About Okta ThreatInsight
Okta ThreatInsight adds extra security to your org by evaluating sign-in attempts for potentially suspicious activity.
You can log events for auditing purposes or block potentially suspicious network traffic. If Okta ThreatInsight detects suspicious events, it records the event and can deny access to the request.
Okta ThreatInsight blocks certain types of malicious traffic. It can't guarantee 100% malicious IP address detection or 100% threat detection.
Credential-based attacks
ThreatInsight is designed to prevent credential-based attacks. Credential-based attacks rely on weak, common, or stolen identity information to impersonate legitimate users or take control of legitimate accounts. For example, credential stuffing attacks rely on usernames and passwords that have been stolen in data breaches, captured in phishing campaigns, or traded in online forums. Attackers then use automated tools to test them across other online services. Brute force and password spray attacks rely on systematic or automated testing of weak and common passwords, often against a known set of usernames.
Threat evaluation happens before authentication
ThreatInsight evaluates sign-in requests to identify potential threats before users are authenticated. If a sign-in request comes from a potentially malicious IP address, Okta denies the user access to the org.
Blocked requests aren't treated as failed user sign-in attempts because ThreatInsight treats these request separately from failed authentication attempts. This produces fewer lockouts and a more reliable analysis of potentially malicious IP addresses.
Data analysis and machine learning for threat detection
ThreatInsight evaluates authentication requests made to Okta orgs and Okta authentication endpoints. It analyzes data to identify potentially suspicious IP addresses, learns from each situation, and enhances the protection for all Okta orgs.
You can configure ThreatInsight to record events for further analysis, block traffic, and increase protection levels until no further attacks are detected.
See System Log events for Okta ThreatInsight for more information.
Recommended configuration
You can enable ThreatInsight to protect your Okta org as a standalone service or with other security devices and services:
- Web application firewalls (WAFs)
- Bot management services
- DDoS mitigation services
- Security alert management services
At a minimum, Okta recommends that you enable ThreatInsight to log and block suspicious traffic.
| Okta recommendation | Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses. |
| Security impact | Critical |
| End user impact | Low |
For more security recommendations from Okta, see HealthInsight.
Trusted and untrusted proxy IP addresses
With ThreatInsight, Okta can correctly identify the originating client IP address for requests that aren't proxied to Okta through trusted proxy IP addresses. If requests are passed to Okta through trusted proxy IP addresses:
- Only include IP addresses that you trust as proxies for any network zone.
- Okta ThreatInsight can't identify the originating client IP address. If you don't configure trusted proxies properly for network zones it's less effective at detecting threats.
See Network zones and Exclude IP zones from Okta ThreatInsight evaluation for more information.