User Event Monitor Messages for Cloud Access Service (20601 - 38000)
User Event Monitor Messages for Cloud Access Service (20601 - 38000)
User events trigger the following messages to appear in the User Event Monitor. New user events have been added and descriptions for some of the events have been modified recently. If these descriptions are used for SIEM integrations, they must be modified accordingly.
| Event Code | Level | Category | Description |
|---|---|---|---|
| 20601 | error | Authentication | RADIUS - LDAP authentication succeeded - Access denied. Policy does not contain RADIUS-compatible methods for additional authentication. |
| 20602 | error | Authentication | RADIUS - LDAP authentication succeeded - Access denied. No authenticators were found for additional authentication methods. |
| 20603 | error | Authentication | RADIUS - Invalid format for additional authentication request - Access denied. |
| 20604 | error | Authentication | RADIUS - Invalid checklist attributes - Access denied. |
| 20605 | error | Authentication | RADIUS - the Cloud Authentication Service unreachable - Access denied. |
| 20606 | error | Authentication | RADIUS – Approve authentication failed – Method timeout. |
| 20608 | error | Authentication | RADIUS - Biometric authentication failed - Method timeout. |
| 20609 | error | Authentication | RADIUS - Authentication failed - Internal error. |
| 20610 | error | Authentication | RADIUS - Approve authentication failed - Authentication could not be completed within push notification timeout. |
| 20611 | error | Authentication | RADIUS - Biometric authentication failed - Authentication could not be completed within push notification timeout. |
| 20612 | notice | Authentication | User initiated additional authentication, primary authentication managed by RADIUS client. |
| 20613 | notice | Authentication | RADIUS – User selected last used method or default assurance level method for additional authentication. |
| 20614 | notice | Authentication | RADIUS - User selected SecurID OTP or Authenticate OTP for additional authentication. |
| 20616 | error | Authentication | RADIUS - Authentication denied as user exceeded attempt threshold. |
| 20701 | error | Authentication | Access denied – User not a member of any identity source in access policy. |
| 20702 | error | Authentication | Access denied – User does not match any rule sets or matches a deny rule set in access policy. |
| 20703 | error | Authentication | Access denied – Policy authentication conditions deny access. |
| 20704 | notice | Authentication | Access allowed – Policy conditions allow access without additional authentication. |
| 20801 | error | Authentication | SMS OTP message transmission attempted. |
| 20802 | error | Authentication | SMS OTP message transmission attempt failed - Invalid phone number. |
| 20803 | error | Authentication | SMS OTP message transmission attempt failed. |
| 20804 | notice | Authentication | SMS OTP regenerated. |
| 20805 | error | Authentication | SMS OTP delivery failed. |
| 20851 | notice | Authentication | Voice OTP call succeeded. |
| 20852 | error | Authentication | Voice OTP call attempt failed - Invalid phone number. |
| 20853 | error | Authentication | Voice OTP call attempt failed. |
| 20854 | notice | Authentication | Voice OTP regenerated. |
| 20855 | error | Authentication | Voice OTP delivery failed. |
20900 | notice | Authentication | OIDC - Authentication request received. |
20901 | notice | Authentication | OIDC - ID Token sent for successful user authentication. |
20902 | error | Authentication | OIDC - Response sent for unsuccessful user authentication. |
20903 | error | Authentication | OIDC - Error response sent. |
| 20909 | notice | Authentication | OIDC - Successful user authentication through SSO. |
| 20910 | notice | Authentication | OIDC - Successful user authentication through Relying Party. |
| 20912 | notice | Authentication | OIDC - Successful user authentication through AAD Relying Party. |
| 21901 | notice | Authentication | SMS OTP verification succeeded. |
| 21902 | error | Authentication | SMS OTP verification failed |
| 21903 | error | Authentication | SMS OTP authentication method locked - User exceeded maximum OTPs allowed. |
| 21904 | error | Authentication | SMS OTP verification failed – internal error. |
| 21951 | notice | Authentication | Voice OTP verification succeeded. |
| 21952 | error | Authentication | Voice OTP verification failed. |
| 21953 | error | Authentication | Voice OTP authentication method locked - User exceeded maximum OTPs allowed. |
| 21954 | error | Authentication | Voice OTP verification failed – internal error. |
| 23000 | error | Authentication | Approve with authenticator unlock enabled – No push notification sent for Approve. RSA SecurID Authenticator version not supported. |
| 24001 | notice | Authentication | My Authenticators sign-in succeeded. |
| 24002 | notice | Authentication | My Page sign-out succeeded. |
| 24003 | notice | Authentication | My Page session expired. |
| 24004 | notice | Authentication | User deleted authenticator in My Page. |
| 24005 | notice | Authentication | User deleted FIDO authenticator in My Page. |
| 24006 | notice | Authentication | Hardware Authenticator registration successful. |
