This wasn't me
This detection is triggered when a user actively reports a security event as fraudulent. This typically occurs when they receive an Okta-generated security notification (such as a new sign-in email) and click Report or This wasn't me. It can also be triggered from the Recent Activity page in the End-User Dashboard.
Detection risk level: High
This is a high-confidence signal that the user's account is under active attack.
MITRE tactic
Initial Access / Lateral Movement
MITRE technique
Policy configuration
In your entity risk policy, set these conditions:
- Detection: This wasn't me
- Entity risk level: High
- Take this action: Universal Logout
System Log query
eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=This Wasn't Me"
Remediation strategy
- Immediate action: Based on your policy configuration, Universal Logout should terminate the session.
- Block the threat: Add the IP address from the fraudulent event to a blocked network zone.
- Investigate: Alert an admin. Review the System Log to find the event that the user reported. Analyze its IP, location, device, and what action was attempted (for example, User login to Okta).
- Contact the user: Proactively reach out to the user who reported the event. Acknowledge their report and confirm that their account is locked for protection.
- Secure the account:
  - Guide the user through a secure password reset process.
  - Perform an MFA review to check for any unauthorized factors.
  - Unlock the account only after it's verified as secure.
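The following is an added triage example, not Okta's code, that applies the System Log query above to a batch of events and then carries out the Investigate and Block the threat steps: it resolves each "This wasn't me" report to the event the user reported and pulls that event's IP, location, device and action. The report itself is filed from the user's own device (the email link or the End-User Dashboard), so the report's client fields describe the victim; the indicators, including the IP for the blocked network zone, must come from the reported event. The event layout is a constructed approximation of Okta's System Log JSON, the format of the debugData.risk string and the debugData.reportedEventId join field are assumptions, and the sample events are constructed.

```python
"""Triage of "This wasn't me" reports over Okta System Log events.

Added example (not Okta's code). The event layout below approximates Okta's
System Log JSON; the debugData.risk string format and the
debugData.reportedEventId field used to join a report to the reported
event are assumptions, so adapt them to what your tenant actually logs.
"""
from dataclasses import dataclass
import ipaddress

DETECTION_NAME = "This Wasn't Me"

# Constructed sample events (not real Okta output); only the fields the
# script reads are filled in. evt-1 is the attacker's sign-in, evt-2 is
# ana's own sign-in from her phone, evt-3 is the report she filed from that
# phone, evt-4 is a different detection that must not match the query.
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "eventType": "user.session.start",
     "published": "2024-05-01T10:10:00.000Z", "displayMessage": "User login to Okta",
     "actor": {"alternateId": "ana@example.com"},
     "client": {"ipAddress": "203.0.113.42",
                "geographicalContext": {"city": "Sofia", "country": "Bulgaria"},
                "device": "Computer", "userAgent": {"os": "Windows 10", "browser": "CHROME"}}},
    {"uuid": "evt-2", "eventType": "user.session.start",
     "published": "2024-05-01T10:12:00.000Z", "displayMessage": "User login to Okta",
     "actor": {"alternateId": "ana@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "geographicalContext": {"city": "Dublin", "country": "Ireland"},
                "device": "Mobile", "userAgent": {"os": "iOS", "browser": "SAFARI"}}},
    {"uuid": "evt-3", "eventType": "user.risk.detect",
     "published": "2024-05-01T10:15:00.000Z", "displayMessage": "Risk detected",
     "actor": {"alternateId": "ana@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "geographicalContext": {"city": "Dublin", "country": "Ireland"},
                "device": "Mobile", "userAgent": {"os": "iOS", "browser": "SAFARI"}},
     "debugContext": {"debugData": {"risk": "{detectionName=This Wasn't Me, level=HIGH}",
                                    "reportedEventId": "evt-1"}}},  # assumed field
    {"uuid": "evt-4", "eventType": "user.risk.detect",
     "published": "2024-05-01T11:00:00.000Z", "displayMessage": "Risk detected",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.99", "geographicalContext": {}, "userAgent": {}},
     "debugContext": {"debugData": {"risk": "{detectionName=Anomalous Device, level=MEDIUM}"}}},
]


def matches_query(event: dict) -> bool:
    """The page's System Log filter: 'eq' is an exact match on eventType and
    'co' is a substring match on debugContext.debugData.risk."""
    risk = event.get("debugContext", {}).get("debugData", {}).get("risk", "")
    return (event.get("eventType") == "user.risk.detect"
            and f"detectionName={DETECTION_NAME}" in risk)


@dataclass(frozen=True)
class Finding:
    user: str
    reported_event_id: str
    ip: str              # IP of the reported sign-in, never of the report itself
    location: str
    device: str
    action: str
    reported_at: str


def describe(event: dict) -> tuple:
    """Return (ip, location, device) from an event's client block."""
    client = event.get("client", {})
    geo = client.get("geographicalContext", {})
    ua = client.get("userAgent", {})
    location = ", ".join(v for v in (geo.get("city"), geo.get("country")) if v) or "unknown"
    device = " / ".join(v for v in (client.get("device"), ua.get("os"), ua.get("browser")) if v) or "unknown"
    return client.get("ipAddress", ""), location, device


def triage(events: list) -> list:
    """Find every 'This wasn't me' report and resolve it to the event the user
    reported. The report was sent from the user's own device, so its client
    fields describe the victim; indicators are taken from the joined event."""
    by_id = {e.get("uuid"): e for e in events}
    findings = []
    for report in filter(matches_query, events):
        ref = report["debugContext"]["debugData"].get("reportedEventId")  # assumed join field
        reported = by_id.get(ref)
        if reported is None:
            continue  # unresolved: leave this one for a manual System Log review
        ip, location, device = describe(reported)
        findings.append(Finding(
            user=report["actor"]["alternateId"], reported_event_id=ref,
            ip=ip, location=location, device=device,
            action=reported.get("displayMessage", reported.get("eventType", "")),
            reported_at=report.get("published", "")))
    return findings


def ips_to_block(findings: list) -> list:
    """Deduplicated, syntactically valid IPs for the blocked network zone.
    Malformed values are skipped rather than pushed into the zone."""
    out = []
    for f in findings:
        try:
            addr = str(ipaddress.ip_address(f.ip))
        except ValueError:
            continue
        if addr not in out:
            out.append(addr)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.user}: reported {f.action!r} from {f.ip} ({f.location}; {f.device}) at {f.reported_at}")
    print("block:", ips_to_block(found))
```

Run against the constructed sample, the only match is evt-3, it resolves to evt-1, and the IP returned for the zone is the attacker's 203.0.113.42 rather than 198.51.100.7, the phone Ana reported from. A script that blocked the report's own client IP would lock out the victim and leave the attacker untouched.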