developer.okta.com
2600:9000:289d:cc00:d:5427:c40:93a1  Public Scan

Submitted URL: https://developer.okta.com/docs/reference/api/event-types/#catalog
Effective URL: https://developer.okta.com/docs/reference/api/event-types/
Submission: On November 21 via api from US — Scanned from CA

Form analysis 0 forms found in the DOM

Text Content


EVENT TYPES

Event types are the primary method of categorization within the Okta eventing
platform. They allow consumers to easily group notable system occurrences based
on behavior. This resource contains the complete event type catalog of this
platform.


CATALOG

The following is a full list of event types used in the System Log API with
associated descriptions and related metadata.

Download a CSV file with all event types: Okta Event Types.

> Note: Certain tags on the event type indicate the specific behavior of the
> associated System Log events:
> 
> 
>  * oie-only: This event type is only available in Okta Identity Engine enabled
>    orgs
>  * event-hook-eligible: This event type is eligible for use with an event hook
>  * changeDetails: This event type may include the changeDetails object within
>    an associated target


ACCESS.REQUEST.CANCEL

Access request canceled. Can be used to audit access to an Okta resource or to
trigger downstream automation that depends on request cancellation. Okta
Identity Governance API can be used to get more details about the canceled
request.

access event-hook-eligible
Since: 2023.06.0

ACCESS.REQUEST.CONDITION.ACTIVATE

Access request condition activated. Can be used to audit access request
condition to an Okta resource or to trigger downstream automation that depends
on access request condition activation. Okta Identity Governance API can be used
to get more details about the activated access request condition.

access event-hook-eligible
Since: 2024.03.0

ACCESS.REQUEST.CONDITION.CREATE

Access request condition created. Can be used to audit access request condition
to an Okta resource or to trigger downstream automation that depends on access
request condition creation. Okta Identity Governance API can be used to get more
details about the created access request condition.

access event-hook-eligible
Since: 2024.03.0

ACCESS.REQUEST.CONDITION.DEACTIVATE

Access request condition deactivated. Can be used to audit access request
condition to an Okta resource or to trigger downstream automation that depends
on access request condition deactivation. Okta Identity Governance API can be
used to get more details about the deactivated access request condition.

access event-hook-eligible
Since: 2024.03.0

ACCESS.REQUEST.CONDITION.DELETE

Access request condition deleted. Can be used to audit access request condition
to an Okta resource or to trigger downstream automation that depends on access
request condition deletion. Okta Identity Governance API can be used to get more
details about the deleted access request condition.

access event-hook-eligible
Since: 2024.03.0

ACCESS.REQUEST.CONDITION.INVALIDATE

Access request condition invalidated. Can be used to audit access request
condition to an Okta resource or to trigger downstream automation that depends
on access request condition invalidation. Okta Identity Governance API can be
used to get more details about the invalidated access request condition.

access event-hook-eligible
Since: 2024.03.0

ACCESS.REQUEST.CONDITION.UPDATE

Access request condition updated. Can be used to audit access request condition
to an Okta resource or to trigger downstream automation that depends on access
request condition update. Okta Identity Governance API can be used to get more
details about the updated access request condition.

access event-hook-eligible changeDetails
Since: 2024.03.0

ACCESS.REQUEST.CREATE

Access request created. Can be used to audit access to an Okta resource or to
trigger downstream automation that depends on request creation. Okta Identity
Governance API can be used to get more details about the created request.

access event-hook-eligible
Since: 2022.11.0

ACCESS.REQUEST.REJECT

Access request rejected. Can be used to audit access to an Okta resource or to
trigger downstream automation that depends on request rejection. Okta Identity
Governance API can be used to get more details about the rejected request.

access event-hook-eligible
Since: 2024.05.0

ACCESS.REQUEST.RESOLVE

Access request resolved. Can be used to audit access to an Okta resource or to
trigger downstream automation that depends on request resolution. Okta Identity
Governance API can be used to get more details about the resolved request.

access event-hook-eligible
Since: 2022.11.0

ACCESS.REQUEST.SEQUENCE.CREATE

Access request sequence created. Can be used to audit the approval sequence and
when it was created and what was defined within the sequence to verify the
approvals required. Okta Identity Governance API can be used to get more details
about the created access request sequence.

access event-hook-eligible changeDetails
Since: 2024.10.0

ACCESS.REQUEST.SEQUENCE.DELETE

Access request sequence deleted. Can be used to audit the approval sequence and
when it was deleted and what was defined within the sequence to verify the
approvals required. Okta Identity Governance API can be used to get more details
about the deleted access request sequence.

access event-hook-eligible changeDetails
Since: 2024.10.0

ACCESS.REQUEST.SEQUENCE.UPDATE

Access request sequence updated. Can be used to audit the approval sequence and
when it was updated and what was defined within the sequence to verify the
approvals required. Okta Identity Governance API can be used to get more details
about the updated access request sequence.

access event-hook-eligible changeDetails
Since: 2024.10.0

ACCOUNT.ORG.ADD

Org is added to an Aerial account. Triggered when an org is added to an Aerial
account. This event is fired in both the Aerial org and the added target org.

account-service
Since: 2023.10.1

ACCOUNT.ORG.DELETE.CANCEL

Org deletion request is cancelled. Triggered when the deletion request is
cancelled. This event is fired in the Aerial org. The recovered org will be in
the target.

account-service
Since: 2024.02.2

ACCOUNT.ORG.DELETE.REQUEST

Org is requested to be deleted. Triggered when an org is requested to be deleted.
This event is fired in the Aerial org. The user or API client who requested the
delete will be the actor and the org to be deleted will be in the target.

account-service
Since: 2024.02.2

ACCOUNT.ORG.PRODUCT.UPDATE

Products are updated on an org. Triggered when Products are updated on an org.
This event is fired only in the Aerial org.

account-service
Since: 2023.10.1

ACCOUNT.ORG.STATUS.UPDATE

Org status is updated. Triggered when the status of an org is updated. This
event is fired only in the Aerial org.

account-service
Since: 2023.10.1

ANALYTICS.FEEDBACK.PROVIDE

An admin has provided feedback on a detection Okta provided which indicated a
change in user or session risk. This can be used to monitor feedback provided by
admins in response to Okta determined changes in risk. This event is fired when
an admin chooses to provide feedback on a detection event in the admin console.

See also: Identity Threat Protection with Okta AI Event Types

risk security
Since: 2023.10.0

ANALYTICS.REPORTS.EXPORT.DOWNLOAD

A user has downloaded an export file that Okta has generated for a report
available in the admin console. This event may be used to identify access by a
user to a report data set from Okta. This may be useful to audit access to
report data for security investigations, compliance audits, and evaluation of
the utility of a report within the Org. This event only indicates that a user
has downloaded the export file. The user that downloaded it may not be the user
that requested generation of the export file. See
analytics.reports.export.request and analytics.reports.export.generate for
related actions.


Since: 2022.05.1

ANALYTICS.REPORTS.EXPORT.GENERATE

Okta has generated an export file for a report available in the admin console.
This event may be used to identify whether Okta successfully generated the
export file that a user requested for a report. This event is primarily useful
for troubleshooting if a report fails to generate. This event does not indicate
whether a user downloaded the report file. See analytics.reports.export.request
and analytics.reports.export.download for related actions.


Since: 2022.05.1

ANALYTICS.REPORTS.EXPORT.REQUEST

A user has requested that Okta generate an export file for a report available in
the admin console. This event may be used to identify a request by a user to
export a report data set from Okta. This may be useful to audit access to report
data for security investigations, compliance audits, and evaluation of the
utility of a report within the Org. This event only indicates that a user
requested the export. It does not indicate that an export file was successfully
generated by Okta nor that the export file was accessed by a user. See
analytics.reports.export.generate and analytics.reports.export.download for
those actions.


Since: 2022.05.1

APP.ACCESS_REQUEST.APPROVER.APPROVE

Request to access an app was approved by an administrator-defined approver.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.APPROVER.DENY

Request to access an app was denied by an administrator-defined approver.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.DELETE

Request to access an app was deleted by an administrator.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.DENY

Request to access an app was denied after at least one approver denied the
request.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.EXPIRE

Request to access an app expired by the system due to lack of approver action.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.GRANT

Request to access an app was granted after all approvers approved the request.

app-instance-request event-hook-eligible
Since: 2017.43

APP.ACCESS_REQUEST.REQUEST

Request to access an app was performed by a user.

app-instance-request event-hook-eligible
Since: 2017.43

APP.AD.API.USER_IMPORT.ACCOUNT_LOCKED

Active Directory user account set to locked following profile update: user is
locked in active directory.

ad-app
Since: 2016.10

APP.AD.API.USER_IMPORT.WARN.SKIPPED_CONTACT.ATTRIBUTE_INVALID_VALUE

Skipping import of contact due to invalid attribute. Please consult with your
Active Directory admin if you believe this contact should be imported.

ad-app
Since: 2015.47

APP.AD.API.USER_IMPORT.WARN.SKIPPED_USER.ATTRIBUTE_INVALID_VALUE

Skipping import of user due to an invalid AD attribute.

ad-app
Since: 2015.47

APP.AD.API.USER_IMPORT.WARN.SKIPPED_USER.MISSING_REQUIRED_ATTRIBUTE

Skipping import of user due to a required AD attribute being null.

ad-app
Since: 2011.01

APP.APP_INSTANCE.CSR.GENERATE

Certificate signing request (CSR) generated.

app
Since: 2017.15

APP.APP_INSTANCE.CSR.PUBLISH

Certificate signing request (CSR) published.

app
Since: 2017.15

APP.APP_INSTANCE.CSR.REVOKE

Certificate signing request (CSR) revoked.

app
Since: 2017.15

APP.APP_INSTANCE.PROVISION_SYNC_JOB.COMPLETED

Fired when a provision sync job has successfully completed. This can be used to
confirm that a provision sync job has finished running and is no longer
processing users. When fired, this event contains details about number of users
processed in the job. Related events include
app.app_instance.provision_sync_job.started and
app.app_instance.provision_sync_job.failed.

adminappuser-provision
Since: 2019.08.3

APP.APP_INSTANCE.PROVISION_SYNC_JOB.FAILED

Fired when a provision sync job has failed. This can be used to identify when a
provision sync job has failed. When fired, this event contains information about
the reason the provision sync job failed. Related events include
app.app_instance.provision_sync_job.started and
app.app_instance.provision_sync_job.completed.

adminappuser-provision
Since: 2019.08.3

APP.APP_INSTANCE.PROVISION_SYNC_JOB.STARTED

Fired when a provision sync job has successfully started. This can be used to
confirm that a provision sync job has successfully started. Related events
include app.app_instance.provision_sync_job.completed and
app.app_instance.provision_sync_job.failed.

adminappuser-provision
Since: 2019.08.3

APP.AUDIT_REPORT.DOWNLOAD

Application access report downloaded.

app
Since: 2017.52

APP.AUDIT_REPORT.DOWNLOAD.LOCAL.ACTIVE

Application access report downloaded.

app
Since: 2017.52

APP.AUDIT_REPORT.DOWNLOAD.LOCAL.DEPROV

Recent unassignments report downloaded.

app
Since: 2017.52

APP.AUDIT_REPORT.DOWNLOAD.ROGUE.REPORT

Rogue report downloaded.

app
Since: 2017.52

APP.GENERIC.UNAUTH_APP_ACCESS_ATTEMPT

User attempted unauthorized access to app.

app
Since: 2016.06

APP.INBOUND_DEL_AUTH.LOGIN_SUCCESS

Successful inbound delegated authentication request for user.

delegated-auth
Since: 2016.18

APP.KERBEROS_RICH_CLIENT.ACCOUNT_NOT_FOUND

Kerberos based rich client authentication failed: Could not find Office 365 app
user for the AD user with principal id.

app kerberos-rich-client
Since: 2017.50

APP.KERBEROS_RICH_CLIENT.INSTANCE_NOT_FOUND

Kerberos based rich client authentication failed: Unknown app instance id.

app kerberos-rich-client
Since: 2017.50

APP.KERBEROS_RICH_CLIENT.MULTIPLE_ACCOUNTS_FOUND

Kerberos based rich client authentication failed: Multiple users with username
found.

app kerberos-rich-client
Since: 2017.50

APP.KERBEROS_RICH_CLIENT.USER_AUTHENTICATION_SUCCESSFUL

Kerberos based rich client authentication successful for Office 365 user.

app kerberos-rich-client
Since: 2017.52

APP.KEYS.CLONE

Application signing key cloned.

app
Since: 2017.25

APP.KEYS.GENERATE

New signing key generated.

app
Since: 2017.25

APP.KEYS.ROTATE

Application signing key rotated.

app
Since: 2017.25

APP.LDAP.PASSWORD.CHANGE.FAILED

Password change failed.

ldap-app
Since: 2014.18

APP.OAUTH2.ADMIN.CONSENT.GRANT

Administrator consent granted for scope. This event can be used to track when an
administrator grants consent to a client to request a specific scope. This event
is fired when an admin grants consent.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2019.12.0

APP.OAUTH2.ADMIN.CONSENT.REVOKE

Administrator consent revoked for scope. This event can be used to track when an
administrator revokes consent to a client to request a specific scope. This
event is fired when an admin revokes consent.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2019.12.0

APP.OAUTH2.API_RESOURCE.CREATE

OAuth2 API Resource is created. Manage and audit lifecycle events of API
resources. Administrators are made aware that a new API resource is getting
created under Authorization servers.

oauth2 oauth2-api-resource
Since: 2022.04.2

APP.OAUTH2.API_RESOURCE.DELETE

OAuth2 API Resource is deleted. Manage and audit lifecycle events of API
resources. Administrators are made aware that a new API resource is getting
deleted under Authorization servers.

oauth2 oauth2-api-resource
Since: 2022.04.2

APP.OAUTH2.API_RESOURCE.UPDATE

OAuth2 API Resource is updated. Manage and audit lifecycle events of API
resources. Administrators are made aware that a new API resource is getting
updated under Authorization servers.

oauth2 oauth2-api-resource
Since: 2022.04.2

APP.OAUTH2.AS.AUTHORIZE

OAuth2 authorization request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.AUTHORIZE.CODE

OAuth2 authorization code request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.AUTHORIZE.IMPLICIT.ACCESS_TOKEN

OAuth2 authorization implicit access token request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.AUTHORIZE.IMPLICIT.ID_TOKEN

OAuth2 authorization implicit ID token request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.AUTHORIZE.SCOPE_DENIED

Some of the requested scopes were denied by the policy.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.GRANT

User granted consent to app.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE

Consent revoked.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.IMPLICIT.AS

All consent revoked for authorization server.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.IMPLICIT.CLIENT

All consent revoked for client.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.IMPLICIT.SCOPE

All consent revoked for scope.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.IMPLICIT.USER

Consent for all scopes revoked for user.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.USER

All consent revoked for user.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.CONSENT.REVOKE.USER.CLIENT

User consent revoked for client.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.EVALUATE.CLAIM

Claim evaluation for OAuth 2.0 token. This event is triggered when the OAuth 2.0
authorization server's claim evaluation process can't be completed and fails.
This event is useful when detecting misconfigured claims. Recorded details
include the requester's ID, the client ID, the user ID, and the claims that
couldn't be evaluated. This verification ensures that access tokens are granted
only to requests that fully comply with established security policies, thus
safeguarding access to protected resources.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.INTERACT.INTERACTION_CODE

Fired when interaction code is generated by OIE. This event can be used by
administrators to audit interaction_code generation, and troubleshoot why the
IdX transaction has failed. When fired, this event contains hashed values of the
interaction_code and interaction_handle, as well as information about the client
to which they were issued.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2021.01.0

APP.OAUTH2.AS.INTERACT.INTERACTION_HANDLE

Fired when interaction handle is generated by OIE. This event can be used by
administrators to detect if additional interaction is required and an
interaction handle has been issued. When fired this event contains interaction
handle hash and the client to which it was issued.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2021.01.0

APP.OAUTH2.AS.KEY.ROLLOVER

Custom Authorization Server token signing key rolled over.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.TOKEN.DETECT_REUSE

Detect one-time refresh token attempted reuse. This event can be used by
administrators to detect and audit attempted reuse of one-time refresh tokens.
When fired this event contains information about the user, client to which the
refresh token was minted, and the hash of the refresh tokens.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2020.09.3

APP.OAUTH2.AS.TOKEN.GRANT

OAuth2 token request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.TOKEN.GRANT.ACCESS_TOKEN

OAuth 2.0 access token is granted. This event is triggered within OAuth 2.0
frameworks when an app successfully grants an access token to a user or service.
The event occurs post-authentication and authorization, marking the final step
in accessing protected resources. Use this event as a comprehensive audit trail
for issued tokens. The event captures details such as the client ID, subject ID,
token attributes (for example: scope, validity period), and the grant type used.
This information helps with security audits, ensuring compliance with access
policies and troubleshooting authorization flows. Specifically, variations in
token attributes and grant type offer insights into the security posture and
operational efficiency of OAuth 2.0 implementations. While this event primarily
signifies successfully issued tokens, the event details are helpful in many
areas. They help flag potential misuse of token grants or anomalies in token
attributes. The event details also help facilitate a prompt response to
deviations from established security practices.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.TOKEN.GRANT.DEVICE_SECRET

Grant an OAuth2 device_secret for the Native SSO flow. This event adds tracking
to let admins know when Native SSO is being used to protect desktop or mobile
apps. When fired this event contains the device secret id which administrators
can use to correlate with single logout events across native desktop apps.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2021.04.2

APP.OAUTH2.AS.TOKEN.GRANT.ID_TOKEN

OAuth 2.0 ID token is granted. This event occurs when an OAuth 2.0 authorization
server grants an ID token to a client after successful authentication. The ID
token, which encapsulates the user's identity information, verifies the user's
identity to the client app. Recorded details include the client ID, user ID,
token issuance time, and claims associated with the user's identity. You can use
this data for security audits, enabling precise tracking of user identity
verification across apps. The issuance of an ID token follows established
protocols for secure authentication. This ensures that sensitive user
information is transmitted securely between the authorization server and the
client.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.TOKEN.GRANT.REFRESH_TOKEN

OAuth2 refresh token is granted.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AS.TOKEN.REVOKE

OAuth2 token revocation request.

oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2016.14

APP.OAUTH2.AUTHORIZE

OIDC authorization request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.AUTHORIZE.CODE

OIDC authorization code request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.AUTHORIZE.IMPLICIT.ACCESS_TOKEN

OIDC authorization implicit access token request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.AUTHORIZE.IMPLICIT.ID_TOKEN

OIDC authorization implicit ID token request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.CLIENT.LIFECYCLE.ACTIVATE

Activate OAuth client.

oauth2 oauth2-client oauth2-client-lifecycle
Since: 2017.24

APP.OAUTH2.CLIENT.LIFECYCLE.CREATE

Create OAuth client.

oauth2 oauth2-client oauth2-client-lifecycle
Since: 2017.24

APP.OAUTH2.CLIENT.LIFECYCLE.DEACTIVATE

Deactivate OAuth client.

oauth2 oauth2-client oauth2-client-lifecycle
Since: 2017.24

APP.OAUTH2.CLIENT.LIFECYCLE.DELETE

Delete OAuth client.

oauth2 oauth2-client oauth2-client-lifecycle
Since: 2017.24

APP.OAUTH2.CLIENT.LIFECYCLE.UPDATE

Update OAuth client.

oauth2 oauth2-client oauth2-client-lifecycle
Since: 2017.24

APP.OAUTH2.CLIENT.PRIVILEGE.GRANT

An OAuth 2.0 client app's admin privileges changed. This can be used to audit
the provisioning of admin privileges for OAuth 2.0 client apps. When fired, this
event contains information about the type of admin privileges the OAuth 2.0
client app currently has. Related events include:
APP_OAUTH2_CLIENT_PRIVILEGE_REVOKE.

event-hook-eligible oauth2 oauth2-client
Since: 2023.04.1

APP.OAUTH2.CLIENT.PRIVILEGE.REVOKE

All privileges for OAuth 2.0 client app were revoked. This can be used to audit
the deprovisioning of admin privileges from OAuth 2.0 client apps. When fired,
this event indicates the OAuth 2.0 client app has no more admin privileges. All
of OAuth 2.0 client app's privileges were revoked. Related events include:
APP_OAUTH2_CLIENT_PRIVILEGE_GRANT.

event-hook-eligible oauth2 oauth2-client
Since: 2023.04.1

APP.OAUTH2.CLIENT.READ_CLIENT_SECRET

Read OAuth client's secret(s). Use this event to verify that an OAuth client's
secret(s) have been read when the client is returned in certain API responses.
For example, an admin might use this event to audit if a client's secrets were
read when using the client credentials management API. When fired, this event
indicates that an OAuth client's secrets were read. The targets array may
include references to multiple client secrets.

oauth2 oauth2-client
Since: 2024.08.1

APP.OAUTH2.CLIENT_ID_RATE_LIMIT_WARNING

Fired when requests from a single client id have consumed the majority of an org's
rate limit on the OAuth2 endpoint. This event can be used by admins to discover
and deactivate a rogue client. The admin is able to manage the client via the
Syslog UI. When fired, this event contains information about the responsible
client id. As of release, this event is fired when a single client id consumes
90% of an org's OAuth2 rate limit; this threshold is subject to change.

oauth2 oauth2-client
Since: 2019.04.2

APP.OAUTH2.CONSENT.GRANT

User granted consent to app. This event can be used to identify the org AS
consent grant. When fired, the event contains information about the successful
consent grant by org AS.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2021.10.2

APP.OAUTH2.CREDENTIALS.LIFECYCLE.ACTIVATE

OAuth client credentials (either client secret or JWK) is added for an
application. Use this event to find out if an application has a new client
secret or private/public key that has been added. This could be used to audit
changes made to client credentials.

oauth2 oauth2-client oauth2-client-credentials-lifecycle
Since: 2022.05.3

APP.OAUTH2.CREDENTIALS.LIFECYCLE.CREATE

OAuth client credentials (either client secret or JWK) is activated for an
application. Use this event to find out if an application has activated a new
client secret or private/public key. This could be used to audit changes made to
client credentials.

oauth2 oauth2-client oauth2-client-credentials-lifecycle
Since: 2022.05.3

APP.OAUTH2.CREDENTIALS.LIFECYCLE.DEACTIVATE

OAuth client credentials (either client secret or JWK) is deactivated for an
application. Use this event to find out if an application has an existing client
secret or private/public key that has been deactivated. This could be used to
audit changes made to client credentials.

oauth2 oauth2-client oauth2-client-credentials-lifecycle
Since: 2022.05.3

APP.OAUTH2.CREDENTIALS.LIFECYCLE.DELETE

OAuth client credentials (either client secret or JWK) is deleted for an
application. Use this event to find out if an application has an existing client
secret or private/public key that has been deleted. This could be used to audit
changes made to client credentials.

oauth2 oauth2-client oauth2-client-credentials-lifecycle
Since: 2022.05.3

APP.OAUTH2.INTERACT.INTERACTION_CODE

Fired when interaction code is generated by OIE. This event can be used by
administrators to audit interaction_code generation, and troubleshoot why the
IdX transaction has failed. When fired, this event contains hashed values of the
interaction_code and interaction_handle, as well as information about the client
to which they were issued.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2021.01.0

APP.OAUTH2.INTERACT.INTERACTION_HANDLE

Fired when interaction handle is generated by OIE. This event can be used by
administrators to detect if additional interaction is required and an
interaction handle has been issued. When fired this event contains interaction
handle hash and the client to which it was issued.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2021.01.0

APP.OAUTH2.INVALID_CLIENT_CREDENTIALS

Multiple requests with invalid client credentials for client id.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.KEY.ROLLOVER

Org Authorization Server token signing key rolled over.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.SIGNON

User performed OIDC single sign on to app.

oauth2 oauth2-client
Since: 2016.14

APP.OAUTH2.TOKEN.DETECT_REUSE

Detect one-time refresh token attempted reuse. This event can be used by
administrators to detect and audit attempted reuse of one-time refresh tokens.
When fired this event contains information about the user, client to which the
refresh token was minted, and the hash of the refresh tokens.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2020.09.3

APP.OAUTH2.TOKEN.GRANT

OIDC token request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.GRANT.ACCESS_TOKEN

OIDC access token is granted.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.GRANT.ID_TOKEN

OIDC id token is granted.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.GRANT.REFRESH_TOKEN

OIDC refresh token is granted.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.REVOKE

OIDC token revocation request.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.REVOKE.IMPLICIT.AS

Tokens revoked for authorization server.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.REVOKE.IMPLICIT.CLIENT

Tokens revoked for client.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TOKEN.REVOKE.IMPLICIT.USER

Tokens revoked for user.

oauth2 oauth2-as-runtime oauth2-org-as
Since: 2016.14

APP.OAUTH2.TRUSTED_SERVER.ADD

Trusted authorization server is added. Administrators can use this event to
debug and audit trusted authorization server operations. When fired, this event
contains the authorization server IDs of the servers involved.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2023.02.0

APP.OAUTH2.TRUSTED_SERVER.DELETE

Trusted authorization server is removed. Administrators can use this event to
debug and audit trusted authorization server operations. When fired, this event
contains the authorization server IDs of the servers involved.

event-hook-eligible oauth2 oauth2-as-runtime oauth2-custom-as
Since: 2023.02.0

APP.OFFICE365.API.CHANGE.DOMAIN.FEDERATION.SUCCESS

Successfully updated the domain federation from old settings to new settings.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.AD.USER

User is assigned to more than one instance of Active Directory, could not set
Immutable ID.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.CHECK.USER.EXISTS

Could not determine status of Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.CREATE.USER

Could not create user in Office 365, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.DEACTIVATE.USER

Could not deactivate Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.DOWNLOAD.CUSTOM.OBJECTS

Could not download group/role/license data for your Office 365 instance,
received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.DOWNLOAD.GROUPS

Could not download all groups from your Office 365 instance, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.DOWNLOAD.USERS

Could not download all users from your Office 365 instance, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.ENDPOINT.UNAVAILABLE

Unable to reach the Office 365 endpoint.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GET.COMPANY.DIRSYNC.FAILURE

Unable to read Office 365 directory sync for the company, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GET.COMPANY.DIRSYNC.STATUS.FAILURE

Unable to provision user to Office 365, because 'Directory Sync' value in Azure
Active Directory is unsupported. Please visit the Azure Active Directory portal
and set 'Directory Sync' state to Activated and retry.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GET.COMPANY.DIRSYNC.STATUS.PENDING

Unable to provision user to Office 365, because 'Directory Sync' value in Azure
Active Directory is not yet in Activated state. This may take up to 72 hours.
Please visit the Azure Active Directory portal and retry when in Activated
state.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GET.OBJECT.IDS.BY.GROUP.ID

Could not get users by group id from your Office 365 instance, received error.

