Suspicious activity events

When you use the Suspicious Activity report, it populates this query by default.

( outcome.result eq "SUCCESS" AND ( eventType eq "app.oauth2.client_id_rate_limit_warning" OR eventType eq "user.mfa.attempt_bypass" ) ) OR ( outcome.result eq "FAILURE" AND ( eventType eq "user.authentication.auth_via_mfa" OR eventType eq "user.authentication.auth_via_IDP" OR eventType eq "user.authentication.auth" OR eventType eq "user.session.start" OR eventType eq "user.account.lock" OR eventType eq "user.authentication.auth_via_social" OR eventType eq "user.account.unlock" OR eventType eq "user.account.use_token" OR eventType eq "app.oauth2.token.grant" OR eventType eq "app.oauth2.as.evaluate.claim" OR eventType eq "app.oauth2.as.token.revoke" ) )

You can query the System Log for any of the suspicious activity events identified for users. The table below lists each event, its event type, and the System Log query that returns it. For details on the events in this table, see Event Types. Note that three rows of the table (14, 15 and 18, for the event types user.account.reset_password and app.oauth2.invalid_client_credentials) are not covered by the default query above and have to be searched for separately.

No. | Event | Event Type | System Log query
1 | Failed ${factor} factor attempt | user.authentication.auth_via_mfa | eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE"
2 | The transformed username '${okta_username}' was rejected by the username filter | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to match transformed username"
3 | Unable to resolve IdP endpoint with '${match_criteria}'. Ensure the IdP is correctly configured | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to resolve IdP endpoint"
4 | Unable to validate incoming SAML Assertion: [${token_id}] - ${error_message} | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate incoming SAML Assertion"
5 | A SAML Assertion with the same ID [${token_id}] has already been processed by Okta for a previous request | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "A SAML assert with the same ID has already been processed by Okta for a previous request"
6 | Unable to validate SAML Response [ID=${message_id}] - 'InResponseTo=${in_response_to}' does not match an ID of a SAML authentication request sent from Okta | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate SAML Response"
7 | Sign-in Failed {some reason} | user.authentication.auth or user.session.start | eventType eq "user.authentication.auth" and outcome.result eq "FAILURE", or eventType eq "user.session.start" and outcome.result eq "FAILURE"
8 | Account Locked - Max sign-in attempts exceeded | user.account.lock | eventType eq "user.account.lock"
9 | Unable to retrieve an access token for the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve an access token for the Identity Provider"
10 | Unable to retrieve a user profile from the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve a user profile from the Identity Provider"
11 | The UserInfo response from the Identity Provider is invalid: '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "The UserInfo response from the Identity Provider is invalid"
12 | Account link of incoming subject '${subject_name}' to user '${okta_username}' denied due to group membership restriction '${groups}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Account link of incoming subject to user denied due to group membership restriction"
13 | A bypass of MFA may have been attempted for this user | user.mfa.attempt_bypass | eventType eq "user.mfa.attempt_bypass"
14 | User answered recovery question incorrectly for self-service password reset | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User answered recovery question invalid"
15 | Self-service password reset attempted for suspended user | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User suspended"
16 | Token request for ${grant_type}-${code} rejected for client '${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code}, or Token request for ${grant_type}-${refresh_token} rejected for client '${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code} | app.oauth2.token.grant | eventType eq "app.oauth2.token.grant" and outcome.result eq "FAILURE"
17 | Multiple requests with a client id about to be rate limited | app.oauth2.client_id_rate_limit_warning | eventType eq "app.oauth2.client_id_rate_limit_warning"
18 | Multiple requests with invalid client credentials ${client_secrets} for client ${client_id} | app.oauth2.invalid_client_credentials | eventType eq "app.oauth2.invalid_client_credentials"
19 | Failed to evaluate claim for OAuth2 token for user ${user_id} with client ${client_id} and authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.evaluate.claim | eventType eq "app.oauth2.as.evaluate.claim" and outcome.result eq "FAILURE"
20 | OAuth2 token revocation request rejected for client ${client_id} with authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.token.revoke | eventType eq "app.oauth2.as.token.revoke" and outcome.result eq "FAILURE"
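The following Python is an added example, not code from Okta or from this page. It builds the default Suspicious Activity query above from a list of event types (so the same list can be used to form the filter parameter of a System Log API request), applies the same predicate to decoded System Log records locally, and maps each hit to its row in the table. The sample records are constructed for the example, as are the actor names and the MFA failure reason string; only the eventType and outcome.reason values taken from the table are from the page. The org URL used in query_url is a placeholder.

```python
"""Evaluate Okta's default Suspicious Activity filter locally and map hits
to the rows of the table above. Added example with constructed sample data."""
from __future__ import annotations

from typing import Iterable
from urllib.parse import quote

# Event types from the default Suspicious Activity query, in the page's order.
SUCCESS_TYPES = (
    "app.oauth2.client_id_rate_limit_warning",
    "user.mfa.attempt_bypass",
)
FAILURE_TYPES = (
    "user.authentication.auth_via_mfa",
    "user.authentication.auth_via_IDP",
    "user.authentication.auth",
    "user.session.start",
    "user.account.lock",
    "user.authentication.auth_via_social",
    "user.account.unlock",
    "user.account.use_token",
    "app.oauth2.token.grant",
    "app.oauth2.as.evaluate.claim",
    "app.oauth2.as.token.revoke",
)


def _any_of(types: Iterable[str]) -> str:
    return " OR ".join(f'eventType eq "{t}"' for t in types)


def build_filter() -> str:
    """Render the default query exactly as the report populates it."""
    return ('( outcome.result eq "SUCCESS" AND ( ' + _any_of(SUCCESS_TYPES) + " ) )"
            + ' OR ( outcome.result eq "FAILURE" AND ( ' + _any_of(FAILURE_TYPES) + " ) )")


def query_url(org_url: str) -> str:
    """URL for GET /api/v1/logs with the filter URL-encoded (org_url is a placeholder)."""
    return f"{org_url.rstrip('/')}/api/v1/logs?filter={quote(build_filter())}"


def is_suspicious(event: dict) -> bool:
    """Apply the default query's predicate to one decoded System Log record."""
    outcome = event.get("outcome") or {}
    result, etype = outcome.get("result"), event.get("eventType")
    return (result == "SUCCESS" and etype in SUCCESS_TYPES) or (
        result == "FAILURE" and etype in FAILURE_TYPES)


# (eventType, outcome.reason prefix or None, row number in the table above).
# A prefix match is used so a reason carrying extra detail still maps to its row.
ROWS = [
    ("user.authentication.auth_via_mfa", None, 1),
    ("user.authentication.auth_via_IDP", "Unable to match transformed username", 2),
    ("user.authentication.auth_via_IDP", "Unable to resolve IdP endpoint", 3),
    ("user.authentication.auth_via_IDP", "Unable to validate incoming SAML Assertion", 4),
    ("user.authentication.auth_via_IDP", "A SAML assert with the same ID", 5),
    ("user.authentication.auth_via_IDP", "Unable to validate SAML Response", 6),
    ("user.authentication.auth", None, 7),
    ("user.session.start", None, 7),
    ("user.account.lock", None, 8),
    ("user.authentication.auth_via_social", "Unable to retrieve an access token", 9),
    ("user.authentication.auth_via_social", "Unable to retrieve a user profile", 10),
    ("user.authentication.auth_via_social", "The UserInfo response", 11),
    ("user.authentication.auth_via_social", "Account link of incoming subject", 12),
    ("user.mfa.attempt_bypass", None, 13),
    ("user.account.reset_password", "User answered recovery question", 14),
    ("user.account.reset_password", "User suspended", 15),
    ("app.oauth2.token.grant", None, 16),
    ("app.oauth2.client_id_rate_limit_warning", None, 17),
    ("app.oauth2.invalid_client_credentials", None, 18),
    ("app.oauth2.as.evaluate.claim", None, 19),
    ("app.oauth2.as.token.revoke", None, 20),
]


def table_row(event: dict) -> int | None:
    """Row of the table that describes this event, or None if it is not listed."""
    etype = event.get("eventType")
    reason = (event.get("outcome") or {}).get("reason") or ""
    for row_type, prefix, row in ROWS:
        if etype == row_type and (prefix is None or reason.startswith(prefix)):
            return row
    return None


def rows_outside_default_query() -> set[int]:
    """Table rows the default query never returns; search for these separately."""
    covered = set(SUCCESS_TYPES) | set(FAILURE_TYPES)
    return {row for etype, _, row in ROWS if etype not in covered}


def triage(events: Iterable[dict]) -> dict[str, list[int | None]]:
    """Group events matched by the default query by actor, keeping each table row."""
    hits: dict[str, list[int | None]] = {}
    for ev in events:
        if is_suspicious(ev):
            actor = (ev.get("actor") or {}).get("alternateId", "unknown")
            hits.setdefault(actor, []).append(table_row(ev))
    return hits


# Constructed records in System Log shape; not real log data.
SAMPLE_EVENTS = [
    {"eventType": "user.authentication.auth_via_mfa",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},  # constructed reason
     "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.authentication.auth_via_IDP",
     "outcome": {"result": "FAILURE", "reason": "A SAML assert with the same ID has "
                 "already been processed by Okta for a previous request"},
     "actor": {"alternateId": "bob@example.com"}},
    {"eventType": "user.mfa.attempt_bypass", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},  # ordinary sign-in
     "actor": {"alternateId": "carol@example.com"}},
    {"eventType": "user.account.reset_password",  # row 14, but not in the default query
     "outcome": {"result": "FAILURE", "reason": "User answered recovery question invalid"},
     "actor": {"alternateId": "bob@example.com"}},
]

if __name__ == "__main__":
    print(query_url("https://example.okta.com"))
    print(triage(SAMPLE_EVENTS), rows_outside_default_query())
```

Running triage over the sample records reports the MFA failure and the MFA bypass attempt for the first actor and the replayed SAML assertion for the second; the failed recovery-question answer is dropped because user.account.reset_password is not in the default query, which is exactly why rows_outside_default_query returns rows 14, 15 and 18.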

Related topics

Reports

Report types

System Log filters and search