
Summary
This detection rule identifies instances where users report suspicious activity related to their Okta accounts. Such reports are critical for security teams because they may indicate attempts by adversaries to gain unauthorized access to an organization's network. The rule centers on monitoring specific user-reported actions in the Okta System Log, specifically events with the event type 'user.account.report_suspicious_activity_by_enduser'. When one of these events is detected, a series of investigative actions should follow: review the event's details, analyze the user's recent login history, correlate with other security alerts, and reach out to the user for further context. The rule strengthens organizational defenses by enabling quick identification of and response to potential security threats.

False positives are a consideration, since legitimate users might mistakenly report actions, particularly after access from a new device or routine activity by administrators. Certain mitigations and tuning may therefore be necessary to reduce noise from these alerts. The overall aim is to promptly contain any unauthorized access and safeguard sensitive data, with the remediation steps chosen according to the findings of the investigation.
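As an added illustration (not part of the rule or of Okta's tooling), the snippet below applies the rule's match condition to a handful of constructed Okta System Log records and then pulls the triage context the summary calls for: the reporting user's logins in the preceding 24 hours, each flagged when its source IP had never produced a successful login for that user before. The field layout (eventType, published, actor.alternateId, client.ipAddress, outcome.result) follows the Okta System Log schema; the records and addresses themselves are made up.

```python
from datetime import datetime, timedelta, timezone

REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
LOGIN_EVENT = "user.session.start"


def ev(event_type, published, user, ip, result="SUCCESS"):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result}}


# Constructed sample log: alice's usual IP, then a failed and a successful
# login from an address never seen for her, then her suspicious-activity report.
SAMPLE_LOG = [
    ev(LOGIN_EVENT, "2020-05-20T08:00:00.000Z", "alice@example.com", "203.0.113.10"),
    ev(LOGIN_EVENT, "2020-05-21T02:10:00.000Z", "alice@example.com", "198.51.100.7", "FAILURE"),
    ev(LOGIN_EVENT, "2020-05-21T02:12:00.000Z", "alice@example.com", "198.51.100.7"),
    ev(LOGIN_EVENT, "2020-05-21T03:00:00.000Z", "bob@example.com", "203.0.113.20"),
    ev(REPORT_EVENT, "2020-05-21T09:30:00.000Z", "alice@example.com", "203.0.113.10"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_reports(events):
    """The rule's match condition: every end-user suspicious-activity report."""
    return [e for e in events if e["eventType"] == REPORT_EVENT]


def login_context(events, report, window_hours=24):
    """Triage helper: the reporter's logins inside the window before the report.
    new_ip is True when no earlier SUCCESSful login for this user came from that IP."""
    user = report["actor"]["alternateId"]
    report_ts = parse_ts(report["published"])
    cutoff = report_ts - timedelta(hours=window_hours)
    known_ips, recent = set(), []
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != LOGIN_EVENT or e["actor"]["alternateId"] != user:
            continue
        ts = parse_ts(e["published"])
        if ts >= report_ts:
            break  # only activity before the report is relevant context
        ip, result = e["client"]["ipAddress"], e["outcome"]["result"]
        if ts >= cutoff:
            recent.append({"published": e["published"], "ip": ip,
                           "result": result, "new_ip": ip not in known_ips})
        if result == "SUCCESS":
            known_ips.add(ip)  # older successful logins define the baseline
    return recent
```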
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
- Web Credential
ATT&CK Techniques
- T1078
Created: 2020-05-21