office365-app
Since: 2018.37

APP.OFFICE365.API.ERROR.GROUP.CREATE.FAILURE

Could not create Office 365 group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.CREATE.FAILURE.NAME.IN.USE

Could not create Office 365 group because the name is already in use, received
error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.DELETE.FAILURE

Could not delete Office 365 group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.MEMBERSHIP.UPDATE.ASSIGNMENT.FAILURE

Could not update the Office 365 group membership because of an error assigning a
user to the group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.MEMBERSHIP.UPDATE.FAILURE

Could not update the Office 365 group membership, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.MEMBERSHIP.UPDATE.GROUP.NOT.FOUND.FAILURE

Could not update the Office 365 group membership because the group could not be
found, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.MEMBERSHIP.UPDATE.REMOVAL.FAILURE

Could not update the Office 365 group membership because of an error removing a
user from the group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.UPDATE.FAILURE

Could not update Office 365 group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.GROUP.UPDATE.FAILURE.NOT.FOUND

Could not update Office 365 group because it was not found, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.IMPORT.PROFILE

Could not import profile for Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.NO.ENDPOINTS.FOUND

No Office 365 endpoint found to send our request.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.PUSH.PASSWORD

Could not push password for Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.PUSH.PROFILE

Could not push profile for Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.REACTIVATE.USER

Could not reactivate Office 365 user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.REMOVE.DOMAIN.FEDERATION.FAILURE

Unable to remove the domain federation, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.REMOVE.DOMAIN.FEDERATION.FAILURE.ACCESS.DENIED

Unable to remove the domain federation because the admin user is not authorized
to perform the task.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.REMOVE.DOMAIN.FEDERATION.FAILURE.DOMAIN.NOT.FOUND

Unable to remove the domain federation because the specified domain was not
found.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.REVOKE.REFRESH.TOKEN

Failed to revoke refresh tokens for user.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.COMPANY.DIRSYNC.FAILURE

Unable to enable Office 365 directory sync for the company, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.COMPANY.DIRSYNC.STATUS.FAILURE

Unable to enable Office 365 directory sync for the company, because 'Directory
Sync' value in Azure Active Directory is unsupported. Please visit the Azure
Active Directory portal and set 'Directory Sync' state to Activated.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.DOMAIN.FEDERATION.FAILURE

Unable to set up the domain federation, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.DOMAIN.FEDERATION.FAILURE.ACCESS.DENIED

Unable to set up the domain federation because the admin user is not authorized
to perform the task.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.DOMAIN.FEDERATION.FAILURE.DOMAIN.DEFAULT

Unable to set up the domain federation because the specified domain is the
default domain.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SET.DOMAIN.FEDERATION.FAILURE.DOMAIN.NOT.FOUND

Unable to set up the domain federation because the specified domain was not
found.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.CONTACT

Failed to sync contact, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.FINALIZE

Failed to finalize export to Office 365, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.GROUP

Failed to sync group, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.NOT.ACTIVATED

Sync could not execute because Office 365 directory sync for the company is not
yet Activated. Sync will retry after a period of time.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.SET.ATTRIBUTE

Failed to set attribute, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.SYNC.USER

Failed to sync user, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.UNABLE.TO.CREATE.GRAPH.CLIENT

An error occurred while creating the Azure Active Directory Graph API client.
Please try the last operation again. If this error persists, please contact Okta
support.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.VALIDATE.ADMIN.CREDS

User does not have the Company Administrator role. Please try again with a user
which has this role.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.VALIDATE.CREDS

Could not validate your Office 365 credentials, received error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.VALIDATE.CREDS.UNKNOWN.EXCEPTION

Could not communicate with Office 365 to validate your credentials, received
error.

app office365-app
Since: 2017.01

APP.OFFICE365.API.ERROR.X-MS-FORWARDED-CLIENT-IP-HEADER.ABSENT

X-MS-Forwarded-Client-IP header either empty or not found in the request.

app office365-app
Since: 2017.01

APP.OFFICE365.API.REMOVE.DOMAIN.FEDERATION.SUCCESS

Successfully removed the domain federation.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SET.DOMAIN.FEDERATION.SUCCESS

Successfully set up the domain federation with new settings.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.COMPLETE

User sync completed.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.HEARTBEAT.SENT

Heartbeat sent to Microsoft Azure Active Directory.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.JOB.COMPLETE

Sync job completed.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.JOB.COMPLETE.CONTACT

Sync job completed.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.JOB.COMPLETE.GROUP

Sync job completed.

app office365-app
Since: 2017.01

APP.OFFICE365.API.SYNC.JOB.COMPLETE.USER

Sync job completed.

app office365-app
Since: 2017.01

APP.OFFICE365.CLIENTPLATFORM.CONVERSION.JOB.PROCESSING.APP.INSTANCE

Begin processing client access conversion for app instance.

app office365-app
Since: 2017.01

APP.OFFICE365.CLIENTPLATFORM.CONVERSION.JOB.SKIPPING.MIGRATION

Skipping migration of client access rules for app instance.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.CONFLICT-OBJECT

Skipping sync of conflict object.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.CRITICAL-SYSTEM-OBJECT

Skipping sync of critical system object.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.NON-SECURITY-GROUP-INVALID-MAIL

Skipping sync of non security object with invalid mail.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.RESERVED-ATTRIBUTE-VALUE

Skipping sync of object with reserved attribute value.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.SYSTEMMAILBOX

Skipping sync of system mailbox object.

app office365-app
Since: 2017.01

APP.OFFICE365.DIRSYNC.SKIPPING.WITHOUT-NAME-AND-DISPLAYNAME

Skipping sync of non security object without name and display name.

app office365-app
Since: 2017.01

APP.OFFICE365.ERROR.IMPORTING.USER

An error occurred while importing user.

app office365-app
Since: 2017.01

APP.OFFICE365.GRAPH.API.ERROR.NO.MAILBOX.FOUND

No MailBox found for Office 365 user.

app office365-app
Since: 2017.01

APP.OFFICE365.GRAPH.API.ERROR.RATE-LIMIT.EXCEEDED

Rate limit exceeded for Microsoft Graph.

app office365-app
Since: 2017.01

APP.OFFICE365.GRAPH.API.ERROR.SERVICE.PRINCIPAL.CREATION.FAILED

Failure while trying to create service principal.

office365-app
Since: 2017.01

APP.OFFICE365.GRAPH.API.ERROR.SERVICE.PRINCIPAL.MSGRAPH.AUTHENTICATION.FAILURE

Failure while trying to create service principal due to a Microsoft Graph
authentication issue.

office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.COMPLETE

End processing Office 365 service principal cleanup.

app office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.INVALID.CREDENTIALS

The admin username or password is invalid. Please use the Azure Active Directory
cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to
manually clean up the service principal.

app office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.PROCESSING

Begin performing Office 365 service principal cleanup.

app office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.SKIPPING.MISSING.CREDS

Skipping app instance during Office 365 service principal cleanup as it does not
contain Office 365 admin user credentials. Please use the Azure Active Directory
cmdlets to execute the command 'Remove-MsolServicePrincipal -AppPrincipalId' to
manually clean up the service principal.

app office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.SKIPPING.NO.SERVICE.PRINCIPAL

Skipping app instance during Office 365 service principal cleanup as it does not
have a service principal.

app office365-app
Since: 2017.01

APP.OFFICE365.SERVICE.PRINCIPAL.CLEANUP.JOB.UNABLE.TO.DELETE.SERVICE.PRINCIPAL

Unable to automatically delete the Office 365 service principal. Please use the
Azure Active Directory cmdlets to execute the command
'Remove-MsolServicePrincipal -AppPrincipalId' to manually clean up the service
principal.

app office365-app
Since: 2017.01

APP.OFFICE365.USER.DELETE.SUCCESS

Successfully deleted the Office 365 user.

app office365-app
Since: 2017.01

APP.OFFICE365.USER.LIFECYCLE.ACTION.FAILED

Unable to complete app user lifecycle action for AppUser.

app office365-app
Since: 2017.01

APP.OFFICE365.USER.REMOVE.LICENSES.SUCCESS

Successfully removed all the licenses for the Office 365 user.

app office365-app
Since: 2017.01

APP.POLICY.SIGN_ON.UPDATE

Update app sign on policy. This event is used to audit when an app sign on
policy is updated. This event is fired when an admin updates an app's sign on
policy and logs what was changed.

policy
Since: 2022.08.0

APP.RADIUS.AGENT.LISTENER.FAILED

Radius agent listener failed.

app radius
Since: 2018.13

APP.RADIUS.AGENT.LISTENER.SUCCEEDED

Radius agent listener succeeded.

app radius
Since: 2018.13

APP.RADIUS.AGENT.PORT_INACCESSIBLE

Radius agent failed to listen on port.

app radius
Since: 2018.13

APP.RADIUS.AGENT.PORT_REACCESSIBLE

Radius agent was able to listen on port again.

app radius
Since: 2018.13

APP.RADIUS.INFO_ACCESS.NO_PERMISSION

No permission accessing any Radius app info. This event can be used to monitor
and notify admins when some users who access radius app info have no permission.
Fired when users who access radius app info have no permission.

app radius
Since: 2020.08.0

APP.RADIUS.INFO_ACCESS.PARTIAL_PERMISSION

No permission accessing info for part of Radius apps. This event can be used to
monitor and notify admins when some users who access radius app info have only
partial permission. Fired when users who access radius app info have partial
permission.

app radius
Since: 2020.08.0

APP.REALTIMESYNC.IMPORT.DETAILS.ADD_USER

Real time sync added new User.

app
Since: 2014.25

APP.REALTIMESYNC.IMPORT.DETAILS.DELETE_USER

Real time sync removed existing User.

app
Since: 2014.25

APP.REALTIMESYNC.IMPORT.DETAILS.UPDATE_USER

Fired when a real time import includes an update to an existing user. This can
be used to see details about the user updates included in a real time sync
import. When fired, this event contains information about the type of update
made, including whether or not a user was suspended or unsuspended. Related events
include: app.realtimesync.import.details_add_user and
app.realtimesync.import.details_delete_user.

app
Since: 2014.25

APP.REQUEST_NEW.NOTIFY

A user sent an application request. Used to notify admins that a user made an
application request from the Enduser Dashboard. The application request attempts
to send an email to an admin with the user's request. This event only indicates
that the request was made, not necessarily that the email was successfully
delivered.


Since: 2024.09.0

APP.RUM.CONFIG.VALIDATION.ERROR

Error validating instance configuration. Can be used to identify configuration
issues with remote user management.

rum
Since: 2018.42

APP.RUM.IS.API.ACCOUNT.ERROR

RUM API account is not configured or empty. Can be used to identify RUM API
account configuration issues.

rum
Since: 2018.42

APP.RUM.PACKAGE.THROWN.ERROR

Errors during execution. Can be used to identify any errors during execution of
remote user management.

rum
Since: 2018.42

APP.RUM.VALIDATION.ERROR

Error during package validation. Can be used to identify validation issues with
remote user management packages.

rum
Since: 2018.42

APP.SAML.SENSITIVE.ATTRIBUTE.UPDATE

Fired when a SAML assertion contains a sensitive attribute, and that sensitive
attribute has been updated (modified/added/deleted). This event does not fire
when non-sensitive SAML attributes are updated. This can be used to audit that a
sensitive attribute attached to an outbound SAML assertion has been correctly
modified, added, or deleted. When fired, this event contains the specific
attributes that have been modified, added, or deleted to/from the SAML
assertion. Related events include: application.lifecycle.update.

app cvd
Since: 2019.01.1

APP.USER_MANAGEMENT

Imported new or deleted existing member of an application group.

app-user-management
Since: 2016.04

APP.USER_MANAGEMENT.GROUPPUSH.MAPPING.CREATED.FROM.RULE

A Group Push mapping to the group has been created from the rule.

app
Since: 2017.51

APP.USER_MANAGEMENT.GROUPPUSH.MAPPING.CREATED.FROM.RULE.ERROR.DUPLICATE

A Group Push mapping to the group did not get created from rule because an
existing mapping already existed.

app
Since: 2017.51

APP.USER_MANAGEMENT.GROUPPUSH.MAPPING.CREATED.FROM.RULE.ERROR.VALIDATION

A Group Push mapping to the group did not get created from rule because of the
validation error.

app
Since: 2017.51

APP.USER_MANAGEMENT.GROUPPUSH.MAPPING.CREATED.FROM.RULE.ERRORS

A Group Push mapping to the group did not get created from rule.

app
Since: 2017.51

APP.USER_MANAGEMENT.GROUPPUSH.MAPPING.OKTA.USERS.IGNORED

Okta users ignored while pushing group to AppInstance.

app app-user-management
Since: 2018.03

APP.USER_MANAGEMENT.IMPORT.CSV.LINE.ERROR

Error reading line from CSV.

app
Since: 2017.51

APP.USER_MANAGEMENT.PUSH_NEW_USER_SUCCESS

Successfully pushed new user account to app.

app
Since: 2017.51

APP.USER_MANAGEMENT.UPDATE_FROM_MASTER_FAILED

Could not apply import.

app
Since: 2017.51

APP.USER_MANAGEMENT.USER_GROUP_IMPORT.CREATE_FAILURE

Failed to create group from app.

app app-user-management
Since: 2018.03

APP.USER_MANAGEMENT.USER_GROUP_IMPORT.DELETE_SUCCESS

Deleted the group from app.

app app-user-management
Since: 2018.03

APP.USER_MANAGEMENT.USER_GROUP_IMPORT.UPDATE_FAILURE

Failed to update group from app.

app app-user-management
Since: 2018.03

APP.USER_MANAGEMENT.USER_GROUP_IMPORT.UPSERT_FAIL

Failed to import the group from app. This event helps identify when a group
fails to be imported. Fired when we skip processing an import of a group.

app app-user-management
Since: 2020.07.1

APP.USER_MANAGEMENT.USER_GROUP_IMPORT.UPSERT_SUCCESS

Imported the group from app.

app app-user-management
Since: 2018.03

APPLICATION.APPUSER.MAPPING.INVALID.EXPRESSION

App user property mapping has invalid expressions. Can be used to identify
invalid expressions. Note that a single event is fired for all invalid
expressions.

app
Since: 2018.47

APPLICATION.CACHE.INVALIDATE

Event fired when an app list cache is invalidated because a new app is created.
Can be used to make sure App List cache is invalidated after a new app is
created.

invalidate-app-list-cache
Since: 2018.42

APPLICATION.CONFIGURATION.DETECT_ERROR

Application configuration error detected.

app
Since: 2016.13

APPLICATION.CONFIGURATION.DISABLE_DELAUTH_OUTBOUND

Disable delegated authentication for app.

app
Since: 2016.13

APPLICATION.CONFIGURATION.DISABLE_FED_BROKER_MODE

Disable Federation Broker Mode for app.

app
Since: 2017.24

APPLICATION.CONFIGURATION.ENABLE_DELAUTH_OUTBOUND

Enable delegated authentication for app.

app
Since: 2016.13

APPLICATION.CONFIGURATION.ENABLE_FED_BROKER_MODE

Enable Federation Broker Mode for app.

app
Since: 2017.24

APPLICATION.CONFIGURATION.IMPORT_SCHEMA

Okta couldn't download application configuration. Can be used to identify when
an app schema couldn't be downloaded from a remote application. Event fired when
Okta couldn't download application-specific data from a remote app. This may
happen when admin updates provisioning details.

app-api
Since: 2017.33

APPLICATION.CONFIGURATION.READ_CLIENT_SECRET

A client secret in an MFA-only app has been read. Verify that a client secret in
an MFA-only app has been read. This event indicates that a client secret in an
MFA-only app has been read.

agent app
Since: 2024.03.2

APPLICATION.CONFIGURATION.RESET_LOGO

Reset app logo.

app
Since: 2016.13

APPLICATION.CONFIGURATION.UPDATE

Okta couldn't verify API credentials. Can be used when Okta couldn't check the
credentials by executing a custom, application-dependent set of requests.
Okta fires this event to notify issues with credentials validation. Could be
issues with proper permissions as well.

app-api
Since: 2017.33

APPLICATION.CONFIGURATION.UPDATE_API_CREDENTIALS_FOR_PASS_CHANGE

Update API credentials due to user updating password.

app
Since: 2016.13

APPLICATION.CONFIGURATION.UPDATE_LOGO

Change app logo.

app
Since: 2016.13

APPLICATION.CONFIGURATION.UPDATE_RATE_LIMITS

Update rate limits for an OAuth App. This can be used to track the updates to
rate limits for an OAuth application. When fired, this event contains details
about the actor who triggered the event, the OAuth app for which the rate
limit was updated, etc. Actual value change details can be found in debug data
such as the old and new values.

app
Since: 2023.01.0

APPLICATION.INTEGRATION.API_QUERY

Unable to query remote API. Can be used to determine when Okta fails to query
remote application. Okta fires this event for unspecified events which include
remote api response processing.

app-api
Since: 2017.33

APPLICATION.INTEGRATION.AUTHENTICATION_FAILURE

Error authenticating. Can be used when Okta couldn't authenticate with the
provided credentials to a remote api. Okta fires this event when it couldn't
access a remote api with provided credentials.

app-api
Since: 2017.33

APPLICATION.INTEGRATION.GENERAL_FAILURE

Generic error occurred. Can be used when some uncategorized error
occurs. Okta fires this event for different unhandled exceptions.

app-api
Since: 2017.33

APPLICATION.INTEGRATION.RATE_LIMIT_EXCEEDED

API rate limit exceeded. Can be used when Okta reaches api calls/minute rate
limit. Okta fires this event when there are too many requests for a specific
customer.

app-api
Since: 2017.33

APPLICATION.INTEGRATION.TRANSFER_FILES

Unable to transfer files. Can be used when Okta fails to transfer files from one
user to another. Okta fires this event when it fails to process user-to-user
file transfers.

app-api
Since: 2017.33

APPLICATION.LIFECYCLE.ACTIVATE

Activate application.

app event-hook-eligible
Since: 2016.13

APPLICATION.LIFECYCLE.CREATE

Create application.

app event-hook-eligible
Since: 2016.13

APPLICATION.LIFECYCLE.DEACTIVATE

Deactivate application.

app event-hook-eligible
Since: 2016.13

APPLICATION.LIFECYCLE.DELETE

Delete application.

app event-hook-eligible
Since: 2016.13

APPLICATION.LIFECYCLE.UPDATE

Update application.

app event-hook-eligible changeDetails
Since: 2016.13

APPLICATION.POLICY.SIGN_ON.DENY_ACCESS

Deny user access due to app sign on policy. When fired due to app assurance
being evaluated as unsatisfiable (the policy requirements could not be satisfied
by the users' current set of available authenticator enrollments), this event
contains information about the user and the app that the user is trying to
authenticate into.

app event-hook-eligible
Since: 2016.13

APPLICATION.POLICY.SIGN_ON.RULE.CREATE

Create rule for app sign on policy.

app
Since: 2016.13

APPLICATION.POLICY.SIGN_ON.RULE.DELETE

Delete rule from app sign on policy.

app
Since: 2016.13

APPLICATION.POLICY.SIGN_ON.UPDATE

Update app sign on policy.

app changeDetails
Since: 2016.13

APPLICATION.PROVISION.FIELD_MAPPING_RULE.CHANGE

Event fired when field mapping rules are modified. Can be used to determine when
custom mapping rules are modified.

field-mapping-rule-modification
Since: 2018.42

APPLICATION.PROVISION.GROUP.ADD

Fired when Okta provisions a new group on a remote application. Can be used to
identify when Okta provisions a group on a remote application. Event fired when
the group provisioning failed for any reason.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP.IMPORT

Fired when Okta downloads a remote group. Can be used to identify when Okta
tries to download remote group details. Event fired when Okta fails to reach the
group detail from a remote application.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP.REMOVE

Fired when Okta removes a remote group. Can be used to identify when a group has
been unassigned. Event fired when Okta failed to delete group from remote
application.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP.UPDATE

Fired when Okta updates the user group. Can be used to identify when a group has
been updated. Event fired when Okta fails to update a remote group for any
reason.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP.VERIFY_EXISTS

Fired when group no longer exists on a remote application. Can be used to
identify when a group no longer exists on a remote application. Event fired when
group push enhancement is enabled and there is no group found on update or delete.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP_MEMBERSHIP.ADD

Failed to assign a user to a group. Can be used when Okta failed to assign user
to a group on remote application. Okta fires this event if there are any issues
while provisioning a membership to a remote application.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP_MEMBERSHIP.IMPORT

Error while downloading memberships. Can be used when Okta failed to download
users and groups relationships. Okta fires this event if there are any issues
while importing a membership from a remote application.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP_MEMBERSHIP.REMOVE

Fired when there is an error while removing user(s) from group. Can be used when
Okta failed to unassign user from a group on remote application. Okta fires this
event when there are any issues while provisioning a membership to a remote
application.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP_MEMBERSHIP.UPDATE

Fired when there is an error while updating user group membership for group. Can
be used when Okta failed to push updated memberships to a remote application.
Okta fires this event when it couldn't update memberships on a remote application.
Could be user removal/addition.

app-api
Since: 2017.33

APPLICATION.PROVISION.GROUP_PUSH.ACTIVATE_MAPPING

Group push activated mappings.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.DEACTIVATE_MAPPING

Group push deactivated mappings. Can be used to audit when a group push mapping
is deactivated or to trigger downstream automation. The corresponding event type
for activating a group push mapping is
application.provision.group_push.activate_mapping.

app
Since: 2024.07.2

APPLICATION.PROVISION.GROUP_PUSH.DELETE_APPGROUP

Group push deleted application group.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.AND.GROUPS.DELETED.RULE.DELETED

An existing mapping and its target groups have been deleted because a mapping
rule was deleted.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.APP.GROUP.RENAMED

A mapped app group has been renamed because the source group was renamed.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.APP.GROUP.RENAMED.FAILED

A mapped app group couldn't be renamed when the source group was renamed.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.CREATED

A new mapping has been created.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.CREATED.FROM.RULE.WARNING.DUPLICATE.NAME

A new mapping from a rule was not created due to a duplicate group name.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.CREATED.FROM.RULE.WARNING.DUPLICATE.NAME.TOBECREATED

A new mapping from a rule was not created because another mapping that has the
same user group name will be created.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.CREATED.FROM.RULE.WARNING.UPSERTGROUP.DUPLICATE.NAME

An upsert to a group caused group push rule re-evaluation. A new mapping from a
rule was not created due to a duplicate group name.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.DEACTIVATED.SOURCE.GROUP.RENAMED

An existing mapping has been deactivated because the source group was renamed.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.DEACTIVATED.SOURCE.GROUP.RENAMED.FAILED

An existing mapping couldn't be deactivated when the source group was renamed.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.UPDATE.OR.DELETE.FAILED

Group push mapping change failed and will be retried. Can be used to identify
transient errors that may temporarily impact the group push mapping but likely
do not require admin intervention. This event typically requires no action as
the corresponding operation will be retried. Refer to
application.provision.group_push.mapping.update.or.delete.failed for events that
may require intervention.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.MAPPING.UPDATE.OR.DELETE.FAILED.WITH.ERROR

Group push mapping change failed and cannot be retried. Can be used to identify
group push mapping errors which may require admin intervention to address.
Unlike the similarly named event,
application.provision.group_push.mapping.update.or.delete.failed, when this
event is fired the corresponding action that triggered it will not be retried by
Okta and may indicate a configuration problem. For example, invalid
authorization credentials with the target application due to an expired password
or invalid access token.

app event-hook-eligible
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.PUSH_MEMBERSHIPS

Group push pushed memberships.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.PUSHED

A group was pushed to an app.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.REMOVED

A group was removed from an app.

app
Since: 2017.29

APPLICATION.PROVISION.GROUP_PUSH.UPDATED

A group was updated in an app.

app
Since: 2017.29

APPLICATION.PROVISION.INTEGRATION.CALL_API

Application integration API called.

app-api
Since: 2016.15

APPLICATION.PROVISION.USER.ACTIVATE

Activate user's application membership.

app-api
Since: 2016.14

APPLICATION.PROVISION.USER.DEACTIVATE

Push user deactivation to external application.

app-api
Since: 2016.14

APPLICATION.PROVISION.USER.DEPROVISION

Deprovision user from external application.

app
Since: 2016.14

APPLICATION.PROVISION.USER.IMPORT

Deactivate user from external application.

app-api
Since: 2017.33

APPLICATION.PROVISION.USER.IMPORT_PROFILE

Import profile from external application.

app-api
Since: 2017.33

APPLICATION.PROVISION.USER.PASSWORD

Issue pushing user password to external application.

app-api
Since: 2017.33

APPLICATION.PROVISION.USER.PUSH

Push new user to external application.

app-api
Since: 2016.14

APPLICATION.PROVISION.USER.PUSH_OKTA_PASSWORD

Push user's Okta password to application.

app
Since: 2016.14

APPLICATION.PROVISION.USER.PUSH_PASSWORD

Push user's password to application.

app
Since: 2016.14

APPLICATION.PROVISION.USER.PUSH_PROFILE

Push user's profile to external application.

app-api
Since: 2016.14

APPLICATION.PROVISION.USER.REACTIVATE

Push user reactivation in external application.

app-api
Since: 2016.14

APPLICATION.PROVISION.USER.SYNC

Sync user in external application.

app event-hook-eligible
Since: 2016.14

APPLICATION.PROVISION.USER.VERIFY_EXISTS

Verify user exists in external application.

app-api
Since: 2016.14

APPLICATION.REGISTRATION_POLICY.LIFECYCLE.CREATE

Create registration policy.

app
Since: 2017.52

APPLICATION.REGISTRATION_POLICY.LIFECYCLE.UPDATE

Update registration policy.

app
Since: 2017.52

APPLICATION.USER_MEMBERSHIP.ADD

Add user to application membership.

event-hook-eligible user-provision
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.APPROVE

User approved for application (assigned but not provisioned).

user-provision
Since: 2016.33

APPLICATION.USER_MEMBERSHIP.CHANGE_PASSWORD

Change application password for user.

app event-hook-eligible
Since: 2016.11

APPLICATION.USER_MEMBERSHIP.CHANGE_USERNAME

Change user's application username.

app
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.DEPROVISION

User deprovisioned from application (was previously revoked).

user-provision
Since: 2016.33

APPLICATION.USER_MEMBERSHIP.PROVISION

User provisioned to application (was previously approved).

user-provision
Since: 2016.33

APPLICATION.USER_MEMBERSHIP.REMOVE

Remove user's application membership.

event-hook-eligible user-provision
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.RESTORE

Restore user assignment to an application.

app
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.RESTORE_PASSWORD

Restore user's password for an application.

app
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.REVOKE

User revoked from application (unassigned but not yet deprovisioned).

user-provision
Since: 2016.33

APPLICATION.USER_MEMBERSHIP.SHOW_PASSWORD

Show user's password for application.

