# Article Name
4 Ways to Monitor User Activity in Okta

# Article Summary
Explore four practical ways to monitor user activity in Okta to enhance visibility, auditing, and incident response for admins

# Original HTML URL on Toriihq.com
https://www.toriihq.com/articles/how-to-monitor-user-activity-okta

# Details
Keeping track of who signs in, what apps they access, and when changes happen in Okta can feel overwhelming for admins. You need reliable visibility to spot misuse, meet audit requirements, and speed up response.

This article walks through four practical ways to monitor user activity in Okta so you can build clearer logs, stronger audits, and faster incident response. No fluff, actionable steps you can apply today.

## Use Okta's UI

Here, you'll use the Okta Admin Console to view, filter, save, and export user activity from the System Log and built-in Reports, following Okta’s UI guidance.

### Open the Admin Console and go to logs

- Sign in to your Okta Admin Console.
- From the top navigation pick Reports then choose System Log.
- If your org uses a custom domain, sign in to that admin URL first.

### Use basic filters to find the events you care about

- Start with the time range selector to narrow the period.
- Click Add Filter and try these common filters:
- Event category: choose things like Authentication, MFA, or User Lifecycle.
- Actor or Target: enter a user’s email or name to see events they caused or were affected by.
- App: pick a specific application to see sign-ons and provisioning events for that app.
- Outcome or Status: filter for Success or Failure to spot failed logins.
- You can combine filters to narrow results (for example, failed authentication + specific user).

### Read event details

- Click any row to open the event detail pane.
- Look for these fields:
- Timestamp
- Event type and description
- Actor (who performed the action)
- Target (which user or app was affected)
- Client IP and device info
- Copy the raw event details from the pane if you need to paste it into a ticket or review it later.

### Save searches and reuse them

- After you build a useful filter set, click Save search and give it a clear name.
- Open saved searches later from the Saved Searches menu to run them again quickly.
- Keep a few standard saved searches, like “failed logins last 7 days” or “profile changes”.

### Turn saved searches into alerts (if enabled)

- If your Okta plan and settings include Alerts, you can convert a saved search into an alert rule so admins get notified when matching events occur.
- If you don’t see an Alerts option, check with your Okta administrator-some features require specific permissions or plan levels.

### Use built-in Reports for trends and quick checks

- In the Admin Console go to Reports > Reports.
- Pick a report such as authentication or user activity to see charts and summaries.
- Adjust the date range and any available filters.
- Use these reports to spot trends like rising failed logins or spikes in new device enrollments.

### Export or schedule data for off-console review

- From System Log or many Report views you can export results as CSV (look for an Export or Download button).
- For larger exports Okta may prepare a file and notify you when it’s ready.
- Some reports can be scheduled to run and send results automatically, depending on your Okta plan.

### Practical checks to monitor regularly

- Watch failed authentication trends and the IPs tied to them.
- Track MFA enrollments and changes to authentication policies.
- Review app assignments and provisioning events after onboarding or role changes.
- Save common searches and review them on a schedule (daily or weekly).

These steps follow Okta’s Admin Console UI guidance for the System Log and Reports. Use saved searches and exports to make regular monitoring repeatable and easier for your team.

## Use Torii

Rather than integrating with Okta directly, you can use Torii [https://www.toriihq.com/], a SaaS Management Platform, to track user activity in Okta. SMPs combine your SaaS subscriptions into a single dashboard, giving you one place to see all your SaaS applications and related data.

To view Okta user activity from Torii, complete these steps:

### 1. Sign up for Torii

Contact Torii [https://www.toriihq.com/] to request a complimentary two-week proof-of-concept.

### 2. Connect your Okta account to Torii

After your Torii instance is active, add your Okta account (assuming you already have one). Here are the instructions for the Okta integration [https://support.toriihq.com/hc/en-us/articles/23967598630683-Okta-integration-Alpha].

### 3. Search for Okta within Torii

Use the search box at the top of the Torii dashboard to find Okta. That page presents an Okta overview with details like license counts, expenditure, next renewal date, and other account metrics.

### Or, chat with Eko

Torii's AI helper, Eko [https://www.toriihq.com/eko], can also retrieve Okta details inside Torii using natural, conversational queries. Click the Eko icon in the bottom-right corner of the dashboard and ask it to find Okta's information - it will show the results directly in the chat window.

## Use Okta's API

Use Okta's API to monitor user activity

Here you'll use Okta's System Log API to pull events about users, filter for specific activity, and page through results. The examples use the REST API only-no UI steps.

### Get an API credential for calls

You need an Okta API token or an OAuth access token to call the System Log API. Put it in the Authorization header as either:

- Authorization: SSWS ${OKTAAPITOKEN}
- Authorization: Bearer ${ACCESSTOKEN}

Example curl to test a token:

### Read the System Log

The System Log endpoint returns events. Start with a simple fetch and increase filters once you see the data.

Example curl to fetch recent logs:

- The response is JSON array of events. Each event has fields like eventType, published, actor, target, and outcome.

### Filter results to a specific user

You can filter by user ID, email, or other fields using the filter query parameter.

Example: filter by user ID

Example: filter by user email (actor alternateId)

### Narrow by event type or combine filters

Use eventType and logical operators in filter to find specific actions.

Examples:

- Single event type:

- Combined: user email and event type

### Use time ranges and handle pagination

Add since and until to limit the time window. Use after to page through results. The API may return a Link header with a rel="next" and an after cursor.

Example: fetch a time window

Example: loop through pages (bash)

- The loop reads the Link header to get the after cursor and stops when there’s no next link.

### Subscribe or push events (Event Hooks)

If you want events delivered instead of polling, use Okta Event Hooks. Create an event hook via the Event Hooks API and subscribe to event types you care about. The Event Hooks API requires you to register a URL and validate the subscription challenge.

Example JSON payload to create an event hook (send with POST to /api/v1/eventHooks):

- After creation, Okta will send a verification request to the uri; complete that challenge per the API flow.

### Validate and map fields you need

Look at event JSON fields to pick what to store or alert on:

- eventType - what happened
- published - timestamp
- actor.alternateId and actor.id - user who took action
- target - affected user or object
- outcome - success or failure

There are many event types for logins, MFA, user lifecycle, admin actions, and more. Refer to Okta’s System Log API docs for full field and event type details.

### Tips for production use

- Request only the fields you need and filter on the server to reduce volume.
- Respect rate limits and use pagination.
- Keep tokens secure and rotate them per your policy.
- Use Event Hooks when you want near-real-time delivery instead of frequent polling.

This flow follows Okta’s System Log and Event Hooks APIs. Check the API docs for exact parameter behavior, supported eventType values, and any updates to pagination and authentication methods.

## Use Claude (via MCP)

You can also retrieve this information directly from Claude using the Model Context Protocol (MCP). Claude is Anthropic’s AI assistant and a competitor to ChatGPT.

To inspect Okta user activity from within Claude, do the following:

### 1. Set up Torii

Complete the Torii setup described above to link your Okta account with Torii: https://www.toriihq.com/

Then, in Torii’s Settings, generate a new API key.

### 2. Set up MCP in Claude

See the Torii MCP docs here: https://www.npmjs.com/package/@toriihq/torii-mcp?activeTab=readme and this explanatory blog post: https://www.toriihq.com/blog/introducing-model-context-protocol-in-torii

Install the Claude Desktop app, then add the following to your claudedesktopconfig.json file:

You can create that API key from the Settings tab in Torii.

### 3. Chat with Claude

Once configured, you can query your Torii data directly from Claude - for example, ask it to review your Okta account to report license counts, total spend, upcoming renewal dates, and other metrics.