Audit trail for user

A user shows as locked out, but not why, so of course Okta failed to log in. Is there a way to audit a specific user to find out why they were locked out, as it has happened to this user more than once?

Feb 24 12:36:21 Okta System (SystemPrincipal) Authenticate user with AD agent success
Feb 24 12:15:44 John Doe (User) User login to Okta
failure: LOCKED_OUT
Feb 23 10:42:12 John Doe (User) User single sign on to app success

As you can see, the log for this user is missing the reason for the lockout. It shows no reason: it was successful the day before, then the next day the user's locked out. I need a better audit log than the default log.


In the org's System Log, can you search for outcome.reason eq "INVALID_CREDENTIALS"? Do you not see any entries for this user between 2/23 and 2/24?

Tried that to no avail. I opened a ticket with Okta as this is one strange problem and they are looking further into it themselves.
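
The search suggested in the thread can also be run over a System Log export. This is an added example, not part of the original posts: it assumes events in the JSON shape the Okta System Log API returns, and the sample events, logins, IPs and the names `ev`, `SAMPLE` and `lockout_timeline` are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def ev(ts, login, result, reason, ip, ua):
    # Builds a constructed event carrying only the System Log fields used below.
    return {"published": ts, "eventType": "user.session.start",
            "actor": {"alternateId": login},
            "outcome": {"result": result, "reason": reason},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}}}

JOHN, JANE = "john.doe@example.com", "jane.roe@example.com"  # constructed logins
SAMPLE = [  # constructed events, not taken from the thread
    ev("2020-02-23T10:42:12.000Z", JOHN, "SUCCESS", None, "198.51.100.4", "Browser/1.0"),
    ev("2020-02-24T11:58:03.000Z", JOHN, "FAILURE", "INVALID_CREDENTIALS", "203.0.113.7", "MailClient/1.0"),
    ev("2020-02-24T12:03:10.000Z", JOHN, "FAILURE", "INVALID_CREDENTIALS", "203.0.113.7", "MailClient/1.0"),
    ev("2020-02-24T12:09:55.000Z", JOHN, "FAILURE", "INVALID_CREDENTIALS", "198.51.100.4", "Browser/1.0"),
    ev("2020-02-24T12:15:44.000Z", JOHN, "FAILURE", "LOCKED_OUT", "198.51.100.4", "Browser/1.0"),
    ev("2020-02-24T12:20:00.000Z", JANE, "FAILURE", "LOCKED_OUT", "198.51.100.9", "Browser/1.0"),
]

def parse_ts(value):
    # System Log timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def is_failure(event, reason):
    outcome = event.get("outcome") or {}
    return outcome.get("result") == "FAILURE" and outcome.get("reason") == reason

def lockout_timeline(events, login, window=timedelta(hours=24)):
    """For each LOCKED_OUT failure of `login`, count the INVALID_CREDENTIALS
    failures in the preceding window, grouped by (client IP, user agent)."""
    mine = [e for e in events if (e.get("actor") or {}).get("alternateId") == login]
    mine.sort(key=lambda e: parse_ts(e["published"]))
    report = []
    for lock in (e for e in mine if is_failure(e, "LOCKED_OUT")):
        end = parse_ts(lock["published"])
        sources = Counter()
        for e in mine:
            if is_failure(e, "INVALID_CREDENTIALS") and end - window <= parse_ts(e["published"]) < end:
                client = e.get("client") or {}
                ua = (client.get("userAgent") or {}).get("rawUserAgent")
                sources[(client.get("ipAddress"), ua)] += 1
        report.append({"locked_out_at": lock["published"], "sources": dict(sources)})
    return report

if __name__ == "__main__":
    for login in (JOHN, JANE):
        print(login, lockout_timeline(SAMPLE, login))
```

An empty `sources` map for a lockout means the export holds no INVALID_CREDENTIALS failures for that user in the window, which is the situation the thread describes.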