Suspicious Activity Reporting
Suspicious Activity Reporting provides a user with the option to report unrecognized activity from email notifications about account activity.
- HealthInsight task recommendation
- End-user experience
- Enable or disable Security Notification emails
- Remove the Report Suspicious Activity button from an email template
- System Log events
- Event Hooks for Suspicious Activity Reporting
HealthInsight task recommendation
When a user reports suspicious activity, admins can enable specific actions and System Log events to obtain further details about the activity.
| Okta recommends | Enable Suspicious Activity Reporting for end-user reporting. |
| Security impact | High |
| End-user impact | Low |
End-user experience
When this feature and security email notifications are enabled, users may report suspicious or unrecognized activity to their org admin from an email notification.
When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:
- The link is only valid for seven days after the email is sent.
- The link expires after the user confirms suspicious activity.
Enable or disable Security Notification emails
If you disable this feature, all valid links expire immediately.
If you disable the Report suspicious activity via email option, the Report Suspicious Activity button is removed from the email templates that use it.
When you enable the Report suspicious activity via email option, events reported when users click the Report Suspicious Activity button appear on the Admin Console. Click Review Security Event to view the event details in the System Log. The event name is:
user.account.report_suspicious_activity_by_enduser
The following email templates include the Report Suspicious Activity button:
- New Sign-On Notification
- Authenticator Enrolled
- Authenticator Reset
- Password Changed
- In the Admin Console, go to .
- In the Security notification emails section, click Edit.
- Select either Enabled or Disabled from the dropdown beside the option that you want to enable or disable.
- Click Save.
Remove the Report Suspicious Activity button from an email template
The Report Suspicious Activity button appears on the following email templates:
- New Sign-On Notification
- Authenticator Enrolled
- Authenticator Reset
- Password Changed
You can remove it from the template if you want to use something else instead.
If you've enabled Early Access (EA) multibrand customization, your Admin Console navigation is different. See parenthetical notes.
- In the Admin Console, go to .
- In the Communication section, click Edit beside Emails. (EA users: Click Emails.)
- In the Email Templates list, click the name of the email template you want to edit.
- In the customizations panel, click Edit.
- Find the following HTML code in the email template and delete it from the template or replace it with something else:
<a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">
- Click Save changes.
System Log events
Once a user has reported suspicious activity, the System Log provides more information about the event. Admins can see all users who have reported suspicious activity in the past seven days.
- In the Admin Console, go to .
- Identify any event labeled user.account.report_suspicious_activity_by_enduser.
- Expand the entry: .
- Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
- Search the System Log for the transaction ID to trace the origin of the suspicious event.
- Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event hooks for more information.
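The trace in the steps above can also be run over exported System Log events. This is an added example, not Okta's code: it assumes the reported ID sits inside the report event under a key named SuspiciousActivityEventTransactionId (matched case-insensitively) and that the originating events carry that value in transaction.id. The sample events are constructed.

```python
REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
TXN_KEY = "suspiciousactivityeventtransactionid"  # compared case-insensitively

# Constructed sample events (not real data); the field layout is an assumption.
SAMPLE_LOG = [
    {"uuid": "e1", "eventType": "user.account.update_password",
     "published": "2024-01-10T08:00:00Z", "transaction": {"id": "txn-AAA"},
     "actor": {"alternateId": "alice@example.com"}},
    {"uuid": "e2", "eventType": REPORT_EVENT,
     "published": "2024-01-10T09:30:00Z", "transaction": {"id": "txn-BBB"},
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"suspiciousActivityEventTransactionId": "txn-AAA"}}},
    {"uuid": "e3", "eventType": REPORT_EVENT,
     "published": "2024-01-11T10:00:00Z", "transaction": {"id": "txn-CCC"},
     "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"suspiciousActivityEventTransactionId": "txn-ZZZ"}}},
]

def find_key(node, wanted):
    """Return the first value stored under `wanted` (case-insensitive) in nested dicts."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == wanted:
                return value
            hit = find_key(value, wanted)
            if hit is not None:
                return hit
    return None

def trace_reports(events):
    """Pair each end-user report with the events sharing the reported transaction ID."""
    by_txn = {}
    for ev in events:
        by_txn.setdefault((ev.get("transaction") or {}).get("id"), []).append(ev)
    traces = []
    for ev in events:
        if ev.get("eventType") != REPORT_EVENT:
            continue
        reported = find_key(ev, TXN_KEY)
        origin = by_txn.get(reported, []) if reported else []
        traces.append({
            "reporter": (ev.get("actor") or {}).get("alternateId"),
            "reported_transaction": reported,
            # Empty list: the origin is not in this export; widen the search window.
            "origin_events": [(o["uuid"], o["eventType"]) for o in origin if o is not ev],
        })
    return traces

if __name__ == "__main__":
    for trace in trace_reports(SAMPLE_LOG):
        print(trace)
```

A report whose origin_events list is empty still needs follow-up: the originating activity may simply fall outside the exported time range.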
Event Hooks for Suspicious Activity Reporting
Optionally, admins can create an Event Hook to subscribe to user.account.report_suspicious_activity_by_enduser events.
See the Okta Developer documentation for Event Hooks:
Related Topics
HealthInsight tasks and recommendations
Sign-on notifications for end users
Password changed notification for end users