Okta System Log
Location
Okta Admin Console > Reports > System Log or Okta System Log API
Description
Tenant-wide identity and administrative audit events for Okta, including sign-ins, MFA challenges, factor resets, policy changes, app assignment changes, session activity, and API token use.
Forensic Value
The Okta System Log is the authoritative evidence source for Okta-centric identity incidents. It reveals the actor, client, IP address, target object, authentication context, and administrative changes behind credential attacks, MFA abuse, and tenant persistence.
Tools Required
Collection Commands
Okta System Log API
curl -s -H "Authorization: SSWS $OKTA_TOKEN" "https://<org>.okta.com/api/v1/logs?since=2026-03-01T00:00:00.000Z" > okta_system_log.json
Okta Admin Console
Reports > System Log > Filter by actor, IP, event type, and date range > Export results for the incident window
Collection Constraints
- The System Log API does not return events older than 90 days through standard queries; long-term preservation requires SIEM or external export workflows.
- API access is rate-limited and requires a token with permission to read the relevant tenant activity.
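Once the JSON export above is on disk, the fields named under Forensic Value (actor, client IP, session, target, outcome, event type) have to be pulled out of each event. The following is an added example, not Okta's code nor part of this entry: the four events are constructed (identities, IP addresses and session ids are fabricated; event-type names follow Okta's naming), and ADMIN_PREFIXES is this example's own grouping of the event families the Description lists.

```python
import json
# Constructed sample in the JSON shape returned by GET /api/v1/logs; the
# identities, IP addresses and session ids are fabricated for illustration.
SAMPLE_LOG = json.loads("""[
{"published":"2026-03-02T10:00:00.000Z","eventType":"user.session.start",
 "outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.test"},
 "client":{"ipAddress":"203.0.113.5"},
 "authenticationContext":{"externalSessionId":"sess-1"},"target":[]},
{"published":"2026-03-02T10:02:00.000Z","eventType":"user.mfa.factor.reset_all",
 "outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.test"},
 "client":{"ipAddress":"203.0.113.5"},
 "authenticationContext":{"externalSessionId":"sess-1"},
 "target":[{"type":"User","alternateId":"bob@example.test"}]},
{"published":"2026-03-02T10:05:00.000Z","eventType":"system.api_token.create",
 "outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.test"},
 "client":{"ipAddress":"203.0.113.5"},
 "authenticationContext":{"externalSessionId":"sess-1"},
 "target":[{"type":"Token","displayName":"backup-token"}]},
{"published":"2026-03-02T11:00:00.000Z","eventType":"policy.lifecycle.update",
 "outcome":{"result":"FAILURE"},"actor":{"alternateId":"carol@example.test"},
 "client":{"ipAddress":"198.51.100.9"},
 "authenticationContext":{"externalSessionId":"sess-2"},
 "target":[{"type":"PolicyEntity","displayName":"Global Session Policy"}]}
]""")

# Event-type prefixes for the admin changes this artifact records (assumed grouping).
ADMIN_PREFIXES = ("user.mfa.factor.", "system.api_token.",
                  "policy.", "application.user_membership.")

def flatten(ev):
    """Reduce one event to the fields an investigator pivots on."""
    return {"published": ev["published"], "event_type": ev["eventType"],
            "result": ev.get("outcome", {}).get("result"),
            "actor": ev.get("actor", {}).get("alternateId"),
            "ip": ev.get("client", {}).get("ipAddress"),
            "session": ev.get("authenticationContext", {}).get("externalSessionId"),
            "targets": [t.get("alternateId") or t.get("displayName")
                        for t in ev.get("target") or []]}

def session_timeline(events, session_id):
    """Events sharing one externalSessionId, oldest first: this ties a sign-in
    to the changes made under that session."""
    return sorted((r for r in map(flatten, events) if r["session"] == session_id),
                  key=lambda r: r["published"])

def admin_changes(events):
    """Successful events whose type falls under an administrative prefix."""
    return [r for r in map(flatten, events) if r["result"] == "SUCCESS"
            and r["event_type"].startswith(ADMIN_PREFIXES)]
```

Replace SAMPLE_LOG with `json.load(open("okta_system_log.json"))` to run the same pivots over a real export.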
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.