Configure Okta ThreatInsight system log events

If Okta ThreatInsight actions are enabled, requests from IP addresses that ThreatInsight identifies as malicious appear in the admin System Log.

Okta ThreatInsight evaluates sign-in activity before the user can be identified, so security.threat.detected events do not include a username.

  • If outcome.result is DENY, the request was terminated before authentication. The username cannot be identified.
  • If outcome.result is ALLOW, use the following query to search for other events in the same transaction: transaction.id eq "<TRANSACTION_ID>"
  • If there are other events in the transaction, the user appears in the actor field of those events.

Admins can also audit sign-in requests in the System Log to identify malicious activity, and then block the IP addresses identified as malicious.

To configure Okta ThreatInsight system log events:

  1. In the Admin Console, go to Security > General. Under Okta ThreatInsight Settings, click System Log.
  2. Configure the date range.
  3. In the System Log search bar, enter the following query: eventType eq "security.threat.detected"

The security.threat.detected event appears only if ThreatInsight deems the request a high threat; lower-confidence detections do not generate this event.
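The following Python script, added here as an example and not part of Okta's documentation or product, applies the triage rules above (DENY means no user; ALLOW means join on transaction.id and read the actor of the other events in that transaction) to a handful of constructed System Log-style events, so it runs offline. The sample events, IP addresses, transaction IDs and user alice@example.com are made up. The fetch_logs helper is an assumption about how you would pull the same data from the real System Log API (GET /api/v1/logs with an SSWS token) and is not exercised offline.

```python
"""Triage Okta ThreatInsight security.threat.detected events.

Constructed sample events below mimic the shape of Okta System Log
records; they are not real log data. transaction.id is the field the
System Log filter uses to join all events produced by one request.
"""
from collections import defaultdict
import json
import urllib.parse
import urllib.request

THREAT_EVENT = "security.threat.detected"


def threat_filter():
    """System Log filter expression for ThreatInsight detections."""
    return f'eventType eq "{THREAT_EVENT}"'


def transaction_filter(tx_id):
    """Filter expression that returns every event in one transaction."""
    return f'transaction.id eq "{tx_id}"'


def fetch_logs(org_url, api_token, filter_expr, since, limit=100):
    """Fetch one page of System Log events over the real API (assumption:
    an SSWS API token with permission to read logs). Not run offline;
    pagination via the Link: rel="next" header is left out for brevity."""
    query = urllib.parse.urlencode(
        {"filter": filter_expr, "since": since, "limit": limit})
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/logs?{query}",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _event(event_type, result, tx_id, ip, actor="unknown"):
    """Build a minimal, constructed System Log-style event."""
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "transaction": {"type": "WEB", "id": tx_id},
        "client": {"ipAddress": ip},
        "actor": {"type": "User", "alternateId": actor},
    }


# Constructed sample data: one blocked request, one allowed request that
# went on to start a session, and one allowed request with no follow-up.
SAMPLE_EVENTS = [
    _event(THREAT_EVENT, "DENY", "tx-deny-001", "203.0.113.10"),
    _event(THREAT_EVENT, "ALLOW", "tx-allow-002", "203.0.113.20"),
    _event("user.session.start", "SUCCESS", "tx-allow-002", "203.0.113.20",
           actor="alice@example.com"),
    _event(THREAT_EVENT, "ALLOW", "tx-allow-003", "203.0.113.30"),
]


def triage(events):
    """Map each ThreatInsight detection to the user behind it, if any.

    DENY detections never have a user: Okta terminated the request before
    authentication. ALLOW detections are joined to the other events in the
    same transaction, whose actor field names the user (if any exist).
    """
    by_tx = defaultdict(list)
    for ev in events:
        tx_id = ev.get("transaction", {}).get("id")
        if tx_id:
            by_tx[tx_id].append(ev)

    findings = []
    for ev in events:
        if ev.get("eventType") != THREAT_EVENT:
            continue
        tx_id = ev["transaction"]["id"]
        result = ev["outcome"]["result"]
        user = None
        if result == "ALLOW":
            for other in by_tx[tx_id]:
                alt = other.get("actor", {}).get("alternateId")
                # ThreatInsight events carry actor "unknown"; skip those.
                if other is not ev and alt and alt != "unknown":
                    user = alt
                    break
        findings.append({
            "ip": ev["client"]["ipAddress"],
            "result": result,
            "transaction_id": tx_id,
            "user": user,
            # The query an admin would paste into the System Log search bar.
            "follow_up_query": None if result == "DENY" else transaction_filter(tx_id),
        })
    return findings


if __name__ == "__main__":
    print(threat_filter())
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

An ALLOW detection with no other events in its transaction (the third sample) is left with user None rather than guessed; in practice that means widening the date range or checking whether the request never completed sign-in.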