ThreatInsight

This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. To enable ThreatInsight, please contact Okta Support.

Overview

ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks. ThreatInsight detection takes place before authentication is evaluated, so blocking requests with ThreatInsight prevents malicious IP addresses from locking out user accounts. Admins can audit sign-in requests in the system log to identify malicious activity and can choose to block IP addresses identified as malicious.


Access ThreatInsight from the admin console by navigating to Security > General.


Note: The Okta Model for threat detection is based on a continuous evaluation of the latest data available. If Okta incorrectly identifies any trusted IP addresses as malicious, you may exempt them from ThreatInsight as needed. Refer to Exempt Zones for more details.


Prerequisites


Configure ThreatInsight

  1. Sign in to the admin console and click Security > General.
  2. Navigate to Okta ThreatInsight Settings.
  3. Click Edit. A list of actions is displayed:
    • No Action
    • Log authentication attempts from malicious IPs
    • Log and block authentication attempts from malicious IPs

  4. Select the desired action for your org and click Save to continue with your changes.

    Note: It may take a few minutes for any changes to these settings to take effect.


Action Name | Description
No Action | ThreatInsight actions are not enabled. Note that Okta collects ThreatInsight data for aggregation purposes even if this option is selected.
Log authentication attempts from malicious IPs | Sign-in attempts from malicious IP addresses are displayed in the system log. Network zones for whitelisting may be added.
Log and block authentication attempts from malicious IPs | Sign-in attempts from malicious IP addresses are displayed in the system log and blocked, returning an HTTP 403 error. Network zones for whitelisting may be added.


Exempt Zones

When a network zone is added to this field, IP addresses included in the zones are exempt from the following actions:

  • Log authentication attempts from malicious IPs
  • Log and block authentication attempts from malicious IPs

Enter an existing IP address zone to have it whitelisted from ThreatInsight. If you need to create a new IP zone, refer to Networks and navigate to Adding and Configuring IP Zones.


System Log Events

If ThreatInsight actions are enabled, requests from malicious IP addresses will appear in the admin System Log, which can be accessed from the admin console menu or directly from the link provided in Okta ThreatInsight Settings.

Enter the following query to find these types of events in the system log: eventType eq "security.threat.detected"
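As an added example (not part of the Okta documentation), the script below applies the same eventType filter to a constructed batch of System Log events, counts detections per source IP, and reports which of those IPs a candidate Exempt Zone would silence, which is the check worth running before whitelisting a zone. The sample events and the CIDR zones are constructed values; only the System Log fields the script reads are included.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Okta System Log events (not real data). Only the
# fields this script reads are present; real events carry many more.
SAMPLE_LOG = json.dumps([
    {"eventType": "security.threat.detected", "published": "2023-01-10T08:01:02.000Z",
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "DENY"}},
    {"eventType": "security.threat.detected", "published": "2023-01-10T08:01:09.000Z",
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "DENY"}},
    {"eventType": "security.threat.detected", "published": "2023-01-10T08:02:30.000Z",
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "DENY"}},
    {"eventType": "user.session.start", "published": "2023-01-10T08:03:00.000Z",
     "client": {"ipAddress": "192.0.2.5"}, "outcome": {"result": "SUCCESS"}},
])

# The filter expression the page gives for the System Log search box.
THREAT_FILTER = 'eventType eq "security.threat.detected"'

def load_sample():
    """Parse the constructed sample above into a list of event dicts."""
    return json.loads(SAMPLE_LOG)

def threat_events(events):
    """Keep only the events that THREAT_FILTER would return."""
    return [e for e in events if e.get("eventType") == "security.threat.detected"]

def summarize_by_ip(events, candidate_zones=()):
    """Count ThreatInsight detections per source IP.

    candidate_zones: CIDR strings for an IP zone you are considering adding
    under Exempt Zones. Detections from IPs inside those zones are reported
    separately so an admin can see what the exemption would suppress.
    """
    zones = [ipaddress.ip_network(z) for z in candidate_zones]
    flagged, would_be_exempt = Counter(), Counter()
    for e in threat_events(events):
        ip = e.get("client", {}).get("ipAddress")
        if not ip:
            continue  # malformed event: no source address to attribute
        addr = ipaddress.ip_address(ip)
        bucket = would_be_exempt if any(addr in z for z in zones) else flagged
        bucket[ip] += 1
    return {"flagged": dict(flagged), "would_be_exempt": dict(would_be_exempt)}

if __name__ == "__main__":
    print(summarize_by_ip(load_sample(), candidate_zones=["198.51.100.0/24"]))
```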


End-User Experience

When ThreatInsight actions are enabled, end users may sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the user receives an HTTP 403 error.
