Configure Okta ThreatInsight system log events
If Okta ThreatInsight actions are enabled, requests from malicious IP addresses will appear in the admin System Log.
Okta ThreatInsight evaluates sign-in activity before the user can be identified, so security.threat.detected events do not include a username.
- If outcome.result is DENY, the request was terminated. The username cannot be identified.
- If outcome.result is ALLOW, search for other events in the same transaction with the query transaction.id eq "<TRANSACTION_ID>".
- If the transaction contains other events, the user can be found in their actor field.
Admins can also audit sign-in requests to identify malicious activity by referring to the system log and choosing to block IP addresses identified as malicious.
To configure Okta ThreatInsight system log events:
- Go to Security > General > Okta ThreatInsight Settings > System Log.
- Configure the date range.
- In the System Log search bar, enter the following query: eventType eq "security.threat.detected"
The security.threat.detected event only appears if the request is deemed a high threat.
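The triage described above (filter on eventType, branch on outcome.result, and for ALLOW hits pivot on transaction.id to recover the actor) can be automated over a System Log export. The script below is an added example, not Okta's code or part of this page. It assumes the export is a JSON array of events using the Okta System Log field names (eventType, outcome.result, transaction.id, actor.alternateId, client.ipAddress); the events embedded in it are constructed sample data, not real log entries. It goes slightly beyond the text by also collecting the distinct flagged IPs as candidates for the block-list review mentioned above.

```python
"""Triage Okta ThreatInsight hits from a System Log export.

Added example, not Okta's code. Field names follow the Okta System Log JSON
schema; the sample events below are constructed, not real log data.
"""
import json

THREAT_EVENT_TYPE = "security.threat.detected"

# Constructed sample events (not real log data). One DENY hit (no user can be
# resolved), one ALLOW hit that shares a transaction with a session event that
# carries the actor, one ALLOW hit with no sibling events, and one unrelated
# event that the eventType filter must drop.
SAMPLE_EVENTS_JSON = """[
 {"uuid": "evt-1", "published": "2024-01-01T10:00:00.000Z", "eventType": "security.threat.detected",
  "outcome": {"result": "DENY", "reason": "Request from suspicious IP"},
  "transaction": {"type": "WEB", "id": "tx-aaa"},
  "actor": {"id": "unknown", "type": "User", "alternateId": "unknown"},
  "client": {"ipAddress": "203.0.113.10"}},
 {"uuid": "evt-2", "published": "2024-01-01T10:05:00.000Z", "eventType": "security.threat.detected",
  "outcome": {"result": "ALLOW", "reason": "Request from suspicious IP"},
  "transaction": {"type": "WEB", "id": "tx-bbb"},
  "actor": {"id": "unknown", "type": "User", "alternateId": "unknown"},
  "client": {"ipAddress": "198.51.100.7"}},
 {"uuid": "evt-3", "published": "2024-01-01T10:05:01.000Z", "eventType": "user.session.start",
  "outcome": {"result": "SUCCESS"},
  "transaction": {"type": "WEB", "id": "tx-bbb"},
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
  "client": {"ipAddress": "198.51.100.7"}},
 {"uuid": "evt-4", "published": "2024-01-01T10:09:00.000Z", "eventType": "security.threat.detected",
  "outcome": {"result": "ALLOW", "reason": "Request from suspicious IP"},
  "transaction": {"type": "WEB", "id": "tx-ccc"},
  "actor": {"id": "unknown", "type": "User", "alternateId": "unknown"},
  "client": {"ipAddress": "203.0.113.44"}},
 {"uuid": "evt-5", "published": "2024-01-01T10:12:00.000Z", "eventType": "user.authentication.auth_via_mfa",
  "outcome": {"result": "SUCCESS"},
  "transaction": {"type": "WEB", "id": "tx-ddd"},
  "actor": {"id": "00u2", "type": "User", "alternateId": "bob@example.com"},
  "client": {"ipAddress": "192.0.2.5"}}
]"""


def load_events(raw_json):
    """Parse a System Log export (a JSON array of event objects)."""
    return json.loads(raw_json)


def threat_events(events):
    """Offline equivalent of the filter: eventType eq "security.threat.detected"."""
    return [e for e in events if e.get("eventType") == THREAT_EVENT_TYPE]


def transaction_query(transaction_id):
    """Build the follow-up System Log query for an ALLOW hit."""
    return 'transaction.id eq "%s"' % transaction_id


def find_actor(events, transaction_id):
    """Return the username from a non-threat event in the same transaction.

    The threat event itself never carries a username (ThreatInsight runs before
    the user is identified), so only sibling events in the transaction count.
    """
    for e in events:
        if e.get("transaction", {}).get("id") != transaction_id:
            continue
        if e.get("eventType") == THREAT_EVENT_TYPE:
            continue
        alt = e.get("actor", {}).get("alternateId")
        if alt and alt != "unknown":
            return alt
    return None  # DENY, or an ALLOW with no other events in the transaction


def triage(events):
    """One row per ThreatInsight hit: IP, outcome, transaction, resolved user."""
    rows = []
    for e in threat_events(events):
        result = e.get("outcome", {}).get("result")
        tx_id = e.get("transaction", {}).get("id")
        allowed = result == "ALLOW"
        rows.append({
            "ip": e.get("client", {}).get("ipAddress"),
            "result": result,
            "transaction_id": tx_id,
            "user": find_actor(events, tx_id) if allowed else None,
            "follow_up_query": transaction_query(tx_id) if allowed else None,
        })
    return rows


def ips_to_review(events):
    """Distinct source IPs flagged by ThreatInsight, as candidates for review."""
    return sorted({r["ip"] for r in triage(events) if r["ip"]})


if __name__ == "__main__":
    sample = load_events(SAMPLE_EVENTS_JSON)
    for row in triage(sample):
        print(row)
    print("IPs to review:", ips_to_review(sample))
```

Run against a real export by replacing SAMPLE_EVENTS_JSON with the file contents; the DENY row resolves no user by design, and an ALLOW row resolves a user only when the export also contains the transaction's other events, so widen the date range if the follow-up query returns nothing.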