Suspicious Activity Reporting
Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.
- HealthInsight task recommendation
- End-user experience
- Enabling Security Notification Emails
- Configure Suspicious Activity Reporting
- Customize an email template to add or remove the Report Suspicious Activity button
- Disable Suspicious Activity Reporting
- System Log events
- Event Hooks for Suspicious Activity Reporting
HealthInsight task recommendation
When a user reports suspicious activity, admins can enable specific actions and audit System Log events to obtain further details about the reported activity.
| Okta recommends | Enable Suspicious Activity Reporting for end-user reporting. |
| Security impact | High |
| End-user impact | Low |
End-user experience
When this feature is enabled and security email notifications are enabled, end users will have an option to report suspicious or unrecognized activity to their org admin from an email notification. See End-user impact.
An example of this email is as follows:
When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:
- The link is only valid for 7 days after the email is sent and the action.
- The link expires after the user confirms suspicious activity.
An example of the information an end user can review before they submit the report is as follows:
Enabling Security Notification Emails
To enable this feature, navigate to Security > General and locate the Security Notification Emails section.
Events reported by users are displayed directly from the admin console dashboard.
Prerequisites
Note the following before you configure and enable this feature:
- You must be a super admin or org admin to configure this feature. All other admins have read-only access.
- For end users to report suspicious activity, ensure that at least one of the following email notifications is enabled:
  - MFA enrolled notification email
  - MFA reset notification email
If your org has customized email templates, they must be customized to include a button link for end-user reporting. Templates that are not customized include the Report button by default.
To add this button, see Customize an email template.
Configure Suspicious Activity Reporting
- From the admin dashboard, navigate to Security > General. The General Security page is displayed.
- Under Security Notification Emails, click Edit to configure this feature. The following settings are available:
  - MFA enrolled notification email
  - MFA reset notification email
  - Report suspicious activity via email
- Enable any of the first three settings to turn on email notifications. At least one must be enabled for end users to report suspicious activity.
- When a report is submitted, admins will receive an email notification.
  Click Review Security Event to view the event details in the System Log.
  The event name is: user.account.report_suspicious_activity_by_enduser
Customize an email template to add or remove the Report Suspicious Activity button
This is an optional step. If your org uses a customized email template, the Report Suspicious Activity button must be added manually to the template.
Refer to Email & SMS Customization for how to configure email notification templates.
Add the link to a customized email template
- Open the email template and insert the following code:
<a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">Report Suspicious Activity</a>
Note: This setting may also be accessed in the admin console from Settings > Email & SMS.
- From the left navigation menu, scroll down to Other. The following templates contain a new section including a link that allows users to report suspicious activity:
  - MFA enrolled notification email
  - MFA reset notification email
Note: For orgs that already use customized email templates, admins must either manually add the link to an existing customized template, or reset the email template so that the Report suspicious activity link appears and then customize it as needed.
Remove the link from a customized email template
- Navigate to Settings > Email & SMS from the admin dashboard.
- Scroll down to the Other section.
- Edit the email templates for the following emails if they are customized:
  - New Sign-On Notification
  - MFA enrolled notification email
  - MFA reset notification email
- Remove the following HTML code:
<a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">
Disable Suspicious Activity Reporting
Admins can disable Suspicious Activity Reporting by navigating to Security > General.
- When the feature is disabled, any existing links for users to report suspicious activity will expire.
- If you have customized email templates, the Report Suspicious Activity button should be removed manually from the email templates.
- If you are using Okta’s standard email templates, the button will automatically be removed.
System Log events
Once a user has reported suspicious activity, refer to the admin System Log for more details about the event. Admins can see all users who have reported suspicious activity in the past 7 days directly from the admin dashboard.
- Navigate to the admin System Log: Reports > System Log.
- Identify any event labeled: user.account.report_suspicious_activity_by_enduser.
- Expand the entry: Event > System > DebugData.
- Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
- Search the System Log for the transaction ID to trace the origin of the suspicious event.
- Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event Hooks for more information.
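The tracing steps above can also be run over an exported set of System Log events. The following is an added example, not Okta's own code: the JSON field layout (eventType, uuid, transaction.id, debugContext.debugData) is an assumption about the export format, and the sample events are constructed.

```python
# Added example: field names follow an assumed System Log JSON export layout.
REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
TXN_KEY = "suspiciousactivityeventtransactionid"  # compared case-insensitively

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": "user.mfa.factor.activate",
     "published": "2024-01-10T08:00:00Z", "transaction": {"id": "txn-constructed-A"},
     "client": {"ipAddress": "203.0.113.7"}},
    {"uuid": "e2", "eventType": "user.session.start",
     "published": "2024-01-10T08:05:00Z", "transaction": {"id": "txn-constructed-B"},
     "client": {"ipAddress": "198.51.100.4"}},
    {"uuid": "e3", "eventType": REPORT_EVENT,
     "published": "2024-01-10T09:30:00Z", "transaction": {"id": "txn-constructed-C"},
     "debugContext": {"debugData":
                      {"SuspiciousActivityEventTransactionId": "txn-constructed-A"}}},
    # A report whose DebugData lacks the transaction ID: it cannot be traced.
    {"uuid": "e4", "eventType": REPORT_EVENT,
     "published": "2024-01-10T10:00:00Z", "transaction": {"id": "txn-constructed-D"},
     "debugContext": {"debugData": {}}},
]


def noted_transaction_id(event):
    """Return the transaction ID recorded in a report's DebugData, or None."""
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    for key, value in debug.items():
        if key.lower() == TXN_KEY and value:
            return value
    return None


def trace_reports(events):
    """Map each report's uuid to the other events sharing its noted transaction ID."""
    traced = {}
    for report in events:
        if report.get("eventType") != REPORT_EVENT:
            continue
        txn = noted_transaction_id(report)
        traced[report["uuid"]] = [] if txn is None else [
            ev for ev in events
            if (ev.get("transaction") or {}).get("id") == txn
            and ev.get("uuid") != report["uuid"]
        ]
    return traced


if __name__ == "__main__":
    for uuid, origin in trace_reports(SAMPLE_EVENTS).items():
        print(uuid, [(ev["eventType"], ev["client"]["ipAddress"]) for ev in origin])
```

A report that maps to an empty list either lacks the transaction ID in DebugData or refers to an event outside the exported window, so widen the search range before closing it out.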
Event Hooks for Suspicious Activity Reporting
Optionally, admins can create an Event Hook to subscribe to user.account.report_suspicious_activity_by_enduser events.
See Developer documentation for Event Hooks:
Related Topics
HealthInsight tasks and recommendations
Sign-on notifications for end users
Password changed notification for end users
Factor enrollment notifications for end users