This wasn't me

This detection is triggered when a user actively reports a security event as fraudulent. This typically occurs when they receive an Okta-generated security notification (such as a new sign-in email) and click Report or This wasn't me. It can also be triggered from the Recent Activity page in the End-User Dashboard.

Detection risk level: High

This is a high-confidence signal that the user's account is under active attack.

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: This wasn't me
  • Entity risk level: High
  • Take this action: Universal Logout

Remediation strategy

  1. Immediate action: Based on your policy configuration, Universal Logout should terminate the session.

  2. Block the threat: Add the IP address from the fraudulent event to a blocked network zone.

  3. Investigate: Alert an admin. Review the System Log to find the event the user reported. Analyze its IP, location, device, and what action was attempted (for example, User login to Okta).

  4. Contact the user: Proactively reach out to the user who reported the event. Acknowledge their report and confirm that their account is locked for protection.

  5. Secure the account:

    • Guide the user through a secure password reset process.

    • Perform an MFA review to check for any unauthorized factors.

    • Unlock the account only after it's verified as secure.
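Step 3 of the remediation strategy (find what the user reported and read off its IP, location, device, and action) can be scripted over a System Log export. The following is an added example, not Okta's code: the events are constructed sample data, the report event type string and the 24-hour lookback are assumptions to confirm against your own tenant, and the helper names are hypothetical.

```python
from datetime import datetime, timedelta

# Assumed event type for an end-user report; confirm it in your own System Log.
REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"

def _ev(published, event_type, message, user, ip, city, country, browser, os_name):
    """Build a constructed event in the System Log JSON shape (sample data only)."""
    return {"published": published, "eventType": event_type, "displayMessage": message,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"city": city, "country": country},
                       "userAgent": {"browser": browser, "os": os_name}}}

# Constructed sample export: documentation IP ranges and example.com users.
SAMPLE_LOG = [
    _ev("2024-05-01T08:00:00.000Z", "user.session.start", "User login to Okta",
        "alice@example.com", "192.0.2.10", "Austin", "United States", "CHROME", "Mac OS X"),
    _ev("2024-05-03T02:14:09.000Z", "user.session.start", "User login to Okta",
        "alice@example.com", "203.0.113.50", "Sydney", "Australia", "FIREFOX", "Windows 10"),
    _ev("2024-05-03T02:15:00.000Z", "user.session.start", "User login to Okta",
        "bob@example.com", "198.51.100.99", "Denver", "United States", "CHROME", "Windows 10"),
    _ev("2024-05-03T02:20:00.000Z", REPORT_EVENT, "User report suspicious activity",
        "alice@example.com", "192.0.2.10", "Austin", "United States", "CHROME", "Mac OS X"),
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def summarize(event):
    """Pull out the fields step 3 asks the admin to analyze."""
    client = event.get("client") or {}
    geo = client.get("geographicalContext") or {}
    ua = client.get("userAgent") or {}
    return {"time": event["published"], "action": event.get("displayMessage"),
            "ip": client.get("ipAddress"),
            "location": ", ".join(p for p in (geo.get("city"), geo.get("country")) if p),
            "device": f'{ua.get("browser")} on {ua.get("os")}'}

def triage_reports(events, lookback_hours=24):
    """For each user report, list that user's own events in the preceding window."""
    findings = []
    for report in (e for e in events if e["eventType"] == REPORT_EVENT):
        user, end = report["actor"]["alternateId"], _ts(report)
        prior = sorted((e for e in events
                        if e["actor"]["alternateId"] == user and e["eventType"] != REPORT_EVENT
                        and end - timedelta(hours=lookback_hours) <= _ts(e) < end), key=_ts)
        findings.append({"user": user, "reported_at": report["published"],
                         "candidates": [summarize(e) for e in prior]})
    return findings
```

The candidate list is a shortlist for the admin to match against the user's report; only the IP of the event confirmed as fraudulent belongs in the blocked network zone.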