Behavior detection System Log events

If sign-in attempts are evaluated for changes in behavior, details about the behavior detected are recorded in System Log events. To see behavior details for user.session.start and policy.evaluate.sign_on events, navigate to DebugContext and DebugData. For example:

Behavior details are recorded in the System Log under DebugData

As you can see in this example, the Behaviors fields have entries in the form of key=value pairs, where key represents the behavior type and the value represents the outcome of the behavior evaluation.

The possible outcomes for behavior evaluation are:

Value

Description

POSITIVE A change in behavior was detected. If MFA is configured for a policy rule and the behavior evaluated is POSITIVE, Okta prompts for MFA.
NEGATIVE No change in behavior is detected. If MFA is configured for a policy rule and the behavior evaluated is NEGATIVE, Okta does not prompt for MFA.
UNKNOWN Not enough history to detect behavior. If MFA is configured for a policy rule and the behavior evaluated is UNKNOWN, Okta prompts for MFA.
BAD_REQUEST Not enough information from the sign-in attempt to detect behavior. For example, if the location cannot be determined or a no device identifier was provided, the evaluation is reported as a BAD_REQUEST. If MFA is configured for a policy rule and the behavior evaluated is BAD_REQUEST, Okta prompts for MFA.

Related topics

About behavior detection

Configure Behavior Detection