Okta Event-Type Logging Filters

These are great to know no matter what, especially with what’s going on with what LAPSUS is showing us with Okta.

Here’s the Okta Event-Type catalog:


User Events:
EventType Filter Notes
eventType eq “user.session.start” User logging in
eventType eq “user.session.end” User logging out
eventType eq “policy.evaluate_sign_on” Sign in policy evaluation
eventType eq “user.account.lock” Okta user locked out
eventType sw “user.authentication.auth” All types of Auth events, covering MFA, AD, Radius, etc
eventType eq “user.account.update_password” User changing password
eventType eq “user.authentication.sso” User accesing app via single sign on
eventType eq “user.authentication.auth_via_mfa” MFA challenge
eventType eq “user.mfa.factor.update” User changing MFA factors
eventType eq “system.mfa.factor.deactivate” Identify when an admin has disabled a factor for MFA
eventType eq “Attempt bypass of factor” Attempt bypass of factor
eventType eq “user.session.impersonation.initiate” Initiate impersonation session



Okta Events:
EventType Filter Notes
eventType eq “user.session.access_admin_app These events are associated with users accessing the Admin section of your Okta instance
eventType eq “user.account.reset_password” User password reset by Okta Admin
eventType eq “zone.update” Modification of a Network Zone
eventType eq “user.account.privilege.grant” Granting Okta Admin to a user
eventType eq “group.user_membership.add” Adding Okta user to a group
eventType eq “application.user_membership.add” Adding user to application membership
eventType eq “policy.lifecycle.create” Creation of a new Okta Policy
eventType eq ”application.lifecycle.create” New Application created
eventType eq ”user.lifecycle.activate” New Okta user
eventType eq “application.provision.user.push” Assign application to user
eventType eq ”user.lifecycle.deactivate” Deactivate Okta user
eventType eq ”user.lifecycle.suspend” Suspend Okta user
eventType eq “user.session.clear” Okta user login session cleared
eventType eq “system.api_token.create” Creation of a new Okta API token
eventType eq “system.org.rate_limit.violation” Hitting the rate limit on requests
eventType eq “user.mfa.factor.deactivate” Removed MFA factor from user
eventType eq “user.mfa.factor.reset_all” Remove all MFA factors from user

Cloudflare investigated with these events:

You can read about the Cloudflare investigation here:


  • You can link events to sessions. For example: sessionId:trs2lk299ljajfa
  • In all Okta activity, ipAddresses are recorded.
  • Different types of events are captured by eventType.
  • You may combine all of your eventTypes in the past to find uncommon occurrences.
  • Search for eventType:app* in okta apps to check for abnormalities.
  • Okta logs contain user agents that can lead to some interesting discoveries. If your company is Mac-based, why are you seeing a user agent that says Windows? (UserAgents can be altered, and operators can be lazy.)