




















During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.
We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library.
The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections for identifying suspicious activity.
The events below are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).
To access the System Log, go to Reports > System Log.
To view events in the System Log, type or paste a query into the Search field on the System Log page, and press Enter.
To view sign-in events for a particular user, use this query as an example. Replace the <enter user id> in this example with a User ID.
You can find the User ID for a given user by navigating to Directory > People, searching by name and selecting the user. The User ID is appended to the end of the resulting URL:
https://<Okta org URL>/admin/user/profile/view/<User ID>(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)To learn more about each event in this query, refer to the Definitions table below for more information.
To view user sign-in events associated with a particular IP address, replace <enter ip address here> with an IP address.
(client.ipAddress eq "<enter ip address here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)To view all events associated with a particular user session, replace <enter external session id here> with an External Session ID.
(authenticationContext.externalSessionId eq "<enter external session id here>")To only view sign-on events associated with a particular user session, replace <enter external session id here> with an External Session ID.
(authenticationContext.externalSessionId eq "<enter external session id here>") and (
(eventType eq "user.session.start") or
(eventType eq "policy.evaluate_sign_on") or
(eventType eq "user.authentication.verify") or
(eventType eq "application.policy.sign_on.deny_access") or
(eventType eq "user.authentication.sso") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.mfa.factor.activate") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password") or
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)To view user sign-out events associated with a particular user, replace <enter user id> with a User ID.
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.session.end") or
(eventType eq "user.authentication.slo")
)To identify any changes to authenticators associated with a particular user, replace <enter user id> with a User ID.
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "user.mfa.factor.activate") or
(eventType eq "user.mfa.factor.deactivate") or
(eventType eq "user.mfa.factor.reset_all") or
(eventType eq "user.mfa.factor.suspend") or
(eventType eq "user.mfa.factor.unsuspend") or
(eventType eq "user.mfa.factor.update")
)You can also share a link to a System Log query with your team members so they can view the same events in the System Log.
After you have run a query and viewed the events in the System Log, copy the link in the URL field of your browser and paste it into a message to your colleagues.
When a user signs in to Okta, you’ll see the following sequence of events:
Order | Event | Description |
1 | user.session.start | This event is fired after the first authentication method is verified. |
2 | policy.evaluate_sign_on | This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation. |
3 | If a policy requires multifactor authentication (MFA), you’ll see various MFA enrollment or verification-related events. See the Multifactor authentication section for details on those events. | |
4 | user.authentication.verify | This event is fired after the user has successfully completed the sign-in flow. At this point, the a valid session should have been established for the user. |
Once a user has established a session, they are (usually) then able to view a dashboard of available applications. There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.
In successful app sign-in attempts, the following events are triggered:
In unsuccessful app sign-in attempts, the following event is triggered:
Order | Event | Description |
1 | application.policy.sign_on.deny_access | This event is fired if the user doesn’t meet the requirements to access the app. |
When any policy (Sign-On Policy/Global Session Policy/App Sign-On Policy) requires MFA, you should expect a number of the following events.
First there are those events that fire irrespective of the authenticator in question:
Order | Event | Description |
1 | user.authentication.auth_via_mfa | This event is fired after the user attempts to verify their identity using an MFA factor/authenticator. |
2 | user.mfa.factor.activate | If a user doesn’t have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enrol them. This event is fired after the user successfully enrols an MFA factor/authenticator. |
Specific MFA factors/authenticators also fire additional events that indicate progress of the verification flow:
Event | Description |
system.push.send_factor_verify_push | When using the Okta Verify Push factor/authenticator, this event is fired when Okta sends the push notification to the user’s device. |
system.email.send_factor_verify_message | When using the Email MFA factor/authenticator, this event is fired when Okta sends a message with a one-time password (OTP) code to the user via email. |
system.sms.send_phone_verification_message | When enrolling the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS. |
system.sms.send_factor_verify_message | When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS. |
system.voice.send_mfa_challenge_call | When enrolling Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call. |
system.voice.send_phone_verification_call | When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call. |
If your organization using Okta Classic Engine (OCE) supports user-initiated ("self-service") password resets, an analyst should expect to see the following sequence of events:
Order | Event | Description |
1 | One of the following: system.email.password_reset.sent_message system.sms.send_password_reset_message system.voice.send_password_reset_call NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in. | These events are fired after an email, SMS message or voice call are sent to the user to initiate the SSPR flow. |
2 | user.account.reset_password | This event is fired after Okta resets the user's password, after the email, SMS message or voice call are verified. The user’s password is reset to allow the user to change it. |
3 | user.account.update_password | This event is fired after the user has successfully changed their password. |
Once a user completes the SSPR, they commence a normal Okta sign-on flow. See the Sign in to Okta section for information about those events.
