Detections

Early Access release

Detections are the security risks that Okta can watch for as part of protecting your org. Some are reports of suspicious activity submitted by admins, users, or security events providers; others are generated by Okta itself when it detects suspicious patterns while monitoring your org.

You can select a detection when you configure an entity risk policy rule. If Okta finds the detection you selected, you can remediate it by following the actions in the Recommended action column in the table. These are actions that Okta recommends for each situation. Ensure that these actions are appropriate for your org before implementing them.

You can also select a risk level. You can only select a risk level that's usable by the detection you selected. Refer to the table to find your detection, and then select the usable risk level for it when you configure your entity risk policy rule.

See Add an entity risk policy rule.

Each detection is listed with its description, the risk levels you can select for it, and the recommended action.

Name: User reported suspicious activity
Description: The user reported an incident by responding to an Okta-generated security notification email, or by clicking Report on the Recent Activity page of the Okta End-User Dashboard.
Usable risk levels: High
Recommended action: Universal Logout. See Configure Universal Logout for third-party apps.

Name: Session influenced User Risk
Description: The entity risk level was changed because of a change in session context. This detection only occurs when the session risk level is High.
Usable risk levels: Medium
Recommended action:
  • No response
  • Run a delegated Workflow

Name: Suspected Brute Force Attack
Description: Okta detected signs of a potential brute-force attack.
Usable risk levels: Medium
Recommended action: Run a delegated Workflow that notifies the Security Operations Center (SOC) team to start an investigation

Name: Okta Threat Intelligence
Description: Okta Threat Intelligence detected potentially suspicious behavior.
Usable risk levels: High

Name: Admin Reported User Risk
Description: The Admin changed the entity risk level to High.
Usable risk levels: Low, High
Recommended action: Universal Logout. See Configure Universal Logout for third-party apps.

Name: Entity Critical Action From High Threat IP
Description: Okta detected suspicious behavior from a high-threat IP address.
Usable risk levels: High
Recommended action: Universal Logout. See Configure Universal Logout for third-party apps.

Name: Security Events Provider Reported Risk
Description: A security events provider reported a risk-level event.
Usable risk levels: Low, Medium, High
Recommended action:
  • No response
  • Run a delegated Workflow

Name: Suspicious App Access
Description: Okta detected suspicious attempts to access an app.
Usable risk levels: Medium
Recommended action:
  • No response
  • Run a delegated Workflow that notifies the SOC team to start an investigation

Types of detections

With Identity Threat Protection, the data-driven Okta risk engine calculates three types of risk and assigns a level of low, medium, or high.

Login risk

Before a user can sign in to your org, Okta evaluates the sign-in attempt against the rules in your org's global session policy to identify login risk. The evaluation determines if the user's behavior or device information has changed since they last signed in, and it determines if the request comes from a malicious IP address. Then Okta calculates the login risk level. Each time Okta calculates login risk, user.session.start and policy.evaluate_sign_on events appear in the System Log.

Session risk

Your org’s authentication policies and risk indicators are continuously evaluated throughout a user’s session to calculate a session risk level. This level determines if the user’s session is possibly compromised. A session risk level of medium or high might indicate a brute-force attack or suspicious app access. A session risk level is also calculated when one of your security events providers reports a risk. Each time Okta calculates a session risk level, a user.session.context.change event appears in PeopleRisk and in the System Log.

Entity risk

Your entity risk policy continuously evaluates signals from all of your org’s threat surfaces, including your Shared Signals Framework integrations, and calculates an entity risk level. This level represents the probability of identity compromise for a user. An entity risk level is also calculated when one of your security events providers reports a user-related risk. Each time Okta calculates an entity risk level, a user.risk.change event appears in PeopleRisk and in the System Log.
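The following is an added example, not Okta's own code or API: it encodes the detection table above as a lookup so that a rule selection can be checked against the usable risk levels, and it maps the System Log event types named in this section to the login, session, and entity risk calculations they signal. The System Log records are constructed for the example and carry only the eventType and actor.alternateId fields; a real export has many more.

```python
"""Added example (not Okta code): validate entity risk policy rule selections
against this page's detection table and tally risk calculations per user."""
import json
from collections import Counter, defaultdict

# Usable risk levels per detection, copied from the table on this page.
USABLE_RISK_LEVELS = {
    "User reported suspicious activity": {"High"},
    "Session influenced User Risk": {"Medium"},
    "Suspected Brute Force Attack": {"Medium"},
    "Okta Threat Intelligence": {"High"},
    "Admin Reported User Risk": {"Low", "High"},
    "Entity Critical Action From High Threat IP": {"High"},
    "Security Events Provider Reported Risk": {"Low", "Medium", "High"},
    "Suspicious App Access": {"Medium"},
}

# System Log event types named on this page and the risk type they signal.
RISK_EVENT_TYPES = {
    "user.session.start": "login",
    "policy.evaluate_sign_on": "login",
    "user.session.context.change": "session",
    "user.risk.change": "entity",
}


def validate_rule(detection, risk_level):
    """True only if risk_level is usable by the selected detection."""
    return risk_level in USABLE_RISK_LEVELS.get(detection, set())


def tally_risk_events(ndjson_lines):
    """Count login/session/entity risk calculations per user (actor.alternateId)
    from newline-delimited System Log JSON; unrelated event types are skipped."""
    tally = defaultdict(Counter)
    for line in ndjson_lines:
        event = json.loads(line)
        risk_type = RISK_EVENT_TYPES.get(event.get("eventType"))
        if risk_type is None:
            continue
        user = event.get("actor", {}).get("alternateId", "<unknown>")
        tally[user][risk_type] += 1
    return {user: dict(counts) for user, counts in tally.items()}


# Constructed sample records (minimal shape, not a real System Log export).
SAMPLE_LOG = [
    '{"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"}}',
    '{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"alice@example.com"}}',
    '{"eventType":"user.session.context.change","actor":{"alternateId":"alice@example.com"}}',
    '{"eventType":"user.risk.change","actor":{"alternateId":"alice@example.com"}}',
    '{"eventType":"user.authentication.sso","actor":{"alternateId":"bob@example.com"}}',
]
```

Running tally_risk_events(SAMPLE_LOG) shows alice with two login, one session, and one entity risk calculation, while bob's unrelated SSO event is ignored.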

Related topics

Enforce Continuous Access

Continuous Access violation report

System Log events for Identity Threat Protection with Okta AI