app
Since: 2016.02

APPLICATION.USER_MEMBERSHIP.UPDATE

Updated user application property.

app event-hook-eligible
Since: 2016.02

CERTIFICATION.CAMPAIGN.CLOSE

Triggered when a campaign is closed. This event can be used by admins to audit
Access Certification Review activity to understand when a Campaign Instance has
transitioned into the closed state. This event is triggered when a Campaign is
closed either by an admin or on the configured campaign end date.

certification event-hook-eligible
Since: 2022.02.1

CERTIFICATION.CAMPAIGN.CONTEXT.UPDATE

Triggered when the customizable context settings are updated at org level. Can
be used to audit customizable context settings changes in the system log as well
as reports. This is triggered when the customizable context settings are updated
at the org level.

certification event-hook-eligible
Since: 2024.06.1

CERTIFICATION.CAMPAIGN.CREATE

Triggered when a new campaign is created. Can be used to audit campaign activity
in the system log as well as reports. This is triggered by creating a new
campaign.

certification
Since: 2021.07.1

CERTIFICATION.CAMPAIGN.DELETE

Triggered when a campaign is deleted. Can be used to audit campaign activity in
the system log as well as reports. This is triggered by deleting a campaign.

certification
Since: 2021.07.1

CERTIFICATION.CAMPAIGN.ITEM.DECIDE

Triggered when a decision on the access to a resource is made. Can be used to
audit the decision activity related to an item in a certification campaign, such
as the access of a user to an application. The outcome.result field will be
SUCCESS for a decision to approve or revoke and will be SKIPPED for a decision
to delegate. This is triggered when a reviewer makes a decision on a campaign
item, or at the end of a campaign if an item has not been reviewed. The result
of the decision is included in the debugData (APPROVE, REVOKE, DELEGATE,
NORESPONSE).

certification event-hook-eligible
Since: 2021.10.1

CERTIFICATION.CAMPAIGN.ITEM.REMEDIATE

Triggered when the remediation is performed on the campaign item. Can be used to
audit remediation activity in the system log as well as reports. This is
triggered when the remediation is acted upon by a reviewer.

certification event-hook-eligible
Since: 2021.10.0

CERTIFICATION.CAMPAIGN.LAUNCH

Triggered when a campaign is launched. This event can be used by admins to audit
Access Certification Review activity to understand when a Campaign Instance has
transitioned into the Active state. This event is triggered when a Campaign
starts and moves from scheduled to active.

certification event-hook-eligible
Since: 2022.02.1

CERTIFICATION.CAMPAIGN.UPDATE

Triggered when a campaign is updated. Can be used to audit campaign activity in
the system log as well as reports. This is triggered by updating a campaign.

certification
Since: 2021.07.1

CERTIFICATION.REMEDIATION.OPEN

Triggered when the remediation state is open. Can be used to audit remediation
activity in the system log as well as reports. This is triggered when the
remediation state is open.

certification
Since: 2021.07.1

CORE.CONCURRENCY.ORG.LIMIT.VIOLATION

Too many requests in flight.

concurrency-limit
Since: 2017.39

CORE.EL.EVALUATE

Evaluate Expression Language.

okta-el
Since: 2017.20

CORE.USER_AUTH.IDP.X509.CRL_DOWNLOAD_FAILURE

Failed to download CRL from the endpoint.

x509-idp-auth
Since: 2017.52

CREDENTIAL.REGISTER

Fired when a credential is registered. This event fires when the registration of
a credential is successful or fails. This can be used to audit that a credential
has been successfully registered, and troubleshoot why a credential registration
attempt has failed.

user-factor
Since: 2019.02.3

CREDENTIAL.REVOKE

Fired when a credential is revoked. This event fires when the revocation of a
credential is successful or fails. This can be used to audit that a credential
has been successfully revoked, and troubleshoot why a credential revocation
attempt has failed.

user-factor
Since: 2019.02.3

DEVICE.ASSURANCE.POLICY.ADD

Add device assurance policy. Use this event to monitor when a device assurance
policy is created. The name and platform of the new policy are included in the
event.

device-identity oie-only
Since: 2024.08.3

DEVICE.ASSURANCE.POLICY.DELETE

Delete device assurance policy. Use this event to monitor when a device
assurance policy is deleted. The name of the deleted policy is included in the
event.

device-identity oie-only
Since: 2024.08.3

DEVICE.ASSURANCE.POLICY.UPDATE

Update device assurance policy. Use this event to monitor when a device
assurance policy is updated, and what changed. The details of what is changed in
the policy are included in the event.

device-identity oie-only changeDetails
Since: 2024.08.3

DEVICE.CHECK.ADD

Add device check. Use this event to monitor when a custom device check is
created. The platform, name, variable name, description, and query of the new
device check are included in the event.

device-identity oie-only
Since: 2024.09.0

DEVICE.CHECK.DELETE

Delete device check. Use this event to monitor when a device check is deleted.
The name of the deleted device check is included in the event.

device-identity oie-only
Since: 2024.09.0

DEVICE.CHECK.UPDATE

Update device check. Use this event to monitor when a device check is updated,
and what changed. The details of what is changed in the device check are
included in the event.

device-identity oie-only changeDetails
Since: 2024.09.0

DEVICE.CUSTOM_PUSH.SEND_NOTIFICATION

Fired when a Push notification is sent to a device for a custom app. Used to log
success and failure for the push notifications with relevant information to
allow org developers to troubleshoot push configurations for custom push
authenticator. Note that this event is fired whenever a Push is sent.

custom-push
Since: 2022.05.3

DEVICE.DESKTOP_MFA.CONFIGURATION.UPDATE

Fired when a Desktop MFA configuration is updated by an admin. Admin can monitor
who updates the Desktop MFA configuration value. More details of the configuration
update are in Target.changeDetails.

device-mfa oie-only changeDetails
Since: 2024.08.0

DEVICE.DESKTOP_MFA.ENROLLMENT.CREATE

Fired when a Desktop MFA enrollment is registered to Okta Server. Admin can
monitor which Okta user and device has enrolled with Desktop MFA. The
registration happens after a user logs in to a device with an online factor.

device-mfa oie-only
Since: 2024.08.0

DEVICE.DESKTOP_MFA.RECOVERY_PIN.GENERATE

Fired when a device recovery PIN is generated by an admin. Admin can monitor who
generates a device recovery PIN for which user and device. The event is fired
even when the generation fails.

device-mfa oie-only
Since: 2024.08.0

DEVICE.DESKTOP_MFA.RECOVERY_PIN.ROTATE_SECRET

Fired when a device rotates the device recovery PIN secret for Desktop MFA to
Okta server. Admin can monitor if a rotation happens for the device recovery PIN
secret of a user on a device. The rotation is supposed to happen every 7 days
for each user on each device.

device-mfa oie-only
Since: 2024.08.0

DEVICE.ENROLLMENT.CREATE

Enroll new device. This can be used by any admin to monitor when a new device is
registered successfully for Okta Verify. The user must have below the max
allowed devices and a valid device status (not suspended or deactivated). The
targets field contains key details of the enrolled device including name,
status, serialNumber, imei, meid, osVersion, and osPlatform, which may be useful
for identifying the device and tracking which device platforms and OS versions
are enrolled in Okta Device Authenticator.

device-identity event-hook-eligible oie-only user
Since: 2020.10.4

DEVICE.INTEGRATION.ENDPOINT_SECURITY.ACTIVATE

Triggered when an admin adds an endpoint security device integration
configuration. You can use the event to audit endpoint security device
integration configuration status change. When triggered, the endpoint security
device integration configuration has been activated for a device platform and
the endpoint security device integration signals will be requested from devices.

device-identity oie-only user
Since: 2024.08.0

DEVICE.INTEGRATION.ENDPOINT_SECURITY.DEACTIVATE

Triggered when an admin deactivates an endpoint security device integration
configuration. You can use the event to audit endpoint security device
integration configuration status change. When triggered, the endpoint security
device integration configuration has been deactivated for a device platform and
the endpoint security device integration signals will not be requested from
devices.

device-identity oie-only user
Since: 2024.08.0

DEVICE.LIFECYCLE.ACTIVATE

Activate device. You can use the event to audit device status change. When
triggered, the device can be suspended or deactivated. Also, a user can access
protected resources from an active device if permitted by the App Sign-On
policies applied to the resources.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.LIFECYCLE.DEACTIVATE

Deactivate device. You can use the event to audit device status change. When a
device is deactivated, it cannot be associated with any Okta Verify factor in
the future.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.LIFECYCLE.DELETE

Delete device. You can use the event to audit device status change. When
triggered, the device no longer appears in the Admin Console.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.LIFECYCLE.SUSPEND

Suspend device. You can use the event to audit device status change. When
triggered, access to the device is temporarily paused for users such as
contractors or employees who take a leave of absence. Only active devices can be
suspended. If a device suspension fails, the cause may be that the device was
not active and therefore cannot be suspended.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.LIFECYCLE.UNSUSPEND

Unsuspend device. You can use the event to audit device status change. When
triggered, all Okta Verify factors associated with the device are unsuspended,
and users can access protected resources from the device.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.LOCAL_ACCOUNT.CREATE

Fired when a user creates a local account on a device backed by Okta
credentials. Will allow an admin to identify and audit which Okta users are
creating local accounts on a registered Okta device using the Just-In-Time (JIT) local
account creation feature. Note that the event is fired even when the account
creation is unsuccessful.

device-sso oie-only
Since: 2024.06.2

DEVICE.PASSWORD_SYNC.AUTHENTICATION

Fired when the OS tries to sync a local account password with an Okta password.
Can be used to audit that a credential has been successfully registered, and
troubleshoot why a credential registration attempt has failed. Note that the
event is fired even when the password sync is unsuccessful.

device-sso oie-only
Since: 2023.06.1

DEVICE.PASSWORD_SYNC.ENROLLMENT.CREATE

This event fires when Desktop Password Sync enrollment is successful or fails.
Can be used to audit which users enrolled in Desktop Password Sync or
troubleshoot why enrollment failed. Note that the event is fired even when the
enrollment is unsuccessful.

device-sso oie-only
Since: 2023.06.1

DEVICE.PLATFORM.ADD

Triggered when an admin adds a device management platform. You can use the event
to audit device management platform status change. When triggered, the device
management platform will be available to the org.

device-identity oie-only user
Since: 2021.07.1

DEVICE.PLATFORM.DELETE

Triggered when an admin deletes a device management platform. You can use the
event to audit device management platform status change. When triggered, the
device management platform no longer appears in the Admin Console.

device-identity oie-only user
Since: 2021.07.1

DEVICE.PLATFORM.RENEW

Triggered when a component of the device management platform is renewed, such as
a registration authority used during SCEP flows. You can use the event to audit
device management platform renewals. For example, auditing if and when a
registration authority was renewed in order to continue being used during SCEP
flows. This can be triggered automatically by our automated renewal systems when
the device management platform component is within the renewal period. The
renewed component will appear in the Admin Console.

device-identity oie-only
Since: 2021.07.1

DEVICE.PLATFORM.SECRET_KEY.RESET

Triggered when an admin resets the secret key for a device management platform.
You can use the event to audit device management platform secret key change.
When triggered, the previous device management platform secret key is no longer
valid.

device-identity oie-only user
Since: 2024.08.0

DEVICE.PLATFORM.UPDATE

Triggered when an admin updates a device management platform configuration. Also
triggered when an RA configuration or SCEP challenge is updated in the CA Renewal
Activation framework (triggered by admin or automated job). You can use the
event to audit device management platform configuration change. An admin can
update some fields in the device management platform configuration. Additionally,
the CA Renewal Activation framework can update RA Configurations or SCEP
Challenges.

device-identity oie-only user
Since: 2021.07.1

DEVICE.PLATFORM_SSO.KEYS.REGISTER

A device registered public keys for Platform Single Sign-On (SSO). May be useful
to troubleshoot failed PlatformSSO authentications or to identify unexpected key
rotations. This event typically occurs as the result of an action taken in an
MDM profile. When new Device PlatformSSO keys are registered, a user must
re-enroll into PlatformSSO.

device-sso oie-only
Since: 2024.08.0

DEVICE.PUSH.PROVIDER.CREATE

Indicates that a new push notification service has been successfully created.
The notification service enables push notification as an authentication option
through Okta to a push provider such as the Apple Push Notification service or
the Google Firebase Cloud Messaging service. You can use this event to verify
when a notification service was created for a custom app. When triggered, a new
push notification service appears in the Admin Console.

oie-only push-provider
Since: 2022.04.3

DEVICE.PUSH.PROVIDER.DELETE

Indicates that a push notification service has been deleted. The notification
service enables push notification as an authentication option through Okta to a
push provider such as the Apple Push Notification service or the Google Firebase
Cloud Messaging service. You can use this event to verify when a notification
service was deleted for a custom app. When triggered, a push notification
service is removed from the Admin Console.

oie-only push-provider
Since: 2022.04.3

DEVICE.PUSH.PROVIDER.UPDATE

Indicates that a push notification service has been updated. The notification
service enables push notification as an authentication option through Okta to a
push provider such as the Apple Push Notification service or the Google Firebase
Cloud Messaging service. You can use this event to verify when a notification
service was updated for a custom app. When triggered, a push notification
service is updated in the Admin Console.

oie-only push-provider
Since: 2022.04.3

DEVICE.SIGNALS.STATUS.TIMEOUT

A registered device associated with at least one user session hasn't
communicated with Okta within the required time interval. Use this event to find
registered devices that have lost communication with Okta. This event contains
the device unique identifier in the System Log actor object. You can use this
information to find other related events.

See also: Identity Threat Protection with Okta AI Event Types

device-identity oie-only
Since: 2023.11.0

DEVICE.TOKEN.ENROLLMENT.CREATE

Okta Verify device enrollment token created with existing Okta Verify
enrollment. Identifies an Okta Verify device enrollment token which allows a
user to enroll a new Okta Verify client on a different device. May be useful to
evaluate the context under which an Okta Verify enrollment was authorized for
the purpose of security investigation or analysis of user preference. The target
specifies the existing Okta Verify enrollment which was used to authorize token
creation. It does not specify whether the token was actually used to enroll a
new device. Refer to the event type device.enrollment.create to identify newly
enrolled Okta Verify clients.

device oie-only user
Since: 2024.10.1

DEVICE.USER.ADD

Add device to user. You can use the event to audit device user association
activity. The event is triggered when a user adds a new account in Okta Verify.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DEVICE.USER.REMOVE

Remove device from user. You can use the event to audit device user association
activity. The device remains in the Universal Directory after the user is
removed.

device-identity event-hook-eligible oie-only user
Since: 2021.07.1

DIRECTORY.APP_USER_PROFILE.BOOTSTRAP

Bootstrap application user profile.

cvd directory
Since: 2016.12

DIRECTORY.APP_USER_PROFILE.UPDATE

Update application user profile.

cvd directory
Since: 2016.12

DIRECTORY.EXTERNAL.GROUP.MEMBERSHIP.ADD

External API call to add user group membership in a directory. This event audits
the directory integration API when it adds a user to a group in a directory.
Note that the event is fired even when the API call is unsuccessful.

ad-agent group user
Since: 2024.07.0

DIRECTORY.EXTERNAL.GROUP.MEMBERSHIP.REMOVE

External API call to remove user group membership in a directory. This event
audits the directory integration API when it removes a user from a group in a
directory. Note that the event is fired even when the API call is unsuccessful.

ad-agent group user
Since: 2024.07.0

DIRECTORY.LINKED_OBJECT.CREATE

An admin can create a linked object that is related to user profiles. This event
may be used to identify when a linked object is created, and who created the
linked object. This may be useful for admins to validate why a change in the
user profile has happened. While linked object creation does not trigger or
happen as a result of another event, it is overall related to custom property
update, creation and deletion. This event only indicates the creation of a
linked object. See directory.linked_object.delete for deletion of linked
objects.

cvd directory
Since: 2022.11.1

DIRECTORY.LINKED_OBJECT.DELETE

An admin can delete a linked object that is related to user profiles. This event
may be used to identify when a linked object is deleted, and who deleted the
linked object. This may be useful for admins to validate why a change in the
user profile has happened. While linked object creation does not trigger or
happen as a result of another event, it is overall related to custom property
update, creation and deletion. This event only indicates the deletion of a
linked object. See directory.linked_object.create for creation of linked
objects.

cvd directory
Since: 2022.11.1

DIRECTORY.MAPPING.UPDATE

Update universal directory mappings.

cvd directory
Since: 2016.12

DIRECTORY.NON_DEFAULT_USER_PROFILE.CREATE

Create non-default universal directory user profile. This can be used to audit
that a new non-default universal directory user profile has been created. When
fired, this event contains the name and id of the newly created user profile.

cvd directory
Since: 2019.04.2

DIRECTORY.USER_PROFILE.BOOTSTRAP

Bootstrap universal directory user profile.

cvd directory
Since: 2016.12

DIRECTORY.USER_PROFILE.UPDATE

Update universal directory user profile directory.user_profile.update.

cvd directory
Since: 2016.12

EVENT_HOOK.ACTIVATED

Triggered when an event hook has been activated. Used to notify admins that an
event hook has been activated. When triggered, this event contains information
about the activated event hook.

event-hook
Since: 2019.03.4

EVENT_HOOK.CREATED

Triggered when an event hook has been created. Used to notify admins that an
event hook has been created. When triggered, this event contains information
about the created event hook.

event-hook
Since: 2019.03.4

EVENT_HOOK.DEACTIVATED

Triggered when an event hook has been deactivated. Used to notify admins that an
event hook has been deactivated. When triggered, this event contains
information about the deactivated event hook.

event-hook
Since: 2019.03.4

EVENT_HOOK.DELETED

Triggered when an event hook has been deleted. Used to notify admins that an
event hook has been deleted. When triggered, this event contains information
about the deleted event hook.

event-hook
Since: 2019.03.4

EVENT_HOOK.DELIVERY

Triggered when an event hook delivery fails. Used to identify when an event hook
from Okta is not successfully delivered to the configured endpoint. Note that
the event is triggered only when the delivery is unsuccessful.

event-hook
Since: 2019.04.0

EVENT_HOOK.UPDATED

Triggered when an event hook has been updated. Used to notify admins that an
event hook has been updated. When triggered, this event contains information
about the updated event hook.

event-hook
Since: 2019.03.4

EVENT_HOOK.VERIFIED

Triggered when attempting to verify an event hook. Used to notify admins about
the outcome of event hook endpoint URL verification. Note that the event is
fired even when the verification is unsuccessful.

event-hook
Since: 2019.03.4

GROUP.APPLICATION_ASSIGNMENT.ADD

Add assigned application to group.

event-hook-eligible group
Since: 2016.06

GROUP.APPLICATION_ASSIGNMENT.REMOVE

Remove assigned application from group.

event-hook-eligible group
Since: 2016.05

GROUP.APPLICATION_ASSIGNMENT.SKIP_ASSIGNMENT_RECONCILE

No Description

group
Since: 2017.51

GROUP.APPLICATION_ASSIGNMENT.UPDATE

Update assigned application in group.

event-hook-eligible group
Since: 2016.13

GROUP.LIFECYCLE.CREATE

Create Okta group. This can be used to make sure an Okta group is successfully
created. Event fired when an Okta group is successfully created.

event-hook-eligible group
Since: 2019.11.0

GROUP.LIFECYCLE.DELETE

Delete Okta group. This can be used to make sure an Okta group is successfully
deleted. Event fired when an Okta group is successfully deleted.

event-hook-eligible group
Since: 2019.11.0

GROUP.PRIVILEGE.GRANT

Group's admin privilege granted. This can be used to audit the provisioning of
admin privileges for groups. When fired, this event contains information about
the type of admin privileges the group currently has, and what entity sources
the group. The group granted privileges can be an Okta-sourced group, an
AD-sourced group, or an LDAP-sourced group. Related events include:
GROUP_PRIVILEGE_REVOKE.

event-hook-eligible group
Since: 2019.03.0

GROUP.PRIVILEGE.REVOKE

Group's admin privilege revoked. This can be used to audit the deprovisioning of
admin privileges from groups. When fired, this event indicates the group has no
more admin privileges. All of the group's privileges were revoked. Related events
include: GROUP_PRIVILEGE_GRANT.

event-hook-eligible group
Since: 2019.03.0

GROUP.PROFILE.UPDATE

Okta group profile updated. Events of this type can be used by an IT
administrator who wants to trigger an Okta Workflow to provision groups into
downstream systems. The utility of the Event type is for Provisioning use cases
to downstream systems. A classic example of this is a customer who uses Okta for
Office 365 LCM, and wants to push a distribution list from Okta to Office 365.

event-hook-eligible group
Since: 2021.03.2

GROUP.USER_MEMBERSHIP.ADD

Add user to group membership.

event-hook-eligible group
Since: 2016.02

GROUP.USER_MEMBERSHIP.REMOVE

Remove user from group membership.

event-hook-eligible group
Since: 2016.02

GROUP.USER_MEMBERSHIP.RULE.ADD_EXCLUSION

Add user to group membership exclusion rule.

group
Since: 2017.51

GROUP.USER_MEMBERSHIP.RULE.DEACTIVATED

No Description

group
Since: 2017.51

GROUP.USER_MEMBERSHIP.RULE.ERROR

Group membership rule is in error state.

group
Since: 2017.51

GROUP.USER_MEMBERSHIP.RULE.EVALUATION

No Description

group
Since: 2017.51

GROUP.USER_MEMBERSHIP.RULE.INVALIDATE

Invalidate group membership rule.

group
Since: 2017.51

GROUP.USER_MEMBERSHIP.RULE.TRIGGER

Trigger group membership rule.

group
Since: 2017.51

IAM.POLICY.CONFIGURATION.UPDATE

IAM policy configuration update. Use this event to track and audit updates to
IAM policy configuration for the org. This event contains information about the
IAM policy configuration updates for an org.

admin-role event-hook-eligible changeDetails
Since: 2024.11.0

IAM.RESOURCESET.BINDINGS.ADD

Admin role assignment is created. This event can be used to track and audit when
a new admin role assignment is created. When fired this event contains
information about the new user or group admin assignments for roles associated
with the resource set.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.BINDINGS.DELETE

Admin assignment is deleted. This event can be used to track and audit when an
admin role assignment is deleted. When fired this event contains information
about the deleted user or group admin assignments for roles associated with the
resource set.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.CREATE

Resource set is created. This event can be used to track and audit when a
resource set is created. When fired this event contains information about the
resources contained in the resource set that is created.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.DELETE

Resource set is deleted. This event can be used to track and audit when a
resource set is deleted. When fired this event contains information about the
resources contained in the resource set that is deleted.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.RESOURCES.ADD

Resources are added to a resource set. This event can be used to audit the
resources added to a resource set. When fired this event contains information
about the resources added to the resource set.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.RESOURCES.DELETE

Resources are deleted from a resource set. This event can be used to audit the
resources deleted from a resource set. When fired this event contains
information about the resources deleted from the resource set.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.RESOURCESET.RESOURCES.UPDATE

Resources updated in a resource set. Use this event to audit resources updated
in a resource set. This event contains information about resources that were
updated in a resource set.

admin-role event-hook-eligible changeDetails
Since: 2024.09.0

IAM.RESOURCESET.UPDATE

Resource set update. Use this event to track and audit when a resource set was
updated. This event contains information about the updated name and description
of the resource set.

admin-role event-hook-eligible changeDetails
Since: 2024.09.3

IAM.ROLE.CREATE

Custom admin role is created. This event can be used to track and audit when a
custom admin role is created. When fired this event contains information about
the permissions contained in the role that is created.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.ROLE.DELETE

Custom admin role is deleted. This event can be used to track and audit when a
custom admin role is deleted. When fired this event contains information about
the permissions contained in the role that is deleted.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.ROLE.PERMISSION.CONDITIONS.ADD

Conditions added to a permission in Okta. Use this event to evaluate impact on
admin privileges as their scope might be impacted. This event is triggered when
a condition is added to a role-based permission in Okta. A condition on a
permission allows super admins to implement finer grained authorizations for
stricter security postures. The event can be accompanied with other events for
permissions such as iam.role.permissions.add.

admin-role event-hook-eligible
Since: 2022.12.0

IAM.ROLE.PERMISSION.CONDITIONS.DELETE

Conditions deleted from a permission in Okta. Use this event to evaluate impact
on admin privileges as their scope might be impacted. This event is triggered
when a condition is deleted from a role-based permission in Okta. A condition on
a permission allows super admins to implement finer grained authorizations for
stricter security postures. The event can be accompanied with other events for
permissions such as iam.role.permissions.delete.

admin-role event-hook-eligible
Since: 2022.12.0

IAM.ROLE.PERMISSIONS.ADD

Permissions are added to a custom admin role. This event can be used to audit
the permissions added to a custom admin role. When fired this event contains
information about the permissions added to the role.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.ROLE.PERMISSIONS.DELETE

Permissions are deleted from a custom admin role. This event can be used to
audit the permissions deleted from a custom admin role. When fired this event
contains information about the permissions deleted from the role.

admin-role event-hook-eligible
Since: 2021.02.2

IAM.ROLE.UPDATE

Custom admin role update. Use this event to track and audit when a custom admin
role was updated. This event contains information about the updated name and
description of the role.

admin-role event-hook-eligible changeDetails
Since: 2024.09.3

INLINE_HOOK.ACTIVATED

Triggered when an inline hook is activated. Used to identify when an inline hook
lifecycle status was changed to activated. When triggered, this event contains
information about the activated inline hook.

inline-hook
Since: 2019.01.2

INLINE_HOOK.CREATED

Triggered when an inline hook has been created. Used to notify admins that an
inline hook has been created. When triggered, this event contains information
about the created inline hook.

inline-hook
Since: 2019.01.2

INLINE_HOOK.DEACTIVATED

Triggered when an inline hook is deactivated. Used to identify when an inline
hook lifecycle status was changed to deactivated. When triggered, this event
contains information about the deactivated inline hook.

inline-hook
Since: 2019.01.2

INLINE_HOOK.DELETED

Triggered when an inline hook has been deleted. Used to notify admins that an
inline hook has been deleted. When triggered, this event contains information
about the deleted inline hook.

inline-hook
Since: 2019.01.2

INLINE_HOOK.EXECUTED

Triggered when an inline hook has been executed. Used to notify admins about the
outcome of execution of an inline hook. Note that the event is fired when the
execution is unsuccessful.

event-hook-eligible inline-hook
Since: 2019.01.2

INLINE_HOOK.RESPONSE.PROCESSED

Triggered after Okta has finished processing the response from an inline hook.
Used to notify admins about the outcome of processing the response from an
inline hook. Note that the event is fired even when the processing is
unsuccessful.

