Security Behavior Detection system log events
The System Log lists behavior that is evaluated for any sign-in attempts.
For user.session.start and policy.evaluate.sign_on events:
- Navigate to DebugContext to see a map of behavior evaluations.
- The map has entries in the form of key=value pair, where key is the behavior name and value is the evaluation output.
Possible behavior values are:
|
Value |
Description |
|---|---|
| POSITIVE | Behavior is detected. POSITIVE results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA. |
| NEGATIVE | Behavior is not detected. NEGATIVE results in the policy rule not matching – if MFA is configured for the rule, Okta does not prompt for MFA. |
| UNKNOWN | Not enough history to detect behavior. UNKNOWN results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA. |
| BAD_REQUEST | Not enough information from the sign-in attempt to detect behavior. For example, if no device identifier was provided, Okta treats it as a BAD_REQUEST, which results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA. |