Okta ThreatInsight

Okta ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.

For additional information, see Okta ThreatInsight Advisory.

Overview


Threat detection takes place before authentication is evaluated. A request that Okta ThreatInsight blocks is therefore never counted as a failed sign-in for the targeted account, which stops an attacker from locking users out by hammering their accounts from suspicious IP addresses.

Note: The Okta Model for threat detection is based on a continuous evaluation of the latest data available. If Okta incorrectly identifies any trusted IP addresses as suspicious, you may exempt them from Okta ThreatInsight as needed. Refer to Exempt Zones for more details.


To access this feature, navigate to Security > General from the admin console.

HealthInsight: Why is this task recommended?


This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Configure Okta ThreatInsight to detect suspicious IP addresses from credential-based attacks.

Security impact: Critical

End-user impact: Low

Okta recommends: Enable Okta ThreatInsight to both log and block authentication attempts from suspicious IP addresses.

See HealthInsight Reporting for more details.

End-User experience


When Okta ThreatInsight actions are enabled, end users may sign in to their org as usual. If a sign-in attempt from a malicious IP address is detected and authentication requests are set to be blocked, the end user receives an HTTP 403 error.

Before you begin


  • Create an IP Network zone that contains trusted IP addresses for your org so it may be exempted from Okta ThreatInsight.
  • Trusted IP addresses include IPs such as office gateway IPs or Okta agents. Refer to Exempt Zones for more details.

Procedure


To configure and enable Okta ThreatInsight:

  1. Sign in to the admin console and click Security > General.
  2. Navigate to Okta ThreatInsight Settings.
  3. Click Edit. A list of actions is displayed:
    • No Action

    • Log authentication attempts from malicious IPs

    • Log and block authentication attempts from malicious IPs

  4. Select the desired action for your org and click Save to continue with your changes.

    Note: It may take a few minutes for any changes to these settings to take effect.


Action name: No Action
Description: Okta ThreatInsight actions are not enabled. Okta still collects Okta ThreatInsight data for aggregation purposes when this option is selected.

Action name: Log authentication attempts from malicious IPs
Description: Sign-in attempts from malicious IP addresses are recorded in the System Log. Network zones can be exempted.

Action name: Log and block authentication attempts from malicious IPs
Description: Sign-in attempts from malicious IP addresses are recorded in the System Log and blocked with an HTTP 403 error. Network zones can be exempted.

Exempt an IP zone from Okta ThreatInsight

Enter an existing IP zone to exempt it from Okta ThreatInsight. If you need to create a new IP zone, refer to Networks and navigate to Adding and Configuring IP Zones.

To exempt a zone:

  1. Select one of the following Okta ThreatInsight options:
    • Log authentication attempts from malicious IPs
    • Log and block authentication attempts from malicious IPs
  2. Enter the names of the IP zones you'd like to exempt from Okta ThreatInsight.
  3. Click Save.
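The two procedures above (choosing an action, then exempting a zone) can also be driven from Okta's ThreatInsight configuration API, which carries the same three choices as the admin console. The following is an added example, not code from this page or from Okta: it builds the configuration payload and runs the pre-flight check a practitioner wants before switching to block mode, namely that every office gateway and agent address is actually covered by an exempt zone, and that no exempt zone is so wide that it blinds the feature. The endpoint name `/api/v1/threats/configuration` and the field names `action` (`none`, `audit`, `block`) and `excludeZones` are taken from Okta's API reference as I recall it and should be verified against your org; the zone id `nzo_example`, the zone contents and the trusted addresses are constructed.

```python
import ipaddress
import json

# Values of the "action" field (GET/POST /api/v1/threats/configuration),
# mapped to the admin console options. Assumed from the API reference; verify.
ACTIONS = {
    "none": "No Action",
    "audit": "Log authentication attempts from malicious IPs",
    "block": "Log and block authentication attempts from malicious IPs",
}

# Constructed IP Network Zone in the shape the Zones API returns (type IP,
# gateways as CIDR or RANGE entries). The id is made up.
EXAMPLE_ZONE = {
    "id": "nzo_example",
    "name": "Trusted office and agents",
    "type": "IP",
    "gateways": [
        {"type": "CIDR", "value": "203.0.113.0/24"},
        {"type": "CIDR", "value": "198.51.100.10/32"},
    ],
}

# Constructed list of addresses that must never be blocked: office egress
# and the hosts running Okta agents. 192.0.2.44 is deliberately not in the zone.
MUST_BE_EXEMPT = ["203.0.113.7", "198.51.100.10", "192.0.2.44"]


def zone_networks(zone):
    """Parse a zone's gateway entries into ip_network objects."""
    nets = []
    for gw in zone.get("gateways", []):
        value = gw["value"]
        if gw.get("type") == "RANGE":  # "start-end" form
            start, end = value.split("-")
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
        else:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def uncovered_addresses(zone, addresses):
    """Return the trusted addresses that this zone does NOT cover."""
    nets = zone_networks(zone)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def overbroad_prefixes(zone, max_prefixlen_v4=16):
    """Flag IPv4 gateways wider than a /16 (our own threshold): exempting
    something like 0.0.0.0/0 would exempt the attackers too."""
    return [str(n) for n in zone_networks(zone)
            if n.version == 4 and n.prefixlen < max_prefixlen_v4]


def validate(action, exempt_zones, trusted_addresses):
    """Return a list of problems; empty means the configuration is safe to apply."""
    problems = []
    if action not in ACTIONS:
        return [f"action must be one of {sorted(ACTIONS)}"]
    for zone in exempt_zones:
        for p in overbroad_prefixes(zone):
            problems.append(f"zone {zone['name']}: {p} is too broad to exempt")
    missing = list(trusted_addresses)
    for zone in exempt_zones:
        missing = uncovered_addresses(zone, missing)
    # Audit mode only logs, so a gap is tolerable; block mode would lock out
    # whatever the gap covers.
    if action == "block" and missing:
        problems.append(f"not covered by any exempt zone: {missing}")
    return problems


def build_threatinsight_config(action, exempt_zones, trusted_addresses):
    """Assemble the POST body for /api/v1/threats/configuration (assumed shape)."""
    problems = validate(action, exempt_zones, trusted_addresses)
    if problems:
        raise ValueError("; ".join(problems))
    return {"action": action, "excludeZones": [z["id"] for z in exempt_zones]}


if __name__ == "__main__":
    print(json.dumps(build_threatinsight_config("audit", [EXAMPLE_ZONE], MUST_BE_EXEMPT)))
    print("block mode problems:", validate("block", [EXAMPLE_ZONE], MUST_BE_EXEMPT))
```

The payload is sent as a POST with an `Authorization: SSWS <api token>` header; the point of the example is that the move from audit to block should be gated on the exemption check, since Okta ThreatInsight evaluates the request before it knows which user is signing in and cannot tell your own agents from an attacker by anything other than the exempt zone.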

System Log events


If Okta ThreatInsight actions are enabled, requests from malicious IP addresses will appear in the admin System Log, which can be accessed from the Admin Console menu or directly from the link provided in Okta ThreatInsight Settings.

Enter the following query to find this type of event in the System Log: eventType eq "security.threat.detected"

The security.threat.detected event only appears if the request is deemed a high threat.

Note: Okta ThreatInsight evaluates sign-in activity before the user can be identified, so security.threat.detected events do not include a username.

  • If outcome.result is DENY, the request was terminated. The username cannot be identified.

  • If outcome.result is ALLOW, use the following query to search for other events with the same transaction ID: transaction.id eq "<TRANSACTION_ID>"
  • If there are other events in the transaction, the user can also be found in the actor field.

Admins can also audit sign-in requests to identify malicious activity by referring to the system log and choosing to block IP addresses identified as malicious.
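The transaction-ID correlation just described can be automated. The following is an added example, not code from this page or from Okta: it builds the System Log API query (GET /api/v1/logs with the `filter`, `since` and `limit` parameters from Okta's API reference; the request is sent with an `Authorization: SSWS <api token>` header), then runs over a constructed batch of events, picks out the `security.threat.detected` events, and for each ALLOW outcome (audit mode) looks for another event in the same transaction whose actor identifies the targeted account. The events, IP addresses and user names are made up and trimmed to the fields the logic needs; a real System Log record carries many more.

```python
from collections import Counter
from urllib.parse import urlencode

THREAT_EVENT = "security.threat.detected"


def logs_request(org_url, since_iso, extra_filter=None, limit=200):
    """URL for GET /api/v1/logs that fetches threat events since a timestamp."""
    flt = f'eventType eq "{THREAT_EVENT}"'
    if extra_filter:
        flt = f"{flt} and {extra_filter}"
    params = {"since": since_iso, "filter": flt, "limit": limit,
              "sortOrder": "ASCENDING"}
    return f"{org_url.rstrip('/')}/api/v1/logs?{urlencode(params)}"


# Constructed sample batch. tx-A: block mode, request terminated.
# tx-B: audit mode, the attacker went on to try alice's password.
# tx-C: audit mode, no further event was captured in this batch.
SAMPLE_EVENTS = [
    {"eventType": THREAT_EVENT, "transaction": {"id": "tx-A"},
     "outcome": {"result": "DENY", "reason": "Login from suspicious IP"},
     "client": {"ipAddress": "192.0.2.10"}, "actor": {"alternateId": None}},
    {"eventType": THREAT_EVENT, "transaction": {"id": "tx-B"},
     "outcome": {"result": "ALLOW", "reason": "Login from suspicious IP"},
     "client": {"ipAddress": "192.0.2.11"}, "actor": {"alternateId": None}},
    {"eventType": "user.session.start", "transaction": {"id": "tx-B"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "client": {"ipAddress": "192.0.2.11"},
     "actor": {"alternateId": "alice@example.com", "type": "User"}},
    {"eventType": THREAT_EVENT, "transaction": {"id": "tx-C"},
     "outcome": {"result": "ALLOW", "reason": "Login from suspicious IP"},
     "client": {"ipAddress": "192.0.2.10"}, "actor": {"alternateId": None}},
]


def threat_events(events):
    return [e for e in events if e.get("eventType") == THREAT_EVENT]


def events_in_transaction(events, tx_id):
    return [e for e in events if e.get("transaction", {}).get("id") == tx_id]


def resolve_user(events, threat_event):
    """Name the targeted account, or None.

    A DENY means the request was terminated before any user-bearing event,
    so there is nothing to correlate. For ALLOW, any other event in the same
    transaction with an actor alternateId identifies the account."""
    if threat_event["outcome"]["result"] == "DENY":
        return None
    tx_id = threat_event["transaction"]["id"]
    for e in events_in_transaction(events, tx_id):
        if e is threat_event:
            continue
        user = e.get("actor", {}).get("alternateId")
        if user:
            return user
    return None


def summarize(events):
    """One row per threat event: source IP, outcome, transaction, target user."""
    return [{"ip": t["client"]["ipAddress"],
             "outcome": t["outcome"]["result"],
             "transaction": t["transaction"]["id"],
             "user": resolve_user(events, t)}
            for t in threat_events(events)]


def attempts_by_ip(events):
    """How often each suspicious IP showed up, for deciding on a manual block."""
    return Counter(t["client"]["ipAddress"] for t in threat_events(events))


if __name__ == "__main__":
    print(logs_request("https://example.okta.com", "2024-01-01T00:00:00Z"))
    for row in summarize(SAMPLE_EVENTS):
        print(row)
    print(attempts_by_ip(SAMPLE_EVENTS).most_common())
```

In audit mode the correlated user is the account the attacker was trying, which is the list you want to review for password reuse or forced resets before enabling block mode; `attempts_by_ip` gives the counts behind a manual IP block decision.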

Proxy IP usage

ThreatInsight identifies where a request originated from the X-Forwarded-For (XFF) header. See Network Security.

For requests that reach Okta directly rather than through a proxy, Okta identifies the originating client IP from the connection itself.

When requests are proxied to Okta through trusted proxy IP addresses:

  • Okta expects that proxy IP addresses are configured as trusted proxies in any IP Network Zones.
  • ThreatInsight cannot identify the originating client IP and is not effective in detecting threats if the trusted proxies are not configured correctly in IP Network Zones.
Note: If the proxy IP addresses are not trusted by the admin, they should not be configured as trusted proxies in IP Network Zones.
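Why the trusted-proxy configuration matters is easiest to see by running the XFF logic over a few requests. The following is an added example, not Okta's implementation (the page does not describe Okta's exact algorithm): it uses the standard approach of walking the X-Forwarded-For chain from the right and skipping every hop that is a configured trusted proxy, and it only honours the header at all when the connecting peer is itself a trusted proxy. The proxy, client and office addresses are constructed. Scenario 2 shows the failure mode in the text (proxy not configured, so every user appears to come from the proxy and the attacker is invisible), and scenario 4 shows why the note above matters (an untrusted host configured as a proxy can spoof its way into an exempt zone).

```python
import ipaddress


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Originating client IP derived from X-Forwarded-For.

    remote_addr is the TCP peer. If it is not a trusted proxy, the header
    is attacker-controlled input and is ignored. Otherwise walk the chain
    from the right and return the first hop that is not a trusted proxy."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in trusted)

    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every hop is a trusted proxy; nothing better than the leftmost one.
    return hops[0] if hops else remote_addr


def threatinsight_decision(ip, malicious_ips, exempt_zones):
    """Toy version of the block-mode decision: exempt zones win, then the
    malicious list. Only the ordering is the point; Okta's list is private."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(z) for z in exempt_zones):
        return "allow (exempt zone)"
    return "block" if ip in malicious_ips else "allow"


# Constructed addresses: a corporate reverse proxy, an attacker, an office IP.
PROXY = "198.51.100.5"
ATTACKER = "192.0.2.10"
OFFICE = "203.0.113.7"
MALICIOUS = {ATTACKER}
EXEMPT = ["203.0.113.0/24"]


def scenarios():
    """Client IP and block-mode decision under four proxy configurations."""
    out = {}
    # 1. Proxy correctly configured as trusted: attacker's real IP is seen.
    ip = client_ip(PROXY, ATTACKER, [PROXY])
    out["proxy_trusted"] = (ip, threatinsight_decision(ip, MALICIOUS, EXEMPT))
    # 2. Same traffic, proxy NOT configured: everyone looks like the proxy.
    ip = client_ip(PROXY, ATTACKER, [])
    out["proxy_not_configured"] = (ip, threatinsight_decision(ip, MALICIOUS, EXEMPT))
    # 3. Attacker connects directly and forges an XFF naming the office IP.
    ip = client_ip(ATTACKER, OFFICE, [PROXY])
    out["spoof_rejected"] = (ip, threatinsight_decision(ip, MALICIOUS, EXEMPT))
    # 4. Admin wrongly trusts the attacker's range as a proxy: spoof succeeds.
    ip = client_ip(ATTACKER, OFFICE, [PROXY, "192.0.2.0/24"])
    out["spoof_via_untrusted_proxy"] = (ip, threatinsight_decision(ip, MALICIOUS, EXEMPT))
    return out


if __name__ == "__main__":
    for name, (ip, decision) in scenarios().items():
        print(f"{name:28s} client={ip:15s} {decision}")
```

Scenario 2 is the quiet failure: nothing errors, but the only IP ThreatInsight ever evaluates is your proxy, so either it never matches (attackers hidden) or, if the proxy itself gets flagged, the whole org is blocked at once. Scenario 4 is why only addresses you actually control belong in the trusted-proxy list.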

HealthInsight Reporting


If Okta ThreatInsight is enabled, HealthInsight reports the number of events detected and links to the System Log so that admins can query the events further.

When Okta ThreatInsight is configured with audit mode and suspicious sign-ins are detected, the HealthInsight recommendation displays the number of sign-in attempts from suspicious IPs in the last 7 days.

When Okta ThreatInsight is configured with block mode and suspicious sign-ins are detected, the HealthInsight recommendation displays the number of blocked sign-in attempts from suspicious IPs in the last 7 days.

Note: The number of suspicious sign-ins detected can be underestimated. Okta ThreatInsight may limit the events reported if the frequency of suspicious sign-ins is too high.


Okta ThreatInsight Advisory

Okta ThreatInsight is just one tool in the security toolbox. It cannot guarantee 100% malicious IP address detection or 100% threat detection. Okta ThreatInsight covers and blocks certain malicious traffic to the following endpoints – api/v1/authn, app/office365/{key}/sso/wsfed/active, and wsfed/passive. Please note, per our Master Subscription Agreement, endpoints are considered Free Trial Services.