inline-hook
Since: 2019.01.2

INLINE_HOOK.UPDATED

Triggered when an inline hook has been modified. Used to notify admins that an
inline hook has been updated. When triggered, this event contains information
about the updated inline hook.

inline-hook
Since: 2019.01.2

INLINE_HOOK.VERIFIED

Triggered when attempting to verify an inline hook. Used to notify admins about
the outcome of inline hook endpoint URL verification. Note that the event is
fired even when the verification is unsuccessful.

inline-hook
Since: 2019.01.2

INTEGRATION.API_SERVICE.LIFECYCLE.AUTHORIZE

Authorize API service integration. This event is triggered when an admin
authorized an OAuth 2.0 service app from the Okta Integration Network (OIN) to
access the Okta org (tenant) using Okta management APIs. An API service
integration is an integration to an OAuth 2.0 service app available from the
Okta Integration Network (OIN).

appintegration
Since: 2023.02.2

INTEGRATION.API_SERVICE.LIFECYCLE.REVOKE

Revoke API service integration. This event is triggered when an admin revoked
API access from an OAuth 2.0 service app to the Okta org. An API service
integration is an integration to an OAuth 2.0 service app available from the
Okta Integration Network (OIN).

appintegration
Since: 2023.02.2

MASTER_APPLICATION.USER_MEMBERSHIP.ADD

User provisioned to app.

uncategorized
Since: 2018.06

MIM.COMMAND.GENERIC.ACKNOWLEDGED

No Description

mim
Since: 2016.13

MIM.COMMAND.GENERIC.CANCELLED

No Description

mim
Since: 2016.13

MIM.COMMAND.GENERIC.DELEGATED

No Description

mim
Since: 2016.13

MIM.COMMAND.GENERIC.ERROR

No Description

mim
Since: 2016.13

MIM.COMMAND.GENERIC.NEW

No Description

mim
Since: 2016.13

MIM.COMMAND.GENERIC.NOTNOW

No Description

mim
Since: 2016.13

MIM.COMMAND.IOS.ACKNOWLEDGED

No Description

mim
Since: 2016.13

MIM.COMMAND.IOS.CANCELLED

No Description

mim
Since: 2016.13

MIM.COMMAND.IOS.ERROR

No Description

mim
Since: 2016.13

MIM.COMMAND.IOS.FORMATERROR

No Description

mim
Since: 2016.13

MIM.COMMAND.IOS.NEW

No Description

mim
Since: 2016.13

MIM.CREATEENROLLMENT.ANDROID

No Description

mim
Since: 2016.39

MIM.CREATEENROLLMENT.IOS

No Description

mim
Since: 2016.39

MIM.CREATEENROLLMENT.OSX

No Description

mim
Since: 2016.39

MIM.CREATEENROLLMENT.UNKNOWN

No Description

mim
Since: 2016.39

MIM.CREATEENROLLMENT.WINDOWS

No Description

mim
Since: 2016.39

MIM.STREAMDEVICESAPPLISTCSVDOWNLOAD

No Description

mim
Since: 2016.39

MIM.STREAMDEVICESCSVDOWNLOAD

No Description

mim
Since: 2016.39

NETWORK_ZONE.RULE.DISABLED

No Description

network-zone
Since: 2016.12

OAUTH2.AS.ACTIVATED

Authorization server is activated.

oauth2 oauth2-as-lifecycle
Since: 2017.22

OAUTH2.AS.CREATED

Authorization server is created.

oauth2 oauth2-as-lifecycle
Since: 2016.50

OAUTH2.AS.DEACTIVATED

Authorization server is deactivated.

oauth2 oauth2-as-lifecycle
Since: 2017.22

OAUTH2.AS.DELETED

Authorization server is deleted.

oauth2 oauth2-as-lifecycle
Since: 2016.50

OAUTH2.AS.UPDATED

Authorization server is updated.

oauth2 oauth2-as-lifecycle
Since: 2016.50

OAUTH2.CLAIM.CREATED

OAuth2 claim is created.

oauth2 oauth2-claim
Since: 2016.50

OAUTH2.CLAIM.DELETED

OAuth2 claim is deleted.

oauth2 oauth2-claim
Since: 2016.50

OAUTH2.CLAIM.UPDATED

OAuth2 claim is updated.

oauth2 oauth2-claim
Since: 2016.50

OAUTH2.SCOPE.CREATED

OAuth2 scope is created.

oauth2 oauth2-scope
Since: 2016.50

OAUTH2.SCOPE.DELETED

OAuth2 scope is deleted.

oauth2 oauth2-scope
Since: 2016.50

OAUTH2.SCOPE.UPDATED

OAuth2 scope is updated.

oauth2 oauth2-scope
Since: 2016.50

OMM.APP.VPN.SETTINGS.CHANGED

No Description

omm
Since: 2018.01

OMM.APP.WIFI.SETTINGS.CHANGED

No Description

omm
Since: 2018.01

OMM.APP.EAS.CERT_BASED.SETTINGS.CHANGED

No Description

omm
Since: 2018.01

OMM.APP.EAS.DISABLED

No Description

omm
Since: 2018.01

OMM.APP.EAS.SETTINGS.CHANGED

No Description

omm
Since: 2018.01

OMM.CMA.CREATED

No Description

omm
Since: 2018.01

OMM.CMA.DELETED

No Description

omm
Since: 2018.01

OMM.CMA.UPDATED

No Description

omm
Since: 2018.01

OMM.ENROLLMENT.CHANGED

No Description

omm
Since: 2018.01

ORG.NOT_CONFIGURED_ORIGIN.REDIRECTION.USAGE

Using untrusted origin for redirection.

adminorg
Since: 2017.44

PAM.AD_CONNECTION.CREATE

This event is triggered after an Active Directory Connection is created for
discovering servers.

pam
Since: 2022.02.0

PAM.AD_CONNECTION.DELETE

This event is triggered after an Active Directory Connection is deleted.

pam
Since: 2022.02.0

PAM.AD_CONNECTION.UPDATE

This event is triggered after an Active Directory Connection is updated.

pam
Since: 2022.02.0

PAM.AD_TASK_SETTINGS.CREATE

This event is triggered after settings that are related to discovering servers
in an Active Directory connection are created.

pam
Since: 2022.02.0

PAM.AD_TASK_SETTINGS.DELETE

This event is triggered after settings that are related to discovering servers
in an Active Directory connection are deleted.

pam
Since: 2022.02.0

PAM.AD_TASK_SETTINGS.UPDATE

This event is triggered after settings that are related to discovering servers
in an Active Directory connection are updated.

pam
Since: 2022.02.0

PAM.AD_TASK_SETTINGS.UPDATE_SCHEDULE

This event is triggered after the schedule for discovering Active Directory
servers is updated.

pam
Since: 2022.02.0

PAM.AD_USER_SYNC_TASK_SETTINGS.ACTIVATE

This event is triggered after the settings for discovering Active Directory
users in an Active Directory connection are activated. Use this event to monitor
activation of AD User Sync Task Settings objects. This event contains a
reference to an AD User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.AD_USER_SYNC_TASK_SETTINGS.CREATE

This event is triggered after settings that are related to discovering users in
an Active Directory connection are created. Use this event to monitor creation
of AD User Sync Task Settings objects. This event contains a reference to an AD
User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.AD_USER_SYNC_TASK_SETTINGS.DEACTIVATE

This event is triggered after the settings for discovering Active Directory
users in an Active Directory connection are deactivated. Use this event to
monitor deactivation of AD User Sync Task Settings objects. This event contains
a reference to an AD User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.AD_USER_SYNC_TASK_SETTINGS.DELETE

This event is triggered after the settings for discovering Active Directory
users in an Active Directory connection are deleted. Use this event to monitor
deletion of AD User Sync Task Settings objects. This event contains a reference
to an AD User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.AD_USER_SYNC_TASK_SETTINGS.UPDATE

This event is triggered after settings that are related to discovering users in
an Active Directory connection are updated. Use this event to monitor updates to
AD User Sync Task Settings objects. This event contains a reference to an AD
User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.AD_USER_SYNC_TASK_SETTINGS.UPDATE_SCHEDULE

This event is triggered after the schedule for discovering Active Directory
users in an Active Directory connection is updated. Use this event to monitor
schedule updates of AD User Sync Task Settings objects. This event contains a
reference to an AD User Sync Task Settings object.

pam
Since: 2023.06.1

PAM.APIKEY.DELETE

This event is triggered after a service user's API key is deleted.

pam
Since: 2022.02.0

PAM.APIKEY.ROTATE

This event is triggered after a service user's API key is rotated.

pam
Since: 2022.02.0

PAM.AUTH_TOKEN.ISSUE

This event is triggered when an ASA client has been authenticated and is issued
an authentication token with elevated capabilities.

pam
Since: 2022.02.0

PAM.BILLING_CONTACT.CREATE

This event is triggered after a billing contact is created for an ASA team. This
event is only applicable to legacy ASA customers.

pam
Since: 2022.02.0

PAM.CLIENT.ASSIGN

This event is triggered after an ASA client is assigned to an ASA user.

pam
Since: 2022.02.0

PAM.CLIENT.ENROLL

This event is triggered after an ASA client is enrolled with ASA.

pam
Since: 2022.02.0

PAM.CLIENT.REMOVE

This event is triggered after an ASA client is removed from a team.

pam
Since: 2022.02.0

PAM.CLIENT.STATE.UPDATE

This event is triggered after the state of an ASA client is updated.

pam
Since: 2022.02.0

PAM.CLIENT_ENROLLMENT_POLICIES.CREATE

This event is triggered after an ASA client enrollment policy is created.

pam
Since: 2022.02.0

PAM.CLIENT_ENROLLMENT_POLICIES.DELETE

This event is triggered after an ASA client enrollment policy is deleted.

pam
Since: 2022.02.0

PAM.CLIENT_ENROLLMENT_POLICIES.UPDATE

This event is triggered after an ASA client enrollment policy is updated.

pam
Since: 2022.02.0

PAM.CLIENT_ENROLLMENT_POLICY_TOKEN.DELETE

This event is triggered after an ASA client enrollment token is deleted.

pam
Since: 2022.02.0

PAM.CLIENT_ENROLLMENT_POLICY_TOKEN.ROTATE

This event is triggered after an ASA client enrollment token is rotated.

pam
Since: 2022.02.0

PAM.CLOUD_ACCOUNT.CREATE

This event is triggered after a project cloud account is created for importing
servers into ASA.

pam
Since: 2022.02.0

PAM.CLOUD_ACCOUNT.DELETE

This event is triggered after a cloud account has been removed from a project.

pam
Since: 2022.02.0

PAM.CLOUD_ACCOUNT.UPDATE

This event is triggered after a cloud account, which is used for importing
servers into ASA, is updated.

pam
Since: 2022.02.0

PAM.ENTITLEMENT_SUDO.ADD_TO_PROJECT

This event is triggered after a sudo entitlement object is added to a project.

pam
Since: 2022.02.0

PAM.ENTITLEMENT_SUDO.CREATE

This event is triggered after a sudo entitlement object is created.

pam
Since: 2022.02.0

PAM.ENTITLEMENT_SUDO.REMOVE

This event is triggered after a sudo entitlement object is removed.

pam
Since: 2022.02.0

PAM.ENTITLEMENT_SUDO.REMOVE_FROM_PROJECT

This event is triggered after a sudo entitlement object is removed from a
project.

pam
Since: 2022.02.0

PAM.ENTITLEMENT_SUDO.UPDATE

This event is triggered after a sudo entitlement object is updated.

pam
Since: 2022.02.0

PAM.GATEWAY.CREATE

This event is triggered after an ASA gateway is created.

pam
Since: 2022.02.0

PAM.GATEWAY.DELETE

This event is triggered after an ASA gateway is deleted.

pam
Since: 2022.02.0

PAM.GATEWAY.SETUP_TOKEN.CREATE

This event is triggered after a gateway setup token is created.

pam
Since: 2022.02.0

PAM.GATEWAY.SETUP_TOKEN.DELETE

This event is triggered after a gateway setup token is deleted.

pam
Since: 2022.02.0

PAM.GATEWAY.SETUP_TOKEN.UPDATE

This event is triggered after a gateway setup token is updated.

pam
Since: 2022.02.0

PAM.GATEWAY.UPDATE

This event is triggered after settings are updated on an ASA gateway.

pam
Since: 2022.02.0

PAM.GATEWAY_CREDS.ISSUE

This event is triggered after the gateway issues credentials for a server.

pam
Since: 2022.02.0

PAM.GROUP.BULK_MEMBERSHIP_CHANGE

This event is triggered after the members belonging to an ASA group were updated
in bulk by a SCIM driver.

pam
Since: 2022.02.0

PAM.GROUP.CREATE

This event is triggered after an ASA group is created.

pam
Since: 2022.02.0

PAM.GROUP.DELETE

This event is triggered after an ASA group is deleted.

pam
Since: 2022.02.0

PAM.INCOMING_FEDERATION.APPROVE

This event is triggered when an ASA team admin from another team has approved a
request to federate identities from their team to this team. Only
applicable to legacy ASA customers.

pam
Since: 2022.02.0

PAM.INCOMING_FEDERATION.REQUEST

This event is triggered after an ASA team admin submits a request to federate
identities from a different team to their team. This event is only applicable to
legacy ASA customers.

pam
Since: 2022.02.0

PAM.MEMBER.ADD

This event is triggered after a user is added to an ASA group.

pam
Since: 2022.02.0

PAM.MEMBER.REMOVE

This event is triggered after a user is removed from an ASA group.

pam
Since: 2022.02.0

PAM.OFFLINE_DISABLED_EVENT

This event is triggered after disconnected mode is disabled for a group.

pam
Since: 2022.02.0

PAM.OFFLINE_ENABLED_EVENT

This event is triggered after disconnected mode is enabled for a group.

pam
Since: 2022.02.0

PAM.OFFLINE_GROUP.SECRETS.ROTATE

This event is triggered after disconnected mode credentials are rotated for a
group.

pam
Since: 2022.02.0

PAM.OUTGOING_FEDERATION.APPROVE

This event is triggered when an ASA team admin from this team has approved a
request to federate identities from this team to another team. Only applicable
to legacy ASA customers.

pam
Since: 2022.02.0

PAM.PASSWORD.CHANGE

This event is triggered after a user password is changed. This event is only
applicable to legacy ASA customers.

pam
Since: 2022.02.0

PAM.PASSWORD.RESET

This event is triggered after a user password reset request is submitted. This
event is only applicable to legacy ASA customers.

pam
Since: 2022.02.0

PAM.PERMISSION.CHANGE

This event is triggered after group permissions are updated.

pam
Since: 2022.02.0

PAM.PREAUTHORIZATION.CREATE

This event is triggered after a preauthorization is created.

pam
Since: 2022.02.0

PAM.PREAUTHORIZATION.UPDATE

This event is triggered after a preauthorization is updated.

pam
Since: 2022.02.0

PAM.PROJECT.ADD_GROUP

This event is triggered after a group is added to a project.

pam
Since: 2022.02.0

PAM.PROJECT.CREATE

This event is triggered after a Project is created. For ASA, this event only
contains the Project name. For Okta Privileged Access, this event contains the
Project name and the associated Resource Group.

pam
Since: 2022.02.0

PAM.PROJECT.DELETE

This event is triggered after a Project is deleted. For ASA, this event only
contains the Project name. For Okta Privileged Access, this event contains the
Project name and the associated Resource Group.

pam
Since: 2022.02.0

PAM.PROJECT.REMOVE_GROUP

This event is triggered after a group is removed from a project.

pam
Since: 2022.02.0

PAM.PROJECT.UPDATE

This event is triggered after a Project is updated. Only applicable for Okta
Privileged Access. This event contains the Project name and the associated
Resource Group.

pam
Since: 2023.04.0

PAM.PROJECT_GROUP_SELECTOR.UPDATE

This event is triggered after server selectors for a group assigned to a project
are updated.

pam
Since: 2022.02.0

PAM.RESOURCE.CHECKIN.END

This event is triggered when a resource's checkin process completes or fails to
complete. Monitor 'FAILED' outcomes of this event to identify resources that may
be unavailable for checkout due to an incomplete checkin. This event contains
details of the original checkout and, if a failure occurred, the reason why the
checkin failed.

pam
Since: 2024.05.1

PAM.RESOURCE.CHECKIN.START

This event is triggered when a previously checked out resource has its checkin
process started. Use this event to identify when a user's exclusive access to a
resource has ended. This event contains details of the original checkout and the
user who checked it in.

pam
Since: 2024.05.1

PAM.RESOURCE.CHECKOUT

This event is triggered when a resource is checked out. Use this event to
identify the exclusive access to resources. This event contains details of the
resource and the user who checked it out.

pam
Since: 2024.05.1

PAM.RESOURCE_GROUP.CREATE

This event is triggered after a Resource Group is created. Monitor this event to
be notified when new teams in your Okta org begin using Okta Privileged Access.
Only applicable for Okta Privileged Access. This event defines when a Resource
Administrator has created a new Resource Group to manage resources.

pam
Since: 2023.04.0

PAM.RESOURCE_GROUP.DELETE

This event is triggered after a Resource Group is deleted. Monitor this event to
be notified when a team in your Okta org stops managing access to a resource.
Only applicable for Okta Privileged Access. This event defines when a Resource
Administrator deleted a Resource Group.

pam
Since: 2023.04.0

PAM.RESOURCE_GROUP.UPDATE

This event is triggered after a Resource Group is updated. Monitor this event to
be notified when Resource Group settings change. Only applicable for Okta
Privileged Access. This event defines when a Resource Administrator has modified
the settings for a Resource Group.

pam
Since: 2023.04.0

PAM.SECRET.CREATE

This event is triggered when a Secret, such as a password, stored in the Okta
Privileged Access Vault is created. Use this event to identify the creation of a
Secret. For example, creating a Secret at an unusual time or outside of a
standard process may be of interest to security analysts. Each event of this
type references the name of the related Secret and an Actor. The Actor is the
User that created the Secret.

pam
Since: 2023.12.0

PAM.SECRET.DELETE

This event is triggered when a Secret, such as a password, stored in the Okta
Privileged Access Vault is deleted. Use this event to identify the deletion of
an existing Secret. For example, deleting a Secret at an unusual time or outside
of a standard process may be of interest to security analysts. Each event of
this type references the name of the related Secret and an Actor. The Actor is
the User that deleted the Secret.

pam
Since: 2023.12.0

PAM.SECRET.REVEAL

This event is triggered when the contents of a Secret, such as a password, are
revealed to a user. Use this event to identify the access of a Secret. For
example, accessing a Secret at an unusual time or outside of a standard process
may be of interest to security analysts. Each event of this type references the
name of the related Secret and an Actor. The Actor is the User that revealed the
Secret.

pam
Since: 2023.12.0

PAM.SECRET.UPDATE

This event is triggered when a Secret, such as a password, stored in the Okta
Privileged Access Vault is updated. Use this event to identify an update to an
existing Secret. For example, updating a Secret at an unusual time or outside of
a standard process may be of interest to security analysts. Each event of this
type references the name of the related Secret and an Actor. The Actor is the
User that updated the Secret.

pam
Since: 2023.12.0

PAM.SECRET_FOLDER.CREATE

This event is triggered after a Secret Folder is created. Secret Folders are
containers used to organize and store Secrets. Use this event to identify the
creation of a Secret Folder. For example, creating a Secret Folder at an unusual
time or outside of a standard process may be of interest to security analysts.
Each event of this type references the name of the related Secret Folder and an
Actor. The Actor is the User that created the Secret Folder.

pam
Since: 2023.12.0

PAM.SECRET_FOLDER.DELETE

This event is triggered after a Secret Folder is deleted. Secret Folders are
containers used to organize and store Secrets. Use this event to identify the
deletion of an existing Secret Folder. For example, deleting a Secret Folder at
an unusual time or outside of a standard process may be of interest to security
analysts. Each event of this type references the name of the related Secret
Folder and an Actor. The Actor is the User that deleted the Secret Folder.

pam
Since: 2023.12.0

PAM.SECRET_FOLDER.UPDATE

This event is triggered after a Secret Folder is updated. Secret Folders are
containers used to organize and store Secrets. Use this event to identify an
update to an existing Secret Folder. For example, updating a Secret Folder at an
unusual time or outside of a standard process may be of interest to security
analysts. Each event of this type references the name of the related Secret
Folder and an Actor. The Actor is the User that updated the Secret Folder.

pam
Since: 2023.12.0

PAM.SECURITY_POLICY.CREATE

This event is triggered after a Security Policy is created. Use this event to
determine when Security Administrators create new Security Policies. Only
applicable for Okta Privileged Access. This event contains the Principals
associated with the Security Policy and the number of rules in the policy.

pam
Since: 2023.04.0

PAM.SECURITY_POLICY.DELETE

This event is triggered after a Security Policy is deleted. Use this event to
indicate that a policy that was previously in place is no longer active and end
user access to resources may be changed. Only applicable for Okta Privileged
Access. This event contains the Principals associated with the Security Policy
and the number of rules in the policy.

pam
Since: 2023.04.0

PAM.SECURITY_POLICY.EVALUATE

This event is triggered when an operation requires a Security Policy evaluation.
Use this event to understand how Security Policies are utilized to control
access to resources. Currently, this event is only triggered when a user isn't
authorized to perform an operation due to existing Security Policies.

pam
Since: 2023.12.0

PAM.SECURITY_POLICY.UPDATE

This event is triggered after a Security Policy is updated. Use this event to
determine when Security Administrators update Security Policies and to identify
important changes made to policies. Only applicable for Okta Privileged Access.
This event contains the Principals associated with the Security Policy and the
number of rules in the policy.

pam
Since: 2023.04.0

PAM.SERVER.ENROLL

This event is triggered after a server running the Okta ASA agent has enrolled
with ASA.

pam
Since: 2022.02.0

PAM.SERVER.REASSIGN

This event is triggered after a server is reassigned from one project to
another.

pam
Since: 2022.02.0

PAM.SERVER.REMOVE

This event is triggered after a server is removed from the ASA inventory.

pam
Since: 2022.02.0

PAM.SERVER.SSH_LOGIN

This event is triggered after a user performs an SSH login to a server.

pam
Since: 2022.02.0

PAM.SERVER_ACCOUNT.DISCOVERED

This event is triggered after a server account is first discovered by the Server
Agent. Only applicable for Okta Privileged Access. This event contains the name
of the discovered account and the associated server.

pam
Since: 2023.04.0

PAM.SERVER_ACCOUNT.PASSWORD_CHANGE.INITIATED

This event is triggered after a password rotation is requested for a local
server account. Use this event to verify that the password settings are being
correctly applied to your servers. This event contains the name of the local
server account being modified and the associated server.

pam
Since: 2023.04.0

PAM.SERVER_ACCOUNT.PASSWORD_CHANGE.OUT_OF_BAND

This event is triggered after a server account password is altered via a method
other than scheduled rotation. You MUST monitor this event to ensure that
unauthorized users are not attempting to reset local server account passwords in
an attempt to gain access to servers. Only applicable for Okta Privileged
Access. This event contains the modified server account and the associated
server.

pam
Since: 2023.04.0

PAM.SERVER_ACCOUNT.PASSWORD_CHANGE.UPDATE

This event is triggered after a server reports an attempt to perform a password
rotation. The outcome.result field contains either 'SUCCESS' or 'FAILURE' and
should be monitored to detect any password rotation errors. Only applicable for
Okta Privileged Access. This event contains the name of the local server
account, the associated server, and indicates if the rotation was successful.

pam
Since: 2023.04.0

PAM.SERVER_ACCOUNT.UPDATE

This event is triggered after a discovered server account is updated. Use this
event to observe how often the system updates server accounts. Only applicable
for Okta Privileged Access. This event contains the name of the updated account
and the associated server.

pam
Since: 2023.04.0

PAM.SERVER_LABELS.UPDATE

This event is triggered after server labels are updated.

pam
Since: 2022.02.0

PAM.SERVICE.CREATE

This event is triggered after a service bound to a service user is created on a
server.

pam
Since: 2022.02.0

PAM.SERVICE.REMOVE

This event is triggered after a service is removed from a server.

pam
Since: 2022.02.0

PAM.SERVICE_ACCOUNT.ASSIGN

Assign a service account to a resource group project. Use this event to
determine when a service account has been brought under active management in
Okta Privileged Access. This event contains the resource group and project IDs
to which the service account was assigned.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.CREATE

Create a service account in Okta Privileged Access. Use this event to verify
when a service account has been successfully created in Okta Privileged Access.
The creation request can only be initiated via Universal Directory. For
Universal Directory accounts, the outcome result can be SUCCESS or FAILURE. For
third-party app service accounts, the outcome result can be SUCCESS, FAILURE, or
DEFERRED.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.DELETE

Delete a service account in Okta Privileged Access. Use this event to verify
when a service account has been successfully deleted in Okta Privileged Access.
The deletion request can only be initiated via Universal Directory. The outcome
result can be SUCCESS or FAILURE.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.PASSWORD.REVEAL

Reveal password for a service account in Okta Privileged Access. Use this event
to identify for which account the Okta Privileged Access user revealed the
password. Contains the details on the user access method the user used to reveal
the password.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.PASSWORD.UPDATE

Update password for a service account in Okta Privileged Access. Use this event
to identify for which account the Okta Privileged Access user updated the
password. Contains the details on the user access method the user used to update
the password.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.PASSWORD_ROTATION.END

Indicates password rotation completion event. Use this event to determine the
final status of a password rotation for a given service account. The outcome
result can be SUCCESS, FAILURE or DEFERRED, based on settings and retry
mechanisms in Okta Privileged Access.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.PASSWORD_ROTATION.START

Initiate password rotation for a service account. Use this event to determine
when password rotation for a given service account has begun. The outcome result
can be SUCCESS or FAILURE. The outcome reason can be ASSIGNMENT, FORCED, CHECKIN
or SCHEDULED, based on the password rotation trigger.

pam
Since: 2024.10.1

PAM.SERVICE_ACCOUNT.UPDATE

Update a service account's details in Okta Privileged Access. Use this event to
verify when a service account has been successfully updated in Okta Privileged
Access. The update request can only be initiated via Universal Directory. The
outcome result can be SUCCESS or FAILURE.

pam
Since: 2024.10.1

PAM.SUDO_COMMAND_BUNDLE.CREATE

This event is triggered after a sudo command bundle is created. Use this event
to determine when Resource Administrators create a new Sudo Command Bundle. Only
applicable for Okta Privileged Access. This event defines when a Resource
Administrator has created a new sudo command bundle.

pam
Since: 2023.06.1

PAM.SUDO_COMMAND_BUNDLE.DELETE

This event is triggered after a sudo command bundle is deleted. Use this event
to determine when Resource Administrators delete an existing Sudo Command
Bundle. Only applicable for Okta Privileged Access. This event defines when a
Resource Administrator has deleted a sudo command bundle.