| 24007 | notice | Authentication | Hardware Authenticator registration unsuccessful. |
| 24008 | notice | Authentication | Hardware Authenticator unassigned from this user. |
| 24010 | notice | Authentication | Hardware Authenticator PIN reset successful. |
| 24011 | error | Authentication | Hardware Authenticator PIN reset unsuccessful. |
| 24012 | notice | Authentication | Hardware Authenticator successfully resynchronized. |
| 24013 | error | Authentication | Hardware Authenticator resynchronization unsuccessful. |
| 24014 | notice | Authentication | Hardware Authenticator test successful. |
| 24015 | error | Authentication | Hardware Authenticator test unsuccessful. |
| 24016 | error | Authentication | Attempt to unassign Hardware Authenticator unsuccessful. |
| 24017 | notice | Authentication | Hardware Authenticator registration successful. |
| 24018 | notice | Authentication | Hardware Authenticator rename successful. |
| 24019 | error | Authentication | Hardware Authenticator rename unsuccessful. |
| 24020 | notice | Authentication | User deleted OTP credential for RSA DS100 Hardware Authenticator from My Page. |
| 24021 | notice | Authentication | Application credential reset successful in My Applications portal. |
| 24022 | notice | Authentication | User accessed My Authenticators successfully. |
| 24023 | notice | Authentication | My Authenticators authentication succeeded. |
| 24024 | error | Authentication | My Authenticators authentication failed. |
| 24025 | notice | Authentication | My Applications sign-in succeeded. |
| 24026 | error | Authentication | Error retrieving Hardware Authenticator by Serial Number. |
| 24027 | notice | Authentication | Hardware Authenticator retrieved successfully. |
| 25001 | notice | Authentication | Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. |
| 25002 | notice | Authentication | Failed to evaluate identity confidence. |
| 25003 | notice | Authentication | Identity confidence collection disabled. Evaluation skipped, returning low identity confidence. |
| 26000 | notice | Authentication | Emergency Access Code verification succeeded. |
| 26001 | error | Authentication | Emergency Access Code verification failed. |
| 26002 | error | Authentication | Emergency Access Code not configured. |
| 26003 | error | Authentication | Emergency Access Code is expired. |
| 26004 | error | Authentication | Emergency Access Code locked - User previously exceeded maximum attempts. |
| 26005 | error | Authentication | Emergency Access Code now locked. |
| 26007 | error | Authentication | Emergency Access Code deactivated as it is marked for one-time use. User already authenticated using this code. |
| 33000 | notice | Application Invocation | SAML SP application invoked through My Page. |
| 33001 | notice | Application Invocation | SAML IDP application invoked through My Page. |
| 33002 | notice | Application Invocation | OIDC application invoked through My Page. |
| 33003 | notice | Application Invocation | HFED application invoked through My Page. |
| 33004 | notice | Application Invocation | Bookmark application invoked through My Page. |
| 33005 | notice | Application Invocation | Trusted Header application invoked through My Page. |
| 33006 | notice | Application Invocation | NTLM application invoked through My Page. |
| 34000 | error | Email Code | Invalid e-mail address. |
| 34001 | error | Email Code | E-mail code not sent. |
| 34002 | notice | Email Code | E-mail code sent to user. |
| 34003 | error | Email Code | E-mail codes don't match. |
| 34004 | notice | Email Code | Successful e-mail code verification. |
| 34005 | error | Email Code | E-mail address not found. |
| 34006 | error | Email Code | E-mail code verification failed - E-mail code locked. |
| 34007 | error | Email Domain | Blocked invalid e-mail domain. |
| 34100 | error | Verification | Verification was unsuccessful because already enrolled authenticators were found. |
| 34101 | error | Verification | Verification was unsuccessful because user doesn't have exactly one enrolled authenticator. |
| 34102 | error | Verification | Verification was unsuccessful because user enrolled authenticator failed to delete. |
| 34110 | notice | Verification | Successful recovery sign-in. |
| 34120 | notice | Verification | User reported device as lost. |
| 34121 | notice | Verification | User reported device as stolen. |
| 34122 | notice | Verification | User reported device as damaged. |
| 34123 | notice | Verification | User reported device as unusable (other). |
| 38000 | notice | Authentication | User attempted Live Verification with no session started by admin. |
See:
User Event Monitor Messages for Cloud Access Service (02 - 345)
User Event Monitor Messages for Cloud Access Service (400 - 1409)
User Event Monitor Messages for Cloud Access Service (1501 - 20406)
Related Articles
User Event Monitor Messages for Cloud Access Service (02 - 345) Number of Views User Event Monitor Messages for Cloud Access Service (1501 - 20406) Number of Views User Event Monitor Messages for Cloud Access Service (400 - 1409) Number of Views Event Message Components for Cloud Access Service Number of Views System Event Monitor Messages for Cloud Access Service Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
Don't see what you're looking for?
