Security events provider reported risk

This detection is recorded when an integrated security partner like CrowdStrike or Omnissa, or a Cloud Access Security Broker (CASB), sends a signal to Okta through the Shared Signals Framework (SSF).

Detection risk level: High, Medium, or Low

This detection is the automated counterpart of Admin reported user risk: instead of an admin setting the risk level by hand, the partner tool sets it through the signal. For example, if your EDR provider notifies Okta that a user's device risk level has changed to High, Okta records this detection.

Policy configuration

In your entity risk policy, create separate rules:

Rule 1

  • Detection: Security Events Provider Reported Risk
  • Entity risk level: High
  • Take this action: Universal Logout

Rule 2

  • Detection: Security Events Provider Reported Risk
  • Entity risk level: Medium
  • Take this action: Run a Workflow to notify an admin

Remediation strategy

  1. Automated action: The policy immediately enforces the action based on the signal from the partner tool.

  2. Investigate: The investigation must occur in the source tool (for example, the EDR console). The Okta System Log shows the event, but the original context for the risk change is in the partner system.

  3. Restore access: Access is typically restored automatically. For example, after the EDR tool confirms that a device is healthy, it sends a new "risk level is low" signal to Okta. When Okta lowers the user's risk level, the enforcement ends.
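The following is an added example, not Okta's or any partner's code. It models the full loop described above: a partner transmitter emits a Security Event Token (SET, RFC 8417) carrying a risk-level change, the receiver verifies it before trusting it, the two entity risk policy rules map the level to an action, and a later Low signal ends the enforcement (remediation step 3). The event type URI, the `current_level` and `subject` claim names, the example hostnames, and the use of HS256 with a shared secret are all assumptions chosen so the script runs offline; a real SSF receiver verifies an asymmetric signature against the transmitter's published JWKS.

```python
"""Model of an SSF risk signal flowing into an entity risk policy (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed identifiers for this demo (not real Okta or partner values).
TRANSMITTER_ISS = "https://edr.example.com"   # assumed partner issuer
RECEIVER_AUD = "https://example.okta.com"     # assumed Okta org audience
SHARED_SECRET = b"constructed-demo-secret"    # assumption: HS256 instead of JWKS/RS256
# Assumed event type URI; real transmitters publish their own.
RISK_EVENT = "https://schemas.example.com/secevent/event-type/user-risk-change"

# The two policy rules from the page: same detection, different entity risk level.
POLICY_RULES = {
    "HIGH": "Universal Logout",
    "MEDIUM": "Run a Workflow to notify an admin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(level: str, subject_email: str, now: int) -> str:
    """Build a signed SET the way a partner transmitter might (constructed claims)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": TRANSMITTER_ISS,
        "aud": RECEIVER_AUD,
        "iat": now,
        "jti": f"constructed-{now}-{level.lower()}",  # unique per event; used for replay checks
        "events": {
            RISK_EVENT: {
                "subject": {"format": "email", "email": subject_email},
                "current_level": level,
                "event_timestamp": now,
            }
        },
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_set(token: str, now: int, max_age: int = 300) -> dict:
    """Verify signature, issuer, audience, freshness and event type; raise on anything untrusted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")          # never act on an unverified signal
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != TRANSMITTER_ISS or payload.get("aud") != RECEIVER_AUD:
        raise ValueError("wrong issuer or audience")
    iat = payload.get("iat")
    if not isinstance(iat, int) or now - iat > max_age or iat > now + 60:
        raise ValueError("stale, future-dated or missing iat")
    if RISK_EVENT not in (payload.get("events") or {}):
        raise ValueError("no risk-change event in SET")
    return payload


class RiskReceiver:
    """Tracks each user's partner-reported level and applies the policy rules."""

    def __init__(self):
        self.seen_jti = set()     # replay protection
        self.user_level = {}      # current level per user, defaults to LOW

    def handle(self, token: str, now: int) -> dict:
        payload = parse_set(token, now)
        if payload["jti"] in self.seen_jti:
            raise ValueError("replayed SET")
        self.seen_jti.add(payload["jti"])
        event = payload["events"][RISK_EVENT]
        user = event["subject"]["email"]
        level = str(event["current_level"]).upper()
        previous = self.user_level.get(user, "LOW")
        self.user_level[user] = level
        action = POLICY_RULES.get(level)
        if action is None and previous in POLICY_RULES:
            # Step 3 of the remediation strategy: a lower level ends the enforcement.
            return {"user": user, "level": level, "action": "enforcement ends (risk lowered)"}
        return {"user": user, "level": level, "action": action or "no rule matched"}
```

The verification order matters: signature first, then issuer and audience, then freshness and replay, and only then the policy lookup. This mirrors the page's point that Okta records the detection but the context lives in the partner system; the receiver's job is to establish that the signal genuinely came from that system before enforcing anything on its basis.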