Beyond Identity Events


This article explains the types of events tracked by the Beyond Identity Admin Console, detailing each event’s outcome and description, and how these events can also be forwarded to a SIEM integration for monitoring and auditing purposes.


The following events display on the Events page in the Admin Console. If you're configuring a SIEM integration, you can choose which of these events are forwarded to your provider's logs.

| Event Type | Outcome | Description |
| --- | --- | --- |
| ADD_DEVICE | Success, Failure | Indicates whether a device was successfully enrolled. |
| API_TOKEN_CHANGE | Create, Revoke | Generated when the access token used to access the Beyond Identity Secure Workforce public APIs is created or revoked. |
| ATTRIBUTE_LIST_CREATE | Create | Generated when an attribute list is created on the policy. |
| ATTRIBUTE_LIST_DELETE | Delete | Generated when an attribute list is deleted from the policy. |
| ATTRIBUTE_LIST_UPDATE | Update | Generated when an attribute list is created on the policy. |
| AUTHENTICATION_ERROR_MESSAGE_CHANGE | Update, Delete | Generated when an authentication error message is updated. |
| AZURE_AD_HYBRID_PROVIDER_CHANGE | N/A | Generated when an Azure AD Hybrid provider is created, updated, or deleted. |
| CLIENT_COMMIT_SIGN | N/A | Generated when a commit is signed with a GPG key for Secure DevOps on the client. Note: Secure DevOps is an add-on feature that signs and verifies the author of every commit using the authenticator to prevent unauthorized threats. |
| CLIENT_CORE_AUTHENTICATION | Start, End | Indicates the status of the authentication event from the client. |
| CLIENT_CORE_SELECTED_CREDENTIAL | Start, End | Indicates that a credential has been selected by the client. |
| CLIENT_CREATE_GPG_KEY | Success, Failure | Indicates whether a GPG key for Secure DevOps was created on the authenticator. Note: Secure DevOps is an add-on feature that signs and verifies the author of every commit using the authenticator to prevent unauthorized threats. |
| CLIENT_CREATE_SSH_KEY | N/A | Generated when an SSH key is created on the client. |
| CLIENT_CREDENTIALS_CHANGE | N/A | Generated when client credentials are created, updated, or deleted. This includes updates to the client ID, name, token scope, and the time after which the token expires. |
| CLIENT_DELETE_GPG_KEY | N/A | Indicates whether a GPG key for Secure DevOps was removed from the authenticator. Note: Secure DevOps is an add-on feature that signs and verifies the author of every commit using the authenticator to prevent unauthorized threats. |
| CLIENT_KEY_COMPROMISED | N/A | Generated when a compromised key is detected. |
| CLIENT_SSH_CERT_USED | N/A | Generated when an SSH certificate is used to authenticate an SSH connection. |
| CLIENT_WDL_ENROLLMENT | N/A | Generated when a user enrolls in Windows Desktop Login for Active Directory. |
| CLIENT_WDL_UNEROLLMENT | N/A | Generated when a user unenrolls from Windows Desktop Login for Active Directory. |
| CONSOLE_SSO_IDP_CHANGE | N/A | Generated when the Console SSO IDP is changed for a tenant's Admin or User console. For example, this could occur if you switch the SSO provider from Okta to Beyond Identity’s Secure Access SSO. |
| CONSOLE_SSO_OIDC_AUTH_CONFIG_CHANGE | N/A | Generated when a Console OIDC authentication configuration is created, updated, or deleted. |
| CONSOLE_SSO_SAML_AUTH_CONNECTION_CHANGE | N/A | Generated when a Console SAML authentication connection is created, updated, or deleted. |
| CONTINUOUS_AUTHENTICATION | Allow, Deny | Repeats an authentication on an interval, evaluating the policy each time as if it were the original authentication. Note: The key used to sign collected information cannot be used while the computer is locked; macOS devices will only report information when awake and unlocked. |
| CREATE_ENROLLMENT_SHORT_CODE | N/A | Generated when a short code binding job is created. |
| CREDENTIAL_TAG_CHANGE | N/A | Generated when tags are added to or removed from a device credential. |
