Skip to main content

Get events by tenant, with optional case-insensitive filters.

Get events by tenant, with optional case-insensitive filters.

Query Parameters
start_time int64

Unix epoch in milliseconds to begin events recorded time. Defaults to 0.

end_time int64

Unix epoch in milliseconds to end events recorded time. No default.

page_size int64

The number of events to return in a single page. The default is 100 and the maximum page_size is 1000.

ordering string REQUIRED

Possible values: [asc, desc]

The ordering of the events (by time injected by the dataexport system, not when they occurred). No default.

cursor string

A page contains 100 events by default, or 'page_size' events if that's set in the request. Set this to the value of 'cursor' from the last response to retrieve the next page of results.

event_type string[]

If passed, returns only events of the given event types. Case insensitive.

Example: OIDC_INBOUND
actor string[]

If passed, returns onnly events involving principal agents with these full human names.

Example: John Smith
outcome string[]

If passed, returns only events with the given outcomes.

Example: SUCCESS
emitting_service string[]

If passed, returns only events produced by the given services.

correlation_id string[]

If passed, returns only events with the given correlation IDs.

query_text string

If passed, returns events with data matching a free-form text query of the given input.

Example: add_device OR device_credential_change -windows
include_not_attested boolean

If set to true events whose data cannot be fully attested to by Beyond Identity will be included in the repsonse.

Example: true
Responses
200

Retrieve the given page of events for the given tenant over the given window.

Schema
message string

OK

body object

The full response to GET /events.

events object[]

The page of events.

id uuid REQUIRED

The unique ID for this event.

correlation_id string REQUIRED

The ID to link events in a single authentication flow.

actor_tenant_id string

The ID of the tenant that performed the event. This could be different from tenant_id when one tenant administrates another.

service string REQUIRED

Service that produced the event.

event_occurred_millis int64 REQUIRED

The Unix epoch in milliseconds of the moment the event happened in the system.

event_recorded_millis int64

The Unix epoch in milliseconds of the moment the event was saved by the system.

outcome string

The outcome of the event i.e. whether the event was (un)successful, had a side effect, etc.

attested boolean

Whether the data in the event can be attested to by Beyond Identity. Events that have this field set to false may contain raw user input or data from a process not controlled by Beyond Identity.

actor object

The entity whose action caused the event to be emitted.

type string REQUIRED

The type of actor.

display_name string

The display name for the actor.

id string REQUIRED

The ID for the actor. Internal ID for Users.

display_id string REQUIRED

A human-friendly ID of the actor.

tenant_id string REQUIRED

The actor's tenant ID. This may not match the tenant ID acted upon when e.g. one tenant administers another.

event_type string REQUIRED

Possible values: [USER_AUTHENTICATION, OIDC_INBOUND, OIDC_COMPLETE, WSFED_INBOUND, WSFED_COMPLETE, SAML_INBOUND, SAML_COMPLETE, ADD_DEVICE, POLICY, TENANT_CREATED, GROUP_CHANGE, USER_CHANGE, GROUP_MEMBERSHIP_CHANGE, CONTINUOUS_AUTHENTICATION, DEVICE_CREDENTIAL_CHANGE, BOOTSTRAP_INBOUND, BOOTSTRAP_COMPLETE, BOOTSTRAP_KEY_ROTATION, AUTHSERVER_ACCESS, AUTHSERVER_DIRECTORY_ACCESS, AUTHORIZE_CONTEXT_ACCESS, APPLICATION_ACCESS, TENANT_CHANGE, OIDC_CLIENT_CHANGE, CONSOLE_SSO_IDP_CHANGE, CONSOLE_SSO_OIDC_AUTH_CONFIG_CHANGE, CONSOLE_SSO_SAML_AUTH_CONNECTION_CHANGE, SAML_CONNECTION_CHANGE, OKTA_DESKTOP_LOGIN_CONFIGURATION_CHANGE, OKTA_EVENT_HOOK_CONFIGURATION_CHANGE, POLICY_CHANGE, OKTA_REGISTRATION_ATTRIBUTE_CONFIGURATION_CHANGE, GPG_KEY_CHANGE, ENROLLMENT_CHANGE, REALM_CHANGE, SCIM11_PROVIDER_CHANGE, SCIM20_PROVIDER_CHANGE, OUTBOUND_ATTRIBUTE_UPDATE, CREDENTIAL_CHANGE, CREDENTIAL_BINDING_JOB_CHANGE, AUTHENTICATOR_INVOCATION_ATTEMPT]

The type of the event.

data

The event payload.

cursor string

An opaque value used to indicate that more results are available. Use this value to retrieve the next page of results. Once a response is returned without a 'next_cursor' value, it can be assumed that all results have been paged through.

400

Bad request.

Schema
message string

Error message.

401

Not authorized.

Schema
message string

Error message.

403

Forbidden user

Schema
message string

Error message.