惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
L
LangChain Blog
博客园 - Franky
Microsoft Security Blog
Microsoft Security Blog
M
MIT News - Artificial intelligence
月光博客
月光博客
云风的 BLOG
云风的 BLOG
MongoDB | Blog
MongoDB | Blog
量子位
AWS News Blog
AWS News Blog
Jina AI
Jina AI
Webroot Blog
Webroot Blog
L
Lohrmann on Cybersecurity
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
NISL@THU
NISL@THU
The Register - Security
The Register - Security
美团技术团队
博客园 - 三生石上(FineUI控件)
I
Intezer
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
Netflix TechBlog - Medium
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
S
Securelist
Know Your Adversary
Know Your Adversary
MyScale Blog
MyScale Blog
C
CERT Recently Published Vulnerability Notes
D
Darknet – Hacking Tools, Hacker News & Cyber Security
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
雷峰网
雷峰网
B
Blog
P
Privacy International News Feed
W
WeLiveSecurity
T
Threatpost
P
Palo Alto Networks Blog
O
OpenAI News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Forbes - Security
Forbes - Security
K
Kaspersky official blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
B
Blog RSS Feed

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
User Sign-in and Recovery Events in the Okta System Log
Okta · 2023-02-07 · via Okta Security RSS Feed

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.

We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library.

The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections for identifying suspicious activity.

The events below are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).

Working with Okta System Log

To access the System Log, go to Reports > System Log.

To view events in the System Log, type or paste a query into the Search field on the System Log page, and press Enter.

Search events by user

To view sign-in events for a particular user, use this query as an example. Replace the <enter user id> in this example with a User ID.

You can find the User ID for a given user by navigating to Directory > People, searching by name and selecting the user. The User ID is appended to the end of the resulting URL:

https://<Okta org URL>/admin/user/profile/view/<User ID>
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

To learn more about each event in this query, refer to the Definitions table below for more information.

Search events by IP address

To view user sign-in events associated with a particular IP address, replace <enter ip address here> with an IP address.

(client.ipAddress eq "<enter ip address here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

Search events by External Session ID

To view all events associated with a particular user session, replace <enter external session id here> with an External Session ID.

(authenticationContext.externalSessionId eq "<enter external session id here>")

To only view sign-on events associated with a particular user session, replace <enter external session id here> with an External Session ID.

(authenticationContext.externalSessionId eq "<enter external session id here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

View logout events for a user

To view user sign-out events associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.end") or
(eventType eq "user.authentication.slo")
)

View MFA configuration changes for a user

To identify any changes to authenticators associated with a particular user, replace <enter user id> with a User ID.

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.mfa.factor.deactivate") or
(eventType eq "user.mfa.factor.reset_all") or
(eventType eq "user.mfa.factor.suspend") or
(eventType eq "user.mfa.factor.unsuspend") or
(eventType eq "user.mfa.factor.update")
)

You can also share a link to a System Log query with your team members so they can view the same events in the System Log.

After you have run a query and viewed the events in the System Log, copy the link in the URL field of your browser and paste it into a message to your colleagues.

Event Scenarios

1. Troubleshooting sign-on events

Sign in to Okta

When a user signs in to Okta, you’ll see the following sequence of events:

Order

Event

Description

1

user.session.start

This event is fired after the first authentication method is verified.

2

policy.evaluate_sign_on

This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation.

3

MFA events

If a policy requires multifactor authentication (MFA), you’ll see various MFA enrollment or verification-related events. See the

Multifactor authentication section

for details on those events.

4

user.authentication.verify

This event is fired after the user has successfully completed the sign-in flow. At this point, the a valid session should have been established for the user.

Sign in to an app

Once a user has established a session, they are (usually) then able to view a dashboard of available applications. There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.

In successful app sign-in attempts, the following events are triggered:

In unsuccessful app sign-in attempts, the following event is triggered:

Order

Event

Description

1

application.policy.sign_on.deny_access

This event is fired if the user doesn’t meet the requirements to access the app.

2. Review Multifactor Authentication Events

When any policy (Sign-On Policy/Global Session Policy/App Sign-On Policy) requires MFA, you should expect a number of the following events.

First there are those events that fire irrespective of the authenticator in question:

Order

Event

Description

1

user.authentication.auth_via_mfa

This event is fired after the user attempts to verify their identity using an MFA factor/authenticator.

