Suspicious activity events

You can query for any suspicious activity that is identified for users in the System Log. For details on the events in this table, see Event Types.

Event Event Type System Log query
1 Failed ${factor} factor attempt user.authentication.auth_via_mfa eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE"
2 The transformed username '${okta_username}' was rejected by the username filter user.authentication.auth_via_IDP eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to match transformed username"
3 Unable to resolve IdP endpoint with '${match_criteria}'. Ensure the IdP is correctly configured user.authentication.auth_via_IDP eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to resolve IdP endpoint"
4 Unable to validate incoming SAML Assertion: [${token_id}] - ${error_message} user.authentication.auth_via_IDP eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate incoming SAML Assertion"
5 A SAML Assertion with the same ID [${token_id}] has already been processed by Okta for a previous request user.authentication.auth_via_IDP eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "A SAML assert with the same ID has already been processed by Okta for a previous request"
6 Unable to validate SAML Response [ID=${message_id}] - 'InResponseTo=${in_response_to}' does not match an ID of a SAML authentication request sent from Okta user.authentication.auth_via_IDP eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate SAML Response"
7 Sign-in Failed {some reason} user.authentication.auth eventType eq "user.authentication.auth" and outcome.result eq "FAILURE"
user.session.start eventType eq "user.session.start" and outcome.result eq "FAILURE"
8 Account Locked - Max sign-in attempts exceeded user.account.lock eventType eq "user.account.lock"
9 Unable to retrieve an access token for the Identity Provider due to error '${error_message}' user.authentication.auth_via_social eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve an access token for the Identity Provider"
10 Unable to retrieve a user profile from the Identity Provider due to error '${error_message}' user.authentication.auth_via_social eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve a user profile from the Identity Provider"
11 The UserInfo response from the Identity Provider is invalid: '${error_message}' user.authentication.auth_via_social eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "The UserInfo response from the Identity Provider is invalid"
12 Account link of incoming subject '${subject_name}' to user '${okta_username}' denied due to group membership restriction '${groups}' user.authentication.auth_via_social eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Account link of incoming subject to user denied due to group membership restriction"
13 A bypass of MFA may have been attempted for this user user.mfa.attempt_bypass eventType eq "user.mfa.attempt_bypass"
14 User answered recovery question incorrectly for self-service password resete_to_no_matching_key user.account.reset_password eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User answered recovery question invalid"
15 Self-service password reset attempted for suspended user user.account.reset_password eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User suspended"
16

Token request for ${grant_type}-${code} rejected for client ${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code}

Or

Token request for ${grant_type}-${refresh_token} rejected for client ${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code}

app.oauth2.token.grant eventType eq "app.oauth2.token.grant" and outcome.result eq "FAILURE"
17 Multiple requests with a client id about to be rate limited app.oauth2.client_id_rate_limit_warning eventType eq "app.oauth2.client_id_rate_limit_warning"
18 Multiple requests with invalid client credentials ${client_secrets} for client ${client_id} app.oauth2.invalid_client_credentials eventType eq "app.oauth2.invalid_client_credentials"
19 Failed to evaluate claim for OAuth2 token for user ${user_id} with client ${client_id} and authorization server ${authorization_server} due to reason: ${app_error_code} app.oauth2.as.evaluate.claim eventType eq "app.oauth2.as.evaluate.claim" and outcome.result eq "FAILURE"
20 OAuth2 token revocation request rejected for client ${client_id} with authorization server ${authorization_server} due to reason: ${app_error_code} app.oauth2.as.token.revoke eventType eq "app.oauth2.as.token.revoke" and outcome.result eq "FAILURE"

Related topics

Reports

System Log filters and search