Below is a query analysts using OCE can use to search for SSPR-related activity in Okta System Log:
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.password_reset.sent_message") or
(eventType eq "system.sms.send_password_reset_message") or
(eventType eq "system.voice.send_password_reset_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.reset_password") or
(eventType eq "user.account.update_password")
)If an organization using Okta Classic Engine (OCE) allows self-service account unlock (SSU), an analyst should expect to see the following sequence of events:
Order | Event | Description |
1 | One of the following: system.email.account_unlock.sent_message system.sms.send_account_unlock_message system.voice.send_account_unlock_call NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in. | These events are fired after the email, SMS message or voice call are sent to the user to initiate the SSU flow. |
2 | user.account.unlock_token | This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user’s security question. |
3 | user.account.unlock | This event is fired after the user has successfully unlocked their account. |
Below is a query analysts using OCE can use to search for self-service unlock activity in Okta System Log:
(actor.id eq "<enter user id>" or target.id eq "<enter user id>") and (
(eventType eq "system.email.account_unlock.sent_message") or
(eventType eq "system.sms.send_account_unlock_message") or
(eventType eq "system.voice.send_account_unlock_call") or
(eventType eq "system.push.send_factor_verify_push") or
(eventType eq "system.email.send_factor_verify_message") or
(eventType eq "system.sms.send_factor_verify_message") or
(eventType eq "system.sms.send_phone_verification_message") or
(eventType eq "system.voice.send_mfa_challenge_call") or
(eventType eq "system.voice.send_phone_verification_call") or
(eventType eq "user.authentication.auth_via_mfa") or
(eventType eq "user.account.unlock_token") or
(eventType eq "user.account.unlock")
)Event | Description |
actor.id | The actor that performed an event on a target (typically a user) |
application.policy.sign_on.deny_access | A user was denied access to an application. |
policy.evaluate_sign_on | Provides context on the values that are used and evaluated in the context of the Global Session Policy. |
system.email.account_unlock.sent_message | Okta sends a system-generated account unlock email to the user when they request account unlocking. |
system.email.password_reset.sent_message | Okta sends a system-generated password reset email to the user when they request a password reset. |
system.email.send_factor_verify_message | Okta sends a system-generated verification email to the user when they sign in. |
system.push.send_factor_verify_push | Okta sends a push notification to the user. |
system.sms.send_account_unlock_message | Okta sends a system-generated account unlock text message to the user when they request account unlocking. |
system.sms.send_factor_verify_message | Okta sends a system-generated verification text message to the user when they sign in. |
system.sms.send_password_reset_message | Okta sends a system-generated password reset text message to the user when they request a password reset. |
system.sms.send_phone_verification_message | Okta sends a system-generated one-time password text message to the user when they select the Phone authenticator and the SMS mode. |
system.voice.send_account_unlock_call | Okta triggers a phone call to the user containing a one-time password when they request account unlocking. |
system.voice.send_mfa_challenge_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode. |
system.voice.send_password_reset_call | Okta triggers a phone call to the user containing a one-time password when they request a password reset. |
system.voice.send_phone_verification_call | Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode. |
user.account.reset_password | The user reset their password. |
user.account.unlock | The user’s account was unlocked. |
user.account.unlock_token | A token was issued for unlocking the user’s account. |
user.account.update_password | The user updated their password. |
user.authentication.auth_via_mfa | The user responded to an authentication challenge with a multifactor authentication method. |
user.authentication.sso | A user attempts a Single Sign-On (SSO) to an application managed in Okta. This event doesn't capture whether the SSO attempt is successful or has failed, as Okta can't collect the subsequent authentication attempt status from the third-party service. |
user.authentication.verify | The user was successfully verified. |
user.mfa.factor.activate | An MFA factor/authenticator was activated for a user. |
user.session.start | Okta issues a session to a user who is authenticating. |
For more information about the System Log, see the online help for your version of Okta:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。