pam
Since: 2023.06.1

PAM.SUDO_COMMAND_BUNDLE.UPDATE

This event is triggered after a sudo command bundle is updated. Use this event
to determine when Resource Administrators update an existing Sudo Command
Bundle. Only applicable for Okta Privileged Access. This event defines when a
Resource Administrator has updated a new sudo command bundle.

pam
Since: 2023.06.1

PAM.TEAM.CREATE

This event is triggered after a team is created in ASA.

pam
Since: 2022.02.0

PAM.TEAM_GROUP_ATTRIBUTE.CREATE

This event is triggered after team-level group attributes are created.

pam
Since: 2022.02.0

PAM.TEAM_GROUP_ATTRIBUTE.DELETE

This event is triggered after team-level group attributes are deleted.

pam
Since: 2022.02.0

PAM.TEAM_GROUP_ATTRIBUTE.UPDATE

This event is triggered after team-level group attributes are updated.

pam
Since: 2022.02.0

PAM.TEAM_INVITATION.CREATE

This event is triggered after an invitation to join a team is sent. This event
is only applicable to legacy ASA customers.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_GROUP_ATTRIBUTE.CREATE

This event is triggered after project-level group attribute overrides are
created.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_GROUP_ATTRIBUTE.DELETE

This event is triggered after project-level group attribute overrides are
deleted.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_GROUP_ATTRIBUTE.UPDATE

This event is triggered after project-level group attribute overrides are
updated.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_USER_ATTRIBUTE.CREATE

This event is triggered after project-level user attribute overrides are
created.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_USER_ATTRIBUTE.DELETE

This event is triggered after project-level user attribute overrides are
deleted.

pam
Since: 2022.02.0

PAM.TEAM_PROJECT_USER_ATTRIBUTE.UPDATE

This event is triggered after project-level user attribute overrides are
updated.

pam
Since: 2022.02.0

PAM.TEAM_SETTINGS.UPDATE

This event is triggered after team settings are updated.

pam
Since: 2022.02.0

PAM.TEAM_USER_ATTRIBUTE.CREATE

This event is triggered after team-level user attributes are created.

pam
Since: 2022.02.0

PAM.TEAM_USER_ATTRIBUTE.DELETE

This event is triggered after team-level user attributes are deleted.

pam
Since: 2022.02.0

PAM.TEAM_USER_ATTRIBUTE.UPDATE

This event is triggered after team-level user attributes are updated.

pam
Since: 2022.02.0

PAM.UNBOUND_CLIENT.ENROLL

This event is triggered after an ASA client is enrolled by using the 'sft fleet
enroll' command.

pam
Since: 2022.02.0

PAM.UNMANAGED_SERVER.CREATE

This event is triggered after a server is created in ASA directly through the
API and not by an ASA agent installation.

pam
Since: 2022.02.0

PAM.USER.CREATE

This event is triggered after a user is created in ASA.

pam
Since: 2022.02.0

PAM.USER.REMOVE

This event is triggered after a user is removed from ASA.

pam
Since: 2022.02.0

PAM.USER.UPDATE

This event is triggered after a user is updated in ASA.

pam
Since: 2022.02.0

PAM.USER_CREDS.ISSUE

This event is triggered when an Okta user is authorized and initiates a
connection to a server protected by Okta.

pam
Since: 2022.02.0

PERSONAL.ADMIN.CONFIGURATION.UPDATE

Okta personal app migration flag is updated. Triggered when app migration is
updated on an org. This event is fired when an admin toggles app migration in
the org.

okta-personal
Since: 2024.02.8

PERSONAL.USER.APP_MIGRATION.EXPORT

Personal apps exported from workforce org to personal org. Triggered when
personal apps are exported from a workforce org. This event is fired when a user
exports apps to a personal org.

okta-personal
Since: 2024.02.8

PKI.CA.ADD

Triggered when an admin creates an Okta CA (ROOT or Intermediate certs) or
uploads a 3rd party certificate chain. You can use the event to audit the Okta
CA or 3rd party certificate authority status change. When triggered, the Okta CA
or 3rd party certificate authority will appear in the Admin Console.

device-identity oie-only user
Since: 2021.07.1

PKI.CA.DELETE

Triggered when an admin deletes a 3rd party certificate chain. You can use the
event to audit the 3rd party certificate authority status change. When
triggered, the 3rd party certificate authority is no longer available to the
org.

device-identity oie-only user
Since: 2021.07.1

PKI.CA.RENEW

Triggered when one or more certificates that belong to a certificate authority
are renewed. Use to audit certificate renewals that belong to a certificate
authority. You can also use it as a notification to download the renewed
certificates. When triggered, this event includes the old certificates and the
new certificate replacements.

device-identity oie-only
Since: 2024.05.1

PKI.CERT.BIND

Triggered when a certificate is bound to a device. You can use the event to
audit the certificate device binding relationship. When triggered, the device
appears in the Admin Console as a managed device.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.CRL_DOWNLOAD_FAILURE

A failure outcome indicates that there was an issue downloading the Certificate
Revocation List (CRL) from the URL specified in the certificate and may require
action to address it. When an administrator observes a
pki.cert.lifecycle.crl_download_failure event with a failure outcome, they should
ensure that the CRL endpoint is up and running properly and has not been changed
by the issuing Certificate Authority (CA). When fired, this event will include
the URL of the CRL that is having an issue along with a corresponding HTTP error
code.

device-identity oie-only
Since: 2023.07.2

PKI.CERT.ISSUE

Device Trust certificate issuance.

device-trust-cert-distribution-and-binding
Since: 2017.45

PKI.CERT.LIFECYCLE.ACTIVATE

Triggered when a certificate marked as hold is removed from the CRL or when
renewed Okta CA certificates marked as inactive are activated. You can use the
event to audit certificate lifecycle change. When an admin activates/unsuspends
a device, the certificate associated with the device is activated when used in
the next Okta Verify flow. Additionally when an admin or activation job
activates an inactive certificate it can then be used to issue client
certificates in SCEP.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.LIFECYCLE.DELETE

Triggered when a certificate is deleted as a result of an admin deleting the
binding device. You can use the event to audit certificate lifecycle change.
When triggered, the certificate no longer appears in the Admin Console.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.LIFECYCLE.HOLD

Triggered when a certificate is temporarily on hold and appears on CRL. You can
use the event to audit certificate lifecycle change. A certificate on hold can
be activated after it is removed from CRL.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.LIFECYCLE.REVOKE

Triggered when a certificate is revoked and appears on CRL. You can use the
event to audit certificate lifecycle change. Once revoked, a certificate cannot
be activated.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.LIFECYCLE.SUSPEND

Triggered when a certificate is suspended as a result of an admin deactivating
the binding device. You can use the event to audit certificate lifecycle change.
When triggered, the certificate cannot be used to send the management hint.

device-identity oie-only user
Since: 2021.09.1

PKI.CERT.RENEW

Triggered when a Device Trust certificate is renewed.

device-trust-cert-distribution-and-binding
Since: 2017.45

PKI.CERT.REVOKE

Device Trust certificate revocation.

device-trust-cert-distribution-and-binding
Since: 2017.45

PLUGIN.DOWNLOADED

Plugin downloaded.

plugin
Since: 2016.48

PLUGIN.SCRIPT_STATUS

Status information from script execution.

plugin
Since: 2016.48

POLICY.AUTH_REEVALUATE.ACTION

Invocation of a post auth session action. This event is triggered when Okta logs
a user out of their configured apps or runs a Workflow in response to an
authentication or global session policy violation.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2024.07.2

POLICY.AUTH_REEVALUATE.ENFORCE

Evaluation of a post auth session. This event is triggered when a post auth
session evaluation occurs.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2024.07.2

POLICY.AUTH_REEVALUATE.FAIL

Auth policy re-evaluation has occurred and has resulted in a policy violation.
Can be used to identify which user, apps, and session were involved in a policy
violation event. Event fired when continuing access evaluation results in
failure.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible policy security session
Since: 2023.09.0

POLICY.CONTINUOUS_ACCESS.ACTION

Deprecated: Continuous Access policy action invocation. Signal that an action
associated with a continuous access policy evaluation has been invoked. Event
fired when an action associated with a continuous access policy evaluation has
been invoked. See the event type policy.auth_reevaluate.action that replaces
this deprecated event.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2023.09.0

POLICY.CONTINUOUS_ACCESS.EVALUATE

Deprecated: Evaluation of Continuous Access Policy. Signal that continuous
access policy has been evaluated for a session which has failed CAE. Event fired
when continuous access policy has been evaluated for a session which has failed
CAE. See the event type policy.auth_reevaluate.enforce that replaces this
deprecated event.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2023.09.0

POLICY.ENTITY_RISK.ACTION

Entity Risk policy action invocation. Signal that an action associated with an
entity risk policy evaluation has been invoked. Event fired when an action
associated with an entity risk policy evaluation has been invoked.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2023.09.0

POLICY.ENTITY_RISK.EVALUATE

Evaluation of Entity Risk policy. Signal that entity risk policy has been
evaluated for an entity for which we have received a risk change event. Event
fired when entity risk policy has been evaluated for an entity for which a risk
change event was generated.

See also: Identity Threat Protection with Okta AI Event Types

policy security session
Since: 2023.09.0

POLICY.EVALUATE_SIGN_ON

Okta evaluated sign-on policies in order to determine if the user attempting to
access a resource meets the defined assurance criteria. Identifies the policy
rule evaluated during an authentication flow. This may be useful to confirm that
a policy rule has been configured as intended, or to identify why a user is
unable to access a resource such as an application. The possible outcomes of
this event are ALLOW (user is authenticated to access the resource), CHALLENGE
(additional verification is required for user to access the resource), and DENY
(user is denied from accessing the resource). For Okta Identity Engine (OIE), a
single policy.evaluate_sign_on event may include the evaluation result of Okta
global session policy and authentication policy. For Okta Classic Engine, the
evaluation result of Okta sign-on policy and app sign-on policy will be recorded
in individual policy.evaluate_sign_on events.

policy
Since: 2017.11

POLICY.EXECUTE.USER.START

Start execution of policy for user.

policy
Since: 2018.15

POLICY.LIFECYCLE.ACTIVATE

Activate policy.

event-hook-eligible policy
Since: 2016.14

POLICY.LIFECYCLE.CREATE

Create policy.

policy
Since: 2016.14

POLICY.LIFECYCLE.DEACTIVATE

Deactivate policy.

event-hook-eligible policy
Since: 2016.14

POLICY.LIFECYCLE.DELETE

Delete policy.

policy
Since: 2016.14

POLICY.LIFECYCLE.OVERWRITE

Overwrite policy.

policy
Since: 2017.45

POLICY.LIFECYCLE.UPDATE

Update policy.

event-hook-eligible policy changeDetails
Since: 2016.14

POLICY.MAPPING.CREATE

Create policy mapping. This event is used to audit when a policy is mapped to a
resource. This event is fired when a policy is mapped to a resource. The
isPreviousPolicy attribute within the Policy Targets' Details denotes whether or
not it was the previous or new policy being mapped.

policy
Since: 2021.12.0

POLICY.RULE.ACTION.EXECUTE

Scheduled execution of policy rule action.

policy
Since: 2018.15

POLICY.RULE.ACTIVATE

Activate policy rule.

event-hook-eligible policy
Since: 2016.14

POLICY.RULE.ADD

Add policy rule.

event-hook-eligible policy
Since: 2016.14

POLICY.RULE.DEACTIVATE

Deactivate policy rule.

event-hook-eligible policy
Since: 2016.14

POLICY.RULE.DELETE

Delete policy rule.

event-hook-eligible policy
Since: 2016.14

POLICY.RULE.INVALIDATE

Invalidate policy rule.

policy
Since: 2016.14

POLICY.RULE.UPDATE

Update policy rule.

event-hook-eligible policy
Since: 2016.14

POLICY.SCHEDULED.EXECUTE

Scheduled execution of policy.

policy
Since: 2018.15

SCHEDULED_ACTION.USER_SUSPENSION.CANCELED

Canceled scheduled user suspension.

uncategorized
Since: 2017.32

SCHEDULED_ACTION.USER_SUSPENSION.COMPLETED

Completed scheduled user suspension.

uncategorized
Since: 2017.32

SCHEDULED_ACTION.USER_SUSPENSION.SCHEDULED

Scheduled user suspension.

uncategorized
Since: 2017.32

SCHEDULED_ACTION.USER_SUSPENSION.UPDATED

Updated scheduled user suspension.

uncategorized
Since: 2017.32

SECURITY.ATTACK_PROTECTION.SETTINGS.UPDATE

Triggered when settings to protect against password-based attacks are updated.
Useful for monitoring potential intrusion if the change was not planned. Covered
features include Require possession factor before password during MFA and Block
suspicious password attempts from unknown devices.

mfa security changeDetails
Since: 2024.08.0

SECURITY.AUTHENTICATOR.LIFECYCLE.ACTIVATE

Fired when an admin activates an authenticator for the org. This event can be
used to identify who activated an authenticator and which authenticator was
activated. When fired, this event contains information about the authenticator
type that was activated and the actor who activated the authenticator.
Authenticator activation occurs when an authenticator is added. Related events
include security.authenticator.lifecycle.deactivate.

authenticator event-hook-eligible oie-only
Since: 2020.06.3

SECURITY.AUTHENTICATOR.LIFECYCLE.CREATE

Fired when an admin creates an authenticator for the org. This event can be used
to identify who created an authenticator and which authenticator was created.
The actor specifies the user that created the authenticator and the target
specifies the authenticator name and the id. This event could also contain some
authenticator specific information. Authenticator creation occurs when an
authenticator is added. Related events include
security.authenticator.lifecycle.update.

authenticator event-hook-eligible oie-only
Since: 2022.06.0

SECURITY.AUTHENTICATOR.LIFECYCLE.DEACTIVATE

Fired when an admin deactivates an authenticator for the org. This event can be
used to identify who deactivated an authenticator and which authenticator was
deactivated. When fired, this event contains information about the authenticator
type that was deactivated and the actor who deactivated the authenticator.
Authenticator deactivation occurs when an authenticator is removed. Related
events include security.authenticator.lifecycle.activate.

authenticator event-hook-eligible oie-only
Since: 2020.06.3

SECURITY.AUTHENTICATOR.LIFECYCLE.UPDATE

Fired when an admin updates an authenticator in the org. This event can be used
to identify who updated an authenticator and which authenticator was updated.
The actor specifies the user that updated the authenticator and the target
specifies the authenticator name and the ID. There may be a second target with
details of any authenticator method updates. This event could also contain
authenticator specific information. Authenticator update occurs when an
authenticator is edited. Related events include
security.authenticator.lifecycle.create.

authenticator event-hook-eligible oie-only
Since: 2022.06.0

SECURITY.BEHAVIOR.SETTINGS.CREATE

Behavior settings create. This can also be used to identify when a behavior
setting is created. When fired, this event contains information about a created
setting.

behavior-settings
Since: 2019.07.0

SECURITY.BEHAVIOR.SETTINGS.DELETE

Behavior settings delete. This can also be used to identify when a behavior
setting has been deleted. When fired, this event contains information about a
deleted setting.

behavior-settings
Since: 2019.07.0

SECURITY.BEHAVIOR.SETTINGS.UPDATE

Behavior settings update. This can also be used to identify when a behavior
setting has been changed. When fired, this event contains information about an
updated setting.

behavior-settings
Since: 2019.07.0

SECURITY.BREACHED_CREDENTIAL.DETECTED

A credential, such as a password, which is associated with a known breach was
used during an authentication flow. Used to identify users for whom credential
rotation or other risk mitigation is necessary. The actor is the user with the
breached credential. For Identity Engine, a target will indicate the specific
credential associated with the breach. The outcome for this event will always be
SUCCESS with a severity level of WARN. If breached credential protection is
enabled, a user.session.clear will also be fired. These two events can be
correlated by the Request ID.

account event-hook-eligible security user
Since: 2024.04.2

SECURITY.DEVICE.ADD_REQUEST_BLACKLIST_POLICY

Added request blacklist to request blacklist policies.

device security
Since: 2018.08

SECURITY.DEVICE.REMOVE_REQUEST_BLACKLIST_POLICY

Removed request blacklist from request blacklist policies.

device security
Since: 2018.08

SECURITY.DEVICE.TEMPORARILY_DISABLE_BLACKLISTING

Temporarily disabling blacklisting.

device security
Since: 2018.05

SECURITY.EVENTS.PROVIDER.ACTIVATE

Activate a security events provider. Appears when an authorized security events
provider, such as the Shared Signals Framework (SSF) transmitter, is
activated. This event helps admins troubleshoot issues with the delivery of
security events to Okta. When fired, this event contains information about the
activated security events provider.

security
Since: 2024.08.0

SECURITY.EVENTS.PROVIDER.CREATE

Create a security events provider. Appears when an authorized security events
provider, such as the Shared Signals Framework (SSF) transmitter, is
created. This event helps admins troubleshoot issues with the delivery of
security events to Okta. When fired, this event contains information about the
created security events provider.

security
Since: 2024.08.0

SECURITY.EVENTS.PROVIDER.DEACTIVATE

Deactivate a security events provider. Appears when an authorized security
events provider, such as the Shared Signals Framework (SSF) transmitter, is
deactivated. This event helps admins troubleshoot issues with the delivery of
security events to Okta. When fired, this event contains information about the
deactivated security events provider.

security
Since: 2024.08.0

SECURITY.EVENTS.PROVIDER.DELETE

Delete a security events provider. Appears when an authorized security events
provider, such as the Shared Signals Framework (SSF) transmitter, is
deleted. This event helps admins troubleshoot issues with the delivery of
security events to Okta. When fired, this event contains information about the
deleted security events provider.

security
Since: 2024.08.0

SECURITY.EVENTS.PROVIDER.RECEIVE_EVENT

Appears when a security events provider submits a valid event for each known
detection. The event helps admins debug or monitor SSF provider submissions. The
event contains debug context data about the provider's risk report.

See also: Identity Threat Protection with Okta AI Event Types


Since: 2022.10.0

SECURITY.EVENTS.PROVIDER.UPDATE

Update a security events provider. Appears when an update is made to an
authorized security events provider, such as the Shared Signals Framework (SSF)
transmitter. This event helps admins troubleshoot issues with the delivery of
security events to Okta. When fired, this event contains information about the
updated security events provider.

security
Since: 2024.08.0

SECURITY.EVENTS.TRANSMITTER.CREATE

Create security events transmitter. Appears when a specific security events
transmitter, such as the Shared Signals Framework (SSF) transmitter, is created.
This event helps admins troubleshoot issues with event delivery to security
event receivers. This event contains configuration details of the created
security events transmitter.

security
Since: 2024.08.0

SECURITY.EVENTS.TRANSMITTER.DELETE

Delete security events transmitter. Appears when a specific security events
transmitter, such as the Shared Signals Framework (SSF) transmitter, is deleted.
This event helps admins troubleshoot issues with event delivery to security
events receivers. This event contains configuration details of the deleted
security events transmitter.

security
Since: 2024.08.0

SECURITY.EVENTS.TRANSMITTER.UPDATE

Update security events transmitter. Appears when there is an update to a
specific security events transmitter, such as the Shared Signals Framework (SSF)
transmitter. This event helps admins troubleshoot issues with event delivery to
security events receivers. This event contains configuration details of the
updated security events transmitter.

security
Since: 2024.08.0

SECURITY.REQUEST.BLOCKED

Security request blocked.

security
Since: 2018.32

SECURITY.SESSION.DETECT_CLIENT_ROAMING

Roaming session detected for user.

security session
Since: 2017.28

SECURITY.THREAT.CONFIGURATION.UPDATE

Fired when a ThreatInsight configuration has been updated. This can be used to
identify when an existing ThreatInsight configuration has been updated. An
update can be updating the action or the excluded zones. When fired, this event
contains information about who made the update to the configuration.

threat-insight-configuration
Since: 2019.07.0

SECURITY.THREAT.DETECTED

Request from an IP identified as malicious by Okta ThreatInsight. This can be
used to monitor and act on credential based attacks (such as Brute Force,
Password Spray) on your organization. The reasons why the request was classified
as malicious can be found in the outcome.reason field. The outcome.result field
will be 'ALLOW', 'DENY' or 'RATE_LIMIT' based on whether Okta Threat Insight is
configured in log mode or log and enforce mode, where 'ALLOW' means the request
continued, 'DENY' means the request was blocked and 'RATE_LIMIT' means we
protected your org from exceeding your rate limit by not allowing suspicious
activity to count towards your rate limit.

security threat-insight
Since: 2019.02.2

SECURITY.TRUSTED_ORIGIN.ACTIVATE

A trusted origin is activated. When an event is emitted upon the activation of a
trusted origin, customers can monitor these events and take remedial action.
Event is triggered when a trusted origin is activated.

event-hook-eligible trusted-origins changeDetails
Since: 2024.05.0

SECURITY.TRUSTED_ORIGIN.CREATE

A trusted origin is created. When an event is emitted upon the creation of a
trusted origin, customers can monitor these events and take remedial action.
Event is triggered when a trusted origin is created.

event-hook-eligible trusted-origins
Since: 2024.05.0

SECURITY.TRUSTED_ORIGIN.DEACTIVATE

A trusted origin is deactivated. When an event is emitted upon the deactivation
of a trusted origin, customers can monitor these events and take remedial
action. Event is triggered when a trusted origin is deactivated.

event-hook-eligible trusted-origins changeDetails
Since: 2024.05.0

SECURITY.TRUSTED_ORIGIN.DELETE

A trusted origin is deleted. When an event is emitted upon the deletion of a
trusted origin, customers can monitor these events and take remedial action.
Event is triggered when a trusted origin is deleted.

event-hook-eligible trusted-origins
Since: 2024.05.0

SECURITY.TRUSTED_ORIGIN.UPDATE

A trusted origin is updated. When an event is emitted upon the modification of a
trusted origin, customers can monitor these events and take remedial action.
Event is triggered when a trusted origin is updated.

event-hook-eligible trusted-origins
Since: 2024.05.0

SECURITY.VOICE.ADD_COUNTRY_BLACKLIST

Fired when a country has been added to the voice call blacklist. This can be
used to identify when a country has been blacklisted for voice call. When fired,
this event contains information about the country that was added to the
blacklist. Related events include security.voice.remove_country_blacklist.

security voice
Since: 2019.03.3

SECURITY.VOICE.REMOVE_COUNTRY_BLACKLIST

Fired when a country has been removed from the voice call blacklist. This can be
used to identify when a country has been removed from the voice call blacklist.
When fired, this event contains information about the country that was removed
from the blacklist. Related events include security.voice.add_country_blacklist.

security voice
Since: 2019.03.3

SECURITY.ZONE.MAKE_BLACKLIST

Added IPs to blacklist zone.

network-zone security
Since: 2017.06

SECURITY.ZONE.REMOVE_BLACKLIST

Removed IPs from blacklist zone.

network-zone security
Since: 2017.06

SELF_SERVICE.DISABLED

Self-service disabled for app.

self-service
Since: 2017.48

SELF_SERVICE.ENABLED

Self-service enabled for app.

self-service
Since: 2017.48

SUPPORT.ORG.UPDATE

Okta has updated the configuration or data within the Org. This can be used to
identify modifications to an Org which are the result of an action by an Okta
staff member. Such actions are typically taken in response to a customer
request, such as request to enable an Early Access feature. In some cases, these
actions may be the result of a review initiated by Okta, such as a review in
response to a production service alert. See the supportAction object within the
debugContext.debugData object for more information about the type of update.

support-audit
Since: 2022.06.2

SUPPORT.ORG.VIEW

Okta has viewed a page which contains customer data. This can be used to
identify an action taken by an Okta staff member in the support tool which
resulted in a view of customer data. Such actions are typically taken in
response to a customer request, such as in the process of investigating an issue
raised through a support case. In some cases, these actions may be the result of
a review initiated by Okta, such as a review in response to a production service
alert. See the supportAction object within the debugContext.debugData object
for more information about the type of update.

support-audit
Since: 2022.06.2

SYSTEM.AGENT.AD.CONFIG_CHANGE_DETECTED

A monitored variable in an AD agent configuration file has changed. This can be
used to audit that a customer's AD agent configuration file has changed. This
event occurs when a monitored variable in an AD agent configuration file has
changed.

ad-agent changeDetails
Since: 2024.09.0

SYSTEM.AGENT.AD.CONNECT

Connect AD agent to Okta.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.CREATE

Create AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.DEACTIVATE

Deactivate AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.DELETE

Delete AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.IMPORT_OU

Perform import OU by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.IMPORT_USER

Perform import user by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.INVOKE_DIR

Perform directory invoke command by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.REACTIVATE

Reactivate AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.READ_CONFIG

Perform config read by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.READ_DIRSYNC

Perform dirsync read by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.READ_LDAP

Perform LDAP read by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.READ_SCHEMA

Perform schema read by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.READ_TOPOLOGY

Directory agent performed topology import operation.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.REALTIMESYNC

Perform RealTimeSync by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.RESET_USER_PASSWORD

Perform user password reset by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.START

Start AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.UNLOCK_USER_ACCOUNT

Perform unlock user account by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.UPDATE

Update AD agent configuration.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.UPDATE_USER

User Auth and Update.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.UPGRADE

Upgrade AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.UPLOAD_IWA_LOG

Fired when an AD agent has fetched and uploaded IWA agent log file. This event
fires when the log file upload is successful or fails. This can be used to audit
that log files are being fetched successfully, have been uploaded successfully,
and troubleshoot why an IWA log upload has failed. When fired, this event
indicates whether a log file upload has been successful or failed. This event
also indicates whether the event was initiated by the Okta system or a user.
Related events: none, all debugging context is included in this event.

ad-agent
Since: 2019.02.1

SYSTEM.AGENT.AD.UPLOAD_LOG

Upload AD agent log.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AD.WRITE_LDAP

Perform LDAP write by AD agent.

ad-agent
Since: 2016.20

SYSTEM.AGENT.AUTO_UPDATE

Fired when an individual agent auto-update succeeds or fails. Confirms a
successful agent auto-update, or provides troubleshooting information when the
agent auto-update is unsuccessful. Indicates when an agent auto-update is
successful or unsuccessful.

ad-agent agent-pool
Since: 2021.10.0

SYSTEM.AGENT.CONNECTOR.CONNECT

Connect connector agent to Okta.

connector-agent
Since: 2016.20

SYSTEM.AGENT.CONNECTOR.DEACTIVATE

Deactivate connector agent.

connector-agent
Since: 2016.20

SYSTEM.AGENT.CONNECTOR.DELETE

Delete connector agent.

connector-agent
Since: 2016.20

SYSTEM.AGENT.CONNECTOR.REACTIVATE

Reactivate connector agent.

connector-agent
Since: 2016.20

SYSTEM.AGENT.LDAP.CHANGE_USER_PASSWORD

Perform change user password by LDAP agent.

