Manual remediation actions for Identity Threat Protection

Your Entity risk policy configurations determine what actions Identity Threat Protection with Okta AI should take when it identifies a risk. These actions are automatic and don’t require any action from an admin. However, you may want to take manual actions in response to a security threat.

Elevate an entity risk level

You can manually elevate a low or medium entity risk level to high.

  1. In the Admin Console, go to Directory > People.
  2. Select a user from the People & username column.
  3. Click More actions, and then click Elevate Risk Level. The Elevate entity risk level dialog opens.
  4. Click Yes, elevate risk level.

When you manually elevate a user’s risk level, the user.risk.change event appears in the System Log.

End a user session

You can manually revoke a user’s IdP sessions and refresh tokens by clearing their sessions. Okta changes the entity risk level to Low when the entity risk policy or the Clear user sessions action triggers Universal Logout and terminates the Okta Identity Provider session. See Universal Logout revocations for information on which artifacts are revoked.

Follow these steps to revoke user sessions and refresh tokens for a user:

  1. In the Admin Console, go to Directory > People.
  2. Select a user from the People & username column.
  3. Click More Actions, and then select Clear user sessions. The Clear sessions and revoke tokens dialog opens.
  4. Select Clear active sessions for apps with logout enabled to invoke Universal Logout for the user.

    If you don’t select this checkbox, Okta clears all active Identity Provider sessions and revokes the OpenID Connect and OAuth refresh and access tokens that were issued to the user. The user must then authenticate the next time they sign in.

  5. Click Clear and revoke.

Related topics

Deactivate and delete user accounts

Suspend and unsuspend users

System Log events for Identity Threat Protection