Detection settings for entity risk policy
Learn what configuration settings to use when you define conditions and actions in your entity risk policy rules.
In the table below, check what entity risk level goes with each detection type. When you define your rule conditions, select the detection and then select the matching entity risk level.
| Detection | Entity risk levels | Recommended action |
|---|---|---|
| **This wasn't me**: The user responded to an Okta-generated security notification email or clicked Report on the Recent Activity page of the Okta End-User Dashboard. | High | Universal Logout. See Configure Universal Logout for supported apps. |
| **Session influenced User Risk**: Entity user risk is influenced by changes in risk associated with user sessions. The session risk may change because of a change in IP or device context. This detection only occurs when the session risk level changes to High. | Medium | Run a delegated Workflow or don't take any action. |
| **Suspected Brute Force Attack**: Okta detects attempts by a potential threat actor to gain password or MFA-based access to the org. | Medium | Run a delegated Workflow that notifies the Security Operations Center (SOC) team to start an investigation. |
| **Okta Threat Intelligence**: Okta Threat Intelligence identifies sophisticated threat actor activity by detecting signatures of the infrastructure that they use. For example, Okta detects that phishing infrastructure was used to attack the user account and the account may have been compromised. | High | Universal Logout. See Configure Universal Logout for supported apps. Alternatively, you can run a delegated Workflow that notifies the SOC team to start an investigation. You can also take the following actions manually: |
| **Admin Reported User Risk**: An admin can elevate the entity risk level from a user's profile page in the Admin Console or using the User Risk API. Elevating the entity risk level automatically changes it to High. | Low or high | Universal Logout. See Configure Universal Logout for supported apps. |
| **Entity Critical Action From High Threat IP**: Okta detected that a critical action was taken from a high-threat IP address. Examples of critical actions include the following: | High | Universal Logout. See Configure Universal Logout for supported apps. |
| **Security Events Provider Reported Risk**: This detection occurs when your integrated security event providers report a risk event. | Low, medium, or high | Universal Logout. See Configure Universal Logout for supported apps. |
| **Suspicious App Access**: Identity Threat Protection detected an attacker's attempts to harvest app session cookies. For example, a bad actor tried to access multiple apps using a stolen session cookie. | Medium | Run a delegated Workflow that notifies the SOC team to start an investigation, or don't take any action. |
Related topics
Identity Threat Protection key concepts
Observability with Identity Threat Protection