Security Behavior Detection system log events

The System Log lists behavior that is evaluated for any sign-in attempts.

For user.session.start and policy.evaluate.sign_on events:

  • Navigate to DebugContext to see a map of behavior evaluations.
  • The map has entries in the form of key=value pair, where key is the behavior name and value is the evaluation output.

Possible behavior values are:

Value

Description

POSITIVE Behavior is detected. POSITIVE results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA.
NEGATIVE Behavior is not detected. NEGATIVE results in the policy rule not matching – if MFA is configured for the rule, Okta does not prompt for MFA.
UNKNOWN Not enough history to detect behavior. UNKNOWN results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA.
BAD_REQUEST Not enough information from the sign-in attempt to detect behavior. For example, if no device identifier was provided, Okta treats it as a BAD_REQUEST, which results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA.

Related topics

About Security Behavior Detection

Security Behavior Detection configuration