About Okta ThreatInsight

Okta ThreatInsight provides a security baseline for all Okta customers with minimal configuration required. You can choose to log events for auditing or to log events and block traffic that ThreatInsight has identified as suspicious. After you select the action you want to enable, ThreatInsight automatically logs or logs and denies access to requests that are identified as malicious.

Credential-based attacks

ThreatInsight is designed to prevent credential-based attacks. Credential-based attacks rely on weak, common, or stolen identity information to impersonate legitimate users or take control of legitimate accounts. For example, credential stuffing attacks rely on user names and passwords that have been stolen in data breaches, captured in phishing campaigns, or traded in online forums. Attackers then use automated tools to test them across other online services. Brute force and password spray attacks rely on systematic or automated testing of weak and common passwords, often against a known set of user names.

Threat evaluation happens before authentication

ThreatInsight evaluates sign-in requests to identify potential threats before users are authenticated. Users sign in as usual. If you're blocking suspicious traffic and ThreatInsight detects that the sign-in request comes from a malicious IP address, Okta automatically denies the user access to the organization and the user receives an error in response to the request.

However, requests that are blocked by ThreatInsight are not treated as failed user sign-in attempts. Because ThreatInsight treats requests from suspicious IP addresses as a separate threat vector than failed authentication attempts, there are fewer account lockout events and more reliable analysis of the IP addresses that might be involved in an attack.

Data analysis and machine learning for threat detection

ThreatInsight evaluates millions of authentication requests made to thousands of Okta organizations and Okta authentication endpoints to identify suspicious internet protocol (IP) addresses. ThreatInsight then uses data analysis and machine learning models to observe and derive intelligence to identify credential-based attacks across the customer base. If ThreatInsight identifies that an organization is under attack, it can record events for further analysis, block traffic, and increase the protection it provides until no further attacks are detected.

For information about how to query ThreatInsight events in the System Log, see System Log events for Okta ThreatInsight.

Recommended configuration

You can enable ThreatInsight as a standalone service or use it in combination with other security devices and services—such as web application firewalls (WAFs), bot management services, DDoS mitigation services, or security alert management services—to provide multiple layers of security protect your organization and network access.

At a minimum, Okta recommends that you enable ThreatInsight to log and block suspicious traffic.

Okta recommendation Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses.
Security impact Critical
End-user impact Low

For more security recommendations from Okta, see HealthInsight.

Trusted and untrusted proxy IP addresses

With ThreatInsight, Okta can correctly identify the originating client IP address for requests that are not proxied to Okta through trusted proxy IP addresses. If requests are passed to Okta through trusted proxy IP addresses:

  • You should only include IP addresses that you trust as proxies for any network zone.
  • Okta ThreatInsight can't identify the originating client IP address and, therefore, is less effective in detecting threats if you do not configure trusted proxies properly for network zones.

For more information about configuring network zones, see Network zones. For information about excluding a network zone from being analyzed by Okta ThreatInsight, see Exempt an IP Zone from Okta ThreatInsight.


To prevent abuse, Okta ThreatInsight works in a limited capacity for free trial editions. Contact Okta Support if you require the full functionality of Okta ThreatInsight.

Okta ThreatInsight blocks certain types of malicious traffic. It can't guarantee 100% malicious IP address detection or 100% threat detection.

To learn which endpoints support your Okta ThreatInsight implementation, contact your Customer Success Manager or create a Support ticket at support.okta.com.

Related topics

Configure Okta ThreatInsight

System Log events for Okta ThreatInsight

Exempt an IP Zone from Okta ThreatInsight