Okta Incident Response Guide
A critical part of responding to a security incident is gathering the information and facts that will shape your response. You have to answer questions like: who accessed Okta, when, what did they do, and how did they gain access? To facilitate the incident response process, Okta provides detailed audit logs within the System Log. This information is available through the Admin web console and via the API.
In this document we’ll cover what the System Log is and where to find it, how to translate log entries into actual user activity, and how you can leverage the System Log during a security incident. We’ll also review some of the actions you can take to respond to an incident identified within the System Log.
For additional information, or if you need help, the following resources are available: