Detection settings for entity risk policy

Learn what configuration settings to use when you define conditions and actions in your entity risk policy rules.

In the table below, check what entity risk level goes with each detection type. When you define your rule conditions, select the detection and then select the matching entity risk level.

| Detection | Description | Entity risk level | Recommended action |
|---|---|---|---|
| This wasn't me | The user responded to an Okta-generated security notification email or clicked Report on the Recent Activity page of the Okta End-User Dashboard. | High | Universal Logout. See Configure Universal Logout for supported apps. |
| Session influenced User Risk | Entity user risk is influenced by changes in the risk associated with user sessions. The session risk may change because of a change in IP or device context. This detection occurs only when the session risk level changes to High. | Medium | Run a delegated Workflow, or don't take any action. |
| Suspected Brute Force Attack | Okta detects attempts by a potential threat actor to gain password-based or MFA-based access to the org. | Medium | Run a delegated Workflow that notifies the Security Operations Center (SOC) team to start an investigation. |
| Okta Threat Intelligence | Okta Threat Intelligence identifies sophisticated threat actor activity by detecting signatures of the infrastructure that they use. For example, Okta detects that phishing infrastructure was used to attack the user account and that the account may have been compromised. | High | Universal Logout. See Configure Universal Logout for supported apps. Alternatively, run a delegated Workflow that notifies the SOC team to start an investigation. You can also take the following actions manually: force a password change; force re-enrollment in authenticators. |
| Admin Reported User Risk | An admin can elevate the entity risk level from a user's profile page in the Admin Console or by using the User Risk API. Elevating the entity risk level automatically changes it to High. | Low or high | Universal Logout. See Configure Universal Logout for supported apps. |
| Entity Critical Action From High Threat IP | Okta detected that a critical action was taken from a high-threat IP address. Examples of critical actions include MFA authenticator registration, password change, and Admin Dashboard access. | High | Universal Logout. See Configure Universal Logout for supported apps. |
| Security Events Provider Reported Risk | This detection occurs when one of your integrated security event providers reports a risk event. | Low, medium, or high | Universal Logout. See Configure Universal Logout for supported apps. |
| Suspicious App Access | Identity Threat Protection detected an attacker's attempts to harvest app session cookies. For example, a bad actor tried to access multiple apps using a stolen session cookie. | Medium | Run a delegated Workflow that notifies the SOC team to start an investigation, or don't take any action. |
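The Admin Reported User Risk row above says an admin can raise a user's entity risk level through the User Risk API and that the elevation always lands at High. The following Python is an added example, not Okta's own code: it builds the read and elevate requests for that API and extracts the reported level from the response. The endpoint path (`/api/v1/users/{userId}/risk`), the `{"riskLevel": "HIGH"}` body, and the `SSWS` token scheme are assumptions taken from the Okta User Risk API reference and should be checked against your org's API documentation; the org URL, user ID, and token are placeholders.

```python
"""Elevate a user's entity risk level through the Okta User Risk API.

Added example (not Okta's own code). The endpoint, request body, and auth
scheme below are assumptions from the Okta User Risk API reference; verify
them against your org's API docs before use:
  GET /api/v1/users/{userId}/risk   -> current entity risk level
  PUT /api/v1/users/{userId}/risk   -> body {"riskLevel": "HIGH"}
"""
import json
import urllib.request
from urllib.error import HTTPError

RISK_PATH = "/api/v1/users/{user_id}/risk"  # assumed endpoint path


def build_risk_request(org_url, user_id, api_token, risk_level=None):
    """Return a urllib Request for the User Risk API.

    With risk_level=None, builds a GET that reads the current level.
    With risk_level set, builds a PUT that elevates the user. Per the
    policy table, an admin-reported elevation always results in HIGH,
    so any other requested level is rejected here before it is sent.
    """
    url = org_url.rstrip("/") + RISK_PATH.format(user_id=user_id)
    headers = {
        "Authorization": f"SSWS {api_token}",  # assumed API-token scheme
        "Accept": "application/json",
    }
    if risk_level is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    if risk_level != "HIGH":
        raise ValueError("Admin Reported User Risk only elevates to HIGH")
    body = json.dumps({"riskLevel": risk_level}).encode()
    headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def parse_risk_response(payload):
    """Extract the risk level from a User Risk API JSON body.

    Returns the level string (for example "HIGH") or None if absent.
    """
    return json.loads(payload).get("riskLevel")


def elevate_user_risk(org_url, user_id, api_token, opener=urllib.request.urlopen):
    """Elevate the user to HIGH and return the level the API reports back.

    `opener` is injectable so the call can be exercised without network
    access; in production leave it as urllib.request.urlopen.
    """
    req = build_risk_request(org_url, user_id, api_token, risk_level="HIGH")
    try:
        with opener(req) as resp:
            return parse_risk_response(resp.read())
    except HTTPError as exc:
        detail = exc.read()[:200]
        raise RuntimeError(f"User Risk API returned {exc.code}: {detail!r}") from exc


if __name__ == "__main__":
    # Placeholder org, user, and token; replace with real values to run.
    demo = build_risk_request("https://example.okta.com", "00u_PLACEHOLDER",
                              "TOKEN_PLACEHOLDER", risk_level="HIGH")
    print(demo.get_method(), demo.full_url, demo.data)
```

After a successful elevation, the entity risk policy rule that matches Admin Reported User Risk fires, so the Universal Logout action recommended in the table takes effect through the policy rather than through this script; the script only reports the level the API hands back, which lets you confirm the elevation before checking the System Log for the resulting remediation.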

Related topics

Identity Threat Protection key concepts

Observability with Identity Threat Protection

Risk remediation with Identity Threat Protection

Configure a shared signal receiver