Detection settings for entity risk policy
Learn what configuration settings to use when you define conditions and actions in your entity risk policy rules.
In the table below, check what entity risk level goes with each detection type. When you define your rule conditions, select the detection and then select the matching entity risk level.
| Detection |
Risk levels |
Recommended action |
|---|---|---|
| This wasn't me
The user reported an incident by responding to an Okta-generated security notification email, or by clicking Report on the Recent Activity page of the Okta End-User Dashboard. |
High | Universal Logout. See Configure Universal Logout for third-party apps. |
| Session influenced User Risk
The entity risk level changed because of a change in session context. This detection only occurs when the session risk level is High. |
Medium | Run a delegated Workflow or don't take any action. |
| Suspected Brute Force Attack | Medium | Run a delegated Workflow that notifies the Security Operations Center (SOC) team to start an investigation. |
| Okta Threat Intelligence | High |
You can also take the following actions manually:
|
| Admin Reported User Risk
The admin changed the entity risk level to High. |
Low High |
Universal Logout. See Configure Universal Logout for third-party apps. |
| Entity Critical Action From High Threat IP
Okta detected suspicious behavior from a high-threat IP address. |
High | Universal Logout. See Configure Universal Logout for third-party apps. |
| Security Events Provider Reported Risk | Low Medium High |
Run a delegated Workflow or don't take any action. |
| Suspicious App Access | Medium | Run a delegated Workflow that notifies the SOC team to start an investigation or don't take any action. |