ldap-app
Since: 2016.20

SYSTEM.AGENT.LDAP.CREATE_USER_JIT

Perform create user JIT by LDAP agent.

ldap-app
Since: 2016.20

SYSTEM.AGENT.LDAP.DISCONNECT

Disconnect LDAP agent from Okta.

ldap-app
Since: 2016.20

SYSTEM.AGENT.LDAP.REALTIMESYNC

Fired when LDAP Delegated Authentication is used to sign in and a user profile
is updated using RealTimeSync action. Can be used by admins to identify user
profile changes resulting from corresponding changes in the LDAP directory. The
previous name for this event was system.agent.ad.realtimesync.

ldap-app
Since: 2022.02.0

SYSTEM.AGENT.LDAP.RECONNECT

Reconnect LDAP agent to Okta.

ldap-app
Since: 2016.20

SYSTEM.AGENT.LDAP.RESET_USER_PASSWORD

LDAP agent performed a password reset.

ldap-app
Since: 2016.20

SYSTEM.AGENT.LDAP.UNLOCK_USER_ACCOUNT

LDAP agent performed account unlock for User.

ldap-app
Since: 2016.45

SYSTEM.AGENT.LDAP.UPDATE_USER

Fired when LDAP Delegated Authentication is used to sign in and a user profile
is updated. Can be used by admins to identify user profile changes resulting
from corresponding changes in the LDAP directory. The previous name for this
event was system.agent.ad.update_user.

ldap-app
Since: 2021.10.0

SYSTEM.AGENT.LDAP.UPDATE_USER_PASSWORD

Perform update user password by LDAP agent.

ldap-app
Since: 2016.20

SYSTEM.AGENT.REGISTER

Agent was registered. This event indicates that an agent (such as Okta
Provisioning Agent, Okta RSA SecurID Agent, and so on) has been successfully
registered with the Okta org. This also provides a signal to all admins of the
Okta org that a new agent was registered, which improves the overall security
posture. This event can be used to track the deployment and integration of Okta
agents across an org's infrastructure. This information can be useful for
security audits, compliance reporting, and managing the overall Okta ecosystem.

agent
Since: 2024.07.2

SYSTEM.AGENT_POOLS.AUTO_UPDATE

Fired when the status of an agent pool auto-update is changed. Confirms an agent
pool auto-update status change and provides troubleshooting information.
Indicates when the status of an agent pool auto-update is changed.

ad-agent agent-pool
Since: 2021.10.0

SYSTEM.API_TOKEN.CREATE

Create API token. This event occurs when a new unscoped API token is generated
within the system. The unscoped API token grants authenticated access to the
system's API for automated tasks or integration purposes. Event log details
include the token ID, the user or service it was created for, and the time of
creation. This information helps maintain a secure API access framework by
allowing administrators to track token issuance. Administrators can also enforce
least privilege access and promptly identify any unauthorized token creation.

event-hook-eligible token
Since: 2016.12

SYSTEM.API_TOKEN.ENABLE

Enable API token.

token
Since: 2016.12

SYSTEM.API_TOKEN.REVOKE

Revoke API token.

event-hook-eligible token
Since: 2016.12

SYSTEM.API_TOKEN.UPDATE

An API token has been updated. This event can be used to identify a change to an
existing API token, such as a change to the applicable rate limits for the
token. Details of the change can be found in the debugData. This event does not
change whether the token is valid for use; for actions that impact validity, see
system.api_token.enable and system.api_token.revoke.

token
Since: 2022.07.0

SYSTEM.BETA.FEATURE.ENABLE

Fired when an admin has enabled a BETA feature. This can be used to understand
the status of the BETA Feature and identify who has enabled it for an org. When
fired, this event contains information about the enabled BETA Feature, as well
as the admin who enabled it.

admin self-service-feature-management system
Since: 2019.07.1

SYSTEM.BILLING.SMS_USAGE_SENT

Indicates that a report for SMS usage was sent to the billing system.

admin billing
Since: 2018.36

SYSTEM.BRAND.CREATE

This event is fired when the brand resource is created. Developer and org admins
can use this event to identify when the brand resource was created. The event
contains information about the created brand.

admin
Since: 2023.01.0

SYSTEM.BRAND.DELETE

This event is fired when a brand resource is deleted. Developer and org admins
can use this event to identify when a brand resource was deleted. The event
contains information about a deleted brand.

admin
Since: 2023.01.0

SYSTEM.BRAND.UPDATE

This event is fired when the brand resource is updated. Developer and org admins
can use this event to identify when the brand resource was updated. The event
contains information regarding specific updates made to the brand, such as
"customPrivacyPolicyUrl".

admin
Since: 2021.08.0

SYSTEM.CAPTCHA.CREATE

A captcha instance is created for the Sign-in Widget. Indicates when a captcha
instance was created. This event is fired when an org admin creates a captcha
instance.

captcha system
Since: 2021.05.1

SYSTEM.CAPTCHA.DELETE

A captcha instance is deleted. Indicates when a captcha instance was deleted.
This event is fired when an org admin deletes a captcha instance.

captcha system
Since: 2021.05.1

SYSTEM.CAPTCHA.UPDATE

A captcha instance is updated. Indicates when a captcha instance was updated.
This event is fired when an org admin updates a captcha instance.

captcha system
Since: 2021.05.1

SYSTEM.CLIENT.CONCURRENCY_RATE_LIMIT.NOTIFICATION

Notify when too many requests are in flight for a client. This can be used to
notify whenever there are too many concurrent requests from a client without
enforcing any violation. When fired, this event contains information about the
request such as client, device and IP details.

system
Since: 2020.09.4

SYSTEM.CLIENT.CONCURRENCY_RATE_LIMIT.VIOLATION

Too many requests in flight for client. This can be used to track if there are
too many concurrent requests from a client. When fired, this event contains
information about the request such as client, device and IP details.

system
Since: 2020.06.1

SYSTEM.CLIENT.RATE_LIMIT.NOTIFICATION

Notify when client rate limits are exceeded. This can be used to notify whenever
a client is exceeding its rate limit without enforcing any violation. When
fired, this event contains information about the request such as client, device
and IP details.

system
Since: 2020.09.4

SYSTEM.CLIENT.RATE_LIMIT.VIOLATION

Client rate limit violation. This can be used to track if a client is exceeding
its rate limit. When fired, this event contains information about the request
such as client, device and IP details.

system
Since: 2020.06.1

SYSTEM.CSV.IMPORT_USER

Import of user from CSV is skipped. Informs when import of a user from CSV has
been skipped due to reasons such as missing required attributes or unknown
unique identifier. This event is logged when import of a user is skipped during
CSV directory import workflow for on-premises systems using Okta provisioning
agent.

system
Since: 2018.28

SYSTEM.CUSTOM_ERROR.DELETE

Custom error page is deleted. Can be used to identify when an admin has deleted
the custom error page. Event fired when the custom error page is deleted.

admin
Since: 2023.01.0

SYSTEM.CUSTOM_ERROR.UPDATE

Custom error page is updated. Can be used to identify when an admin has
customized the error page. Event fired when the error page is successfully
updated.

admin
Since: 2020.12.0

SYSTEM.CUSTOM_SIGNIN.DELETE

Custom sign-in page is deleted. Can be used to identify when an admin has
deleted the custom sign-in page. Event fired when custom sign-in page is
deleted.

admin
Since: 2023.01.0

SYSTEM.CUSTOM_SIGNIN.UPDATE

Custom sign-in page is updated. Can be used to identify when an admin has
customized the sign-in page. Event fired when custom sign-in page is updated.

admin
Since: 2020.12.0

SYSTEM.CUSTOM_SIGNOUT.UPDATE

Custom sign-out page is updated. Admin has updated the custom sign-out page.
Event fired when custom sign-out page is updated.

admin
Since: 2023.01.0

SYSTEM.CUSTOM_URL_DOMAIN.CERT_RENEW

Okta-managed certificates for a custom domain are renewed. Can be used to
identify when the Okta-managed certificate renewal batch job has renewed
certificates for a custom domain. When fired, the event contains information
about the domain name and certificate source type.

system
Since: 2021.11.0

SYSTEM.CUSTOM_URL_DOMAIN.CERT_UPLOAD

Custom domain certificates are uploaded by an admin or generated by Okta. Can be
used to identify when custom domain certificates are uploaded by an admin or
generated by Okta. When fired, the event contains information about the domain
name and certificate source type.

admin system
Since: 2020.12.0

SYSTEM.CUSTOM_URL_DOMAIN.DELETE

Custom domain is deleted. Can be used to identify when an admin has deleted
their custom domain. When fired, the event contains information about the domain
name that was deleted.

admin
Since: 2021.11.0

SYSTEM.CUSTOM_URL_DOMAIN.INITIATE

Custom domain setup is initiated. Admin has initiated custom domain setup by
inputting their custom domain for DNS verification. When fired, the event
contains information about the domain name, certificate source type and domain
validation status.

admin
Since: 2020.12.0

SYSTEM.CUSTOM_URL_DOMAIN.UPDATE

Custom domain brand association is updated. Admin has updated the custom domain
association with the brand. When fired, the event contains the domain name,
certificate source type, domain validation status and information about the
brand it is associated with.

admin
Since: 2023.01.0

SYSTEM.CUSTOM_URL_DOMAIN.VERIFY

Verify custom domain ownership. Identifies whether an admin has succeeded or
failed to verify the ownership of the domain name. When fired, the event
contains information about the domain name, certificate source type and domain
validation status.

admin
Since: 2020.12.0

SYSTEM.DIRECTORY.DEBUGGER.EXTEND

Extend Directory Debugger access for Okta support. This can be used to audit the
Directory Debugger access extension. When fired, this event contains information
about Directory Debugger access extension.

agent
Since: 2019.09.0

SYSTEM.DIRECTORY.DEBUGGER.GRANT

Grant Directory Debugger access for Okta support. This can be used to audit the
Directory Debugger access grants to Okta support. When fired, this event
contains information about Directory Debugger access grant.

agent
Since: 2019.09.0

SYSTEM.DIRECTORY.DEBUGGER.QUERY_EXECUTED

A read-only query executed against AD/LDAP instance by Okta support using the
Directory Debugger tool. This can be used to audit the queries executed by Okta
support using Directory Debugger. When fired, this event contains information
about Directory Debugger query.

agent
Since: 2019.09.0

SYSTEM.DIRECTORY.DEBUGGER.REVOKE

Revoke Directory Debugger access for Okta support. This can be used to audit the
Directory Debugger access revoke. When fired, this event contains information
about Directory Debugger access revoke.

agent
Since: 2019.09.0

SYSTEM.DR.FAILBACK

The Enhanced Disaster Recovery (EDR) failback operation for the org domains was
initiated. Triggered when the Enhanced Disaster Recovery (EDR) failback
operation for the org domains was initiated. This event is fired when the
Enhanced Disaster Recovery (EDR) failback operation for the org domains was
initiated. If failback is successful, the outcome for this event will be
SUCCESS. If failback is not successful, the outcome for this event will be
FAILURE.

dr
Since: 2024.09.0

SYSTEM.DR.FAILOVER

The Enhanced Disaster Recovery (EDR) failover operation for the org domains was
initiated. Triggered when the Enhanced Disaster Recovery (EDR) failover
operation for the org domains was initiated. This event is fired when the
Enhanced Disaster Recovery (EDR) failover operation for the org domains was
initiated. If failover is successful, the outcome for this event will be
SUCCESS. If failover is not successful, the outcome for this event will be
FAILURE.

dr
Since: 2024.09.0

SYSTEM.EMAIL.ACCOUNT_UNLOCK.SENT_MESSAGE

Send self-service account unlock email.

email
Since: 2016.13

SYSTEM.EMAIL.CHALLENGE_FACTOR_REDEEMED

This event indicates that a user completed an email factor challenge. This can
be used to identify when a credential sent in an email to a user has been
redeemed (the link was clicked or the code was entered). When fired, this event
contains information about the result. Success if successful or error reasons
should be present for failure cases (e.g. incorrect code, timeout, expired,
etc.). The event also contains a debugData with the action (the link was clicked
or the code was entered).

email
Since: 2019.07.0

SYSTEM.EMAIL.DELIVERY

An email's delivery status was updated. Used to notify admins of a bounced or
dropped email. For certain bounce events, the context information may be lost by
the email provider(s) due to email server communication delays. Such delayed
bounce events will not appear in syslog. As of the 2022.08.0 release, this is
also used to identify other email events e.g. delivered, deferred. See the event
debugData for help identifying a remediation, such as updating an incorrect
email address.

email event-hook-eligible
Since: 2022.05.0

SYSTEM.EMAIL.MFA_ENROLL_NOTIFICATION.SENT_MESSAGE

MFA enrollment notification email sent. Used to notify admins MFA enrollment
notification email has been sent.

email
Since: 2019.01.1

SYSTEM.EMAIL.MFA_RESET_NOTIFICATION.SENT_MESSAGE

MFA reset notification email sent. Used to notify admins MFA reset notification
email has been sent.

email
Since: 2019.01.1

SYSTEM.EMAIL.NEW_DEVICE_NOTIFICATION.SENT_MESSAGE

New device sign-in notification email sent.

email
Since: 2016.13

SYSTEM.EMAIL.PASSWORD_RESET.SENT_MESSAGE

Send self-service password reset email.

email
Since: 2016.13

SYSTEM.EMAIL.SEND_FACTOR_VERIFY_MESSAGE

An email was sent to a user for verification. Used to notify admins that an
email was sent to a user for verification. When fired, this event contains
information about the token lifetime in the debugData.

email
Since: 2019.07.0

SYSTEM.EMAIL.TEMPLATE.CREATE

This event is fired when a custom email template is created. Developers and Org
Admins can use this to identify when a default email template has been
overridden with a new template. The event details can be used to identify the
template type and template engine. Usually this event will precede
"system.email.template.update" or "system.email.template.delete" events.

admin email
Since: 2021.07.0

SYSTEM.EMAIL.TEMPLATE.DELETE

This event is fired when a custom email template is deleted. Developers and Org
Admins can use this to identify when a custom email template has been deleted to
fall back to default template. The event details can be used to identify the
template type and template engine. Usually this event will follow
"system.email.template.create" or "system.email.template.update" events.

admin email
Since: 2021.07.0

SYSTEM.EMAIL.TEMPLATE.SETTINGS_CHANGED

This event is fired when the settings for an email template are changed.
Developers and Org Admins can use this to identify when an email template
setting has been changed. When fired, this event contains information about the
email template and settings that were changed.

admin email
Since: 2022.05.0

SYSTEM.EMAIL.TEMPLATE.UPDATE

This event is fired when a custom email template has been updated. Developers
and Org Admins can use this to identify when a custom email template has been
updated. The event details can be used to identify the template type and
template engine. Usually this event will follow "system.email.template.create"
and precede "system.email.template.delete" events.

admin email
Since: 2020.03.0

SYSTEM.EMAIL_DOMAIN.CREATE

Email domain is created. Admin has initiated email domain setup by inputting
their domain details for DNS verification. When fired, the event contains
information about the domain name, display name, user name, brand id and
validation status.

admin
Since: 2023.01.0

SYSTEM.EMAIL_DOMAIN.DELETE

Email domain is deleted. Can be used to identify when an admin has deleted their
email domain. When fired, the event contains information about the email domain
that was deleted.

admin
Since: 2023.01.0

SYSTEM.EMAIL_DOMAIN.UPDATE

Email domain is updated. Admin has updated the email domain. When fired, the
event contains information about the email domain that was updated.

admin
Since: 2023.01.0

SYSTEM.EMAIL_DOMAIN.VERIFY

Verify email domain. Identifies whether an admin has succeeded or failed to
verify the email domain. When fired, the event contains information about the
email domain that is being verified.

admin
Since: 2023.01.0

SYSTEM.FEATURE.DISABLE

Fired when self service features are requested to be disabled by admins. Use to
determine who enabled the features and any limitations the features have. When
fired, this event contains information about the requested features, their names
and lifecycle state, the admin who made the change, and any possible limitations
associated with the features. Related events include 'system.feature.enable'.

admin self-service-feature-management system
Since: 2019.05.0

SYSTEM.FEATURE.EA_AUTO_ENROLL

Fired when an org has subscribed to or unsubscribed from EA Feature Auto Enroll.
This can be used to understand the status of EA Feature Auto Enroll subscription
and identify who has made changes to the subscription. When fired, this event
contains information about the status of EA Feature Auto enroll subscription, as
well as the admin who made any subscription changes.

admin self-service-feature-management system
Since: 2019.03.1

SYSTEM.FEATURE.ENABLE

Fired when self service features are requested to be enabled by admins. Use to
determine who enabled the features and any limitations the features have. When
fired, this event contains information about the requested features, their names
and lifecycle state, the admin who made the change, and any possible limitations
associated with the features. Related events include 'system.feature.disable'.

admin self-service-feature-management system
Since: 2019.05.0

SYSTEM.HOOK.KEY.CREATED

Create a new hook key. This event can be used to identify when an admin created
a new hook key. When triggered, this event contains information about the
created hook key.

hook-key
Since: 2022.10.2

SYSTEM.HOOK.KEY.DELETED

Delete a hook key. This event can be used to identify when an admin deleted a
hook key. When triggered, this event contains information about the deleted
hook key.

hook-key
Since: 2022.10.2

SYSTEM.HOOK.KEY.UPDATED

Update a hook key. This event can be used to identify when an admin updated a
hook key. When triggered, this event contains information about the updated
hook key.

hook-key
Since: 2022.10.2

SYSTEM.IDENTITY_SOURCES.BULK_DELETE

Upload bulk delete data. Loads bulk data into an Identity Source Session for
deactivation in Okta for an identity source. This event can be used to track the
deactivations of user profiles in Okta from the custom identity source.

identity-sources
Since: 2024.08.0

SYSTEM.IDENTITY_SOURCES.BULK_UPSERT

Upload bulk upsert data. Loads bulk data into an Identity Source Session for
inserting or updating user profiles in Okta for an identity source. This event
can be used to track the insertions and updates of Okta user profiles from the
custom identity source.

identity-sources
Since: 2024.08.0

SYSTEM.IDP.KEY.CREATE

Fired when a new Identity provider key credential is created. This can be used
to audit that a new identity provider key credential has been created. When
fired, this event indicates a new X.509 certificate credential is added to the
IdP key store.

event-hook-eligible idp
Since: 2023.12.2

SYSTEM.IDP.KEY.DELETE

Fired when an Identity provider key credential is deleted. This can be used to
audit that an identity provider key credential has been deleted. When fired,
this event indicates an X.509 certificate credential by kid is deleted if it
isn't currently being used by an active or inactive IdP.

event-hook-eligible idp
Since: 2023.12.2

SYSTEM.IDP.KEY.UPDATE

Fired when an Identity provider key credential is updated. This can be used to
audit that an identity provider key credential has been updated. When fired,
this event indicates an X.509 certificate credential is updated in the IdP key
store.

event-hook-eligible idp
Since: 2023.12.2

SYSTEM.IDP.LIFECYCLE.ACTIVATE

Fired when an Identity provider is activated. This can be used to audit that an
identity provider has been activated. When fired, this event indicates an
Identity provider was activated. This event also indicates the type of the
identity provider that was activated.

event-hook-eligible idp
Since: 2020.09.1

SYSTEM.IDP.LIFECYCLE.CREATE

Fired when a new Identity provider is created. This can be used to audit that a
new identity provider has been created. When fired, this event indicates an
Identity provider was successfully created. This event also indicates the type
of the identity provider that was created.

event-hook-eligible idp
Since: 2020.09.1

SYSTEM.IDP.LIFECYCLE.DEACTIVATE

Fired when an Identity provider is deactivated. This can be used to audit that
an identity provider has been deactivated. When fired, this event indicates an
Identity provider has been deactivated. This event also indicates the type of
the identity provider that was deactivated.

event-hook-eligible idp
Since: 2020.09.1

SYSTEM.IDP.LIFECYCLE.DELETE

Fired when an Identity provider is deleted. This can be used to audit that an
identity provider has been deleted. When fired, this event indicates an Identity
provider was deleted. This event also indicates the type of the identity
provider that was deleted.

event-hook-eligible idp
Since: 2020.09.1

SYSTEM.IDP.LIFECYCLE.READ_CLIENT_SECRET

Fired when Identity provider(s) with a client secret is read. This can be used
to audit that identity provider(s) with a client secret has been read. When
fired, this event indicates one or more Identity providers with a client secret
was read.

event-hook-eligible idp
Since: 2020.12.2

SYSTEM.IDP.LIFECYCLE.UPDATE

Fired when an Identity provider is updated. This can be used to audit that an
identity provider configuration has been updated. When fired, this event
indicates an Identity provider configuration was updated. This event also
indicates the type of the identity provider that was updated.

event-hook-eligible idp changeDetails
Since: 2020.09.1

SYSTEM.IMPORT.CLEAR.UNCONFIRMED.USERS.SUMMARY

Clear Unconfirmed Imported Users. Can be used for clearing unconfirmed imported
users from the last import result. Note that a single event is fired for clearing
unconfirmed imported users instead of firing a delete event for each user.

app
Since: 2019.01.1

SYSTEM.IMPORT.COMPLETE

Import process complete.

event-hook-eligible import system
Since: 2016.14

SYSTEM.IMPORT.COMPLETE_BATCH

Batch import process complete.

import system
Since: 2016.14

SYSTEM.IMPORT.CUSTOM_OBJECT.COMPLETE

Import of custom objects completed.

import system
Since: 2016.14

SYSTEM.IMPORT.CUSTOM_OBJECT.CREATE

Create custom object triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.CUSTOM_OBJECT.DELETE

Delete custom object triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.CUSTOM_OBJECT.UPDATE

Update custom object triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.DOWNLOAD.COMPLETE

Fired at the completion of the download objects phase, when the objects (users,
groups, devices) to be imported have been downloaded from the system of record.
This can be used to determine the progress of an import, as well as to monitor
to trigger processes that should run concurrently with the import. Fired at the
completion of the download objects phase, when the objects (users, groups,
devices) to be imported have been downloaded from the system of record.

import system
Since: 2020.01.0

SYSTEM.IMPORT.DOWNLOAD.START

Fired at the start of the download objects phase, when the objects (users,
groups, devices) to be imported are being downloaded from the system of record.
This can be used to determine when an import has started, as well as to monitor
to trigger processes that should run concurrently with the import. Fired at the
start of the download objects phase, when the objects (users, groups, devices)
to be imported are being downloaded from the system of record.

import system
Since: 2020.01.0

SYSTEM.IMPORT.GROUP.COMPLETE

Import of groups completed.

import system
Since: 2016.14

SYSTEM.IMPORT.GROUP.CREATE

Create group triggered by import process.

event-hook-eligible import system
Since: 2016.14

SYSTEM.IMPORT.GROUP.DELETE

Remove group triggered by import process.

event-hook-eligible import system
Since: 2016.14

SYSTEM.IMPORT.GROUP.START

Start importing groups from refreshing AppGroups.

import system
Since: 2016.14

SYSTEM.IMPORT.GROUP.UPDATE

Update group triggered from import process.

import system
Since: 2016.14

SYSTEM.IMPORT.GROUP_MEMBERSHIP.COMPLETE

Import of application group members completed.

import system
Since: 2016.14

SYSTEM.IMPORT.IMPLICIT_DELETION.COMPLETE

Fired upon completion of the implicit deletion phase, when Okta checks for the
deletion of users, groups, and custom objects. This can be used to determine the
progress of an import, as well as to monitor to trigger processes that should
run concurrently with the import. Fired upon completion of the implicit deletion
phase, when Okta checks for the deletion of users, groups, and custom objects.

import system
Since: 2020.01.0

SYSTEM.IMPORT.IMPLICIT_DELETION.START

Fired at the start of the implicit deletion phase, when Okta checks for the
deletion of users, groups, and custom objects. This can be used to determine the
progress of an import, as well as to monitor to trigger processes that should
run concurrently with the import. Fired at the start of the implicit deletion
phase, when Okta checks for the deletion of users, groups, and custom objects.

import system
Since: 2020.01.0

SYSTEM.IMPORT.IMPORT_PROFILE

Import user profile triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.IMPORT_PROVISIONING_INFO

Import provisioning info triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.MEMBERSHIP_PROCESSING.COMPLETE

Fired upon completion of the membership processing phase, when Okta checks which
groups users being imported into Okta should be added to/removed from. This can
be used to determine the progress of an import, as well as to monitor to trigger
processes that should run concurrently with the import. Fired upon completion of
the membership processing phase, when Okta checks which groups users being
imported into Okta should be added to/removed from.

import system
Since: 2020.01.0

SYSTEM.IMPORT.MEMBERSHIP_PROCESSING.START

Fired at the start of the membership processing phase, when Okta checks which
groups users being imported into Okta should be added to/removed from. This can
be used to determine the progress of an import, as well as to monitor to trigger
processes that should run concurrently with the import. Fired at the start of
the membership processing phase, when Okta checks which groups users being
imported into Okta should be added to/removed from.

import system
Since: 2020.01.0

SYSTEM.IMPORT.OBJECT_CREATION.COMPLETE

Fired upon completion of the object creation phase, when the first batch of
objects is created/updated. This can be used to determine the progress of an
import, as well as to monitor to trigger processes that should run concurrently
with the import. Fired upon completion of the object creation phase, when the
first batch of objects is created/updated.

import system
Since: 2020.01.0

SYSTEM.IMPORT.OBJECT_CREATION.START

Fired at the completion of the download objects phase, when the objects (users,
groups, devices) to be imported have been downloaded from the system of record.
This can be used to determine the progress of an import, as well as to monitor
to trigger processes that should run concurrently with the import. Fired at the
completion of the download objects phase, when the objects (users, groups,
devices) to be imported have been downloaded from the system of record.

import system
Since: 2020.01.0

SYSTEM.IMPORT.ROADBLOCK

Import roadblock triggered due to exceeded threshold.

event-hook-eligible import system
Since: 2016.14

SYSTEM.IMPORT.ROADBLOCK.RESCHEDULE_AND_RESUME

The affected import from AppInstance has been rescheduled. All other imports
will resume.

import system
Since: 2017.19

SYSTEM.IMPORT.ROADBLOCK.RESUME

The affected import from AppInstance has been canceled. All other imports will
resume.

import system
Since: 2017.19

SYSTEM.IMPORT.ROADBLOCK.UPDATED

Fired when an import roadblock (aka, Import Safeguard) has been updated. This
event can be used to identify when an admin updated the Max Import Unassignment
roadblock setting, and what the setting was updated to. This event includes
details on what the roadblock was updated to and who made the change.

