Configure Okta ThreatInsight system log events

If Okta ThreatInsight actions are enabled, requests from malicious IP addresses will appear in the admin System Log.

Okta ThreatInsight evaluates sign-in activity before the user itself can be identified so security.threat.detected events do not include a username.

• If outcome.result is DENY, the request was terminated. The username cannot be identified.
• If outcome.result is ALLOW, use the following query to search for other events with the same  transaction.id eq "<TRANSACTION_ID>".
• If there are other events in the transaction, the user can also be found in the actor field.

Admins can also audit sign-in requests to identify malicious activity by referring to the system log and choosing to block IP addresses identified as malicious.

To configure Okta ThreatInsight system log events:

1. In the Security > General > Okta ThreatInsight Settings > System Log.
2. Configure the date range.
3. In the System Log search bar, enter the following query: eventType eq "security.threat.detected"

The security.threat.detected event only appears if the request is deemed a high threat.