This is an Early Access feature. To enable it, please contact Okta Support.
ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks. ThreatInsight detection takes place prior to authentication evaluation. Blocking requests with ThreatInsight prevents user lockouts caused by malicious IP addresses. Admins can audit sign-in requests in the system log to identify malicious activity, and can choose to block IP addresses identified as malicious.
Access ThreatInsight from the admin console by navigating to Security > General.
- An exempt IP Network zone that contains trusted IP addresses for your org. Trusted IP addresses include IPs such as office gateway IPs or Okta agents. Refer to Exempt Zones for more details.
- Sign in to the admin console and click Security > General.
- Navigate to Okta ThreatInsight Settings.
- Click Edit. A list of actions is displayed:
  - Log authentication attempts from malicious IPs
  - Log and block authentication attempts from malicious IPs
Select the desired action for your org and click Save to continue with your changes.
Note: It may take a few minutes for any changes to these settings to take effect.
| Action | Description |
|---|---|
| No Action | ThreatInsight actions are not enabled. Note that Okta collects ThreatInsight data for aggregation purposes even if this option is selected. |
| Log authentication attempts from malicious IPs | Sign-in attempts from malicious IP addresses are displayed in the system log. Network zones for whitelisting may be added. |
| Log and block authentication attempts from malicious IPs | Sign-in attempts from malicious IP addresses are displayed in the system log and blocked, returning an HTTP 403 error. Network zones for whitelisting may be added. |
When a network zone is added to this field, IP addresses included in the zones are exempt from the following actions:
- Log authentication attempts from malicious IPs
- Log and block authentication attempts from malicious IPs
System Log Events
If ThreatInsight actions are enabled, requests from malicious IP addresses will appear in the admin System Log, which can be accessed from the admin console menu or directly from the link provided in Okta ThreatInsight Settings.
Enter the following query to find this type of event in the system log: eventType eq "security.threat.detected"
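The same filter can be used for triage outside the console. The following is an added example, not Okta's code: it builds a System Log API URL with the filter above, then counts detections per source IP in exported events and lists any flagged IPs that fall inside ranges you consider trusted. The org URL, the trusted CIDR and the sample events are constructed; `client.ipAddress` is the source-address field of a System Log event.

```python
import ipaddress
from collections import Counter
from urllib.parse import quote, urlencode

# Filter expression from this page's System Log query.
THREAT_FILTER = 'eventType eq "security.threat.detected"'

def logs_url(org_url):
    """URL for the System Log API (/api/v1/logs) with the ThreatInsight filter."""
    query = urlencode({"filter": THREAT_FILTER}, quote_via=quote)
    return f"{org_url.rstrip('/')}/api/v1/logs?{query}"

def summarize(events, trusted_cidrs):
    """Return (detections per source IP, flagged IPs inside trusted ranges)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    counts = Counter()
    for ev in events:
        if ev.get("eventType") != "security.threat.detected":
            continue  # ignore unrelated events in a mixed export
        ip = (ev.get("client") or {}).get("ipAddress") or ""
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # missing or malformed source address
        counts[ip] += 1
    trusted = sorted(ip for ip in counts
                     if any(ipaddress.ip_address(ip) in n for n in nets))
    return counts, trusted

# Constructed sample events (documentation address ranges, not real data).
SAMPLE_EVENTS = [
    {"eventType": "security.threat.detected", "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "security.threat.detected", "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "security.threat.detected", "client": {"ipAddress": "198.51.100.5"}},
    {"eventType": "user.session.start", "client": {"ipAddress": "203.0.113.7"}},
    {"eventType": "security.threat.detected", "client": {}},
]
TRUSTED_CIDRS = ["198.51.100.0/28"]  # assumed office gateway range

if __name__ == "__main__":
    print(logs_url("https://example.okta.com"))  # placeholder org URL
    counts, trusted = summarize(SAMPLE_EVENTS, TRUSTED_CIDRS)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print("flagged but trusted:", trusted)
```

An IP that appears under "flagged but trusted" is one to review against your exempt zone before switching the action to log and block.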
When ThreatInsight actions are enabled, end users may sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the user receives an HTTP 403 error.