import system
Since: 2019.11.0

SYSTEM.IMPORT.SCHEDULE

Import process was scheduled. This event can be used to track when import jobs
were triggered, which helps with audit trails. This event may also be useful
when troubleshooting a failed import, as it indicates the time at which the
process was first triggered and the user or application that invoked the import.
Import is a multi-stage process which may import users, groups, and group
memberships. Each stage has corresponding events in the system log. For example
'system.import.user.start' indicates beginning of user import process.

app
Since: 2024.07.2

SYSTEM.IMPORT.SESSION.CANCELLED

Cancel an import session. This event can be used to identify when an admin
cancels an import session. This event includes details about when the import
session was canceled.

import system
Since: 2022.10.0

SYSTEM.IMPORT.SESSION.CREATED

Create a new import session. This event can be used to identify when an admin
starts a new import session. This event includes details about when the import
process was created.

import system
Since: 2022.10.0

SYSTEM.IMPORT.SESSION.EXPIRED

Expired an import session. This event can be used to identify when the session
is expired. This event includes details when the session is expired.

import system
Since: 2022.10.0

SYSTEM.IMPORT.SESSION.TRIGGERED

Triggered an import session to start importing. This event can be used to
identify when an admin triggers the import job from an open session. This event
includes details about when the import process was triggered.

import system
Since: 2022.10.0

SYSTEM.IMPORT.START

Import started.

event-hook-eligible import system
Since: 2016.14

SYSTEM.IMPORT.USER.COMPLETE

Import of user completed.

import system
Since: 2016.14

SYSTEM.IMPORT.USER.CREATE

Create user triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.USER.DELETE

Delete user triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.USER.MATCH

Assign user triggered by import process with callback. This event can be used to
alter the matching result for a given imported user. This event is fired when
the matching result is altered by the synchronous callback.

import system
Since: 2018.43

SYSTEM.IMPORT.USER.START

Start importing users triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.USER.SUSPEND

Suspend user triggered by import process.

import system
Since: 2016.24

SYSTEM.IMPORT.USER.UNSUSPEND

Unsuspend user triggered by import process.

import system
Since: 2016.24

SYSTEM.IMPORT.USER.UNSUSPEND_AFTER_CONFIRM

No Description

import system
Since: 2016.24

SYSTEM.IMPORT.USER.UPDATE

Update user triggered by import process.

import system
Since: 2016.14

SYSTEM.IMPORT.USER.UPDATE_USER_LIFECYCLE_FROM_MASTER

Update user status triggered by import process.

import system
Since: 2016.24

SYSTEM.IMPORT.USER_CSV.COMPLETE

Bulk Import users from CSV is completed. Informs when bulk user import from CSV
has been completed. This event is logged when bulk user import from CSV has
completed with the outcome as success or failure. When fired, this event also
contains debug context about the number of users added/updated/unchanged or with
errors.

admin csv-upload user-import
Since: 2021.01.2

SYSTEM.IMPORT.USER_CSV.START

Bulk Import of users from CSV is started. Informs when bulk import of users from
CSV has been attempted to be uploaded. This event is logged when bulk user
import from CSV has started and is a precursor to user.lifecycle.create;
user.lifecycle.activate events.

admin csv-upload user-import
Since: 2021.01.2

SYSTEM.IMPORT.USER_MATCH.CONFIRM

Import user matching assignment confirmed. This event can be used to track when
the confirmation of user matching assignments was triggered on the Import page,
which helps with audit trails. This event may also be useful when
troubleshooting incorrect user matches. After users are imported from the app,
they're matched and assigned with existing Okta users on the basis of Name,
Username, and Email. The assignment confirmation is a manual step, needing admin
intervention.

app
Since: 2024.07.2

SYSTEM.IMPORT.USER_MATCH.UNIGNORE

Assignment was unignored. This event indicates that a user match, which was
previously marked to be ignored during imports, has been reactivated for
consideration. It's important for tracking changes in user matching policies and
decisions during the import process. This event can be of critical importance
for auditing purposes, especially when investigating why certain user accounts
were matched or updated after being ignored in previous imports. It helps
maintain the accuracy and integrity of user data by ensuring that valid matches
are not permanently overlooked.

app
Since: 2024.07.2

SYSTEM.IMPORT.USER_MATCH.UPDATE

Assignment was modified. This event can be used to track when an assignment was
modified. This may also be useful when troubleshooting incorrect user
assignments. After users are imported from the app, they're matched and assigned
with existing Okta users on the basis of Name, Username, and Email. Assignments
can be modified by the admin through a manual intervention.

app
Since: 2024.07.2

SYSTEM.IMPORT.USER_MATCHING.COMPLETE

Fired upon completion of the user matching phase, when Okta attempts to match
imported users to existing Okta users. This can be used to determine the
progress of an import, as well as to monitor to trigger processes that should
run concurrently with the import. Fired upon completion of the user matching
phase, when Okta attempts to match imported users to existing Okta users.

import system
Since: 2020.01.0

SYSTEM.IMPORT.USER_MATCHING.START

Fired at the start of the user matching phase, when Okta attempts to match
imported users to existing Okta users. This can be used to determine the
progress of an import, as well as to monitor to trigger processes that should
run concurrently with the import. Fired at the start of the user matching phase,
when Okta attempts to match imported users to existing Okta users.

import system
Since: 2020.01.0

SYSTEM.IWA.CREATE

Create IWA agent.

iwa system
Since: 2016.13

SYSTEM.IWA.GO_OFFLINE

IWA going offline.

iwa system
Since: 2016.13

SYSTEM.IWA.GO_ONLINE

IWA going online.

iwa system
Since: 2016.13

SYSTEM.IWA.PROMOTE_PRIMARY

Promote IWA agent to primary.

iwa system
Since: 2016.13

SYSTEM.IWA.REMOVE

Remove IWA agent.

iwa system
Since: 2016.13

SYSTEM.IWA.UPDATE

Update IWA agent.

iwa system
Since: 2016.13

SYSTEM.IWA.USE_DEFAULT

No primary IWA app found. Using default login.

iwa system
Since: 2016.13

SYSTEM.IWA_AGENTLESS.AUTH

Agentless IWA authentication.

iwa system
Since: 2018.22

SYSTEM.IWA_AGENTLESS.AUTH_AFTER_REDIRECT

Fired after redirection from Agentless DSSO failure. This can be used to track
the start of a subsequent authentication request after Agentless DSSO fails.
This can also be used for end-to-end tracking of an ADSSO failure to the
subsequent authentication it is redirected to by searching for the common
stateTokenHash. When fired, this event contains the stateTokenHash which will be
common before and after the redirection occurs.

iwa system
Since: 2022.11.2

SYSTEM.IWA_AGENTLESS.REDIRECT

Fired when an Agentless DSSO authentication request is redirected to an on-prem
IWA authentication or the default login page. This can be used to identify when
an agentless authentication request resulted in a redirect to an on-prem IWA or
default login page. This can also be used to identify the potential cause of the
redirect. When fired, this event identifies the cause of the redirection. When a
custom error page is defined, a redirect event is not always generated when a
redirection occurs.

iwa system
Since: 2019.05.4

SYSTEM.IWA_AGENTLESS.UPDATE

Update to agentless IWA.

iwa system
Since: 2018.22

SYSTEM.IWA_AGENTLESS.USER.NOT_FOUND

Fired when a user could not be found during Agentless DSSO authentication,
resulting in an authentication failure. This can be used to identify when an
agentless authentication request resulted in a failure. The failure could be due
to the user not being found in Okta, Okta not being able to connect to AD, or
the user not being found in AD. This can also be used to identify the potential
cause of the failure. When fired, this event contains information about the
potential cause of the failure.

iwa system
Since: 2019.08.0

SYSTEM.IWA_AGENTLESS_KERBEROS.UPDATE

Fires when a Kerberos realm setting is updated by an admin. This event fires
when the update is successful or fails. This can be used to audit Kerberos realm
setting, and troubleshoot why Kerberos authentication failed. When fired, this
event indicates whether Kerberos realm setting update has been successful or
failed. This event also indicates the initiator of the event and the current
setting for Kerberos Realm. Related events: none, all debugging context is
included in this event.

iwa system
Since: 2019.05.4

SYSTEM.LDAPI.ADMIN_LIMIT_EXCEEDED

This event indicates that an administrative limit was exceeded when processing
an LDAP interface operation. It can be used to audit and debug failures caused
by exceeding an administrative limit. This event may occur periodically when an
LDAP operation results in a large number of corresponding actions in the Okta
directory. These errors are often temporary and will subside when Okta has
processed the actions. Contact Okta support if you see such errors consistently
over the course of a day or more.

ldapi
Since: 2023.03.0

SYSTEM.LDAPI.BIND

Fired when a user performs a BIND to LDAP Interface. Can be used to identify
when a user attempted to perform an LDAP authentication for audit or debugging
purposes. Note that the firing of this event is subject to LDAPi event filtering
rules.

ldapi
Since: 2018.10

SYSTEM.LDAPI.SEARCH

Fired when a user performs a SEARCH to LDAP Interface. Can be used to identify
when a user attempted to perform a search on LDAP Interface for audit or
debugging purposes. Note that the firing of this event is subject to LDAPi event
filtering rules.

ldapi
Since: 2018.10

SYSTEM.LDAPI.UNBIND

Fired when a user performs an UNBIND to LDAP Interface. Can be used to identify
when a user attempted to end an LDAP Interface session for audit or debugging
purposes. Note that the firing of this event is subject to LDAPi event filtering
rules.

ldapi
Since: 2018.10

SYSTEM.LOG_STREAM.LIFECYCLE.ACTIVATE

Log stream activated. This event can be used to track and audit when a user
activates a log stream. When fired, this event indicates that a user activated a
log stream configuration.

event-hook-eligible log-stream
Since: 2021.09.1

SYSTEM.LOG_STREAM.LIFECYCLE.CREATE

Log stream created. This event can be used to track and audit when a user
creates a log stream. When fired, this event indicates that a user created a log
stream configuration.

event-hook-eligible log-stream
Since: 2021.09.1

SYSTEM.LOG_STREAM.LIFECYCLE.DEACTIVATE

Log stream deactivated. This event can be used to track and audit when a user or
Okta deactivates a log stream. When fired, this event indicates that a user or
Okta deactivated a log stream configuration.

event-hook-eligible log-stream
Since: 2021.09.1

SYSTEM.LOG_STREAM.LIFECYCLE.DELETE

Log stream deleted. This event can be used to track and audit when a user
deletes a log stream. When fired, this event indicates that a user deleted a log
stream configuration.

event-hook-eligible log-stream
Since: 2021.09.1

SYSTEM.LOG_STREAM.LIFECYCLE.UPDATE

Log stream updated. This event can be used to track and audit when a user
updates a log stream. When fired, this event indicates that a user updated a log
stream configuration.

event-hook-eligible log-stream
Since: 2021.09.1

SYSTEM.MFA.FACTOR.ACTIVATE

Activate a new authentication factor. Can be used to identify when an admin has
enabled a new factor for authentication. When fired the event will contain
details of which factor is enabled.

admin mfa
Since: 2021.01.1

SYSTEM.MFA.FACTOR.DEACTIVATE

Deactivate MFA factor. Can be used to identify when an admin has disabled a
factor for MFA. When fired the event will contain details of which factor is
disabled.

admin mfa
Since: 2021.01.1

SYSTEM.OPERATION.CONCURRENCY_LIMIT.VIOLATION

Operation concurrency limit violation. This can be used to track if there are
too many concurrent operations of the given type. The operation type information
is available in debugData. When fired, this event contains information about the
operation such as its actor, type, scope and threshold details.
OperationRateLimitType in debugData will indicate the category to which the
concurrency limit is being applied (e.g. web_request), OperationRateLimitSubtype
defines specific subtypes (e.g. ssws_token) and OperationRateLimitScope will
indicate the scope of the rate limit (e.g. token).

system
Since: 2022.07.0

SYSTEM.OPERATION.RATE_LIMIT.VIOLATION

Operation rate limit violation. This can be used to track if an operation is
exceeding its rate limit. When fired, this event contains information about the
operation such as actor, type, scope and threshold details.
OperationRateLimitType in debugData will indicate the category to which the rate
limit is being applied (e.g. authenticator_otp_verification),
OperationRateLimitSubtype defines specific subtypes (e.g. Email Factor for
authenticator_otp_verification) and OperationRateLimitScope will indicate the
scope of the rate limit (e.g. user or org level). Formerly, this event was used
to indicate blocked SMS/Call transactions; see
system.sms.send*/system.voice.send* for blocked transactions.

system
Since: 2020.12.0

SYSTEM.OPERATION.RATE_LIMIT.WARNING

Operation rate limit warning. This can be used to track if an operation is
approaching its rate limit. When fired, this event contains information about
the operation such as actor, type, scope and threshold details.
OperationRateLimitType in debugData will indicate the category to which the rate
limit is being applied (e.g. authenticator_otp_verification),
OperationRateLimitSubtype defines specific subtypes (e.g. Email, SMS or Voice
call for authenticator_otp_verification type) and OperationRateLimitScope will
indicate the scope of the rate limit (e.g. user or org level).

system
Since: 2021.01.2

SYSTEM.ORG.CAPTCHA.ACTIVATE

Enable org-wide captcha support. Indicates when org-wide captcha support is
enabled, for which pages and using which captcha instance. This event is fired
when org admin enables org-wide captcha for any supported pages.

captcha system
Since: 2021.05.1

SYSTEM.ORG.CAPTCHA.DEACTIVATE

Disable org-wide captcha support. Indicates when org-wide captcha support is
disabled. This event is fired when org admin disables org-wide captcha support
for all pages.

captcha system
Since: 2021.05.1

SYSTEM.ORG.LIFECYCLE.CREATE

Org creation.

system
Since: 2016.51

SYSTEM.ORG.RATE_LIMIT.BURST

Fired when burst rate limit capacity is activated. This can be used to identify
when an API in the org exceeds standard rate limits and how frequently this
occurs. This event is fired after a corresponding warning event. If usage
continues on this API, it risks hitting a rate limit violation, which fires a
corresponding violation event. The event contains a burst rate limit threshold
that indicates how much capacity remains before a violation occurs.

system
Since: 2022.02.0

SYSTEM.ORG.RATE_LIMIT.EXPIRATION.WARNING

Rate limit approaching expiration date.

system
Since: 2018.35

SYSTEM.ORG.RATE_LIMIT.VIOLATION

Rate limit violation.

event-hook-eligible system
Since: 2017.02

SYSTEM.ORG.RATE_LIMIT.WARNING

Rate limit warning.

event-hook-eligible system
Since: 2017.02

SYSTEM.ORG.TASK.REMOVE

Tasks removed.

system
Since: 2017.33

SYSTEM.PUSH.SEND_FACTOR_VERIFY_PUSH

Fired when a Push notification is sent to a device. Used to notify admins when a
push was sent to a user for verification. Note that this event is fired whenever
a Push is sent.

push
Since: 2020.06.3

SYSTEM.SELF_SERVICE.CONFIGURATION.UPDATE

Self-service for apps configuration updated. Identify changes to self-service
application request settings which may allow a user to request to add an
application to their end user dashboard. Self-service application requests are
different than Okta Identity Governance (OIG) Access requests. See events
beginning with access.request for events relevant to OIG Access requests.

self-service changeDetails
Since: 2024.08.0

SYSTEM.SMS.RECEIVE_STATUS

Fired when receiving a status update on an SMS message from the provider. This
event can be used by Org Admins to identify users that are/aren't getting
one-time passcodes delivered successfully via SMS. The provider status can be
obtained from the status field in debug data. For any system.sms.send_* event,
there should be exactly one of this event.

sms
Since: 2020.08.4

SYSTEM.SMS.SEND_ACCOUNT_UNLOCK_MESSAGE

Send self-service account unlock SMS message. As of the 2022.06.0 release this
event is also used to identify transactions blocked by Okta, which is indicated
by a "deny" outcome. Previously, the system.operation.rate_limit.violation was
used to identify blocked transactions. Additionally, the method of generating
the MobilePhone ID in the event has changed for Okta Classic. It has not changed
for Okta Identity Engine.

sms system
Since: 2016.12

SYSTEM.SMS.SEND_FACTOR_VERIFY_MESSAGE

Send second factor auth SMS. As of the 2022.06.0 release this event is also used
to identify transactions blocked by Okta, which is indicated by a "deny"
outcome. Previously, the system.operation.rate_limit.violation was used to
identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

sms system
Since: 2016.12

SYSTEM.SMS.SEND_OKTA_PUSH_VERIFY_MESSAGE

Send activate Okta Verify Push for mobile SMS. As of the 2022.06.0 release this
event is also used to identify transactions blocked by Okta, which is indicated
by a "deny" outcome. Previously, the system.operation.rate_limit.violation was
used to identify blocked transactions. Additionally, the method of generating
the MobilePhone ID in the event has changed for Okta Classic. It has not changed
for Okta Identity Engine.

sms system
Since: 2016.12

SYSTEM.SMS.SEND_PASSWORD_RESET_MESSAGE

Send self-service password reset SMS message. As of the 2022.06.0 release this
event is also used to identify transactions blocked by Okta, which is indicated
by a "deny" outcome. Previously, the system.operation.rate_limit.violation was
used to identify blocked transactions. Additionally, the method of generating
the MobilePhone ID in the event has changed for Okta Classic. It has not changed
for Okta Identity Engine.

sms system
Since: 2016.12

SYSTEM.SMS.SEND_PHONE_VERIFICATION_MESSAGE

Send phone verification SMS message. As of the 2022.06.0 release this event is
also used to identify transactions blocked by Okta, which is indicated by a
"deny" outcome. Previously, the system.operation.rate_limit.violation was used
to identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

event-hook-eligible sms system
Since: 2016.12

SYSTEM.THEME.UPDATE

This event is fired when the theme resource is updated. Developer and org admins
can use this event to identify when and how the theme resource was updated.
Event details can be used to identify changes made to theme assets including
updates to theme hex codes, logo, background image, and favicon. This event also
tracks which combination of theme assets was applied to end users pages such as
the sign-in page, error pages, and email templates.

admin
Since: 2021.08.0

SYSTEM.VOICE.RECEIVE_STATUS

Fired when receiving a status update on a voice call from the provider. This
event can be used by Org Admins to identify users that are/aren't getting
one-time passcodes delivered successfully via voice call. The provider status
can be obtained from the status field in debug data. For any
system.voice.send_* event, there should be exactly one of this event.

voice
Since: 2020.08.4

SYSTEM.VOICE.SEND_ACCOUNT_UNLOCK_CALL

Send self-service account unlock call. As of the 2022.06.0 release this event is
also used to identify transactions blocked by Okta, which is indicated by a
"deny" outcome. Previously, the system.operation.rate_limit.violation was used
to identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

voice
Since: 2017.44

SYSTEM.VOICE.SEND_CALL

Send phone call.

voice
Since: 2017.44

SYSTEM.VOICE.SEND_MFA_CHALLENGE_CALL

Send second factor auth call. As of the 2022.06.0 release this event is also
used to identify transactions blocked by Okta, which is indicated by a "deny"
outcome. Previously, the system.operation.rate_limit.violation was used to
identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

voice
Since: 2017.44

SYSTEM.VOICE.SEND_PASSWORD_RESET_CALL

Send self-service password reset call. As of the 2022.06.0 release this event is
also used to identify transactions blocked by Okta, which is indicated by a
"deny" outcome. Previously, the system.operation.rate_limit.violation was used
to identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

voice
Since: 2017.44

SYSTEM.VOICE.SEND_PHONE_VERIFICATION_CALL

Send phone verification call. As of the 2022.06.0 release this event is also
used to identify transactions blocked by Okta, which is indicated by a "deny"
outcome. Previously, the system.operation.rate_limit.violation was used to
identify blocked transactions. Additionally, the method of generating the
MobilePhone ID in the event has changed for Okta Classic. It has not changed for
Okta Identity Engine.

event-hook-eligible voice
Since: 2017.44

TASK.LIFECYCLE.ACTIVATE

Activated system task.

task
Since: 2018.15

TASK.LIFECYCLE.CREATE

Created system task.

task
Since: 2018.15

TASK.LIFECYCLE.DEACTIVATE

Deactivated system task.

task
Since: 2018.15

TASK.LIFECYCLE.DELETE

Deleted system task.

task
Since: 2018.15

TASK.LIFECYCLE.UPDATE

Updated system task.

task
Since: 2018.15

USER.ACCOUNT.EXPIRE_PASSWORD

Fired when the user's Okta password is expired. This can be used to audit cases
where a user's password is expired by an administrator. When fired, this event
contains information about the user whose password was expired, whether a
temporary password was created for the user, or if the user's sessions were
revoked.

account user
Since: 2024.01.2

USER.ACCOUNT.LOCK

Auto-lock user account for Okta.

account event-hook-eligible user
Since: 2016.02

USER.ACCOUNT.LOCK.LIMIT

This event is fired when a user account has reached the lockout limit. The
account will not auto-unlock and a user or client cannot gain access to the
account. This event indicates an account that will not be able to log in until
remedial action is taken by the account admin. This event can be used to
understand the specifics of an account lockout. Often this indicates a client
application that is repeatedly attempting to authenticate with invalid
credentials such as an old password.

account user
Since: 2019.05.0

USER.ACCOUNT.PREFERENCE_UPDATE

User preferences updated. This can be used for debugging and auditing purposes.
These preferences live outside the user profile.

account user
Since: 2023.11.0

USER.ACCOUNT.PRIVILEGE.GRANT

A user's admin privileges changed. This can be used to audit the provisioning of
admin privileges for users. When fired, this event contains information about
the type of admin privileges the user currently has. The list of current
privileges contains both individually assigned roles and those granted to the
user through their group membership. Related events include:
USER_ACCOUNT_PRIVILEGE_REVOKE.

event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.PRIVILEGE.REVOKE

All of the user's admin privileges revoked. This can be used to audit the
deprovisioning of admin privileges from users. When fired, this event indicates
the user has no more admin privileges. All of the user's privileges were
revoked, including individually assigned roles as well as the ones granted to
the user through their group membership. Related events include:
USER_ACCOUNT_PRIVILEGE_GRANT.

event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.REPORT_SUSPICIOUS_ACTIVITY_BY_ENDUSER

User reported suspicious activity. This event is used to identify user account
suspicious activity.

event-based-trigger-eligible event-hook-eligible user
Since: 2019.01.1

USER.ACCOUNT.RESET_PASSWORD

Fired when the user's Okta password is reset.

account event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.UNLOCK

Auto-unlock user account for Okta.

account event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.UNLOCK_BY_ADMIN

User account unlock by admin.

account event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.UNLOCK_FAILURE

Failed to schedule unlock job for user.

account user
Since: 2018.23

USER.ACCOUNT.UNLOCK_TOKEN

Issued recovery token for self-service account unlock.

account user
Since: 2017.47

USER.ACCOUNT.UPDATE_PASSWORD

User update password for Okta.

account end-user-visible event-hook-eligible user
Since: 2016.15

USER.ACCOUNT.UPDATE_PRIMARY_EMAIL

User primary email updated.

account end-user-visible user user-config
Since: 2018.05

USER.ACCOUNT.UPDATE_PROFILE

Update user profile for Okta.

account event-hook-eligible user user-config
Since: 2016.02

USER.ACCOUNT.UPDATE_SECONDARY_EMAIL

User secondary email updated.

account end-user-visible user user-config
Since: 2018.25

USER.ACCOUNT.UPDATE_USER_TYPE

Fires when a user changes from one type to another. Can be used to audit when a
user gets converted from a contractor to a full-time employee, for example. Data
includes the old and new type ids. There may be an accompanying update_profile
event if values were changed.

account user user-config
Since: 2020.02.0

USER.ACCOUNT.USE_TOKEN

Invalid self service recovery token used by user.

account user
Since: 2016.15

USER.AUTHENTICATION.AUTH

Authenticate user.

user
Since: 2016.02

USER.AUTHENTICATION.AUTH_UNCONFIGURED_IDENTIFIER

Fired after a user authenticates via a directory instance that is not the
highest priority profile source for the user. This can be used to track users
who log in with an identifier that differs from the admin-configured identifier
for that user, which might produce unexpected login results. When fired, this
event will contain useful information about the user, the directory instance
that was used to log in the user, and the directory instance that should have
been used instead.

directory user
Since: 2023.01.2

USER.AUTHENTICATION.AUTH_VIA_AD_AGENT

Authenticate user with AD agent.

directory user
Since: 2016.18

USER.AUTHENTICATION.AUTH_VIA_IDP

Authenticate user via IDP.

event-hook-eligible user
Since: 2016.18

USER.AUTHENTICATION.AUTH_VIA_LDAP_AGENT

Authenticate user via LDAP agent.

directory user
Since: 2016.18

USER.AUTHENTICATION.AUTH_VIA_INBOUND_SAML

Authenticate user via inbound SAML.

user
Since: 2016.27

USER.AUTHENTICATION.AUTH_VIA_INBOUND_DELAUTH

Authenticate user via inbound delauth.

user
Since: 2016.02

USER.AUTHENTICATION.AUTH_VIA_IWA

Authenticate user via IWA.

user
Since: 2016.02

USER.AUTHENTICATION.AUTH_VIA_MFA

Authentication of user via MFA. For Okta Classic orgs, this event will only fire
for second factor verifications, whereas for Identity Engine orgs, this event
will fire for both primary and second factor verifications.

event-hook-eligible mfa
Since: 2016.02

USER.AUTHENTICATION.AUTH_VIA_RADIUS

Authentication of user via Radius.

app radius
Since: 2016.18

USER.AUTHENTICATION.AUTH_VIA_RICHCLIENT

Authentication of a user via Rich Client.

user
Since: 2016.18

USER.AUTHENTICATION.AUTH_VIA_SOCIAL

Authenticate user with social login.

event-hook-eligible user
Since: 2016.18

USER.AUTHENTICATION.AUTHENTICATE

Authentication via device trust certificate.

device-trust-authentication event-hook-eligible user
Since: 2017.44

USER.AUTHENTICATION.DSSO_VIA_NON_PRIORITY_SOURCE

Desktop Single Sign On (DSSO) authentication has been attempted using a profile
source that is not the highest priority profile source for the given Okta user.
This event may indicate a potential security risk as the highest priority
profile source is often expected to be used in this flow. The presence of this
event may be benign, or it may indicate an attempt to authenticate the user from
a compromised Active Directory domain. The debugContext object in this event
contains useful information regarding the Okta user, the prioritized profile
source, and the profile source that was used in the DSSO attempt.

directory user
Since: 2024.03.0

USER.AUTHENTICATION.SLO

User single logout (SLO) from app.

user
Since: 2016.11

USER.AUTHENTICATION.SSO

Fired when a user performs a single sign-on (SSO) to an app instance and
contains the client details of the user. Can be used to identify when a user
attempted to sign into an application for audit or debugging purposes. Note that
the event is fired even when the sign-on is unsuccessful.

