Suspicious Activity Reporting

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.

HealthInsight task recommendation
End-user experience
Enabling Security Notification Emails
Configure Suspicious Activity Reporting
Customize an email template to add or remove the Report Suspicious Activity button
Disable Suspicious Activity Reporting
System Log events
Event Hooks for Suspicious Activity Reporting

HealthInsight task recommendation

When a user reports suspicious activity, admins can enable specific actions and audit system logs events to obtain further details about the activity reported.

Okta recommends

Enable Suspicious Activity Reporting for end-user reporting.

Security impact

High

End-user impact

Low

See End-user experience

End-user experience

When this feature is enabled and security email notifications are enabled, end users will have an option to report suspicious or unrecognized activity to their org admin from an email notification. See End-user impact.

An example of this email is as follows:

When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:

The link is only valid for 7 days after the email is sent and the action.
The link expires after the user confirms suspicious activity.

An example of the information an end user can review before they submit the report is as follows:

Enabling Security Notification Emails

To enable this feature, navigate to Security > General, under Security Notification Emails.

Events reported by users are displayed directly from the admin console dashboard.

Prerequisites

Note the following before you configure and enable this feature:

You must be a super admin or org admin to configure this feature. All other admins have read-access only.
In order for end users to report suspicious activity, ensure that at least one of the following email notifications are enabled:
- MFA enrolled notification email
- MFA reset notification email

If your org has customized email templates, they must be customized to include a button link for end-user reporting. Templates that are not customized include the Report button by default.

To add this button, see Customize an email template.

Configure Suspicious Activity Reporting

From the admin dashboard, navigate to Security > General. The General Security page appears.
Under Security Notification Emails, click Edit to configure this feature. The following settings are available:
- MFA enrolled notification email
- MFA reset notification email
- Report suspicious activity via email
Enable any of the first three settings to turn on email notifications. At least one must be enabled for end users to report suspicious activity.
When a report is submitted, admins will receive an email notification.

Click Review Security Event to view the event details in the System Log.

The event name is: user.account.report_suspicious_activity_by_enduser

Customize an email template to add or remove the Report Suspicious Activity button

This is an optional step. If your org uses a customized email template, the Report Suspicious Activity button must be added manually to the template.

See Customize an email template on how to configure email notification templates.

Add the link to a customized email template

Open the email template and insert the following code in the email template:

<a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">

This setting may also be accessed in the admin console from Settings > Email & SMS.
From the left navigation menu, scroll down to Other. The following templates contain a new section including a link that allows users to report suspicious activity:
- MFA enrolled notification email
- MFA reset notification email
For orgs that already use customized email templates, admins must manually add the link to an existing customized template or reset the email template for the Report suspicious activity link to appear and customize as needed.

Remove the link from a customized email template

Navigate to Settings > Email & SMS from the admin dashboard.
Scroll down to the Other section.
Edit the email templates for the following emails if they are customized.
- New Sign-On Notification
- MFA enrolled notification email
- MFA reset notification email
Remove the following HTML code:

<a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">

Disable Suspicious Activity Reporting

Admins can disable Suspicious Activity Reporting by navigating to Security > General.

When the feature is disabled, any existing links for users to report suspicious activity will expire.
If you have customized email templates, the Report Suspicious Activity button should be removed manually from the email templates.
If you are using Okta’s standard email templates, the button will automatically be removed.

System Log events

Once a user has reported suspicious activity, refer to the admin System Log for more details about the event. Admins can see all users who have reported suspicious activity in the past 7 days directly from the admin dashboard.

Navigate to the admin System Log: Reports > System Log.
Identify any event labeled: user.account.report_suspicious_activity_by_enduser.
Expand the entry: Event > System > DebugData.
Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
Search the System Log for the transaction ID to trace the origin of the suspicious event.
Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event hooks for more information.

Event Hooks for Suspicious Activity Reporting

Optionally, admins can create an Event Hook to subscribe to user.account.report_suspicious_activity_by_enduser events.

See Developer documentation for Event Hooks: