About Okta ThreatInsight

Threat detection takes place before authentication is evaluated. Because Okta ThreatInsight blocks requests from suspicious IP addresses before that evaluation, those requests do not cause user lockouts. Configure Okta ThreatInsight to detect suspicious IP addresses involved in credential-based attacks.

When Okta ThreatInsight actions are enabled, end users may sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the user receives an HTTP 403 error.

HealthInsight task recommendation

This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Okta recommends

Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses.

Security impact

Critical

End-user impact

Low

Proxy IP usage

Okta ThreatInsight identifies where the request originated based on the X-Forwarded-For (XFF) header. See Network Security.

Okta can correctly identify the originating client IP for requests that are not proxied to Okta through proxy IP addresses.

When requests are proxied to Okta through trusted proxy IP addresses:

  • Okta expects that proxy IP addresses are configured as trusted proxies in any IP Zones.
  • Okta ThreatInsight cannot identify the originating client IP and is not effective in detecting threats if the trusted proxies are not configured correctly in IP Zones.

Note

If the proxy IP addresses are not trusted by the admin, they should not be configured as trusted proxies in IP Zones.
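
The effect of trusted-proxy configuration on origin identification can be seen with the common right-to-left X-Forwarded-For walk. This is an added example, not Okta's code: the function name, the CIDR list standing in for an IP Zone's trusted proxies, and the documentation-range sample addresses are all assumptions.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address treated as the origin of a request.

    peer_ip         -- address of the host that connected to the service
    xff_header      -- raw X-Forwarded-For value ("" when absent)
    trusted_proxies -- CIDR strings (hypothetical stand-in for an IP Zone)
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]

    # Hop chain, oldest first: XFF entries, then the directly connected peer.
    chain = [h.strip() for h in xff_header.split(",") if h.strip()] + [peer_ip]

    origin = peer_ip
    # Walk from the nearest hop outward; the first untrusted hop is the origin.
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last hop that was verified
        if not any(ip in net for net in trusted):
            return hop
        origin = hop
    return origin


if __name__ == "__main__":
    PROXY = "198.51.100.7"                      # constructed proxy address
    USERS = ["203.0.113.10", "203.0.113.99"]    # constructed client addresses

    print("direct, no proxy:")
    for user in USERS:
        print("  ", user, "->", resolve_client_ip(user, "", []))

    print("proxied, proxy configured as trusted:")
    for user in USERS:
        print("  ", user, "->", resolve_client_ip(PROXY, user, [PROXY + "/32"]))

    # Every user collapses onto the proxy address, so per-IP detection
    # can no longer tell individual clients apart.
    print("proxied, proxy NOT configured as trusted:")
    for user in USERS:
        print("  ", user, "->", resolve_client_ip(PROXY, user, []))
```
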

Okta ThreatInsight is just one tool in the security toolbox and blocks certain malicious traffic. It cannot guarantee 100% malicious IP address detection or 100% threat detection. To learn which endpoints support your ThreatInsight implementation, please contact your Customer Success Manager or create a Support ticket at support.okta.com.

Related topics

Configure Okta ThreatInsight

Configure Okta ThreatInsight system log events

Exempt an IP Zone from Okta ThreatInsight

HealthInsight Reporting on Okta ThreatInsight

HealthInsight