event-hook-eligible user
Since: 2016.11

USER.AUTHENTICATION.UNIVERSAL_LOGOUT

This event is fired when an admin or system account triggers Universal Logout
against an app instance. It contains the app instance details for which the
Universal Logout API was fired. This event identifies when applications have had
Universal Logout triggered for audit or debugging purposes. This event is only
fired once. It's only fired for applications that have been configured for
Universal Logout. You can configure it under Risk policy, Post Auth Session
policy, or in an admin-initiated Clear User Session.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible session user
Since: 2024.02.2

USER.AUTHENTICATION.UNIVERSAL_LOGOUT.SCHEDULED

This event is fired when an admin manually triggers Universal Logout for a user.
It contains context about the initiating request, such as where the request
originated and how the Universal Logout endpoint was invoked. After Universal
Logout is complete, the user.authentication.universal_logout event is fired, and
you can correlate both events using the traceID. This event identifies the
geolocation, IP address, and IP chain of the requesting entity. This event is
only fired once. You can correlate this event with the
user.authentication.universal_logout event using traceID.

event-hook-eligible session user
Since: 2024.06.0

USER.AUTHENTICATION.VERIFY

Verify user identity.

end-user-visible user
Since: 2017.27

USER.BEHAVIOR.PROFILE.RESET

User behavior profile reset. This event can be used to identify resets of a
user's behavior profile, which may be helpful when troubleshooting unexpected
behavior detection evaluations. This event is triggered when an administrator
manually resets a user's behavior profile in the Admin Console.

behavior-profile event-hook-eligible
Since: 2024.08.0

USER.CREDENTIAL.ENROLL

Device Trust certificate enrollment.

device-trust-cert-distribution-and-binding event-hook-eligible user
Since: 2017.45

USER.IDENTITY_SNAPSHOT.ATTESTATION.CREATE

Create identity snapshot attestation for a user. This event can be used by
administrators to audit identity snapshot attestations minted for a user. The
user and the application are in the event, signifying which user the attestation
token is being minted for, and which application is requesting it.

attestation user
Since: 2020.09.3

USER.IMPORT.PASSWORD

Fired when a user has successfully logged in to Okta and an attempt to import
their Password has been made. This can be used to understand if a user password
import attempt was successful or if it failed. If the attempt failed, the
password import will be tried again on a subsequent successful login. When
fired, this event contains information about the import type, and whether or not
the password import was successful. If the import is successful, it is safe to
"clean up" that user from an external system. If the import failed, Okta will
continue retrying the import during every successful authentication attempt
until the password is successfully imported. Check the failure reason for
details about whether any action is needed for the import to succeed.

credential event-hook-eligible import user
Since: 2020.05.1

USER.LIFECYCLE.ACTIVATE

Activate Okta user.

event-hook-eligible user
Since: 2016.13

USER.LIFECYCLE.CREATE

Create Okta user.

event-hook-eligible user
Since: 2016.02

USER.LIFECYCLE.DEACTIVATE

Deactivate Okta user.

event-hook-eligible user
Since: 2016.02

USER.LIFECYCLE.DELETE.COMPLETED

Delete Okta user completed.

user
Since: 2016.29

USER.LIFECYCLE.DELETE.INITIATED

Delete Okta user initiated.

event-hook-eligible user
Since: 2016.29

USER.LIFECYCLE.JIT.ERROR.READ_ONLY

Failed to JIT create user.

user
Since: 2018.06

USER.LIFECYCLE.PASSWORD_MASS_EXPIRY

Mass expire all users' passwords initiated.

user
Since: 2018.04

USER.LIFECYCLE.REACTIVATE

Reactivate Okta user.

event-hook-eligible user
Since: 2016.13

USER.LIFECYCLE.SUSPEND

Suspend Okta user.

event-hook-eligible user
Since: 2016.13

USER.LIFECYCLE.UNSUSPEND

Unsuspend Okta user.

event-hook-eligible user
Since: 2016.13

USER.MFA.ATTEMPT_BYPASS

Attempt bypass of factor.

mfa
Since: 2016.11

USER.MFA.FACTOR.ACTIVATE

Activate factor or authenticator enrollment method for user. Provides org admins
with audit log and oversight utility for an MFA factor when it is activated.
When fired, the event contains information about the MFA factor that has been
activated, as well as the target user and the user activating the factor. For
Identity Engine orgs, this event will fire when an authentication method is
enrolled.

end-user-visible event-hook-eligible mfa
Since: 2016.11

USER.MFA.FACTOR.DEACTIVATE

Reset factor or authenticator enrollment method for user. Provides org admins
with audit log and oversight utility for the change in MFA factor lifecycle
status when a specific factor is permanently deactivated. When fired, the event
contains information about the MFA factor that has been deactivated, as well as
the target user and the user deactivating the factor. For Identity Engine orgs,
this event will fire when an authentication method is unenrolled.

end-user-visible event-hook-eligible mfa
Since: 2016.11

USER.MFA.FACTOR.RESET_ALL

Reset all factors or authenticator enrollments for user. Provides org admins
with audit log and oversight utility for the change in MFA factor lifecycle
statuses when all MFA factors for a user are permanently deactivated. When
fired, the event contains information about the target user for whom all factors
have been deactivated, as well as the user resetting the factors. For Identity
Engine orgs, this event contains information about a target user for whom all
authenticator enrollments have been reset.

event-hook-eligible mfa
Since: 2016.11

USER.MFA.FACTOR.SUSPEND

Suspend factor or authenticator enrollment method for user. Provides org admins
with audit log and oversight utility for the change in MFA factor lifecycle
status when a factor is suspended, usually as a result of suspected compromise.
When fired, the event contains information about the MFA factor that has been
suspended, as well as the target user and the user suspending the factor. When
unsuspended, related event user.mfa.factor.unsuspend will be fired.

event-hook-eligible mfa oie-only
Since: 2020.09.4

USER.MFA.FACTOR.UNSUSPEND

Unsuspend factor or authenticator enrollment method for user. Provides org
admins with audit log and oversight utility for the change in MFA factor
lifecycle status when a factor is reactivated from a state of suspension, after
it has been determined that the authenticator is secure. When fired, the event
contains information about the MFA factor that has been unsuspended, as well as
the target user and the user reactivating the suspended factor. Before
suspension, related event user.mfa.factor.suspend would have been fired.

event-hook-eligible mfa oie-only
Since: 2020.09.4

USER.MFA.FACTOR.UPDATE

Update factor for user.

event-hook-eligible mfa
Since: 2016.11

USER.MFA.OKTA_VERIFY

Verify user with Okta verify.

mfa
Since: 2016.11

USER.MFA.OKTA_VERIFY.DENY_PUSH

User rejected Okta push verify. This event is triggered in classic V1 API calls.
In OIE we use a generic event for factor verification failure:
user.authentication.auth_via_mfa with reason INVALID_CREDENTIALS.

mfa
Since: 2018.03

USER.MFA.OKTA_VERIFY.DENY_PUSH_UPGRADE_NEEDED

Rejected Okta push verify as Upgrade Needed. This can be used to audit events
where Okta push verify was rejected because the app needed an upgrade. Note that
the event is fired when Okta Verify push is rejected. It is possible that the
user chose another factor and logged in successfully as well.

mfa
Since: 2020.05.0

USER.RISK.CHANGE

Indicates a user's risk level has changed. This event can be used to monitor
risk level changes for users. This event triggers when Okta determines that a
user is associated with a change in risk activity or context.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible risk security
Since: 2023.01.2

USER.RISK.DETECT

Indicates a user risk was detected. This event can be used to monitor risk level
detections for users. This event triggers when Okta detects that a user is
associated with risk activity or context.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible risk security
Since: 2024.06.1

USER.SESSION.ACCESS_ADMIN_APP

User accessing Okta admin app.

adminappsessionuser
Since: 2016.14

USER.SESSION.CLEAR

Clear user session.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible session user
Since: 2016.15

USER.SESSION.CONTEXT.CHANGE

User session context changed. This event indicates that the context in which the
session is being used has changed significantly enough from the context in which
the event was created, that re-evaluation of policy may be required. Often this
indicates a security issue related to the session.

event-hook-eligible session user
Since: 2023.01.0

USER.SESSION.END

User logout from Okta.

See also: Identity Threat Protection with Okta AI Event Types

event-hook-eligible session user
Since: 2016.02

USER.SESSION.EXPIRE

Expire user session. This event does not appear in the system logs unless the
user explicitly signs out or the user session is revoked by an admin.

session user
Since: 2016.15

USER.SESSION.IMPERSONATION.END

End impersonation session.

session user
Since: 2016.09

USER.SESSION.IMPERSONATION.EXTEND

Extend impersonation session.

session user
Since: 2016.09

USER.SESSION.IMPERSONATION.GRANT

Enable impersonation grant.

session user
Since: 2016.09

USER.SESSION.IMPERSONATION.INITIATE

Initiate impersonation session.

session user
Since: 2016.09

USER.SESSION.IMPERSONATION.REVOKE

Revoke impersonation grant.

session user
Since: 2016.09

USER.SESSION.START

User login to Okta.

end-user-visible event-hook-eligible session user
Since: 2016.02

WORKFLOWS.USER.CONNECTION.CREATE

This event can be used by any admin or security team member to monitor the
creation of new connections for Workflows connectors. The target fields provide
information on the user that created the connection, the application for which
the connection was created, and the display name the user provided for the
connection. Other connection lifecycle events include:
workflows.user.connection.revoke, workflows.user.connection.reauthorize, and
workflows.user.connection.delete. Note that this event only indicates if a
connection was successfully added to the database, and does not distinguish
whether or not that connection is valid.

workflows
Since: 2021.02.1

WORKFLOWS.USER.CONNECTION.DELETE

This event can be used by any admin or security team member to monitor the
deletion of existing Workflows connections. The target fields provide
information on the user that deleted the connection, the application for which
the connection was deleted, and the display name originally provided for the
connection. Other connection lifecycle events include:
workflows.user.connection.create, workflows.user.connection.reauthorize, and
workflows.user.connection.revoke. Note that for OAuth connections this will
often fire with the workflows.user.connection.revoke event.

workflows
Since: 2021.02.1

WORKFLOWS.USER.CONNECTION.REAUTHORIZE

This event can be used by any admin or security team member to monitor the
reauthorization of existing connections for Workflows connectors.
Reauthorization can be used to retrieve a new access token or to change the
credentials used by a connection. The target fields provide information on the
user that reauthorized the connection, the application for which the connection
was reauthorized, and the display name originally provided for the connection.
Other connection lifecycle events include: workflows.user.connection.create,
workflows.user.connection.revoke, and workflows.user.connection.delete. Note
that this event only indicates if a user attempted to reauthorize a connection,
and does not distinguish whether or not that reauthorization was successful.

workflows
Since: 2021.02.1

WORKFLOWS.USER.CONNECTION.REVOKE

This event can be used by any admin or security team member to monitor when a
token for a Workflows connection has been revoked in a third party service, and
the event usually fires along with workflows.user.connection.delete. The target
fields provide information on the user that revoked the connection, the
application for which the connection was revoked, and the display name
originally provided for the connection. Other connection lifecycle events
include: workflows.user.connection.create,
workflows.user.connection.reauthorize, and workflows.user.connection.delete.
Note that this event only fires for connections where the service supplies an
API endpoint for revoking tokens. Tokens that cannot be revoked via API must be
managed manually in the third party application.

workflows
Since: 2021.02.1

WORKFLOWS.USER.DELEGATEDFLOW.RUN

This event can be used by admins or security team members to monitor the
execution of delegated flows in the Workflows platform from the Admin
application. The actor field provides the Okta User ID of the user that ran the
flow. The target fields provide context on the Workflows instance as well as the
name and flow id of the executed flow. This event only indicates if the flow was
successfully triggered and does not provide information about whether the flow
encountered an error.

See also: Identity Threat Protection with Okta AI Event Types

workflows
Since: 2022.06.0

WORKFLOWS.USER.EXECUTION_LOG_STREAM_CONNECTION.ACTIVATE

Workflows admin activated execution log streaming for their org. Connections to
a downstream HTTP endpoint (e.g. ingestion point to a SIEM) may be configured to
stream execution logs for a Workflows org. Note that these logs only contain
metadata about flow executions and not the I/O data processed in each execution.

workflows
Since: 2024.03.0

WORKFLOWS.USER.EXECUTION_LOG_STREAM_CONNECTION.DEACTIVATE

Workflows admin deactivated execution log streaming for their org. Connections
to stream Workflows execution logs may be shut off by a Workflows admin at any
time. Note that deactivating an execution log streaming connection will also
wipe its configuration details, including sensitive API credentials in headers.
These details will need to be re-entered upon reactivation.

workflows
Since: 2024.03.0

WORKFLOWS.USER.EXECUTION_LOG_STREAM_CONNECTION.UPDATE

Workflows admin updated the configuration of their org's execution log streaming
connection. These changes may be related to the connection's destination URL,
event subscriptions, or the headers and message body of each request. Note that
the detailEntry field in this event's target object contains an array of
fieldsUpdated, with the following possible values: DESTINATION_URL,
EVENT_SUBSCRIPTIONS, HEADERS, or BODY.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.ACTIVATE

Triggered when a user activates a flow in Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user toggles a flow on.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.CREATE

Triggered when a user creates a new flow in Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user creates and saves a new flow.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.DEACTIVATE

Triggered when a user deactivates a flow in Workflows. Can be used to audit user
activity in Workflows. This is triggered by deactivating a flow.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.DELETE

Triggered when a user deletes a flow in Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user toggles a flow off.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.EXECUTION.CANCEL

Workflows user requested to cancel flow execution. These requests attempt
cancellation of in-progress flow executions which are infinitely looping,
stalled, or accidentally triggered. Canceling a flow execution cancels the
execution of all remaining steps in the flow as well as all parent and helper
flow executions associated with that execution. These cancellation requests are
best-effort, meaning that at the time of request some execution processes may be
past the point of no return and will still complete.

workflows
Since: 2023.08.0

WORKFLOWS.USER.FLOW.EXECUTION_HISTORY.ACTIVATE

Workflows user activated saving execution history for a given flow. Flows may
save recent execution history for the purposes of testing, debugging, or
auditing a flow's activity in the Workflows console. Note that in-product flow
execution history is retained for 30 days.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.EXECUTION_HISTORY.DEACTIVATE

Workflows user deactivated saving execution history for a given flow. Flows may
be opted out of saving recent execution history for any reason (e.g. handling
extremely sensitive data). Note that this setting is managed per individual
flow, so helper flows invoked by a flow which has this setting deactivated will
continue to write history unless switched off themselves.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.EXECUTION_HISTORY.DELETE

Workflows user deleted all or part of a flow's execution history. Either in the
course of testing / debugging or for data sensitivity / compliance reasons, a
Workflows user may elect to delete recent execution history for a given flow.
Note that the detailEntry field in this event's target object contains an
executionHistoryType, which may be IO_DATA_ONLY or ALL depending on which option
was selected in the UI.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.EXECUTION_LOG_STREAM.ACTIVATE

Workflows user activated execution log streaming for a given flow. A flow with
execution log streaming deactivated may be reactivated by an authorized Workflow
user at any time. This flow-level setting is enabled by default and so this
activation event will only fire in the case of an individual flow having
execution log streaming deactivated then reactivated.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.EXECUTION_LOG_STREAM.DEACTIVATE

Workflows user deactivated execution log streaming for a given flow. Individual
flows may have execution log streaming deactivated by an authorized Workflow
user at any time to remain within monthly execution log limits per org or to
reduce log volume/noise in downstream systems. This flow-level setting is
enabled by default and must be manually deactivated on individual flows for
which execution log streaming is undesired while an org's execution log
streaming connection remains active.

workflows
Since: 2024.03.0

WORKFLOWS.USER.FLOW.EXPORT

Triggered when a user exports a flow from Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user exports one or more flows as a
flowpack.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.IMPORT

Triggered when a user imports a flow into Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user imports one or more flows as a
flowpack.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FLOW.MOVE

This event can be used by any admin or security team member to monitor users
moving flows between folders on the Workflows platform. The payload provides
information on the user that moved the flow and the flow that was moved. Other
Workflows resource move events include workflows.user.folder.move and
workflows.user.table.move. Note that this event fires when a user manually drags
a flow from one folder to another folder. Additional information including old
and new folder locations can be found in the debug context field.

workflows
Since: 2024.07.0

WORKFLOWS.USER.FLOW.SAVE

Triggered when a user saves a flow in Workflows. Can be used to audit user
activity in Workflows. Event is fired when a user saves a flow.

workflows
Since: 2021.02.1

WORKFLOWS.USER.FOLDER.CREATE

This event can be used by any admin or security team member to monitor the
creation of new folders in the Workflows platform. The payload provides
information about the user that created the folder and the folder that was
created. Other folder lifecycle events include: workflows.user.folder.delete,
workflows.user.folder.import, workflows.user.folder.export, and
workflows.user.folder.rename. Note that this event doesn't fire when a folder is
imported. For that, users can reference workflows.user.folder.import.

workflows
Since: 2023.06.1

WORKFLOWS.USER.FOLDER.DELETE

This event can be used by any admin or security team member to monitor the
deletion of folders in the Workflows platform. The payload provides information
on the user that deleted the folder and which folder was deleted. Other folder
lifecycle events include: workflows.user.folder.create,
workflows.user.folder.import, workflows.user.folder.export, and
workflows.user.folder.rename. Note that this event fires when a user manually
deletes a folder and recursively for each subfolder contained within the deleted
folder. Subsequent workflows.user.flow.delete and workflows.user.table.delete
events will fire for each flow and table deleted within each folder.

workflows
Since: 2022.11.1

WORKFLOWS.USER.FOLDER.EXPORT

This event can be used by any admin or security team member to monitor when a
user exports a folder from the Workflows platform. The payload provides
information on the user that exported the folder and the folder that was
exported. Other folder lifecycle events include: workflows.user.folder.create,
workflows.user.folder.delete, workflows.user.folder.import, and
workflows.user.folder.rename. Note that this event fires for the exported folder
and recursively for each subfolder contained within the exported folder
depending on the user's selection. Subsequent workflows.user.flow.export and
workflows.user.table.schema.export events will fire for each flow and table
exported within each exported folder. Additional folder information can be found
in the debug context field.

workflows
Since: 2023.06.1

WORKFLOWS.USER.FOLDER.IMPORT

This event can be used by any admin or security team member to monitor when a
user imports a folder to the Workflows platform. The payload provides
information on the user that imported the folder and the folder that was
imported. Other folder lifecycle events include: workflows.user.folder.create,
workflows.user.folder.delete, workflows.user.folder.export, and
workflows.user.folder.rename. Note that this event fires for the imported folder
and recursively for each subfolder contained within the imported folder.
Subsequent workflows.user.flow.import and workflows.user.table.schema.import
events will fire for each flow and table imported within each imported folder.
Additional folder information can be found in the debug context field.

workflows
Since: 2023.06.1

WORKFLOWS.USER.FOLDER.MOVE

This event can be used by any admin or security team member to monitor when a
user moves a folder in the Workflows platform. The payload provides information
on the user that moved the folder and the folder that was moved. Other folder
lifecycle events include workflows.user.folder.create,
workflows.user.folder.delete, workflows.user.folder.import,
workflows.user.folder.export, workflows.user.folder.rename, and
workflows.user.folder.duplicate. Note that this event fires for the moved folder
and recursively for each subfolder contained within the moved folder. Additional
information including old and new folder locations can be found in the debug
context field.

workflows
Since: 2024.07.0

WORKFLOWS.USER.FOLDER.RENAME

This event can be used by any admin or security team member to monitor when a
user renames a folder in the Workflows platform. The payload provides
information on the user that renamed the folder and the new name of the folder.
Other folder lifecycle events include: workflows.user.folder.create,
workflows.user.folder.delete, workflows.user.folder.import, and
workflows.user.folder.export. Additional information including old and new
folder names can be found in the debug context field.

workflows
Since: 2023.06.1

WORKFLOWS.USER.ROLE.GROUP.ADD

This event can be used by any admin or security team member to monitor the
addition of Workflows roles to an Okta group. The payload provides information
about both the group to which the role was added and the role that was added.
Related events include workflows.user.role.group.remove,
workflows.user.role.user.add, workflows.user.role.user.remove,
application.user_membership.add, and application.user_membership.remove. The
event fires when an admin manually adds a role to an Okta group in the Workflows
console. Adding multiple roles in a single action triggers multiple system log
events.

workflows
Since: 2024.02.1

WORKFLOWS.USER.ROLE.GROUP.REMOVE

This event can be used by any admin or security team member to monitor the
removal of Workflows roles from an Okta group. The payload provides information
about both the group from which the role was removed and the role that was
removed. Related events include workflows.user.role.group.add,
workflows.user.role.user.add, workflows.user.role.user.remove,
application.user_membership.add, and application.user_membership.remove. The
event fires when an admin manually removes a role from an Okta group in the
Workflows console. Removing multiple roles in a single action triggers multiple
system log events.

workflows
Since: 2024.02.1

WORKFLOWS.USER.ROLE.USER.ADD

This event can be used by any admin or security team member to monitor the
addition of Workflows roles to an Okta user. The payload provides information
about both the user to whom the role was added and the role that was added.
Related events include workflows.user.role.user.remove,
workflows.user.role.group.add, workflows.user.role.group.remove,
application.user_membership.add, and application.user_membership.remove. The
event fires when an admin manually adds a role to a user in the Workflows
console. Adding multiple roles in a single action triggers multiple system log
events.

workflows
Since: 2024.02.1

WORKFLOWS.USER.ROLE.USER.REMOVE

This event can be used by any admin or security team member to monitor the
removal of Workflows roles from an Okta user. The payload provides information
about both the user from whom the role was removed and the role that was
removed. Related events include workflows.user.role.user.add,
workflows.user.role.group.add, workflows.user.role.group.remove,
application.user_membership.add, and application.user_membership.remove. The
event fires when an admin manually removes a role from a user in the Workflows
console. Removing multiple roles in a single action triggers multiple system log
events.

workflows
Since: 2024.02.1

WORKFLOWS.USER.TABLE.CREATE

This event can be used by any admin or security team member to monitor the
creation of new tables in the Workflows platform. The target fields provide
information on the user that created the table and the new table. Other table
lifecycle events include: workflows.user.table.view,
workflows.user.table.update, and workflows.user.table.delete. Note that this
event doesn't fire when a table is imported. For that, users can reference
workflows.user.table.import or workflows.user.folder.import.

workflows
Since: 2021.02.1

WORKFLOWS.USER.TABLE.DELETE

This event can be used by any admin or security team member to monitor when a
user deletes a table from the Workflows platform. The target fields provide
information on the user that deleted the table and the table itself. Other table
lifecycle events include: workflows.user.table.view,
workflows.user.table.update, and workflows.user.table.create.

workflows
Since: 2021.02.1

WORKFLOWS.USER.TABLE.EXPORT

This event can be used by any admin or security team member to monitor when a
user exports table data from the Workflows platform using the Tables interface.
The target fields provide information on the user that exported the table and
the table itself. Related events include: workflows.user.table.import,
workflows.user.folder.import, and workflows.user.folder.export. Note that
exports through the table interface include table data, while exporting tables
as part of folder export does not.

workflows
Since: 2021.02.1

WORKFLOWS.USER.TABLE.IMPORT

This event can be used by any admin or security team member to monitor when a
user imports table data into the Workflows platform using the Tables interface.
The target fields provide information on the user that imported the table and
the table itself. Related events include: workflows.user.table.export,
workflows.user.folder.export, and workflows.user.folder.import. Note that
importing through the table interface requires an existing schema and is used to
import the data from a .csv file. This event does not fire as part of
workflows.user.folder.import.

workflows
Since: 2021.02.1

WORKFLOWS.USER.TABLE.MOVE

This event can be used by any admin or security team member to monitor users
moving tables between folders on the Workflows platform. The payload provides
information on the user that moved the table and the table that was moved. Other
Workflows resource move events include workflows.user.folder.move and
workflows.user.flow.move. Note that this event fires when a user manually drags
a table from one folder to another folder. Additional information including old
and new folder locations can be found in the debug context field.

workflows
Since: 2024.07.0

WORKFLOWS.USER.TABLE.SCHEMA.EXPORT

This event can be used by any admin or security team member to monitor when a
user exported a table schema from the Workflows platform. The payload provides
information on the user that exported the table schema and the table that was
exported. Other related table events include: workflows.user.table.create,
workflows.user.table.delete, workflows.user.table.update,
workflows.user.table.view, workflows.user.table.import,
workflows.user.table.export, and workflows.user.table.schema.import. This event
fires when a user exports a folder that contains a table.

workflows
Since: 2023.06.1

WORKFLOWS.USER.TABLE.SCHEMA.IMPORT

This event can be used by any admin or security team member to monitor when a
user has imported a table schema into the Workflows platform. The payload
provides information on the user that imported the schema and the table that was
created from that schema. Other related table events include:
workflows.user.table.create, workflows.user.table.delete,
workflows.user.table.update, workflows.user.table.view,
workflows.user.table.import, workflows.user.table.export, and
workflows.user.table.schema.export. This event fires when a user imports a
folder that contains a table.

workflows
Since: 2023.06.1

WORKFLOWS.USER.TABLE.UPDATE

This event can be used by any admin or security team member to monitor when a
user updates a table's schema on the Workflows platform. The target fields
provide information on the user that updated the table and the table itself.
Other table lifecycle events include workflows.user.table.view,
workflows.user.table.create, and workflows.user.table.delete. Note that this
event does not include information about what was updated, only that the table
name or columns were modified. It does not fire when the table data itself is
updated.

workflows
Since: 2021.02.1

WORKFLOWS.USER.TABLE.VIEW

This event can be used by any admin or security team member to monitor the
viewing of table data in the Workflows platform. The target fields provide
information on the user that viewed the table and which table was viewed. Other
table lifecycle events include: workflows.user.table.create,
workflows.user.table.update, and workflows.user.table.delete. Note that this
event only fires when a user manually accesses a table. It does not fire when
table data is accessed using the Workflows Table functions.

workflows
Since: 2021.02.1

ZONE.ACTIVATE

Network zone activate.

network-zone
Since: 2017.49

ZONE.CREATE

Network zone create.

network-zone
Since: 2017.49

ZONE.DEACTIVATE

Network zone deactivate.

network-zone
Since: 2017.49

ZONE.DELETE

Network zone delete.

network-zone
Since: 2017.49

ZONE.MAKE_BLACKLIST

Network zone mark as blacklist.

network-zone
Since: 2017.49

ZONE.REMOVE_BLACKLIST

Network zone unmark as blacklist.

network-zone
Since: 2017.49

ZONE.UPDATE

Network zone update.

network-zone
Since: 2017.49
Copyright © 2024 Okta. All rights reserved.
