Risk detections
Learn what risk detections mean and how to automate your response to them with the entity risk policy.
Surfacing risks in your org reduces exposure: suspected attackers are quickly blocked from accessing apps, and notifications allow for review and remediation. Then, automate the response to ensure faster initialization of mitigation steps and reduce users' dependence on your help desk.
How to use these resources
Risk detections are the types of tactics, techniques, and procedures used for attacking identities. ITP surfaces risk detections within user.risk.detect events in the System Log, so your security teams have better visibility into malicious patterns and trends. This helps them determine when more security measures are required.
Each resource contains sections for the detection context, risk level, policy configuration, and remediation strategy. Review the context to understand the conditions that lead to each detection. High-risk detections indicate an elevated likelihood of suspicious user activity. Use the policy configuration section to automate the response, and then follow the steps for remediation.
Detections
| Detection | Risk level | Summary |
|---|---|---|
| Breached credential detected | High | A username and password combination used to sign in to your Okta org has appeared in a third-party list of publicly available data breaches. |
| Entity critical action from high threat IP | High | A user performs a sensitive, critical action from an IP address that Okta ThreatInsight has flagged as being a high threat. |
| Okta Threat Intelligence | High | Okta identifies activity from infrastructure used by threat actors. |
| Suspicious login from an IP flagged by FastPass | High | A successful sign-in event has originated from an IP address that Okta FastPass previously flagged in a phishing attempt. |
| Suspicious login from an IP flagged in a credential based attack | High | An IP address previously involved in a high-volume failed login attack is used to sign in to your org. |
| This wasn't me | High | A user actively reports a security event as fraudulent. |
| Session influenced user risk | Medium | A user's session risk level changes to High. |
| Suspected brute force attack | Medium | Okta observes a high rate of failed password or MFA-based sign-in attempts. |
| Suspicious app access | Medium | Okta detects an attacker's attempts to harvest app (service provider) session cookies. |
| Admin reported user risk | Low, Medium, or High | An admin manually changes a user's risk level to Low, Medium, or High. |
| Security events provider reported risk | Low, Medium, or High | An integrated security partner sends a signal to Okta through the Shared Signals Framework (SSF). |
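The paragraphs above say that ITP surfaces these detections as `user.risk.detect` events in the System Log, and the table assigns each detection a risk level. The following is an added example (not Okta's code and not from this page) of how a security team might triage an exported System Log: it parses newline-delimited JSON, keeps only `user.risk.detect` events, resolves each event's risk level from the table above, and lists the users with at least one High detection. The sample events are constructed for the example, and the assumption that the detection name appears in `displayMessage` and that the level for "Admin reported user risk" and "Security events provider reported risk" is carried in `debugContext.debugData.riskLevel` is an assumption of this example, not a documented field layout.

```python
import json
from collections import defaultdict

RISK_DETECT_EVENT = "user.risk.detect"

# Risk levels taken from the detections table on this page. A value of None
# marks detections whose level ("Low, Medium, or High") is set per event.
DETECTION_RISK = {
    "Breached credential detected": "High",
    "Entity critical action from high threat IP": "High",
    "Okta Threat Intelligence": "High",
    "Suspicious login from an IP flagged by FastPass": "High",
    "Suspicious login from an IP flagged in a credential based attack": "High",
    "This wasn't me": "High",
    "Session influenced user risk": "Medium",
    "Suspected brute force attack": "Medium",
    "Suspicious app access": "Medium",
    "Admin reported user risk": None,
    "Security events provider reported risk": None,
}


def _event(user, detection=None, event_type=RISK_DETECT_EVENT, risk_level=None):
    # Builds a constructed sample event; field placement is an assumption.
    ev = {
        "eventType": event_type,
        "displayMessage": detection or "User login to Okta",
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": "203.0.113.10"},
        "debugContext": {"debugData": {}},
    }
    if risk_level:
        ev["debugContext"]["debugData"]["riskLevel"] = risk_level
    return ev


# Constructed NDJSON export (not real Okta output), with one malformed line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("alice@example.com", "Breached credential detected"),
    _event("alice@example.com", "Suspected brute force attack"),
    _event("bob@example.com", "Admin reported user risk", risk_level="Low"),
    _event("carol@example.com", event_type="user.session.start"),
    _event("dave@example.com", "Security events provider reported risk", risk_level="High"),
    _event("bob@example.com", "Suspicious app access"),
    _event("eve@example.com", "Some future detection name"),
]) + "\nthis line is not json\n"


def parse_ndjson(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort triage of the whole export
    return events


def risk_level(event):
    """Resolve the risk level of a user.risk.detect event from the page's table."""
    name = event.get("displayMessage", "")
    if name not in DETECTION_RISK:
        return "Unknown"  # detection not in the table: surface it, don't drop it
    level = DETECTION_RISK[name]
    if level is None:
        # Admin- and SSF-reported detections carry their level in the event.
        level = event.get("debugContext", {}).get("debugData", {}).get("riskLevel")
    return level or "Unknown"


def summarize(events):
    """Count risk detections per user, keyed by resolved risk level."""
    per_user = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("eventType") != RISK_DETECT_EVENT:
            continue
        user = ev.get("actor", {}).get("alternateId", "<unknown>")
        per_user[user][risk_level(ev)] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def users_to_escalate(summary, level="High"):
    """Users with at least one detection at the given level, for review."""
    return sorted(u for u, counts in summary.items() if counts.get(level, 0) > 0)


if __name__ == "__main__":
    summary = summarize(parse_ndjson(SAMPLE_LOG))
    for user, counts in sorted(summary.items()):
        print(user, counts)
    print("escalate:", users_to_escalate(summary))
```

Unknown detection names are reported as `Unknown` rather than discarded, so a newly added detection type shows up in the review queue until the table is updated; the entity risk policy remains the place to automate the actual response, and this script is only a triage aid over exported events.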
