Risk detections

The Okta risk engine calculates three types of risk detections and assigns them a level of low, medium, or high.

  • Login risk

    The login risk level indicates the probability that something is wrong with the user’s authentication attempt. Before a user can access your org, Okta calculates the login risk level by evaluating the sign-in attempt against the global session policy rules. The evaluation determines if the user's behavior or device information has changed since they last signed in, and if the request comes from a malicious IP address. Okta adds the login risk data to the System Log as a part of user.session.start and policy.evaluate_sign_on events.

  • Session risk

    The session risk level indicates the probability of the user's session being a threat to the org. Okta calculates this risk level continuously only when the IP information or device context changes mid-session. A medium or high risk level can indicate that there might have been a brute-force attack or suspicious app access during the session. Okta includes the risk level and the reason for it in the user.session.context.change event in the System Log.

  • Entity risk

    The entity risk level indicates the probability of the user's identity being under attack. Okta calculates this risk level for each user by continuously evaluating entity risk policy against all of your org’s threat surfaces, including your Shared Signals Framework integrations. The risk level is calculated even if the user session isn’t active at the time. You can configure an entity risk policy rule to take remediation actions based on the entity risk detection and risk level. Okta includes the entity risk level in the user.risk.change event in the System Log.

Detections can also be suspicious patterns that Okta identifies while monitoring your org or suspicious activity identified by admins, users, or security events providers. You can set up entity risk policy rules to monitor your org for specific detections.

View risk detections

All risk detections are captured in the System Log. You can also focus on risk detections associated with specific users. In the Admin Console, go to DirectoryPeople, and click the user profile. On the Risk tab you can view session and entity risk detections for this user. Use the information in the table to monitor the activity for users with elevated levels of access or for troubleshooting. For each detection you can explore details such as detection type, risk level, remediation action taken, and more.

Click View System Log for a detection to get more context about the event. You can also help improve Okta AI detections by clicking Provide Feedback.

Related topics

Get started with Identity Threat Protection