About behavior and app sign-on policy rules

Admins can add behavior conditions to app sign-on policies using an expression. A behavior describes a change in the location, device, IP address, or velocity from which Okta is accessed.

A behavior heuristic is an expression that has multiple behavior conditions joined by an operator. Once defined, a behavior heuristic can be used in Okta app sign-on rules to trigger an action and further secure end-user authentication.

Behavior and expression language

Behaviors that are available for your org through Security Behavior Detection can be referenced using Expression Language.

Pass a behaviorName in the expression security.behaviors.contains('behaviorName').

Create a custom behaviorName or use one of the following behaviorName defaults:

  • New IP
  • New Device
  • New Location
  • New Velocity

Expression examples

Unrecognized IPs OR unrecognized devices

  1. Create a new behavior policy for New Device and New IP. See Security Behavior Detection configuration.
  2. Define the expression that applies if the IP OR the device is not recognized:

security.behaviors.contains('New IP') || security.behaviors.contains('New Device')

Unrecognized IP AND unrecognized devices

security.behaviors.contains('New IP') && security.behaviors.contains('New Device')
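To compare how much each heuristic covers, the following added example (not Okta's code or its expression evaluator) parses the syntax shown above and runs both rules against constructed sign-ins. The function names and the sign-in events are assumptions made for illustration, and only contains() conditions joined by && and || are supported.

```python
import re

# Only the syntax shown on this page: contains('Name') joined by && and ||.
TOKEN = re.compile(r"\s*(?:security\.behaviors\.contains\('([^']*)'\)|(&&|\|\|))")

def tokenize(expr):
    pos, out, expr = 0, [], expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}")
        out.append(m.group(2) or ("name", m.group(1)))
        pos = m.end()
    return out

def evaluate(expr, triggered):
    """True if expr matches the set of behavior names triggered for one sign-in."""
    toks = tokenize(expr)
    def condition():
        tok = toks.pop(0) if toks else None
        if not isinstance(tok, tuple):
            raise ValueError(f"expected a contains() condition, got {tok!r}")
        return tok[1] in triggered

    def chain(operand, op, combine):
        val = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            val = combine(operand(), val)
        return val

    def all_of():  # && binds tighter than ||
        return chain(condition, "&&", lambda a, b: a and b)
    result = chain(all_of, "||", lambda a, b: a or b)
    if toks:
        raise ValueError("missing operator between conditions")
    return result

OR_RULE = "security.behaviors.contains('New IP') || security.behaviors.contains('New Device')"
AND_RULE = "security.behaviors.contains('New IP') && security.behaviors.contains('New Device')"

# Constructed sign-ins: label -> behaviors assumed to have triggered.
EVENTS = {"known device, known IP": set(),
          "known device, new IP": {"New IP"},
          "new device, known IP": {"New Device"},
          "new device, new IP": {"New IP", "New Device"}}

def matches(rule):
    return [label for label, seen in EVENTS.items() if evaluate(rule, seen)]
```

Calling matches(OR_RULE) returns three of the four sign-ins, while matches(AND_RULE) returns only the one where both behaviors triggered, so a rule built on the AND heuristic leaves a new-device sign-in from a known IP unmatched.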

For more information, see Expression Language Overview.

Related Topic

Add behavior to app sign-on policy rule