System Log events for Okta ThreatInsight

If Okta ThreatInsight actions are enabled, requests from malicious IP addresses are recorded as events in the admin System Log. Okta ThreatInsight evaluates sign-in activity before the user can be identified, so security.threat.detected events don't include a username.

  • If outcome.result is DENY, the request was terminated. The username can't be identified. However, you can view more information about why the request was terminated in the System Log event. For example:

    A System Log event for a blocked request indicates the IP address and reason the request was denied

  • If outcome.result is RATE_LIMIT, suspicious activity was detected. To prevent a malicious actor from consuming the rate limit for your org, the request was terminated and the username can't be identified. However, you can view more information about why the request was terminated in the System Log event. For example:

    A System Log event for suspicious activity indicates the action taken and the reason

  • If outcome.result is ALLOW, use the following query to search for other events in the same transaction: transaction.id eq "<TRANSACTION_ID>". If there are other events in the transaction, the user can also be found in the actor field.

You can also audit sign-in requests to identify malicious activity by referring to the System Log and choosing to block IP addresses identified as malicious.

The security.threat.detected event only appears if the request is deemed a high threat.

View System Log events

  1. In the Admin Console, go to Security > General.

  2. Under Okta ThreatInsight Settings, click the System Log link.

    Because you navigated to the System Log from Okta ThreatInsight Settings, the search field is pre-populated with the query eventType eq "security.threat.detected".

  3. Configure the date range.

Org Under Attack

When an org is under attack, ThreatInsight flags IPs more aggressively, which can result in more security.threat.detected events. You can view why an IP was identified as suspicious by reviewing the Reason field and the threat level that appears in the field Event.System.DebugContext.DebugData.ThreatDetections.

A System Log event for an org under attack

To find Org Under Attack events, you can search using the queries eventType eq "security.attack.start" and eventType eq "security.attack.end".

Sign-in attempts from suspicious IP addresses

If ThreatInsight detects sign-on attempts from an IP address suspected of potentially malicious activity, it signals this detection by setting the ThreatSuspected field to true. You can search for sign-in attempts from suspicious IP addresses using the following query:

debugContext.debugData.threatSuspected eq "true"

The ThreatSuspected field also appears in the user.session.start and security.threat.detected System Log events.
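
The outcome.result rules and the threatSuspected filter described on this page, applied to exported System Log events, as an added example (not Okta's code). The sample events are constructed, and the client.ipAddress and actor.alternateId field names are assumptions about the exported JSON layout.

```python
import json

# Constructed sample events (not real data). The field layout is an assumption
# modelled on System Log JSON: eventType, outcome, transaction, actor, client.
SAMPLE_EVENTS = json.loads("""[
 {"eventType": "security.threat.detected",
  "outcome": {"result": "DENY", "reason": "constructed reason"},
  "transaction": {"id": "txn-A"}, "client": {"ipAddress": "203.0.113.10"}},
 {"eventType": "security.threat.detected",
  "outcome": {"result": "RATE_LIMIT", "reason": "constructed reason"},
  "transaction": {"id": "txn-B"}, "client": {"ipAddress": "203.0.113.11"}},
 {"eventType": "security.threat.detected",
  "outcome": {"result": "ALLOW", "reason": "constructed reason"},
  "transaction": {"id": "txn-C"}, "client": {"ipAddress": "198.51.100.7"}},
 {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
  "transaction": {"id": "txn-C"}, "client": {"ipAddress": "198.51.100.7"},
  "actor": {"alternateId": "alice@example.com"},
  "debugContext": {"debugData": {"threatSuspected": "true"}}}
]""")

def triage_threat_events(events):
    """Return one finding per security.threat.detected event."""
    by_txn = {}
    for ev in events:
        by_txn.setdefault(ev["transaction"]["id"], []).append(ev)
    findings = []
    for ev in events:
        if ev["eventType"] != "security.threat.detected":
            continue
        txn, result = ev["transaction"]["id"], ev["outcome"]["result"]
        users = set()
        if result == "ALLOW":
            # Same idea as the query: transaction.id eq "<TRANSACTION_ID>"
            for other in by_txn[txn]:
                user = other.get("actor", {}).get("alternateId")
                if other is not ev and user:
                    users.add(user)
        findings.append({"ip": ev["client"]["ipAddress"], "result": result,
                         "terminated": result in ("DENY", "RATE_LIMIT"),
                         "users": sorted(users)})
    return findings

def threat_suspected(events):
    """Events where debugContext.debugData.threatSuspected is "true"."""
    return [ev for ev in events if ev.get("debugContext", {})
            .get("debugData", {}).get("threatSuspected") == "true"]

if __name__ == "__main__":
    for finding in triage_threat_events(SAMPLE_EVENTS):
        print(finding)
```
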