Suspicious Activity Reporting

Suspicious Activity Reporting provides a user with the option to report unrecognized activity from email notifications about account activity.

HealthInsight task recommendation

When a user reports suspicious activity, admins can enable specific actions and System Log events to obtain further details about the activity.

Okta recommends

Enable Suspicious Activity Reporting for end-user reporting.
Security impact

High
End-user impact

Low

See End-user experience

End-user experience

When this feature and security email notifications are enabled, users may report suspicious or unrecognized activity to their org admin from an email notification.

When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:

  • The link is only valid for seven days after the email is sent.
  • The link expires after the user confirms suspicious activity.

Enable or disable Security Notification emails

If you disable this feature, all valid links expire immediately.

If you disable the Report suspicious activity via email option, the Report Suspicious Activity button is removed from the email templates that use it.

When you enable the Report suspicious activity via email option, events reported when users click the Report Suspicious Activity button appear on the Admin Console. Click Review Security Event to view the event details in the System Log. The event name is:

user.account.report_suspicious_activity_by_enduser

The following email templates include the Report Suspicious Activity button:

  • New Sign-On Notification
  • Authenticator Enrolled
  • Authenticator Reset
  • Password Changed

  1. In the Admin Console, go to SecurityGeneral.

  2. In the Security notification emails section, click Edit.

  3. Select either Enabled or Disabled from the dropdown beside the option that you want to enable or disable.

  4. Click Save.

Remove the Report Suspicious Activity button from an email template

The Report Suspicious Activity button appears on the following email templates:

  • New Sign-On Notification
  • Authenticator Enrolled
  • Authenticator Reset
  • Password Changed

You can remove it from the template if you want to use something else instead.

Remove the Report Suspicious Activity button from an email template

If you've enabled Early Access (EA) multibrand customization, your Admin Console navigation is different. See parenthetical notes.

  1. In the Admin Console, go to CustomizationsBranding. Or, if you enabled multibrand customization, go to CustomizationsBrands, and then select the brand you want.
  2. In the Communication section, click Edit beside Emails. (EA users: Click Emails.)
  1. In the Email Templates list, click the name of the email template you want to edit.
  2. In the customizations panel, click Edit.

  3. Find the following HTML code in the email template and delete it from the template or replace it with something else:

    <a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">

  4. Click Save changes.

System Log events

Once a user has reported suspicious activity, the System Log provides more information about the event. Admins can see all users who have reported suspicious activity in the past seven days.

  1. In the Admin Console, go to ReportsSystem Log.

  2. Identify any event labeled user.account.report_suspicious_activity_by_enduser.

  3. Expand the entry: Event > System > DebugData.

  4. Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
  5. Search the System Log for the transaction ID to trace the origin of the suspicious event.
  6. Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event hooks for more information.

Event Hooks for Suspicious Activity Reporting

Optionally, admins can create an Event Hook to subscribe to user.account.report_suspicious_activity_by_enduser events.

See the Okta Developer documentation for Event Hooks:

Related Topics

HealthInsight tasks and recommendations

Customize an email template

General Security

Sign-on notifications for end users

Password changed notification for end users

Factor enrollment notifications for end users

Factor reset notifications for end users