groups, devices) to be imported have been downloaded from the system of record. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.roadblock
Import roadblock triggered due to exceeded threshold.
system.import.roadblock.reschedule_and_resume
The affected import from AppInstance has been rescheduled. All other imports will resume.
system.import.roadblock.resume
The affected import from AppInstance has been canceled. All other imports will resume.
system.import.roadblock.updated
Fired when an import roadblock (aka, Import Safeguard) has been updated. This event can be used to identify when an admin updated the Max Import Unassignment roadblock setting, and what the setting was updated to. This event includes details on what the roadblock was updated to and who made the change.
system.import.user.complete
Import of user completed.
system.import.user.create
Create user triggered by import process.
system.import.user.delete
Delete user triggered by import process.
system.import.user.match
Assign user triggered by import process with callback. This event can be used to alter the matching result for a given imported user. This event is fired when the matching result is altered by the synchronous callback.
system.import.user.start
Start importing users triggered by import process.
system.import.user.suspend
Suspend user triggered by import process.
system.import.user.unsuspend
Unsuspend user triggered by import process.
system.import.user.unsuspend_after_confirm
No Description
system.import.user.update
Update user triggered by import process.
system.import.user.update_user_lifecycle_from_master
Update user status triggered by import process.
system.import.user_matching.complete
Fired upon completion of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.import.user_matching.start
Fired at the start of the user matching phase, when Okta attempts to match imported users to existing Okta users. This can be used to determine the progress of an import, as well as to trigger processes that should run concurrently with the import.
system.iwa.create
Create IWA agent.
system.iwa.go_offline
IWA going offline.
system.iwa.promote_primary
Promote IWA agent to primary.
system.iwa.update
Update IWA agent.
system.iwa.use_default
No primary IWA app found. Using default login.
system.iwa_agentless.auth
Agentless IWA authentication.
system.iwa_agentless.redirect
Fired when an Agentless DSSO authentication request is redirected to an onprem IWA authentication or the default login page. This can be used to identify when an agentless authentication request resulted in a redirect to an onprem IWA or default login page. This can also be used to identify the potential cause of the redirect. When fired, this event identifies the cause of the redirection. When a custom error page is defined, a redirect event is not always generated when a redirection occurs.
system.iwa_agentless.update
Update to agentless IWA.
system.iwa_agentless.user.not_found
Fired when a user could not be found during Agentless DSSO authentication, resulting in an authentication failure. This can be used to identify when an agentless authentication request resulted in a failure. The failure could be due to the user not being found in Okta, Okta not being able to connect to AD, or the user not being found in AD. This can also be used to identify the potential cause of the failure. When fired, this event contains information about the potential cause of the failure.
system.iwa_agentless_kerberos.update
Fires when a Kerberos realm setting is updated by an admin. This event fires when the update is successful or fails. This can be used to audit the Kerberos realm setting, and troubleshoot why Kerberos authentication failed. When fired, this event indicates whether the Kerberos realm setting update has been successful or failed. This event also indicates the initiator of the event and the current setting for Kerberos Realm. Related events: none, all debugging context is included in this event.
system.ldapi.bind
Fired when a user performs a BIND to LDAP Interface. Can be used to identify when a user attempted to perform an LDAP authentication for audit or debugging purposes. Note that the firing of this event is subject to LDAPi event filtering rules.
system.ldapi.search
Fired when a user performs a SEARCH to LDAP Interface. Can be used to identify when a user attempted to perform a search on LDAP Interface for audit or debugging purposes. Note that the firing of this event is subject to LDAPi event filtering rules.
system.ldapi.unbind
Fired when a user performs an UNBIND to LDAP Interface. Can be used to identify when a user attempted to end an LDAP Interface session for audit or debugging purposes. Note that the firing of this event is subject to LDAPi event filtering rules.
system.org.lifecycle.create
Org creation.
system.org.rate_limit.expiration.warning
Rate limit approaching expiration date.
system.org.rate_limit.violation
Rate limit violation.
system.org.rate_limit.warning
Rate limit warning.
system.push.send_factor_verify_push
Fired when a Push notification is sent to a device. Used to notify admins when a push was sent to a user for verification. Note that this event is fired whenever a Push is sent.
system.sms.receive_status
Fired when receiving a status update on an SMS message from the provider. This event can be used by Org Admins to identify users that are/aren't getting one-time passcodes delivered successfully via SMS; the provider status can be obtained from the status field in debug data. For any system.sms.send_* event, there should be exactly one of this event.
system.sms.send_account_unlock_message
Send self-service account unlock SMS message.
system.sms.send_factor_verify_message
Send second factor auth SMS.
system.sms.send_okta_push_verify_message
Send activate Okta Verify Push for mobile SMS.
system.sms.send_password_reset_message
Send self-service password reset SMS message.
system.sms.send_phone_verification_message
Send phone verification SMS message.
system.voice.receive_status
Fired when receiving a status update on a voice call from the provider. This event can be used by Org Admins to identify users that are/aren't getting one-time passcodes delivered successfully via voice call. The provider status can be obtained from the status field in the debug data. For any system.voice.send_* event, there should be exactly one of this event.
system.voice.send_account_unlock_call
Send self-service account unlock call.
system.voice.send_call
Send phone call.
system.voice.send_mfa_challenge_call
Send second factor auth call.
system.voice.send_password_reset_call
Send self-service password reset call.
system.voice.send_phone_verification_call
Send phone verification call.
task.lifecycle.activate
Activated system task.
task.lifecycle.create
Created system task.
task.lifecycle.deactivate
Deactivated system task.
task.lifecycle.delete
Deleted system task.
task.lifecycle.update
Updated system task.
user.account.access_super_user_app
Access super user in Okta.
user.account.lock
Auto-lock user account for Okta.
user.account.lock.limit
This event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.
user.account.privilege.grant
Grant user privilege.
user.account.privilege.revoke
Revoke user privilege.
user.account.report_suspicious_activity_by_enduser
User reported suspicious activity. This event is used to identify user account suspicious activity.
user.account.reset_password
User reset password for Okta (by admin).
user.account.unlock
Auto-unlock user account for Okta.
user.account.unlock_by_admin
User account unlock by admin.
user.account.unlock_failure
Failed to schedule unlock job for user.
user.account.unlock_token
Issued recovery token for self-service account unlock.
user.account.update_password
User update password for Okta.
user.account.update_primary_email
User primary email updated.
user.account.update_profile
Update user profile for Okta.
user.account.update_secondary_email
User secondary email updated.
user.account.update_user_type
Fires when a user changes from one type to another. Can be used to audit when a user gets converted from a contractor to a full-time employee, for example. Data includes the old and new type ids. There may be an accompanying update_profile event if values were changed.
user.account.use_token
Invalid self service recovery token used by user.
user.authentication.auth
Authenticate user.
user.authentication.auth_via_AD_agent
Authenticate user with AD agent.
user.authentication.auth_via_IDP
Authenticate user via IDP.
user.authentication.auth_via_LDAP_agent
Authenticate user via LDAP agent.
user.authentication.auth_via_inbound_SAML
Authenticate user via inbound SAML.
user.authentication.auth_via_inbound_delauth
Authenticate user via inbound delauth.
user.authentication.auth_via_iwa
Authenticate user via IWA.
user.authentication.auth_via_mfa
Authentication of user via MFA.
user.authentication.auth_via_radius
Authentication of user via Radius.
user.authentication.auth_via_richclient
Authentication of a user via Rich Client.
user.authentication.auth_via_social
Authenticate user with social login.
user.authentication.authenticate
Authentication via device trust certificate.
user.authentication.slo
User single logout (SLO) from app.
user.authentication.sso
Fired when a user performs a single sign-on (SSO) to an app instance and contains the client details of the user. Can be used to identify when a user attempted to sign into an application for audit or debugging purposes. Note that the event is fired even when the sign-on is unsuccessful.
user.authentication.verify
Verify user identity.
user.credential.enroll
Device Trust certificate enrollment.
user.identity_snapshot.attestation.create
Create identity snapshot attestation for a user. This event can be used by administrators to audit identity snapshot attestations minted for a user. The user and the application are in the event, signifying which user the attestation token is being minted for, and which application is requesting it.
user.import.password
Fired when a user has successfully logged in to Okta and an attempt to import their Password has been made. This can be used to understand if a user password import attempt was successful or if it failed. If the attempt failed, the password import will be tried again on a subsequent successful login. When fired, this event contains information about the import type, and whether or not the password import was successful. If the import is successful, it is safe to "clean up" that user from an external system. If the import failed, Okta will continue retrying the import during every successful authentication attempt until the password is successfully imported. Check the failure reason for details about whether any action is needed for the import to succeed.
user.lifecycle.activate
Activate Okta user.
user.lifecycle.create
Create Okta user.
user.lifecycle.deactivate
Deactivate Okta user.
user.lifecycle.delete.completed
Delete Okta user completed.
user.lifecycle.delete.initiated
Delete Okta user initiated.
user.lifecycle.jit.error.read_only
Failed to JIT create user.
user.lifecycle.password_mass_expiry
Mass expire all users' passwords initiated.
user.lifecycle.reactivate
Reactivate Okta user.
user.lifecycle.suspend
Suspend Okta user.
user.lifecycle.unsuspend
Unsuspend Okta user.
user.mfa.attempt_bypass
Attempt bypass of factor.
user.mfa.factor.activate
Activate factor for user. Provides org admins with audit log and oversight utility for an MFA factor when it is activated. When fired, the event contains information about the MFA factor that has been activated, as well as the target user and the user activating the factor.
user.mfa.factor.deactivate
Reset factor for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle status when a specific factor is permanently deactivated. When fired, the event contains information about the MFA factor that has been deactivated, as well as the target user and the user deactivating the factor.
user.mfa.factor.reset_all
Reset all factors for user. Provides org admins with audit log and oversight utility for the change in MFA factor lifecycle statuses when all MFA factors for a user are permanently deactivated. When fired, the event contains information about the target user for whom all factors have been deactivated, as well as the user resetting the factors.
user.mfa.factor.update
Update factor for user.
user.mfa.okta_verify
Verify user with Okta Verify.
user.mfa.okta_verify.deny_push
User rejected Okta push verify.
user.mfa.okta_verify.deny_push_upgrade_needed
Rejected Okta push verify as Upgrade Needed. This can be used to audit events where an Okta Verify push was rejected because the app needed an upgrade. Note that the event is fired when an Okta Verify push is rejected. It is possible that the user chose another factor and logged in successfully as well.
user.session.access_admin_app
User accessing Okta admin app.
user.session.clear
Clear user session.
user.session.end
User logout from Okta.
user.session.expire
Expire user session.
user.session.impersonation.end
End impersonation session.
user.session.impersonation.extend
Extend impersonation session.
user.session.impersonation.grant
Enable impersonation grant.
user.session.impersonation.initiate
Initiate impersonation session.
user.session.impersonation.revoke
Revoke impersonation grant.
user.session.start
User login to Okta.
zone.make_blacklist
Network zone marked as blacklist.
zone.remove_blacklist
Network zone unmarked as blacklist.