Add an entity risk policy rule

Early Access release

An Okta org contains one entity risk policy with one default catch-all rule. You can add rules to monitor different scenarios, detect unusual activities, and respond to them.

The default catch-all rule monitors entity risk and records events to the System Log. When you add more rules, you can arrange them in priority order over the catch-all rule.

For example, you can add one rule that monitors your org for medium-risk activity and runs a Workflow in response. You can add a second rule that monitors your org for high-risk activity and signs users out of apps, or Okta, or both.

Before you begin

If you want to launch a Workflow when Okta detects policy violations, create a delegated Workflow before you enforce the entity risk policy. Only delegated Workflows are supported. See Workflows for Identity Threat Protection with Okta AI.

Add a rule to an entity risk policy

  1. In the Admin Dashboard, go to Security > Entity Risk Policy.
  2. Click Add Rule.
  3. Enter a Rule Name.
  4. Configure IF conditions. These conditions specify when the rule is applied.
    IF User's group membership includes

    Select an option to specify the user groups to include in or exclude from the rule:

    • Any group: The user can be a member of any group in your org.
    • At least one of the following groups: Specify which groups to include in or exclude from the rule. In Enter groups to include or Enter groups to exclude, start entering text that matches the name of the group you want. Okta presents results that match what you entered. Click a group name to select it. Repeat this step to add more groups.

    AND Detection

    Select an option to specify the activity you want Okta to detect or exclude. You can include detections in a rule, or exclude them, but you can’t use both conditions in the same rule. See Detections.

    • Any detection: Select this option to watch for any kind of activity.
    • Include at least one of the following detections: Start entering text that matches the name of the activity you want to detect. Okta presents results that match what you entered. Click a name to select it. Repeat this step to add more detections.
    • Exclude at least one of the following detections: Start entering text that matches the name of the activity you want to exclude. Okta presents results that match what you entered. Click a name to select it. Repeat this step to exclude more detections.

    AND Entity risk level

    You can only use specific entity risk levels with a detection type. See Detections for a table that shows which risk levels you can use with each detection type, then return to Okta and select the risk level for the detection type you want to use.

    Select a risk level:

    • Any: Detect events with any risk level.
    • Low: Detect events with a low risk level.
    • Medium: Detect events with a medium risk level.
    • High: Detect events with a high risk level.

    See Detections.

  5. Configure THEN conditions. These conditions specify how Okta responds when the conditions you configure are detected.

    THEN Take this action

    Select one of these actions:
    • No further action: Don’t take any further action if the rule conditions are detected in your org. These events are logged even if you select this option.
    • Logout:
      • Users are logged out of Okta and x apps: Click to see the apps that users are logged out of.
      • Universal Logout and Partial logout: Some apps support Universal Logout and others support partial logout. See Configure Universal Logout for third-party apps.
    • Run a Workflow: The Workflow triggered by action dropdown appears when you select this option.

    AND Workflow triggered by action

    This dropdown appears when you select Run a Workflow.

    Click this dropdown to select an existing delegated Workflow. Start entering text that matches the name of the Workflow you want. Click the Workflow name to select it. You can only select one Workflow.

  6. Click Save.
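
The following added example is not Okta code and does not use an Okta API: it models the IF and THEN fields from the procedure above in Python, checks the constraints the form describes, and reports which rule applies to an event. All field names, the detection name and the Workflow name are constructed, and top-down first-match evaluation is an assumption based on the priority ordering described above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical field names, one per form field in the procedure
    name: str
    groups: frozenset = frozenset()          # groups to include; empty = "Any group"
    exclude_groups: frozenset = frozenset()  # groups to exclude
    include: frozenset = frozenset()         # detections to include
    exclude: frozenset = frozenset()         # detections to exclude
    risk: str = "ANY"                        # ANY, LOW, MEDIUM or HIGH
    action: str = "NONE"                     # NONE, LOGOUT or WORKFLOW
    workflow: Optional[str] = None           # at most one delegated Workflow

def lint(rule):
    """Return the constraints from the procedure that this rule breaks."""
    problems = []
    if rule.include and rule.exclude:
        problems.append("detections are both included and excluded")
    if rule.risk not in ("ANY", "LOW", "MEDIUM", "HIGH"):
        problems.append("unknown risk level")
    if rule.action == "WORKFLOW" and not rule.workflow:
        problems.append("Run a Workflow needs one delegated Workflow")
    if rule.action != "WORKFLOW" and rule.workflow:
        problems.append("Workflow set but action is not Run a Workflow")
    return problems

def matches(rule, groups, detection, risk):
    """True when every IF condition of the rule holds for the event."""
    if rule.groups and not rule.groups & groups:
        return False
    if rule.exclude_groups & groups:
        return False
    if rule.include and detection not in rule.include:
        return False
    if detection in rule.exclude:
        return False
    return rule.risk in ("ANY", risk)

CATCH_ALL = Rule("Catch-all")  # default rule: logs only, always last

def first_match(rules, groups, detection, risk):
    """Assumption: rules are tried in priority order and the first match decides."""
    return next((r for r in rules if matches(r, groups, detection, risk)), CATCH_ALL)

# Constructed rule set mirroring the medium-risk and high-risk example on this page.
RULES = [
    Rule("High risk logout", risk="HIGH", action="LOGOUT"),
    Rule("Medium risk workflow", risk="MEDIUM", action="WORKFLOW", workflow="notify-soc"),
]
```

Under this assumption, a rule with risk level Any placed above the others matches first, so the more specific rules below it never apply.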

Related topics

Entity risk policy

Entity risk detections widget

Entity risk report