| DESKTOP_LOGIN_ENROLLMENT | Succeeded, Failed | Indicates whether enrollment in Windows Desktop Login succeeded. |
| DESKTOP_LOGIN_RECOVERY_KEYS_CHANGE | Set, Failed | Generated when a device's recovery keys are set. |
| DESKTOP_LOGIN_UNENROLLMENT | Succeeded, Failed | Indicates whether unenrollment in Windows Desktop Login succeeded. |
| DEVICE_CREDENTIAL_CHANGE | N/A | Generated when a device credential is created or revoked. |
| EMAIL_STATUS_CHANGE | Delivered | Generated when an email delivery status is changed. |
| ENROLLMENT_CHANGE | N/A | Generated when a device’s enrollment changes, such as a user enrolling or unenrolling a device. This could be related to a user setting up a new device or decommissioning an older device. |
| GPG_KEY_CHANGE | N/A | Indicates if a GPG key for Secure DevOps was changed. |
| GROUP_CHANGE | N/A | Generated when a group is created, updated, or deleted. |
| GROUP_MEMBERSHIP_CHANGE | N/A | Generated when a user or child group is added to or removed from a group. |
| INTEGRATION_API_CALL | N/A | Provides information about API calls made to third-party integrations. |
| INTEGRATION_CONFIGURATION_CHANGE | N/A | Generated when an integration configuration such as CrowdStrike is created, updated, deleted, or transitioned to an error state. |
| OIDC_CLIENT_CHANGE | N/A | Generated when an OIDC client configuration is created, updated, or deleted. |
| OIDC_COMPLETE | Success, Failure, Timeout, Unauthorized | Generated when the OIDC transaction completes. |
| OIDC_INBOUND | Success, Failure | Provides information about the inbound OIDC request from the authenticator. |
| OKTA_DESKTOP_LOGIN_CONFIGURATION_CHANGE | N/A | Generated when an Okta desktop login is created, updated, or deleted. |
| OKTA_EVENT_HOOK_CONFIGURATION_CHANGE | N/A | Generated when an Okta event hook configuration is created, updated, or deleted. Okta event hooks are |
| OKTA_REGISTRATION_ATTRIBUTE_CONFIGURATION_CHANGE | N/A | Generated when an Okta registration attribute configuration is created, updated, or deleted. An example of an Okta registration attribute is byndidRegistered. |
| OUTBOUND_ATTRIBUTE_UPDATE | Success, Failure | Generated when a user is updated/synchronized with an outbound SCIM server. |
| POLICY | Allow, Deny | Indicates whether access was allowed or denied based on the criteria defined in a policy rule. |
| POLICY_CHANGE | Update | Indicates that a change has been made to the policy. This can include adding/removing rules, changing the order of rules, changing the policy name, etc. |
| ROAMING_AUTH_CONFIG_CHANGE | Update | Generated when a tenant's roaming authentication configuration is updated. |
| SAML_COMPLETE | Success, Unauthorized, Timeout | Generated when the SAML transaction completes. |
| SAML_CONNECTION_CHANGE | N/A | Generated when a SAML connection is created, updated, or deleted. |
| SAML_INBOUND | Success, Failure | Provides information about the inbound SAML request from the authenticator. |
| SCIM11_PROVIDER_CHANGE | N/A | Generated when a SCIM 1.1 provider is created, updated, or deleted. |
| SCIM20_PROVIDER_CHANGE | N/A | Generated when a SCIM 2.0 provider is created, updated, or deleted. |
| TAG_CHANGE | N/A | Generated when tags are created for a tenant. |
| TENANT_CHANGE | N/A | Generated when a tenant is updated. This includes updates to the logo, name, roaming authentication, enrollment URI, and login URI. |
| USER_AUTHENTICATION | Success, Failure, Unauthorized | Provides the status of a user’s authentication. |
| USER_CHANGE | Active, Suspended, Deleted | Generated when a user is created, updated, deleted, activated, or suspended. |
| WS_FED_CLIENT_CONFIG_CHANGE | N/A | Generated when a WS-Fed client configuration is created, updated, or deleted. |
| WSFED_COMPLETE | Success, Unauthorized, Timeout | Generated when the WS-Federation transaction completes. |
| WSFED_INBOUND | Success, Failure | Provides information about the inbound WS-Federation request. |