2

user.mfa.factor.activate

If a user doesn’t have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enrol them. This event is fired after the user successfully enrols an MFA factor/authenticator.

Specific MFA factors/authenticators also fire additional events that indicate progress of the verification flow:

Event

Description

system.push.send_factor_verify_push

When using the Okta Verify Push factor/authenticator, this event is fired when Okta sends the push notification to the user’s device.

system.email.send_factor_verify_message

When using the Email MFA factor/authenticator, this event is fired when Okta sends a message with a one-time password (OTP) code to the user via email.

system.sms.send_phone_verification_message

When

enrolling

the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.

system.sms.send_factor_verify_message

When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.

system.voice.send_mfa_challenge_call

When enrolling Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call.

system.voice.send_phone_verification_call

When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call.

3. Review Password Reset and Account Lockout Events

Self-Service Password Reset

If your organization using Okta Classic Engine (OCE) supports user-initiated ("self-service") password resets, an analyst should expect to see the following sequence of events:

Order

Event

Description

1

One of the following:

system.email.password_reset.sent_message

system.sms.send_password_reset_message

system.voice.send_password_reset_call

NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in.

These events are fired after an email, SMS message or voice call are sent to the user to initiate the SSPR flow.

2

user.account.reset_password

This event is fired after Okta resets the user's password, after the email, SMS message or voice call are verified. The user’s password is reset to allow the user to change it.

3

user.account.update_password

This event is fired after the user has successfully changed their password.

Once a user completes the SSPR, they commence a normal Okta sign-on flow. See the Sign in to Okta section for information about those events.

Below is a query analysts using OCE can use to search for SSPR-related activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password")
)
Self-Service Account Unlock

If an organization using Okta Classic Engine (OCE) allows self-service account unlock (SSU), an analyst should expect to see the following sequence of events:

Order

Event

Description

1

One of the following:

system.email.account_unlock.sent_message

system.sms.send_account_unlock_message

system.voice.send_account_unlock_call

NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in.

These events are fired after the email, SMS message or voice call are sent to the user to initiate the SSU flow.

2

user.account.unlock_token

This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user’s security question.

3

user.account.unlock

This event is fired after the user has successfully unlocked their account.

Below is a query analysts using OCE can use to search for self-service unlock activity in Okta System Log:

(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)

Definitions

Event

Description

actor.id

The actor that performed an event on a target (typically a user)

application.policy.sign_on.deny_access

A user was denied access to an application.

policy.evaluate_sign_on

Provides context on the values that are used and evaluated in the context of the Global Session Policy.

system.email.account_unlock.sent_message

Okta sends a system-generated account unlock email to the user when they request account unlocking.

system.email.password_reset.sent_message

Okta sends a system-generated password reset email to the user when they request a password reset.

system.email.send_factor_verify_message

Okta sends a system-generated verification email to the user when they sign in.

system.push.send_factor_verify_push

Okta sends a push notification to the user.

system.sms.send_account_unlock_message

Okta sends a system-generated account unlock text message to the user when they request account unlocking.

system.sms.send_factor_verify_message

Okta sends a system-generated verification text message to the user when they sign in.

system.sms.send_password_reset_message

Okta sends a system-generated password reset text message to the user when they request a password reset.

system.sms.send_phone_verification_message

Okta sends a system-generated one-time password text message to the user when they select the Phone authenticator and the SMS mode.

system.voice.send_account_unlock_call

Okta triggers a phone call to the user containing a one-time password when they request account unlocking.

system.voice.send_mfa_challenge_call

Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.

system.voice.send_password_reset_call

Okta triggers a phone call to the user containing a one-time password when they request a password reset.

system.voice.send_phone_verification_call

Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.

user.account.reset_password

The user reset their password.

user.account.unlock

The user’s account was unlocked.

user.account.unlock_token

A token was issued for unlocking the user’s account.

user.account.update_password

The user updated their password.

user.authentication.auth_via_mfa

The user responded to an authentication challenge with a multifactor authentication method.

user.authentication.sso

A user attempts a Single Sign-On (SSO) to an application managed in Okta. This event doesn't capture whether the SSO attempt is successful or has failed, as Okta can't collect the subsequent authentication attempt status from the third-party service.

user.authentication.verify

The user was successfully verified.

user.mfa.factor.activate

An MFA factor/authenticator was activated for a user.

user.session.start

Okta issues a session to a user who is authenticating.

More information

For more information about the System Log, see the online help for your version of Okta: