| Top Level Category | Event Type | Details | Subject | Transmitter (From) | Receiver (To) | Notes |
|---|---|---|---|---|---|---|
| credential event | Password Reset | self-service user reset, admin forced a reset, help desk forced a reset | | | | |
| | Password Changed | | | | | |
| | Credential Invalidated | ex: admin revocation (user must change password) | | | | |
| | Credential Changed | user set new credential | | | | |
| | Account Disabled | by admin, by user | | | | |
| | Account Deleted | by admin, by user | | | | |
| revocation event | Token Revocation | | | | | |
| token misuse | Wrongly Scoped Token Attempt | hijack & replay suspected | | | | |
| token misuse | Incorrect Bearer | hijack & replay suspected | | | | |
| token misuse | Incorrect Audience | token substitution attack | | | | |
| revocation event | Session Revoked | | | | | |
| | Account Compromise | | | | | |
| | Device Disabled | | | | | |
| | Device Posture Change | | | | | |
| | GDPR Right to be Forgotten | | | | | |
| | Account Entitlement Addition | Governance, from discretionary access request/approval. | | | | |
| | Account Entitlement Removal | Governance, from access review/certification revocation. | | | | |
| credential event | Certificate Revoked | by admin, by user | | | | |
| credential event | Certificate Reissued | by admin, by user | | | | |
| | Consent revoked | by admin, by user | | | | |
| authentication event | NIST assurance level changed | | | | | |
| authentication event | MFA authn requested | <type of MFA would likely need to be an attribute here> | | | | |
| authentication event | MFA authn successful | | | | | |
| authentication event | MFA authn failed | | | | | |
| authentication event | MFA authn timed out | | | | | |
| | MFA KBA Questions Modified | Governance - a user's MFA KBA questions were edited. | | | | |
| | Policy changed | | | | | |
| | New Network Session | VPN, Wi-Fi, Ethernet | | | | |
| | SIM Card "event" | ex: SIM activate on a new device, revoke MFA capability | | | | |
| authentication event | password authn successful | | | | | |
| | password authn failed | | | | | |
| | Location Change | | | | | |
| proofing event | Proofing Failed | | | | | |
| | Proofing event succeeded | | | | | |
| Authentication event | max failed password | | | | | |
| credential event | compromised password match | | | | | |
| resource misuse | aggressive data access | | | | | |
| Authentication event | Repeated forgot password pattern | Email account compromised, now attacker tries to reset password on multiple SPs | | | | |
| Identity provider context change | SAML Claim changed | Gsuite Use Case | SAML Assertion Id | IDP | SP | Also covers LoA change |
| Identity provider context change | OIDC Claim changed | Gsuite Use Case | JTI | IDP | RP | Also covers LoA change |
| Device Property Change | IP address change | CAEP federation use cases | composite | RP | IDP | composite of IP address and JTI or something like that |
| Device Property Change | IP Context change (RP determines that the new address is qualitatively different - better or worse) | CAEP federation use cases | composite | RP | IDP | |
| Device Property Change | OS Version change | MDM Use case | device identifier | MDM | IDP / RP | The device ID needs to be something that both the IDP and RP understand. This may be implementation specific. |
| Device Property Change | Malware detected | security agent on device detected malware on device | device identifier | Endpoint security SVC | IDP/RP | The device ID needs to be something that both the IDP and RP understand. This may be implementation specific. |
| Session property change | Session replay | CAEP session use case | session | IDP | SP | IDP identifies the session compromise, takes action and propagates (more on the prescriptive end) the CAEP event to SPs. |
| | | | | SP | SP/IDP | SP identifies the session compromise, takes action and propagates (more on the descriptive end) the CAEP event to SPs and IDPs. |
| Authenticator Property Change | Phone number changed | Multi-identity use case. | | | | |
| | SIM detected in multiple regions | Multi-identity use case. | | | | |
| | Security Key moved to a different device | Multi-identity use case. | | | | Can be either a good use case (device might be more trustworthy) or a bad one (security key was stolen) |
| | Location change (phone is in different geolocation) | Multi-identity use case. | | | | |
| Policy Violation | Access Rights and SOD Conflict | Governance Use case | account ID | GP | IDP | GP = Governance Provider |