Configure Okta ThreatInsight

Configure Okta ThreatInsight to detect malicious IP addresses that attempt credential-based attacks.

Before you begin

• Create an IP zone that contains trusted IP addresses for your org so it may be exempted from Okta ThreatInsight.
• Trusted IP addresses include IP addresses for network gateways, or Okta agents, and others. See for Exclude IP zones from Okta ThreatInsight evaluation.

Start this task

1. In the Admin Console, go to SecurityGeneral.

2. Go to Okta ThreatInsight settings.
3. Click Edit. A list of actions appears:
   • No Action: Okta ThreatInsight actions aren't enabled. Okta collects Okta ThreatInsight data for aggregation purposes even if this option is selected.
   • Log authentication attempts from malicious IPs: ThreatInsight records information about sign-in attempts from potentially malicious IP addresses in the System Log.
   • Log and enforce security based on threat level: ThreatInsight can limit or block authentication requests from suspicious IP addresses based on the threat level detected. For example, if a specific IP address is suspected of malicious activity but the threat level is considered low, authentication requests from the IP address aren't denied access but might be subjected to a rate limit. The rate limit helps ensure that requests from a suspicious IP address don't overload authentication services and affect legitimate traffic. With the option to limit access requests from suspicious IP addresses, ThreatInsight can reduce the risk of malicious activity without blocking access for legitimate users. However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked.

4. Select the desired action for your org.
5. Add any trusted network zones that you want to exclude from threat detection.
6. Click Save.

   It may take a few minutes for any changes to these settings to take effect.