Suspicious activity events
You can query the System Log for any suspicious activity that is identified for users. The Event column shows the message as it is displayed, with `${...}` placeholders filled in at run time; the System Log query column is the filter to run, which matches on `eventType`, `outcome.result` and, where needed, the fixed `outcome.reason` string rather than on the displayed message. For details on the events in this table, see Event Types.
| # | Event | Event Type | System Log query |
|---|-------|------------|------------------|
| 1 | Failed ${factor} factor attempt | user.authentication.auth_via_mfa | eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE" |
| 2 | The transformed username '${okta_username}' was rejected by the username filter | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to match transformed username" |
| 3 | Unable to resolve IdP endpoint with '${match_criteria}'. Ensure the IdP is correctly configured | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to resolve IdP endpoint" |
| 4 | Unable to validate incoming SAML Assertion: [${token_id}] - ${error_message} | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate incoming SAML Assertion" |
| 5 | A SAML Assertion with the same ID [${token_id}] has already been processed by Okta for a previous request | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "A SAML assert with the same ID has already been processed by Okta for a previous request" |
| 6 | Unable to validate SAML Response [ID=${message_id}] - 'InResponseTo=${in_response_to}' does not match an ID of a SAML authentication request sent from Okta | user.authentication.auth_via_IDP | eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to validate SAML Response" |
| 7 | Sign-in Failed {some reason} | user.authentication.auth | eventType eq "user.authentication.auth" and outcome.result eq "FAILURE" |
| | | user.session.start | eventType eq "user.session.start" and outcome.result eq "FAILURE" |
| 8 | Account Locked - Max sign-in attempts exceeded | user.account.lock | eventType eq "user.account.lock" |
| 9 | Unable to retrieve an access token for the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve an access token for the Identity Provider" |
| 10 | Unable to retrieve a user profile from the Identity Provider due to error '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Unable to retrieve a user profile from the Identity Provider" |
| 11 | The UserInfo response from the Identity Provider is invalid: '${error_message}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "The UserInfo response from the Identity Provider is invalid" |
| 12 | Account link of incoming subject '${subject_name}' to user '${okta_username}' denied due to group membership restriction '${groups}' | user.authentication.auth_via_social | eventType eq "user.authentication.auth_via_social" and outcome.result eq "FAILURE" and outcome.reason eq "Account link of incoming subject to user denied due to group membership restriction" |
| 13 | A bypass of MFA may have been attempted for this user | user.mfa.attempt_bypass | eventType eq "user.mfa.attempt_bypass" |
| 14 | User answered recovery question incorrectly for self-service password reset | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User answered recovery question invalid" |
| 15 | Self-service password reset attempted for suspended user | user.account.reset_password | eventType eq "user.account.reset_password" and outcome.result eq "FAILURE" and outcome.reason eq "User suspended" |
| 16 | Token request for ${grant_type}-${code} rejected for client '${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code}, or Token request for ${grant_type}-${refresh_token} rejected for client '${client_id}' with authentication type ${client_auth_type} and scopes [${scopes}] due to reason: ${app_error_code} | app.oauth2.token.grant | eventType eq "app.oauth2.token.grant" and outcome.result eq "FAILURE" |
| 17 | Multiple requests with a client id about to be rate limited | app.oauth2.client_id_rate_limit_warning | eventType eq "app.oauth2.client_id_rate_limit_warning" |
| 18 | Multiple requests with invalid client credentials ${client_secrets} for client ${client_id} | app.oauth2.invalid_client_credentials | eventType eq "app.oauth2.invalid_client_credentials" |
| 19 | Failed to evaluate claim for OAuth2 token for user ${user_id} with client ${client_id} and authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.evaluate.claim | eventType eq "app.oauth2.as.evaluate.claim" and outcome.result eq "FAILURE" |
| 20 | OAuth2 token revocation request rejected for client ${client_id} with authorization server ${authorization_server} due to reason: ${app_error_code} | app.oauth2.as.token.revoke | eventType eq "app.oauth2.as.token.revoke" and outcome.result eq "FAILURE" |
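The following is an added example, not code from this page or from Okta: it takes a few of the queries from the table verbatim, evaluates them offline against constructed sample events shaped like System Log records (`uuid`, `eventType`, `outcome.result`, `outcome.reason`), and builds the `GET /api/v1/logs` request URL you would use to run the same filter against a real org. The rule labels (`mfa_failure`, `saml_replay`, and so on), the sample events and the `https://example.okta.com` org URL are this example's own placeholders. The parser deliberately covers only the `<path> eq "<value>" and ...` subset the table uses and rejects anything else, so a mistyped filter fails loudly instead of matching nothing.

```python
"""Evaluate System Log filter expressions from the table above, offline.

Added example, not Okta's code. The events below are constructed to
resemble System Log records; the rule names are labels chosen here.
"""
import re
import urllib.parse

# The table uses this subset of the filter syntax:
#   <attribute path> eq "<value>" [and <attribute path> eq "<value>" ...]
_TERM = re.compile(r'([A-Za-z0-9_.]+)\s+eq\s+"((?:[^"\\]|\\.)*)"')


def parse_filter(expr):
    """Parse 'a.b eq "x" and c eq "y"' into [("a.b", "x"), ("c", "y")].

    Anything outside that subset (or, not, co, parentheses) raises
    ValueError rather than silently matching nothing.
    """
    terms, pos = [], 0
    for m in _TERM.finditer(expr):
        gap = expr[pos:m.start()].strip()
        if (pos == 0 and gap) or (pos > 0 and gap != "and"):
            raise ValueError(f"unsupported filter syntax near {expr[pos:m.start()]!r}")
        terms.append((m.group(1), m.group(2).replace('\\"', '"')))
        pos = m.end()
    if not terms or expr[pos:].strip():
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    return terms


def lookup(event, path):
    """Resolve a dotted attribute path such as outcome.reason; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(event, expr):
    """True when every term of the filter matches the event exactly."""
    return all(lookup(event, path) == value for path, value in parse_filter(expr))


# Queries copied from the table; the keys are labels chosen for this example.
RULES = {
    "mfa_failure": 'eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE"',
    "saml_replay": ('eventType eq "user.authentication.auth_via_IDP" and outcome.result eq "FAILURE" '
                    'and outcome.reason eq "A SAML assert with the same ID has already been processed '
                    'by Okta for a previous request"'),
    "session_failure": 'eventType eq "user.session.start" and outcome.result eq "FAILURE"',
    "account_lock": 'eventType eq "user.account.lock"',
    "oauth_invalid_client": 'eventType eq "app.oauth2.invalid_client_credentials"',
}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": "user.authentication.auth_via_mfa",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e2", "eventType": "user.authentication.auth_via_mfa",
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e3", "eventType": "user.authentication.auth_via_IDP",
     "outcome": {"result": "FAILURE",
                 "reason": "A SAML assert with the same ID has already been processed by Okta for a previous request"}},
    {"uuid": "e4", "eventType": "user.account.lock",
     "outcome": {"result": "SUCCESS", "reason": "LOCKED_OUT"}},
    {"uuid": "e5", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e6", "eventType": "app.oauth2.invalid_client_credentials",
     "outcome": {"result": "FAILURE"}},
]


def run_rules(events, rules):
    """Map each rule name to the uuids of the events that match it."""
    hits = {name: [] for name in rules}
    for event in events:
        for name, expr in rules.items():
            if matches(event, expr):
                hits[name].append(event["uuid"])
    return hits


def logs_api_url(org_url, expr, since):
    """Build the GET /api/v1/logs URL for one of these filters.

    org_url is a placeholder such as https://example.okta.com; this only
    builds the URL, it does not send the request or attach credentials.
    """
    query = urllib.parse.urlencode({"filter": expr, "since": since, "limit": 100})
    return f"{org_url.rstrip('/')}/api/v1/logs?{query}"


if __name__ == "__main__":
    for name, uuids in run_rules(SAMPLE_EVENTS, RULES).items():
        print(f"{name}: {uuids}")
    print(logs_api_url("https://example.okta.com", RULES["account_lock"], "2024-01-01T00:00:00Z"))
```

Two things to notice when adapting this: the `outcome.reason` terms are exact string matches, so a reason that differs by a single character (including the "SAML assert" wording in row 5, which is not the same as the displayed message) will not match, and rows such as 7 list two event types that need two separate queries (or an `or` clause, which this parser deliberately does not accept). When running the filter against a real org, `since` bounds the time window and `limit` the page size; page through the `Link` headers of the response for the remainder.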
Related topics