This wasn't me

This detection is triggered when a user actively reports a security event as fraudulent. This typically occurs when they receive an Okta-generated security notification (such as a new sign-in email) and click Report or This wasn't me. It can also be triggered from the Recent Activity page in the End-User Dashboard.

Detection risk level: High

This is a high-confidence signal that the user's account is under active attack.

MITRE tactic

Initial Access / Lateral Movement

MITRE technique

Valid Accounts

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: This wasn't me
  • Entity risk level: High
  • Take this action: Universal Logout

Remediation strategy

  1. Immediate action: Based on your policy configuration, Universal Logout should terminate the session.

  2. Block the threat: Add the IP address from the fraudulent event to a blocked network zone.

  3. Investigate: Alert an admin. Review the System Log to find the event that the user reported. Run the following query in the System Log:

    eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=This Wasn't Me"

    Analyze its IP, location, device, and what action was attempted (for example, User login to Okta).

  4. Contact the user: Proactively reach out to the user who reported the event. Acknowledge their report and confirm that their account is locked for protection.

  5. Secure the account:

    • Guide the user through a secure password reset process.

    • Perform an MFA review to check for any unauthorized factors.

    • Unlock the account only after it's verified as secure.
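The following script is an added example for steps 2 and 3 above; it is not Okta's code. It applies the System Log query locally to constructed sample events shaped like Okta LogEvent objects (the IPs, users and timestamps are made up), pulls out the fields step 3 says to analyze, correlates the report with what the same user did from that IP, and builds a request body for an IP blocklist network zone as in step 2. The zone body shape (type, usage, gateways) is an assumption about the Okta Network Zones API and should be checked against the API reference before use.

```python
"""Offline triage helper for Okta "This wasn't me" (user.risk.detect) events.

Added example, not Okta's code. Runs on constructed sample events shaped
like Okta System Log LogEvent objects. The zone request body is an assumption
about POST /api/v1/zones; verify it against the Okta API reference.
"""
import ipaddress
from typing import Dict, List

# The System Log query from the remediation steps; the same string can be
# passed as the `filter` query parameter of GET /api/v1/logs.
SYSTEM_LOG_FILTER = (
    'eventType eq "user.risk.detect" and '
    'debugContext.debugData.risk co "detectionName=This Wasn\'t Me"'
)

# Constructed sample events (not real data; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges).
SAMPLE_EVENTS: List[Dict] = [
    {   # the sign-in the user later reported
        "eventType": "user.session.start", "displayMessage": "User login to Okta",
        "published": "2024-05-01T10:12:00.000Z",
        "actor": {"alternateId": "jdoe@example.com"},
        "client": {"ipAddress": "203.0.113.42", "device": "Computer",
                   "geographicalContext": {"city": "Nowhere", "country": "Atlantis"}},
    },
    {   # the report itself, as surfaced by the detection
        "eventType": "user.risk.detect", "displayMessage": "Risk detected",
        "published": "2024-05-01T10:15:00.000Z",
        "actor": {"alternateId": "jdoe@example.com"},
        "client": {"ipAddress": "203.0.113.42", "device": "Computer",
                   "geographicalContext": {"city": "Nowhere", "country": "Atlantis"}},
        "debugContext": {"debugData": {"risk": "detectionName=This Wasn't Me,level=HIGH"}},
    },
    {   # a different detection for another user; must not match the query
        "eventType": "user.risk.detect", "displayMessage": "Risk detected",
        "published": "2024-05-01T11:00:00.000Z",
        "actor": {"alternateId": "asmith@example.com"},
        "client": {"ipAddress": "198.51.100.7", "device": "Mobile",
                   "geographicalContext": {"city": "Elsewhere", "country": "Atlantis"}},
        "debugContext": {"debugData": {"risk": "detectionName=Anomalous Device,level=MEDIUM"}},
    },
]


def parse_risk(risk: str) -> Dict[str, str]:
    """Turn 'detectionName=This Wasn't Me,level=HIGH' into a dict."""
    pairs = (item.partition("=") for item in risk.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, _, v in pairs}


def matches_filter(event: Dict) -> bool:
    """Local equivalent of SYSTEM_LOG_FILTER: `eq` on eventType, `co` (contains) on risk."""
    risk = event.get("debugContext", {}).get("debugData", {}).get("risk", "")
    return event.get("eventType") == "user.risk.detect" and "detectionName=This Wasn't Me" in risk


def summarize(event: Dict) -> Dict[str, str]:
    """Pull out the fields step 3 says to analyze: who, IP, location, device, risk level."""
    client = event.get("client", {})
    geo = client.get("geographicalContext", {})
    risk = event.get("debugContext", {}).get("debugData", {}).get("risk", "")
    return {
        "user": event.get("actor", {}).get("alternateId", "?"),
        "ip": client.get("ipAddress", "?"),
        "location": ", ".join(p for p in (geo.get("city"), geo.get("country")) if p),
        "device": client.get("device", "?"),
        "level": parse_risk(risk).get("level", "?"),
        "when": event.get("published", "?"),
    }


def related_actions(events: List[Dict], report: Dict) -> List[str]:
    """What the same user did from the reported IP (e.g. 'User login to Okta')."""
    user = report["actor"]["alternateId"]
    ip = report["client"]["ipAddress"]
    return [
        e.get("displayMessage", e["eventType"])
        for e in events
        if e is not report
        and e.get("eventType") != "user.risk.detect"
        and e.get("actor", {}).get("alternateId") == user
        and e.get("client", {}).get("ipAddress") == ip
    ]


def blocklist_zone_payload(name: str, ips: List[str]) -> Dict:
    """Body for an IP blocklist network zone (step 2). Shape is an assumption."""
    gateways = []
    for ip in dict.fromkeys(ips):  # dedupe while keeping order
        net = ipaddress.ip_network(ip, strict=False)  # ValueError on malformed input
        gateways.append({"type": "CIDR", "value": str(net)})
    return {"type": "IP", "name": name, "status": "ACTIVE", "usage": "BLOCKLIST", "gateways": gateways}


def triage(events: List[Dict]) -> List[Dict]:
    """One record per reported event, with the attempted actions attached."""
    out = []
    for e in events:
        if matches_filter(e):
            rec = summarize(e)
            rec["actions"] = related_actions(events, e)
            out.append(rec)
    return out


if __name__ == "__main__":
    records = triage(SAMPLE_EVENTS)
    for r in records:
        print(r)
    print(blocklist_zone_payload("This wasn't me - reported IPs", [r["ip"] for r in records]))
```

Against live data, replace SAMPLE_EVENTS with the page of events returned by the System Log API for SYSTEM_LOG_FILTER; the same filter string avoids retrieving every risk detection and filtering client-side. Keep the blocklist zone scoped to the specific addresses from the reported events rather than whole ranges, and review it once the investigation closes.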