Suspicious activity events

Suspicious activity that is identified for end-user accounts can be queried in the System Log. For details on the events in this table, see Event Types.

| # | Event | Event Type | System Log query |
|---|-------|------------|------------------|
| 1 | Failed ${factor} factor attempt | user.authentication.auth_via_mfa | eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE" |
| 2 | The transformed username '${okta_username}' was rejected by the username filter | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to match transformed username" |
| 3 | Unable to resolve IdP endpoint with '${match_criteria}'. Ensure the IdP is correctly configured | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to resolve IdP endpoint" |
| 4 | Unable to validate incoming SAML Assertion: [${token_id}] - ${error_message} | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate incoming SAML Assertion" |
| 5 | A SAML Assertion with the same ID [${token_id}] has already been processed by Okta for a previous request | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "A SAML assert with the same ID has already been processed by Okta for a previous request" |
| 6 | Unable to validate SAML Response [ID=${message_id}] - 'InResponseTo=${in_response_to}' does not match an ID of a SAML authentication request sent from Okta | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate SAML Response" |
| 7 | Sign-in Failed {some reason} | user.authentication.auth | eventType eq "user.authentication.auth" and outcome.result eq "FAILURE" |
|   |   | user.session.start | eventType eq "user.session.start" and outcome.result eq "FAILURE" |
| 8 | Account Locked - Max sign-in attempts exceeded | user.account.lock | eventType eq "user.account.lock" |
| 9 | Unable to retrieve an access token for the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve an access token for the Identity Provider" |
| 10 | Unable to retrieve a user profile from the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve a user profile from the Identity Provider" |
| 11 | The UserInfo response from the Identity Provider is invalid: '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "The UserInfo response from the Identity Provider is invalid" |
| 12 | Account link of incoming subject '${subject_name}' to user '${okta_username}' denied due to group membership restriction '${groups}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Account link of incoming subject to user denied due to group membership restriction" |
| 13 | A bypass of MFA may have been attempted for this user | user.mfa.attempt_bypass | eventType eq "user.mfa.attempt_bypass" |
| 14 | User answered recovery question incorrectly for self-service password reset | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User answered recovery question invalid" |
| 15 | Self-service password reset attempted for suspended user | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User suspended" |
| 16 | Token request for ${grant_type}-${code} rejected for client ${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code} Or Token request for ${grant_type}-${refresh_token} rejected for client ${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code} | app.oauth2.token.grant | eventType eq "app.oauth2.token.grant" and outcome.result eq "FAILURE" |
| 17 | Multiple requests with a client id about to be rate limited | app.oauth2.client_id_rate_limit_warning | eventType eq "app.oauth2.client_id_rate_limit_warning" |
| 18 | Multiple requests with invalid client credentials ${client_secrets} for client ${client_id} | app.oauth2.invalid_client_credentials | eventType eq "app.oauth2.invalid_client_credentials" |
| 19 | Failed to evaluate claim for OAuth2 token for user ${user_id} with client ${client_id} and authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.evaluate.claim | eventType eq "app.oauth2.as.evaluate.claim" and outcome.result eq "FAILURE" |
| 20 | OAuth2 token revocation request rejected for client ${client_id} with authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.token.revoke | eventType eq "app.oauth2.as.token.revoke" and outcome.result eq "FAILURE" |
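
The following is an added example, not part of the original Okta page: it evaluates three of the table's filters (rows 1, 8 and 13) against constructed sample events so a detection can be checked offline, and builds the matching System Log API request. The sample events, the `example.okta.com` org URL and all function names are assumptions; only `eq` and `and` are supported, which covers every query in the table.

```python
import re
from collections import Counter
from urllib.parse import urlencode

# Filters copied verbatim from rows 1, 8 and 13 of the table.
QUERIES = {
    "mfa_failure": 'eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE"',
    "account_lock": 'eventType eq "user.account.lock"',
    "mfa_bypass": 'eventType eq "user.mfa.attempt_bypass"',
}
CLAUSE = re.compile(r'([\w.]+)\s+eq\s+"([^"]*)"')

def parse_filter(expr):
    """Return (field, value) pairs for a filter built only from `eq` and `and`."""
    pairs = CLAUSE.findall(expr)
    joiners = CLAUSE.sub("", expr).split()
    if not pairs or joiners != ["and"] * (len(pairs) - 1):
        raise ValueError(f"unsupported filter: {expr!r}")
    return pairs

def lookup(event, path):
    """Resolve a dotted path such as outcome.result inside a log event."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def matches(event, expr):
    return all(lookup(event, field) == value for field, value in parse_filter(expr))

def hits_per_actor(events, expr):
    """Count matching events per actor.alternateId."""
    return Counter(lookup(e, "actor.alternateId") for e in events if matches(e, expr))

def logs_url(org_url, expr, since):
    """Build the System Log API request that runs the same filter server-side."""
    return f"{org_url}/api/v1/logs?" + urlencode({"filter": expr, "since": since})

def _event(event_type, result, user):  # constructed sample data, not real logs
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}}

SAMPLE_EVENTS = [
    _event("user.authentication.auth_via_mfa", "FAILURE", "alice@example.com"),
    _event("user.authentication.auth_via_mfa", "FAILURE", "alice@example.com"),
    _event("user.authentication.auth_via_mfa", "SUCCESS", "bob@example.com"),
    _event("user.account.lock", "SUCCESS", "alice@example.com"),
]

if __name__ == "__main__":
    for name, expr in QUERIES.items():
        print(name, dict(hits_per_actor(SAMPLE_EVENTS, expr)))
    print(logs_url("https://example.okta.com", QUERIES["mfa_bypass"], "2024-01-01T00:00:00Z"))
```

Repeated MFA failures followed by an account lock for the same actor, as in the sample data, is the kind of sequence these queries are meant to surface.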
