# Suspicious Activity Reported by End User

Detects users that have reported suspicious or unrecognized activity to the organization’s admin from an email notification.

This check requires the "Suspicious Activity Reporting" feature to be configured in Okta.

<br>

**Recommended Actions**

Oort recommends you notify the user and admin channel. Oort allows the user to say the user made a mistake to reduce false positives. Please review the highlighted activity in the log to see the highlighted session.

**Compatibility**

[Okta](/integrations/okta-data-integration.md)

[Duo](/integrations/duo-security-integration.md)

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

<figure><img src="/files/SRDkQc3sm8Qx29nrVpI7" alt=""><figcaption></figcaption></figure>

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-threat-detection-insights/suspicious-activity-reported-by-end-user.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.