System Log events for Okta ThreatInsight
If Okta ThreatInsight actions are enabled, requests from malicious IP addresses appear in the admin System Log. Okta ThreatInsight evaluates sign-in activity before the user itself can be identified, so security.threat.detected events do not include a username.
- If outcome.result is DENY, the request was terminated. The username cannot be identified.
- If outcome.result is ALLOW, use the following query to search for other events with the same transaction ID: transaction.id eq "<TRANSACTION_ID>".
- If there are other events in the transaction, the user can also be found in the actor field.
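The lookup described above can be scripted against an exported System Log (for example the JSON returned by the /api/v1/logs endpoint). The following is an added example, not Okta's code: it builds the two search expressions from this page, groups events by transaction.id, and for every security.threat.detected event reports the username only when the outcome was ALLOW and another event in the same transaction carries an actor. The field paths (eventType, outcome.result, outcome.reason, transaction.id, actor.alternateId, client.ipAddress) follow the public System Log schema; the sample events and their reason strings are constructed for illustration.

```python
"""Triage Okta ThreatInsight security.threat.detected events from exported System Log JSON.

Added example, not Okta's code. Field paths follow the public System Log
schema; SAMPLE_EVENTS below is constructed, not real log data.
"""
import json
from collections import defaultdict

THREAT_DETECTED = "security.threat.detected"
ATTACK_START = "security.attack.start"
ATTACK_END = "security.attack.end"


def event_type_filter(event_type: str) -> str:
    """Build the System Log search expression, e.g. eventType eq "security.threat.detected"."""
    return f'eventType eq "{event_type}"'


def transaction_filter(transaction_id: str) -> str:
    """Build the follow-up query that returns every event of one transaction."""
    return f'transaction.id eq "{transaction_id}"'


def _get(event, *path):
    """Walk a nested dict safely; a missing key or a null node yields None."""
    node = event
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def resolve_threat_events(events):
    """For each security.threat.detected event, recover the username the way the
    documentation describes: DENY -> no user; ALLOW -> read the actor field of the
    other events that share the same transaction.id."""
    by_txn = defaultdict(list)
    for ev in events:
        txn = _get(ev, "transaction", "id")
        if txn:
            by_txn[txn].append(ev)

    findings = []
    for ev in events:
        if ev.get("eventType") != THREAT_DETECTED:
            continue
        txn = _get(ev, "transaction", "id")
        result = _get(ev, "outcome", "result")
        username = None
        if result == "ALLOW" and txn:
            for other in by_txn[txn]:
                if other is ev:
                    continue  # the threat event itself carries no username
                username = _get(other, "actor", "alternateId")
                if username:
                    break
        findings.append({
            "ip": _get(ev, "client", "ipAddress"),
            "result": result,
            "reason": _get(ev, "outcome", "reason"),
            "transaction_id": txn,
            # Only an ALLOW outcome is worth a follow-up transaction search.
            "follow_up_query": transaction_filter(txn) if result == "ALLOW" and txn else None,
            "username": username,
        })
    return findings


# Constructed sample export (RFC 5737 documentation addresses, invented reasons):
# one DENY threat event, one ALLOW threat event, and a session event from the
# same transaction as the ALLOW event that identifies the user.
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "security.threat.detected",
  "outcome": {"result": "DENY", "reason": "constructed: request from flagged IP"},
  "transaction": {"id": "txn-0001"}, "actor": null,
  "client": {"ipAddress": "203.0.113.10"}},
 {"eventType": "security.threat.detected",
  "outcome": {"result": "ALLOW", "reason": "constructed: flagged IP, log-only mode"},
  "transaction": {"id": "txn-0002"}, "actor": null,
  "client": {"ipAddress": "198.51.100.7"}},
 {"eventType": "user.session.start",
  "outcome": {"result": "SUCCESS"},
  "transaction": {"id": "txn-0002"},
  "actor": {"alternateId": "jdoe@example.com", "type": "User"},
  "client": {"ipAddress": "198.51.100.7"}}
]
""")

if __name__ == "__main__":
    print(event_type_filter(THREAT_DETECTED))
    for finding in resolve_threat_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run it on a real export by replacing SAMPLE_EVENTS with the parsed JSON array from the System Log; the DENY row keeps username None, as the documentation says it must, while the ALLOW row resolves to the actor of the sibling event.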
Admins can also audit sign-in requests to identify malicious activity by referring to the System Log and choosing to block IP addresses identified as malicious. The security.threat.detected event only appears if the request is deemed a high threat.
View System Log events
- In the Admin Console, navigate to Security > General.
- Under Okta ThreatInsight Settings, click the System Log link.
- Configure the date range. The query eventType eq "security.threat.detected" will be pre-populated in the search. For Org Under Attack events, search using the queries eventType eq "security.attack.start" and eventType eq "security.attack.end".
Org Under Attack
When an org is under attack, ThreatInsight flags IPs more aggressively, which can result in more security.threat.detected events. You can view why an IP was identified as suspicious by reviewing the Reason field and the threat level that appears in the field