Entity critical action from high threat IP

This detection is recorded when a user performs a sensitive, critical action from an IP address that Okta ThreatInsight has flagged as being a high threat. Examples of critical actions include:

  • Enrolling a new MFA authenticator

  • Changing their password

  • Accessing the Admin Console

Detection risk level: High

This detection suggests that an attacker has potentially compromised the account. The attacker may be trying to establish persistence by enrolling their own MFA authenticator, or to escalate privileges by accessing admin settings.

This detection may not be triggered if ThreatInsight is in block mode, because the request may be blocked at the edge before the critical action is performed. In log mode the request is allowed through, so the action is logged and the detection can fire.

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Entity Critical Action From High Threat IP
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

The core objective of this remediation is to immediately stop the attacker's activity and fully secure the compromised account.

  1. Immediate action: If your policy is configured with Universal Logout, it should already have terminated the session. Confirm this in the System Log, and clear the user's sessions manually if it didn't.

  2. Block the threat: Add the malicious IP address to a blocked network zone, or enable ThreatInsight in block mode to stop further attempts from high threat IP addresses.

  3. Investigate: This is a critical alert. Immediately check the System Log for the specific action that triggered the detection, the IP address it came from, and the session it occurred in.

    • For MFA enrollment, check the user's enrolled authenticators. If a new one was successfully added, remove it immediately and reset the user's factors.

    • For password change, check the System Log for activity in the session immediately after the change. If the password change succeeded, reset the password immediately.

    • For Admin Console access, check the System Log for any malicious activity in the Admin Console, such as changes to users, groups, applications, or policies.

  4. Secure the account:

    • Force a password reset.

    • Clear all sessions and reset all MFA factors for the user.

    • If admin access was involved, begin a wider audit of all admin activity from that time onward.
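The investigation and secure-the-account steps above can be turned into a triage script that reads exported System Log events and produces the remediation checklist. The following is an added example, not code from Okta or this page. It runs offline over constructed sample events in the shape of Okta System Log entries; the event type names (user.mfa.factor.activate, user.account.update_password, user.session.access_admin_app) and the field paths (client.ipAddress, actor.alternateId, outcome.result, authenticationContext.externalSessionId) are assumptions about that format and should be checked against your own System Log export before use. The set of flagged IP addresses is taken from the detection itself.

```python
"""Triage helper for an "Entity critical action from high threat IP" alert.

Added example, not Okta's code. Event type names and field paths below are
assumptions about the Okta System Log JSON shape; the sample log is constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Assumed System Log event types for the three critical actions on this page.
CRITICAL_EVENTS = {
    "user.mfa.factor.activate": "mfa_enroll",
    "user.account.update_password": "password_change",
    "user.session.access_admin_app": "admin_console",
}

# Per-action investigation step from the remediation strategy, in fixed order.
ACTION_REMEDIATION = {
    "mfa_enroll": "Remove the newly enrolled authenticator and reset the user's factors.",
    "password_change": "Review the System Log for session activity after the password change.",
    "admin_console": "Audit all Admin Console activity from this time window onward.",
}


@dataclass(frozen=True)
class Finding:
    user: str
    session: str
    ip: str
    action: str
    succeeded: bool
    published: str


def _get(event, path, default=None):
    """Walk a dotted path such as "client.ipAddress" through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _ts(iso):
    """Parse an ISO-8601 timestamp with a trailing Z (System Log style)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def triage(events, flagged_ips, since=None):
    """Return critical actions performed from a flagged IP, oldest first.

    Failed attempts are kept: a blocked step still shows attacker intent,
    but only successful ones drive the per-action remediation steps.
    """
    cutoff = _ts(since) if since else None
    findings = []
    for ev in events:
        action = CRITICAL_EVENTS.get(_get(ev, "eventType"))
        ip = _get(ev, "client.ipAddress")
        if action is None or ip not in flagged_ips:
            continue
        published = _get(ev, "published", "")
        if cutoff and _ts(published) < cutoff:
            continue
        findings.append(Finding(
            user=_get(ev, "actor.alternateId", "?"),
            session=_get(ev, "authenticationContext.externalSessionId", "?"),
            ip=ip,
            action=action,
            succeeded=_get(ev, "outcome.result") == "SUCCESS",
            published=published,
        ))
    return sorted(findings, key=lambda f: f.published)


def remediation_plan(findings):
    """Ordered checklist: stop the session, block the IP, fix what succeeded, secure."""
    if not findings:
        return []
    sessions = ", ".join(sorted({f.session for f in findings}))
    ips = ", ".join(sorted({f.ip for f in findings}))
    plan = [
        f"Confirm Universal Logout ended session(s) {sessions}; clear user sessions if not.",
        f"Add {ips} to a blocked network zone or enable ThreatInsight block mode.",
    ]
    for action, step in ACTION_REMEDIATION.items():
        if any(f.action == action and f.succeeded for f in findings):
            plan.append(step)
    plan.append("Force a password reset, clear all sessions, and reset all MFA factors.")
    return plan


# Constructed sample events (not real log data), one JSON document per line.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2024-05-01T09:58:10.000Z","actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"authenticationContext":{"externalSessionId":"sess-1"}}
{"eventType":"user.mfa.factor.activate","published":"2024-05-01T10:01:00.000Z","actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"authenticationContext":{"externalSessionId":"sess-1"}}
{"eventType":"user.account.update_password","published":"2024-05-01T10:03:30.000Z","actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"authenticationContext":{"externalSessionId":"sess-1"}}
{"eventType":"user.session.access_admin_app","published":"2024-05-01T10:04:00.000Z","actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"FAILURE"},"authenticationContext":{"externalSessionId":"sess-1"}}
{"eventType":"user.session.access_admin_app","published":"2024-05-01T08:30:00.000Z","actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"198.51.100.20"},"outcome":{"result":"SUCCESS"},"authenticationContext":{"externalSessionId":"sess-2"}}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    found = triage(load_events(SAMPLE_LOG), {"203.0.113.7"}, since="2024-05-01T09:00:00Z")
    for f in found:
        print(f"{f.published} {f.user} {f.action:<16} ok={f.succeeded} ip={f.ip}")
    for step in remediation_plan(found):
        print("-", step)
```

On the sample data the script reports the MFA enrollment and password change as successful and the Admin Console access as a failed attempt from the flagged IP, ignores the legitimate admin's access from an unflagged address, and emits a five-step plan that omits the Admin Console audit because that action never succeeded. Failed attempts are still listed in the findings so the analyst sees what the attacker tried.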