Add an entity risk policy rule

An Okta org contains one entity risk policy with one default catch-all rule. You can add rules to monitor different scenarios, detect unusual activities, and respond to them.

The default catch-all rule monitors entity risk and records events to the System Log. When you add more rules, you can arrange them in priority order over the catch-all rule.

For example, you can add one rule that monitors your org for medium-risk activity and runs a delegated workflow in response. You can add a second rule that monitors your org for high-risk activity and signs users out of apps, or Okta, or both.

Before you begin

If you want to launch a delegated flow when Okta detects policy violations, create a delegated flow before you add the entity risk policy.

Add a rule to an entity risk policy

  1. In the Admin Dashboard, go to Security > Entity Risk Policy.
  2. Click Add Rule.
  3. Enter a Rule Name.
  4. Configure IF conditions. These conditions specify when the rule is applied.
    IF User's group membership includes

    Select an option to specify the user groups to include in or exclude from the rule:

    • Any group: The user can be a member of any group in your org.
    • At least one of the following groups: Specify which groups to include in or exclude from the rule. In Enter groups to include or Enter groups to exclude, start entering text that matches the name of the group you want. Okta presents results that match what you entered. Click a group name to select it. Repeat this step to add more groups.

    AND Detection

    Select an option to specify the activity you want Okta to detect or exclude. You can include detections in a rule, or exclude them, but you can’t use both conditions in the same rule. See Detection settings for entity risk policy.

    • Any detection: Select this option to watch for any kind of activity.
    • Include at least one of the following detections: Start entering text that matches the name of the activity you want to detect. Okta presents results that match what you entered. Click a name to select it. Repeat this step to add more detections.
    • Exclude at least one of the following detections: Start entering text that matches the name of the activity you want to exclude. Okta presents results that match what you entered. Click a name to select it. Repeat this step to exclude more detections.

    AND Entity risk level

    You can only use specific entity risk levels with a detection type. See Detection settings for entity risk policy for a table that shows which risk levels you can use with each detection type, then return to Okta and select the risk level for the detection type you want to use.

    Select a risk level:

    • Any: Detect events with any risk level.
    • Low: Detect events with a low risk level.
    • Medium: Detect events with a medium risk level.
    • High: Detect events with a high risk level.

    See Detection settings for entity risk policy.

  5. Configure THEN conditions. These conditions specify how Okta responds when the conditions you configure are detected.

    THEN Take this action

    Select one of these actions:
    • No further action: Don’t take any further action if the rule conditions are detected in your org. These events are logged even if you select this option.
    • Logout and revoke tokens:
      • Users are logged out of Okta and x apps: Click to see the apps that users are logged out of.
      • Universal Logout and partial Universal Logout: Some apps support Universal Logout and others support partial Universal Logout. Okta changes the entity risk level to Low when the entity risk policy or the Clear user sessions action triggers Universal Logout and terminates the Okta Identity Provider session. See Configure Universal Logout for third-party apps.
    • Run a Workflow: The Workflow triggered by action dropdown appears when you select this option.

    AND Workflow triggered by action

    This dropdown appears when you select Run a Workflow.

    Click the dropdown or type the name of a delegated workflow, and then click to select it. You can only select from existing delegated flows. If you need to create a flow to meet a new policy rule, see Create delegated flows for policy actions.

    You can only assign one delegated flow to each policy rule, so you may need separate rules for each different risk level.

  6. Click Save.
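The way the IF conditions in step 4 combine (group membership AND detection AND risk level), the include-or-exclude restriction on detections, and the priority-ordered fallback to the catch-all rule can be modelled in a few lines. The following is an added illustrative model written for this page, not Okta's own code or API; the rule names, group names, detection name and delegated flow name are constructed examples.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative model of entity risk policy rule evaluation (not Okta's code).

@dataclass
class Rule:
    name: str
    groups_include: set = field(default_factory=set)      # empty = "Any group"
    groups_exclude: set = field(default_factory=set)
    detections_include: set = field(default_factory=set)  # empty = "Any detection"
    detections_exclude: set = field(default_factory=set)
    risk_level: str = "Any"                               # Any, Low, Medium, High
    action: str = "No further action"                     # or Logout and revoke tokens / Run a Workflow
    workflow: Optional[str] = None                        # one delegated flow per rule

    def validate(self) -> None:
        # A rule can include detections or exclude them, never both.
        if self.detections_include and self.detections_exclude:
            raise ValueError(f"{self.name}: cannot both include and exclude detections")
        # Run a Workflow needs exactly one existing delegated flow.
        if self.action == "Run a Workflow" and not self.workflow:
            raise ValueError(f"{self.name}: Run a Workflow requires a delegated flow")

    def matches(self, user_groups: set, detection: str, risk_level: str) -> bool:
        # All IF conditions are ANDed together.
        if self.groups_include and not (user_groups & self.groups_include):
            return False
        if user_groups & self.groups_exclude:
            return False
        if self.detections_include and detection not in self.detections_include:
            return False
        if detection in self.detections_exclude:
            return False
        return self.risk_level in ("Any", risk_level)

# The default catch-all rule: matches everything, only records the event.
CATCH_ALL = Rule(name="Catch-all")

# Constructed rules mirroring the example in the introduction: medium risk runs a
# delegated flow, high risk signs the user out. Order = priority.
RULES = [
    Rule("medium-risk-workflow", risk_level="Medium",
         action="Run a Workflow", workflow="notify-soc-flow"),
    Rule("high-risk-logout", risk_level="High", action="Logout and revoke tokens"),
]

def evaluate(rules, user_groups, detection, risk_level) -> Rule:
    """Return the first matching rule in priority order, else the catch-all."""
    for rule in rules:
        rule.validate()
        if rule.matches(user_groups, detection, risk_level):
            return rule
    return CATCH_ALL
```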

Related topics

Entity risk policy

Entity risk detections widget

Entity risk report