Session protection with Identity Threat Protection

During an Okta session, after the initial authentication, Identity Threat Protection with Okta AI (ITP) continuously monitors the user activity for changes in IP address and device context. By default, ITP uses signals from Okta Verify. ITP also uses signals from any endpoint security solutions that you've integrated with Okta Verify and signals from security event providers that you've configured using Shared Signals Framework (SSF).

When an IP or device context change is detected, ITP reevaluates the global session policy for the Okta session. It also reevaluates authentication policies (including device context conditions) for all active app sessions that are associated with the Okta session.

Using the session protection policy, you can configure automated remediation actions that ITP takes if there's a session protection violation.

Monitor session protection violations

By default, all session protection violations are recorded in the System Log as policy.auth_reevaluate.fail events to help you understand the security posture of your environment. You can view policy fail events and analyze historical data with these methods:

• On the Admin Dashboard, the Session protection violations widget provides a quick overview of policy failure events in a given timeframe.
• Session protection violations report provides detailed interactive insights. You can export this data for further analysis.
• In the View System Log events for Identity Threat Protection you can focus on details of a particular event.

Enforce session protection policy

You can configure the session protection policy to take automated actions in response to session protection violations. For example, you can prompt users for multifactor authentication, terminate app sessions with Universal Logout, or trigger custom actions with Okta Workflows. See Enforce session protection policy.