Behavior detection System Log events
If sign-in attempts are evaluated for changes in behavior, details about the behavior detected are recorded in System Log events. To see behavior details for user.session.start and policy.evaluate.sign_on events, navigate to DebugContext and DebugData. For example:
As you can see in this example, the Behaviors fields have entries in the form of key=value pairs, where key represents the behavior type and the value represents the outcome of the behavior evaluation.
The possible outcomes for behavior evaluation are:
Value |
Description |
---|---|
POSITIVE | A change in behavior was detected. If MFA is configured for a policy rule and the behavior evaluated is POSITIVE, Okta prompts for MFA. |
NEGATIVE | No change in behavior is detected. If MFA is configured for a policy rule and the behavior evaluated is NEGATIVE, Okta doesn't prompt for MFA. |
UNKNOWN | Not enough history to detect behavior. If MFA is configured for a policy rule and the behavior evaluated is UNKNOWN, Okta prompts for MFA. |
BAD_REQUEST | Not enough information from the sign-in attempt to detect behavior. For example, if the location can't be determined or a no device identifier was provided, the evaluation is reported as a BAD_REQUEST. If MFA is configured for a policy rule and the behavior evaluated is BAD_REQUEST, Okta prompts for MFA. |