Behavior Detection System Log events

If sign-in attempts are evaluated for changes in behavior, details about the behavior detected are recorded in System Log events. Behaviour Detection only tracks sign-in events with unique session context.

To see behavior details for user.session.start and policy.evaluate.sign_on events, go to DebugContext and DebugData. For example:

Behavior details are recorded in the System Log under DebugData

The Behaviors fields have entries in the form of key=value pairs. The key represents the behavior type and the value represents the outcome of the behavior evaluation.

These are the possible outcomes for behavior evaluation:

Value

Description

POSITIVE A change in behavior was detected. If MFA is configured for a policy rule and the behavior evaluated is POSITIVE, Okta prompts for MFA.
NEGATIVE No change in behavior is detected. If MFA is configured for a policy rule and the behavior evaluated is NEGATIVE, Okta doesn't prompt for MFA.
UNKNOWN Not enough history to detect behavior. If MFA is configured for a policy rule and the behavior evaluated is UNKNOWN, Okta prompts for MFA.
BAD_REQUEST Not enough information from the sign-in attempt to detect behavior. For example, if the location can't be determined or a no device identifier was provided, the evaluation is reported as a BAD_REQUEST. If MFA is configured for a policy rule and the behavior evaluated is BAD_REQUEST, Okta prompts for MFA.

Related topics

About Behavior Detection

Configure Behavior Detection