Suspicious Activity Reporting

This is an Early Access feature. To enable it, please contact Okta Support.

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.

 



 

Overview


When a user reports suspicious activity, admins can enable specific actions and audit System Log events to obtain further details about the reported activity.

To enable this feature, navigate to Security > General and look under Security Notification Emails.


Events reported by users are displayed directly from the admin console dashboard.

Admin console dashboard showing status of reported events

 

End-user experience


When this feature is enabled and security email notifications are enabled, end users will have an option to report suspicious or unrecognized activity to their org admin from an email notification.

An example of this email is as follows:

Example of an enrollment email sent to an end user containing the Report Suspicious Activity button.


When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:

  • The link is only valid for 7 days after the email is sent and the action.
  • The link expires after the user confirms suspicious activity.

An example of the information an end user can review before they submit the report is as follows:

 

Before you begin


Note the following before you configure and enable this feature:

  1. You must be a super admin or org admin to configure this feature. All other admins have read-access only.
  2. In order for end users to report suspicious activity, ensure that at least one of the following email notifications is enabled:
    • New sign on notification email
    • MFA enrolled notification email
    • MFA reset notification email

If your org has customized email templates, they must be customized to include a button link for end-user reporting. Templates that are not customized include the Report button by default.

To add this button, see Customize an email template.

 

Procedures


Configure Suspicious Activity Reporting

  1. From the admin dashboard, navigate to Security > General. The General Security page is displayed.
  2. Under Security Notification Emails, click Edit to configure this feature. The following settings are available:
    • New sign on notification email
    • MFA enrolled notification email
    • MFA reset notification email
    • Report suspicious activity via email
  3. Enable any of the first three settings to turn on email notifications. At least one must be enabled for end users to report suspicious activity.
  4. When a report is submitted, admins will receive an email notification.
  5. Example of an email sent to an admin when a user reports suspicious activity.

    Click Review Security Event to view the event details in the System Log.

    The event name is: user.account.report_suspicious_activity_by_enduser

 

Customize an email template to add or remove the Report Suspicious Activity button

This is an optional step. If your org uses a customized email template, the Report Suspicious Activity button must be added manually to the template.

Refer to Email & SMS Customization for how to configure email notification templates.

 

To add the link to a customized email template:

  1. Open the email template and insert the following code in the email template:

    <a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">Report Suspicious Activity</a>

    Note: This setting may also be accessed in the admin console from Settings > Email & SMS.

  2. From the left navigation menu, scroll down to Other. The following templates contain a new section including a link that allows users to report suspicious activity:
    • New Device Notification
    • MFA Factor Enrolled
    • MFA Factor Reset

    Note: For orgs that already use customized email templates, admins must either manually add the link to the existing customized template or reset the email template for the Report Suspicious Activity link to appear. The template can then be customized as needed.

 

To remove the link from a customized email template:

  1. Navigate to Settings > Email & SMS from the admin dashboard.
  2. Scroll down to the Other section.
  3. Edit the email templates for the following emails if they are customized.

    • New Sign-On Notification
    • MFA Factor Enrolled
    • MFA Factor Reset
  4. Remove the following HTML code:

    <a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">

 

Disable Suspicious Activity Reporting

Admins can disable Suspicious Activity Reporting by navigating to Security > General.

  • When the feature is disabled, any existing links for users to report suspicious activity will expire.

  • If you have customized email templates, the Report Suspicious Activity button should be removed manually from the email templates.

  • If you are using Okta’s standard email templates, the button will automatically be removed.

 

 

System Log events


Once a user has reported suspicious activity, refer to the admin System Log for more details about the event. Admins can see all users who have reported suspicious activity in the past 7 days directly from the admin dashboard.

  1. Navigate to the admin System Log: Reports > System Log.
  2. Identify any event labeled: user.account.report_suspicious_activity_by_enduser
  3. Expand the entry: Event > System > DebugData

  4. Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
  5. Search the System Log for the transaction ID to trace the origin of the suspicious event.
  6. Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event hooks for more information.
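The tracing steps above can also be run over exported System Log events. The following is an added example, not Okta's own code: the events are constructed sample data, and it assumes the exported JSON carries the report's reference under debugContext.debugData as suspiciousActivityEventTransactionId (matched case-insensitively here) and each event's own ID under transaction.id.

```python
# Added example: all events below are constructed sample data.
REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
TXN_KEY = "suspiciousactivityeventtransactionid"  # assumed key, matched case-insensitively

def _event(uuid, event_type, txn, user, debug=None):
    """Build a minimal System Log-shaped event (constructed for this example)."""
    return {"uuid": uuid, "eventType": event_type,
            "actor": {"alternateId": user},
            "transaction": {"id": txn},
            "debugContext": {"debugData": debug or {}}}

SAMPLE_EVENTS = [
    _event("evt-1", "user.session.start", "txn-AAA", "alice@example.com"),
    _event("evt-2", "user.authentication.sso", "txn-BBB", "bob@example.com"),
    _event("evt-3", REPORT_EVENT, "txn-CCC", "alice@example.com",
           {"suspiciousActivityEventTransactionId": "txn-AAA"}),
    # A report whose original activity is not contained in this export.
    _event("evt-4", REPORT_EVENT, "txn-DDD", "carol@example.com",
           {"suspiciousActivityEventTransactionId": "txn-OLD"}),
]

def reported_transaction_id(event):
    """Return the transaction ID a report refers to, or None (steps 2-4)."""
    if event.get("eventType") != REPORT_EVENT:
        return None
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    for key, value in debug.items():
        if key.lower() == TXN_KEY and value:
            return value
    return None

def trace_reports(events):
    """Map each report uuid to the events sharing its reported transaction ID (step 5)."""
    by_txn = {}
    for ev in events:
        txn = (ev.get("transaction") or {}).get("id")
        if txn:
            by_txn.setdefault(txn, []).append(ev)
    traced = {}
    for ev in events:
        txn = reported_transaction_id(ev)
        if txn is not None:
            traced[ev["uuid"]] = {
                "reporter": (ev.get("actor") or {}).get("alternateId"),
                "transaction_id": txn,
                "origin_events": [o["uuid"] for o in by_txn.get(txn, [])],
            }
    return traced
```

An empty origin_events list means the reported activity falls outside the exported window, so the System Log search needs a wider time range.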

 

Event hooks for Suspicious Activity Reporting


Optionally, admins can create an event hook to subscribe to user.account.report_suspicious_activity_by_enduser events.

Developer documentation for Event Hooks is available here:
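A sketch of the receiving side of such an event hook, as an added example that is not Okta's or this page's code. It assumes the hook is configured to send a shared secret in an Authorization header, that deliveries carry events under data.events, and that the report's reference is in debugContext.debugData.suspiciousActivityEventTransactionId; the function name and sample body are constructed.

```python
import hmac
import json

REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"

def handle_hook(method, headers, body, secret):
    """Return (status, response_json, reports) for one request to the hook URL."""
    headers = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        # One-time verification: echo the challenge header back as JSON.
        challenge = headers.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {}, []
        return 200, {"verification": challenge}, []
    if method != "POST":
        return 405, {}, []
    # Reject deliveries without the shared secret; compare in constant time.
    supplied = headers.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), secret.encode()):
        return 401, {}, []
    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, {}, []
    reports = []
    for ev in events if isinstance(events, list) else []:
        # Ignore malformed entries and any other subscribed event types.
        if not isinstance(ev, dict) or ev.get("eventType") != REPORT_EVENT:
            continue
        debug = (ev.get("debugContext") or {}).get("debugData") or {}
        reports.append({
            "reporter": (ev.get("actor") or {}).get("alternateId"),
            "transaction_id": debug.get("suspiciousActivityEventTransactionId"),
        })
    return 200, {}, reports

# Constructed delivery body for demonstration.
SAMPLE_BODY = json.dumps({"eventType": "com.okta.event_hook", "data": {"events": [
    {"eventType": REPORT_EVENT, "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"suspiciousActivityEventTransactionId": "txn-AAA"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}},
]}})
```

The returned reports list is what a ticketing or alerting integration would consume; the transaction ID in each entry is the value to search for in the System Log.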

 
