Suspicious Activity Reporting

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.

HealthInsight task recommendation

When a user reports suspicious activity, admins can enable specific actions and System Log events to obtain further details about the activity.

Okta recommends

Enable Suspicious Activity Reporting for end-user reporting.

Security impact


End-user impact


See End-user experience

End-user experience

When this feature is enabled and security email notifications are enabled, end users will have an option to report suspicious or unrecognized activity to their org admin from an email notification.

When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:

  • The link is only valid for seven days after the email is sent.
  • The link expires after the user confirms suspicious activity.

Enable or disable Security Notification emails

If you disable this feature, any currently valid links that have already been sent to users expire immediately. If you disable the Report suspicious activity via email option, the Report Suspicious Activity button is removed from the email templates that use it.

When you enable the Report suspicious activity via email option, events reported when users click the Report Suspicious Activity button appear on the Admin Console. Click Review Security Event to view the event details in the System Log. The event name is:


The following email templates include the Report Suspicious Activity button:

  • New Sign-On Notification
  • Authenticator Enrolled
  • Authenticator Reset
  • Password Changed
  1. In the Admin Console, go to Security > General.

  2. In the Security notification emails section, click Edit.

  3. Select either Enabled or Disabled from the dropdown beside the option you want to enable or disable.

  4. Click Save.

Remove the Report Suspicious Activity button from an email template

The Report Suspicious Activity button appears on the following email templates:

  • New Sign-On Notification
  • Authenticator Enrolled
  • Authenticator Reset
  • Password Changed

You can remove it from the template if you want to use something else instead.

Remove the Report Suspicious Activity button from an email template

  1. In the Admin Console, go to Customizations > Branding.
  2. In the Communication section, click Edit beside Emails.
  3. In the Email Templates list, click the name of the email template you want to edit.
  4. Click Edit, then < > Edit Code.
  5. Find the following HTML code in the email template and delete it from the template or replace it with something else:

    <a href="${baseUrl}/enduser/report-suspicious-activity?i=${request.reportSuspiciousActivityToken}" id="report-suspicious-activity" style="text-decoration: none;">

  6. Click Save changes.

System Log events

Once a user has reported suspicious activity, the System Log provides more information about the event. Admins can see all users who have reported suspicious activity in the past seven days.

  1. In the Admin Console, go to Reports > System Log.

  2. Identify any event labeled user.account.report_suspicious_activity_by_enduser.
  3. Expand the entry: Event > System > DebugData.

  4. Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
  5. Search the System Log for the transaction ID to trace the origin of the suspicious event.
  6. Optional: Create an event hook for: user.account.report_suspicious_activity_by_enduser. See Event hooks for more information.

Event Hooks for Suspicious Activity Reporting

Optionally, admins can create an Event Hook to subscribe to user.account.report_suspicious_activity_by_enduser events.

See the Ota Developer documentation for Event Hooks:

Related Topics

HealthInsight tasks and recommendations

Customize an email template

General Security

Password changed notification for end users

Authenticator enrolled notification email for end users

Authenticator reset notifications for end users