Explanation of Suspicious Activity Events (Management and Monitoring)
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article explains the suspicious activity events that are logged.

Applies To
  • Events
  • Suspicious Activity
Solution
Events | Explanation
Sign-in failed
  • This event is triggered whenever a user’s sign-in attempt to Okta fails.
  • Various factors, such as incorrect credentials, account suspension, deactivation, or other authentication errors, can cause the failure.
  • The specific reason for the failure is provided in the event details (for example, invalid username, password expired, etc.).
  • This event helps administrators identify and troubleshoot user access issues.
Account Locked - Max sign-in attempts exceeded
  • This event is triggered when a user exceeds the maximum number of allowed failed sign-in attempts, as defined by the password policy or authenticator settings.
  • Okta automatically locks the user’s account to protect against unauthorized access when this threshold is reached.
  • The user cannot sign in until the account is unlocked by an administrator or through self-service unlock (if enabled).
Self-service password reset attempted for suspended user
  • This occurs when a user who is currently suspended attempts to reset their password via the self-service option.
  • Since suspended users cannot reset their passwords, the attempt fails and is logged for security and auditing purposes.
The user answered the recovery question incorrectly for self-service password reset
  • This event is triggered when a user attempts to reset their password using self-service but answers their recovery question incorrectly.
  • The failed attempt is logged to help identify potential account takeover attempts or user difficulties with account recovery.
Multiple requests with a client ID are about to be rate-limited
  • This event is triggered when Okta detects that a client application (identified by its client ID) is making a high volume of requests and is approaching the rate limit threshold.
  • Okta uses client-based rate limiting to protect against excessive or abusive traffic from a single client, ensuring that other users and applications are not affected.
  • When this warning event occurs, it serves as a notification that if the request rate continues, subsequent requests from this client may be temporarily blocked or throttled.
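
The following is an added example, not Okta code and not part of the original article: a small triage pass that groups the five events above by subject and flags the combinations an administrator would review first. The row layout (time, event name, subject), the sample data, the finding labels, and the 30-minute window are assumptions made for the illustration; this is not Okta's System Log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names exactly as this article lists them.
SIGNIN_FAILED = "Sign-in failed"
LOCKED = "Account Locked - Max sign-in attempts exceeded"
RESET_SUSPENDED = "Self-service password reset attempted for suspended user"
BAD_ANSWER = ("The user answered the recovery question incorrectly "
              "for self-service password reset")
RATE_WARN = "Multiple requests with a client ID are about to be rate-limited"

# Constructed sample rows: (ISO time, event name, subject). The subject is a
# username, or a client ID for the rate-limit warning (assumed layout).
SAMPLE = [
    ("2024-05-01T09:00:00", SIGNIN_FAILED, "alice@example.com"),
    ("2024-05-01T09:01:00", SIGNIN_FAILED, "alice@example.com"),
    ("2024-05-01T09:02:00", SIGNIN_FAILED, "alice@example.com"),
    ("2024-05-01T09:02:30", LOCKED, "alice@example.com"),
    ("2024-05-01T09:10:00", BAD_ANSWER, "alice@example.com"),
    ("2024-05-01T10:00:00", SIGNIN_FAILED, "bob@example.com"),
    ("2024-05-01T11:00:00", RESET_SUSPENDED, "carol@example.com"),
    ("2024-05-01T11:30:00", RATE_WARN, "client-constructed-01"),
]

def triage(rows, window=timedelta(minutes=30)):
    """Return {subject: sorted findings}; subjects with nothing to review are omitted."""
    by_subject = defaultdict(list)
    for ts, name, subject in rows:
        by_subject[subject].append((datetime.fromisoformat(ts), name))
    findings = defaultdict(set)
    for subject, events in by_subject.items():
        events.sort()  # chronological order per subject
        fails, lock_time = 0, None
        for when, name in events:
            if name == SIGNIN_FAILED:
                fails += 1  # a lone failure is routine; only counted here
            elif name == LOCKED:
                findings[subject].add(f"locked-out after {fails} failed sign-ins")
                fails, lock_time = 0, when
            elif name == BAD_ANSWER and lock_time is not None and when - lock_time <= window:
                # Lockout followed by a failed recovery answer: review for takeover.
                findings[subject].add("recovery-failed-after-lockout")
            elif name == RESET_SUSPENDED:
                findings[subject].add("reset-on-suspended-account")
            elif name == RATE_WARN:
                findings[subject].add("client-near-rate-limit")
    return {s: sorted(f) for s, f in findings.items()}
```

A single failed sign-in or a single wrong recovery answer produces no finding here, since the article notes both can reflect ordinary user difficulty.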

 
