Bot protection reporting
Early Access release. See Enable self-service features.
Use the System Log to review bot protection events in your org. If you determine that a valid user was prompted with Okta Challenge, you can add their network zone to the Default Exempt IP Zone.
Review System Log events
Bot protection runs during your sign-in, sign-up, and self-service password recovery flows. Whenever a user or agent submits credentials for authentication and clicks Next, Sign up, or Change password, the event is recorded in System Log.
- In the Admin Console, go to .
- Expand one of the following event types:
  - User login to Okta: user.session.start
  - Create Okta user: user.lifecycle.create
  - User's Okta password is reset: user.account.reset_password
- In the Event section, expand the SecurityContext > BotProtection section. Level indicates the detected bot likeliness score (NONE, LOW, MEDIUM, HIGH).
- Locate the Target section that's labeled Bot Protection Configuration, and expand the DetailEntry section. This section isn't visible if the detection falls outside of your Bot Likeliness threshold.
  - EnforcementType: The remediation action that's configured for bot protection. If your ModeType is set to LOG_ONLY, the detection is logged without enforcement.
  - Level: Your Bot Likeliness threshold (ANY, LOW, MEDIUM, HIGH).
  - ModeType: The status of your bot protection configuration. ENFORCED indicates that bot protection is live and remediation actions are enforced. LOG_ONLY means that bot detections are logged, but no remediation actions are enforced.
Query the System Log
If you know which event you want to see, you can query the System Log by event type:
- target.type eq "bot_protection_configuration" and eventType eq "user.session.start"
- target.type eq "bot_protection_configuration" and eventType eq "user.lifecycle.create"
- target.type eq "bot_protection_configuration" and eventType eq "user.account.reset_password"
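One way to triage the results of these queries before exempting an address, as an added example that is not Okta's code. It assumes events exported as JSON whose keys follow the section names shown above (the `securityContext.botProtection.level` path and the `detailEntry` keys `Level`, `ModeType` and `EnforcementType` are assumptions about the export format); the sample events, IPs and the `PLACEHOLDER_ACTION` value are constructed.

```python
from collections import defaultdict

# Event types and target type come from this page; JSON key names are assumptions.
EVENT_TYPES = ("user.session.start", "user.lifecycle.create", "user.account.reset_password")
TARGET_TYPE = "bot_protection_configuration"

def build_filter(event_type):
    """Return the System Log filter expression for one event type."""
    return f'target.type eq "{TARGET_TYPE}" and eventType eq "{event_type}"'

def bot_detections(events):
    """Yield a flat record for each event that has a bot protection target."""
    for ev in events:
        if ev.get("eventType") not in EVENT_TYPES:
            continue
        sec = ev.get("securityContext") or {}
        for tgt in ev.get("target") or []:
            if tgt.get("type") != TARGET_TYPE:
                continue  # target is absent when detection is outside the threshold
            detail = tgt.get("detailEntry") or {}
            yield {
                "ip": (ev.get("client") or {}).get("ipAddress"),
                "detected": (sec.get("botProtection") or {}).get("level"),  # assumed key
                "threshold": detail.get("Level"),
                "mode": detail.get("ModeType"),
                "enforcement": detail.get("EnforcementType"),
            }

def summarize_by_ip(events):
    """Count detections per client IP, split by ModeType (ENFORCED or LOG_ONLY)."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in bot_detections(events):
        summary[rec["ip"]][rec["mode"]] += 1
    return {ip: dict(modes) for ip, modes in summary.items()}

# Constructed sample events (not real log data); mode=None omits the bot target.
def _sample(event_type, ip, detected, mode=None):
    target = [{"type": "User"}]
    if mode:
        target.append({"type": TARGET_TYPE, "detailEntry": {
            "Level": "MEDIUM", "ModeType": mode, "EnforcementType": "PLACEHOLDER_ACTION"}})
    return {"eventType": event_type, "client": {"ipAddress": ip},
            "securityContext": {"botProtection": {"level": detected}}, "target": target}
SAMPLE = [
    _sample("user.session.start", "203.0.113.10", "HIGH", "ENFORCED"),
    _sample("user.session.start", "203.0.113.10", "MEDIUM", "ENFORCED"),
    _sample("user.account.reset_password", "198.51.100.7", "HIGH", "LOG_ONLY"),
    _sample("user.session.start", "192.0.2.5", "NONE"),
]
```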
Add IPs to the Default Exempt IP Zone
Gateway IPs that you add to DefaultExemptIpZone always have access to Okta resources, offering a bypass to IP and ASN session binding based on the client IP.
- In the Admin Console, go to .
- Find the event and IP address in the System Log.
- Hover over the IP to display the ... menu, and then select Add to zone.
- In the Add IP to zone dialog, select the following:
  - Add to zone: Select the network zone to which to add the IP address. If you want to always allow traffic from this IP, select DefaultExemptIpZone. To always block traffic from this IP, select BlockedIpZone instead.
  - IP type: Select from Proxy or Gateway. If you selected DefaultExemptIpZone, you can only add gateway IPs.
- Click Save.
When you edit a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.
