Add an entity risk policy rule
Add a rule to the entity risk policy to customize your response to entity risk changes.
Your org has one entity risk policy with a default catch-all rule, which monitors entity risk and records user.risk.detect events to the System Log. You can add rules that monitor and respond to different scenarios or unusual activities. For example, add one rule that monitors your org for medium-risk activity and runs a delegated workflow in response. Then, add a second rule that monitors your org for high-risk activity and signs users out of apps, or Okta, or both. Prioritize both of your new rules over the catch-all rule.
Before you begin
You must be a super admin or have a custom role with the Manage policy permission and the Entity risk policy resource set.
If you want to launch a delegated flow when Okta detects a policy violation, create the delegated flow before you add the rule, because the rule can only reference a flow that already exists.
Start this task
- In the Admin Dashboard, go to . Or, go to . In the Configure response section, click Go to entity risk policy.
- Click Add Rule.
- Enter a Rule Name.
- In User's group membership includes, specify the user groups to include in or exclude from the rule.
- Any group
- At least one of the following groups
- In Detection, select an option to specify the activity you want Okta to detect or exclude.
- Any detection
- Include at least one of the following detections
- Exclude at least one of the following detections
- Select an Entity Risk Level.
- Any
- Low
- Medium
- High
- In the Take this action field, specify how Okta responds when the conditions you configured are detected.
- No further action: Don't take any action. These events are logged even if you select this option.
- Logout and revoke tokens > Users are signed out of Okta and x apps: Click to see the apps that users are signed out of.
- Logout and revoke tokens > Universal Logout and Partial Universal Logout: Some apps support Universal Logout and others support partial Universal Logout. Okta changes the entity risk level to Low when the entity risk policy or the Clear user sessions action triggers Universal Logout and terminates the Okta identity provider session. See Configure Universal Logout for supported apps.
- Run a Workflow: The Workflow triggered by action dropdown menu appears when you select this option.
- If you selected Run a Workflow, click the Workflow triggered by action dropdown menu or type the name of a delegated workflow.
- Click Save.
You can only assign one delegated flow to each policy rule, so you may need separate rules for each different risk level.
Update a rule
Use the Entity Risk Policy page to view your rules. You can activate, deactivate, delete, or edit rules and change their order of evaluation.
- In the Admin Dashboard, go to . Or, go to . In the Configure response section, click Go to entity risk policy.
- To activate or deactivate a rule, click Actions for the rule and then select an option. Deactivated rules don't generate rule match entries in the System Log.
- To delete a rule, click Actions, and then select Deactivate. Click Actions again, and then select Delete.
- Reorder the priority by dragging and dropping rules. Okta evaluates the rules in this order, so keep the catch-all rule last; any rule placed below it never matches.
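The following evaluator, added here as an illustration and not Okta's own code or API, shows how the rule conditions above (group membership, detection include/exclude, risk level), the priority order, and the activate/deactivate state combine to decide the response for a given risk event. The `Rule` and `RiskEvent` shapes, the detection names, the group names and the workflow name are all assumed, simplified stand-ins for the admin-console settings and the System Log `user.risk.detect` event; the events are constructed, not real log records. `shadowed_rules` is the check you would run to confirm that no rule sits below the catch-all rule.

```python
"""Priority-ordered evaluator for entity risk policy rules.

Added example for this page, not Okta's code or API. Rule and event
shapes are simplified stand-ins (assumptions) for the admin-console
settings and the System Log user.risk.detect event described above.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "ANY"


@dataclass
class Rule:
    name: str
    priority: int                      # 1 is evaluated first
    action: str                        # "NO_ACTION", "LOGOUT" or "WORKFLOW"
    groups: frozenset = frozenset()    # empty means "Any group"
    detection_mode: str = ANY          # ANY, "INCLUDE" or "EXCLUDE"
    detections: frozenset = frozenset()
    risk_level: str = ANY              # ANY, "LOW", "MEDIUM" or "HIGH"
    workflow: Optional[str] = None     # only one delegated flow per rule
    active: bool = True


@dataclass
class RiskEvent:
    """Constructed stand-in for a user.risk.detect event (not the real schema)."""
    user: str
    groups: frozenset
    detection: str
    risk_level: str


def rule_matches(rule: Rule, event: RiskEvent) -> bool:
    """Apply the three rule conditions in the order the admin console lists them."""
    if not rule.active:                       # deactivated rules never match
        return False
    if rule.groups and not (rule.groups & event.groups):
        return False                          # "At least one of the following groups"
    if rule.detection_mode == "INCLUDE" and event.detection not in rule.detections:
        return False
    if rule.detection_mode == "EXCLUDE" and event.detection in rule.detections:
        return False
    if rule.risk_level != ANY and rule.risk_level != event.risk_level:
        return False
    return True


def evaluate(policy: list, event: RiskEvent) -> tuple:
    """First active rule by priority wins; the event is logged regardless."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule_matches(rule, event):
            return rule.name, rule.action, rule.workflow
    raise ValueError("no rule matched; the policy should end with a catch-all")


def shadowed_rules(policy: list) -> list:
    """Names of rules that can never fire because an active catch-all precedes them."""
    ordered = sorted(policy, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        is_catch_all = (rule.active and not rule.groups
                        and rule.detection_mode == ANY and rule.risk_level == ANY)
        if is_catch_all:
            return [r.name for r in ordered[i + 1:]]
    return []


# Constructed policy mirroring the page's example: medium risk runs a
# delegated flow, high risk signs the user out, the catch-all only logs.
# Detection and workflow names below are made up for the example.
POLICY = [
    Rule("Medium risk - notify", 1, "WORKFLOW", risk_level="MEDIUM",
         workflow="Notify SecOps (assumed flow name)"),
    Rule("High risk - sign out", 2, "LOGOUT", risk_level="HIGH",
         detection_mode="EXCLUDE", detections=frozenset({"known-scanner (assumed)"})),
    Rule("Catch-all", 3, "NO_ACTION"),
]

# Constructed events, not real System Log records.
EVENTS = [
    RiskEvent("alice@example.com", frozenset({"Everyone"}), "new-device (assumed)", "HIGH"),
    RiskEvent("bob@example.com", frozenset({"Everyone"}), "known-scanner (assumed)", "HIGH"),
    RiskEvent("carol@example.com", frozenset({"Everyone"}), "new-device (assumed)", "MEDIUM"),
    RiskEvent("dave@example.com", frozenset({"Everyone"}), "new-device (assumed)", "LOW"),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event.user, event.risk_level, "->", evaluate(POLICY, event))
    # Dragging the catch-all to the top would silence the other two rules:
    mis_ordered = [Rule("Catch-all", 0, "NO_ACTION")] + POLICY[:2]
    print("shadowed:", shadowed_rules(mis_ordered))
```

Two things the run makes visible that the steps alone do not: an "Exclude at least one of the following detections" rule lets a high-risk event for the excluded detection fall through to the catch-all rather than sign the user out, and moving the catch-all above the other rules leaves them active but unreachable, which is why the page tells you to prioritize the new rules over it.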
