This article discusses why an Okta Admin receives email notifications about Suspicious Activity Reported by a User.
 

• Suspicious Activity Reporting

If a Super Admin or Org Admin has configured the feature for Suspicious Activity Reporting, when End-Users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. Note the following:

• The link is only valid for 7 days after the email is sent.
• The link expires after the user confirms suspicious activity.

Also, if the Users can view Recent Activity setting under Security > General > Organization Security is set to Enabled, users can send a report directly from the Okta End-User Dashboard by clicking on Last sign in and then on Report. Disabling it will stop users from reviewing recent sign-ins and security events on the Okta End-User Dashboard; therefore, they will no longer be able to report them.

Once a user has reported suspicious activity, refer to the admin System Log for more details about the event. Admins can also see all users who have reported suspicious activity in the past 7 days directly from the admin dashboard.

1. Navigate to the admin System Log: Reports > System Log.
2. Identify any event labeled user.account.report_suspicious_activity_by_enduser.
3. Expand the entry: Event > System > DebugData.
4. Under SuspiciousActivityEventTransactionId, make a note of the transaction ID.
5. Search the System Log for the transaction ID to trace the origin of the suspicious event.
6. Optional! Create an event hook for user.account.report_suspicious_activity_by_enduser.

The same steps are shown in the video below.