Use System Logs Query (to save time!)

Dec. 5, 2021

Author: Pratik Bhatt

Audience: Okta Administrators or Aspiring Okta Admins

Bias Information: None for this post

================================================================================================================

Hello readers! Hope you all are doing well.

When managing Okta, you will have used the System Log to troubleshoot issues, and that means digging through the log to find exactly where the problem is.

Although Okta ships a few pre-configured System Log reports under Reports -> Reports -> System Log, which are useful for troubleshooting, I will be sharing a few queries that come in handy for day-to-day work and may save you a minute or two.

So, let's roll.

1. actor.displayName eq "Name of Okta User":

Use this query when you want to see all of a user's events in Okta. (An alternative is to go to Directory -> People, search for the person, open the user and click View Logs.)

(Screenshot: Person's Logs)

2. ipAddress eq "specific IP Address":

Use this query when you want to see all activity in Okta coming from a specific IP address.

3. userAgent.os eq "OS Name":

Use this query when you want to see all activity in Okta coming from a specific operating system.

4. userAgent.browser eq "BROWSERNAME":

Use this query when you want to see all activity in Okta coming from a specific browser.

5. eventType eq "security.threat.detected":

This event is important: whenever Okta ThreatInsight detects unusual activity from a specific IP address, it is recorded in the System Log as this event. It is always recommended to set Okta ThreatInsight to "Log and block authentication attempts from malicious IPs".

6. reason eq "Sign-on policy evaluation resulted in CHALLENGE":

Use this query to check that your configured sign-on policies are working and prompting for MFA.

7. reason eq "Authentication failed: the password has expired":

Use this query to find users whose passwords have expired (their sign-in attempts fail with this reason).
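As an added example (not part of the original post), the following Python evaluates the seven filters above offline against constructed events laid out in the shape the Okta System Log API (`/api/v1/logs`) returns, so a filter can be sanity-checked before it is run in the admin console. The mapping of the console shorthand `ipAddress`, `userAgent.*` and `reason` onto the API paths `client.ipAddress`, `client.userAgent.*` and `outcome.reason` is an assumption of this example, and the sample events are constructed, not real log data.

```python
import re
from typing import Any

# UI shorthand -> System Log API JSON path (assumed mapping for the shorthand).
ALIASES = {
    "ipAddress": "client.ipAddress",
    "userAgent.os": "client.userAgent.os",
    "userAgent.browser": "client.userAgent.browser",
    "reason": "outcome.reason",
}

# One `attribute eq "value"` term; values containing " and "/" or " unsupported.
TERM = re.compile(r'^\s*([\w.]+)\s+eq\s+"([^"]*)"\s*$')

def lookup(event: dict, path: str) -> Any:
    """Walk a dotted path through the nested event JSON; None if absent."""
    node: Any = event
    for key in ALIASES.get(path, path).split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def matches(event: dict, expr: str) -> bool:
    """Evaluate `a eq "x" and b eq "y" or c eq "z"`; `and` binds tighter than `or`."""
    for disjunct in re.split(r"\s+or\s+", expr):
        terms = [TERM.match(t) for t in re.split(r"\s+and\s+", disjunct)]
        if not all(terms):
            raise ValueError(f"unsupported filter term in: {disjunct!r}")
        if all(lookup(event, m.group(1)) == m.group(2) for m in terms):
            return True
    return False

def search(events: list, expr: str) -> list:
    """Return the uuids of events matching the filter, in order."""
    return [e["uuid"] for e in events if matches(e, expr)]

# Constructed sample events in System Log API shape (not real log data).
EVENTS = [
    {"uuid": "e1", "eventType": "user.session.start", "actor": {"displayName": "Jane Doe"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"os": "Mac OS X", "browser": "CHROME"}},
     "outcome": {"result": "CHALLENGE", "reason": "Sign-on policy evaluation resulted in CHALLENGE"}},
    {"uuid": "e2", "eventType": "user.session.start", "actor": {"displayName": "Jane Doe"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"os": "Windows 10", "browser": "FIREFOX"}},
     "outcome": {"result": "FAILURE", "reason": "Authentication failed: the password has expired"}},
    {"uuid": "e3", "eventType": "security.threat.detected", "actor": {"displayName": "Okta System"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"os": "Unknown", "browser": "UNKNOWN"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
]
```

Calling `search(EVENTS, 'ipAddress eq "198.51.100.7"')` returns both the expired-password failure and the ThreatInsight event from that address, which is the kind of pivot query 2 is meant for.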

Feedback on this post is welcome via email (bhattpratik@live.com) or via LinkedIn.