About Okta ThreatInsight
Threat detection takes place before authentication is evaluated, so requests that Okta ThreatInsight blocks never reach the credential check and therefore cannot cause user lockouts from suspicious IP addresses. Configure Okta ThreatInsight to detect suspicious IP addresses that are the source of credential-based attacks.
When Okta ThreatInsight actions are enabled, end users sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the user receives an HTTP 403 error.
HealthInsight task recommendation
This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.
Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses.
Proxy IP usage
Okta ThreatInsight identifies where a request originated from the X-Forwarded-For (XFF) header. See Network Security.
Okta can correctly identify the originating client IP for requests that reach Okta directly, without passing through proxy IP addresses.
When requests are proxied to Okta through trusted proxy IP addresses:
- Okta expects that proxy IP addresses are configured as trusted proxies in any IP Zones.
- Okta ThreatInsight cannot identify the originating client IP and is not effective in detecting threats if the trusted proxies are not configured correctly in IP Zones.
If the proxy IP addresses are not trusted by the admin, they should not be configured as trusted proxies in IP Zones.
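The following is an added, simplified model of the trusted-proxy logic described above, not Okta's own code: it walks the XFF chain from the right, skipping hops that fall inside a trusted-proxy network, and shows both failure modes the page warns about (a proxy that is not configured as trusted masks the real client, and an untrusted proxy that is wrongly marked trusted lets the client choose its own apparent IP). All IP addresses, networks and headers below are constructed sample values.

```python
import ipaddress

# Constructed sample: client 203.0.113.7 reached the identity provider through a
# corporate proxy at 198.51.100.10, which appended itself to the XFF header.
SAMPLE_XFF = "203.0.113.7, 198.51.100.10"
SAMPLE_REMOTE_ADDR = "198.51.100.10"


def parse_xff(header):
    """Split an X-Forwarded-For value into IP objects; malformed entries are dropped."""
    ips = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            ips.append(ipaddress.ip_address(part))
        except ValueError:
            continue  # hostnames or junk are ignored rather than trusted
    return ips


def originating_ip(xff_header, remote_addr, trusted_proxies):
    """Return the originating client IP as a string.

    The chain is the XFF entries (leftmost = oldest) followed by the TCP peer
    that actually connected to us. Walk it from the right, skipping every hop
    that lies inside a trusted-proxy network; the first hop that is not a
    trusted proxy is the client. Nothing to the left of it can be trusted,
    because that hop could have written it.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    chain = parse_xff(xff_header) + [ipaddress.ip_address(remote_addr)]
    for hop in reversed(chain):
        if not any(hop in net for net in trusted):
            return str(hop)
    # Every hop was a trusted proxy: the leftmost entry is the best available.
    return str(chain[0])


if __name__ == "__main__":
    # Proxy configured as trusted: the real client is identified.
    print(originating_ip(SAMPLE_XFF, SAMPLE_REMOTE_ADDR, ["198.51.100.0/24"]))
    # Proxy not configured as trusted: only the proxy is visible, threat
    # detection on the real client IP is not possible.
    print(originating_ip(SAMPLE_XFF, SAMPLE_REMOTE_ADDR, []))
    # Untrusted peer wrongly marked trusted: the forged XFF value wins.
    print(originating_ip("10.0.0.1", "192.0.2.50", ["192.0.2.0/24"]))
```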
Okta ThreatInsight is just one tool in the security toolbox and blocks certain malicious traffic. It cannot guarantee 100% malicious IP address detection or 100% threat detection. To learn which endpoints support your ThreatInsight implementation, please contact your Customer Success Manager or create a Support ticket at support.okta.com.