Identity Threat Protection key concepts

Learn about the key concepts and components of Okta Identity Threat Protection with Okta AI (ITP) to better understand how the identity security solution protects your org.

User session concepts

User session
The Okta session, or the app sessions associated with that Okta session.
Okta session
The state during which a user is authenticated and authorized to access apps secured by Okta. The Okta session starts when a user successfully signs in to Okta. An Okta session can be associated with one or more app sessions during which the user interacts with the app's resources. Okta maintains this state with the user by issuing an Okta session cookie to the user (client).
App session
The state that's maintained by an app after a user authenticates with Okta and is granted access to the app. The app maintains this state with the user by issuing an app session cookie to the user (client).
Session context change
A user's IP or device context may change during a session. When such a change is detected, ITP reevaluates the user risk. It also reevaluates the user's behavior when the session context change is associated with a user request. ITP logs each session context change as a user.session.context.change event in the System Log.
Session violation
When ITP detects a session context change, it reevaluates your global session and authentication policies for all active app sessions. A session violation occurs when the requirements in the matched policy rules aren't satisfied by the user sessions. The policy.auth_reevaluate.fail event in the System Log indicates a session violation.

Risk types and associated policies

Risk engine
A key component of Okta AI. In ITP, the Okta risk engine calculates login, session, and entity risk. Login risk is calculated during authentication. After authentication, the risk engine calculates the session risk. The risk engine also aids Behavior Detection and ThreatInsight. ITP uses the risk engine to collect feedback from admins and users, reevaluate global session policy and authentication policies, and drive entity risk policy evaluation.
Session risk
When an IP or device context change occurs during an active user session, ITP assesses the probability of the session being compromised and calculates the session risk level. ITP checks for patterns of session hijacking, such as token theft and replay. The potential impact of session risk is limited to the Okta session and the apps accessed through that session. In the System Log, the user.session.context.change event indicates a session context change. This event includes the session risk level and the reason for the change. When a session violation occurs, the post-auth session evaluation policy automatically takes the remediation actions that you've configured.

Session risk, session context change, and session violation drive the post-auth session evaluation policy. In this policy you can configure adaptive remediation actions that run when a session violation occurs. The policy.auth_reevaluate.action event in the System Log indicates the remediation actions taken by the post-auth session evaluation policy in response to the session violation. See Post auth session evaluation with Identity Threat Protection.
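The three events above form a per-session chain: a user.session.context.change carries the new session risk level, a policy.auth_reevaluate.fail marks the session violation, and a policy.auth_reevaluate.action records what the post-auth session evaluation policy did about it. The following script is an added example, not Okta's code, that correlates a System Log export into that chain so an analyst can see which sessions were violated, at what risk level, and what remediation ran. The sample events are constructed, and the debugData field names (riskLevel, riskReasons, action) and the authenticationContext.externalSessionId session key are assumptions about the event layout; check them against your own System Log before reusing the script.

```python
import json
from collections import defaultdict

# Constructed sample System Log export (one JSON object per line), not captured
# from a real org. debugData field names and the externalSessionId key are
# assumptions about the event layout.
SAMPLE_LOG_LINES = [
    json.dumps({"uuid": "e1", "published": "2024-05-01T10:00:03.000Z",
                "eventType": "user.session.context.change",
                "actor": {"id": "00u1", "alternateId": "alice@example.com"},
                "authenticationContext": {"externalSessionId": "idx-aaa"},
                "client": {"ipAddress": "203.0.113.10"},
                "debugContext": {"debugData": {"riskLevel": "HIGH",
                                               "riskReasons": "Suspected session hijacking"}}}),
    json.dumps({"uuid": "e2", "published": "2024-05-01T10:00:04.000Z",
                "eventType": "policy.auth_reevaluate.fail",
                "actor": {"id": "00u1", "alternateId": "alice@example.com"},
                "authenticationContext": {"externalSessionId": "idx-aaa"},
                "debugContext": {"debugData": {}}}),
    json.dumps({"uuid": "e3", "published": "2024-05-01T10:00:05.000Z",
                "eventType": "policy.auth_reevaluate.action",
                "actor": {"id": "00u1", "alternateId": "alice@example.com"},
                "authenticationContext": {"externalSessionId": "idx-aaa"},
                "debugContext": {"debugData": {"action": "UNIVERSAL_LOGOUT"}}}),
    json.dumps({"uuid": "e4", "published": "2024-05-01T10:01:00.000Z",
                "eventType": "user.session.context.change",
                "actor": {"id": "00u2", "alternateId": "bob@example.com"},
                "authenticationContext": {"externalSessionId": "idx-bbb"},
                "client": {"ipAddress": "198.51.100.7"},
                "debugContext": {"debugData": {"riskLevel": "LOW",
                                               "riskReasons": "New IP, known device"}}}),
    json.dumps({"uuid": "e5", "published": "2024-05-01T10:02:00.000Z",
                "eventType": "user.risk.detect",  # entity-level: no session, excluded below
                "actor": {"id": "00u1", "alternateId": "alice@example.com"},
                "authenticationContext": {},
                "debugContext": {"debugData": {"riskLevel": "HIGH"}}}),
]

SESSION_EVENTS = {
    "user.session.context.change",
    "policy.auth_reevaluate.fail",
    "policy.auth_reevaluate.action",
}


def parse_log(lines):
    """Parse a JSON-lines export and order it by publish time (ISO 8601 sorts lexically)."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["published"])
    return events


def session_id(event):
    return event.get("authenticationContext", {}).get("externalSessionId")


def debug_data(event):
    return event.get("debugContext", {}).get("debugData", {})


def session_timelines(events):
    """Group the session-scoped ITP events by Okta session; entity-level events drop out."""
    timelines = defaultdict(list)
    for event in events:
        if event["eventType"] in SESSION_EVENTS and session_id(event):
            timelines[session_id(event)].append(event)
    return dict(timelines)


def find_violations(events):
    """One record per session violation: the risk that preceded it and the action that followed."""
    violations = []
    for sid, timeline in session_timelines(events).items():
        last_change = None  # most recent context change seen in this session
        for event in timeline:
            kind = event["eventType"]
            if kind == "user.session.context.change":
                last_change = event
            elif kind == "policy.auth_reevaluate.fail":
                risk = debug_data(last_change) if last_change else {}
                violations.append({"session": sid,
                                   "user": event["actor"]["alternateId"],
                                   "published": event["published"],
                                   "risk_level": risk.get("riskLevel"),
                                   "risk_reason": risk.get("riskReasons"),
                                   "action": None})
            elif kind == "policy.auth_reevaluate.action" and violations and violations[-1]["session"] == sid:
                violations[-1]["action"] = debug_data(event).get("action")
    return violations


if __name__ == "__main__":
    print(json.dumps(find_violations(parse_log(SAMPLE_LOG_LINES)), indent=2))
```

Bob's session shows a context change at LOW risk with no policy.auth_reevaluate.fail, so it produces no violation record; Alice's shows the full chain ending in a Universal Logout. Feeding a real export into parse_log only requires that the three event types and the session key match your org's log layout.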

Entity risk
ITP assesses the probability of a user account being compromised based on access across devices, sessions, and applications. ITP assesses entity risk even if the user doesn't have an active session. Since the entity risk is evaluated on the user account, it's also called entity user risk. ITP evaluates the risk based on Okta-sourced entity risk detections and signals or detections received from security event providers through the Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP). In the System Log, the user.risk.detect event indicates entity user risk level detections.

In the entity risk policy, you can configure adaptive remediation actions (Universal Logout or Workflows) in response to entity risk detections. You can set multiple rules that target different threats and define conditions by user group, entity risk detection and risk level. See Entity risk policy.

Risk detections

ITP surfaces risk as risk detections within user.risk.detect and user.session.context.change events in the System Log. Okta defines each risk detection by the tactics, techniques, and procedures (TTPs) that attackers use against identities. Grouped by risk type, the detections fall under either session risk or entity risk.

Suspected session hijacking
Session risk detection. ITP identifies patterns of token theft and replay by using Okta AI.
This wasn't me
Entity risk detection. The user reported an incident by responding to an Okta-generated security notification email, or by clicking Report on the Recent Activity page of the Okta End-User Dashboard.
Session influenced User Risk
Entity risk detection. The entity risk level changed because of a change in session context. The session risk may change because of a change in IP or device context. This detection only occurs when the session risk level changes to High.
Suspected Brute Force Attack
Entity risk detection. Okta detects attempts by a potential threat actor to gain password or MFA-based access into the org.
Okta Threat Intelligence
Entity risk detection. Okta Threat Intelligence identifies sophisticated threat actor activity by detecting signatures of the infrastructure that they use. For example, Okta detects that phishing infrastructure was used to attack the user account and the account may have been compromised.
Admin Reported User Risk
Entity risk detection. An admin can elevate the entity risk level from a user's profile page in the Admin Console or using the User Risk API. Elevating the entity risk level automatically changes it to High. Usually, admins elevate the entity risk level manually when they learn from non-Okta sources or security operations that a user account is compromised. The User Risk API also allows admins to connect various identity protection providers to each other to ensure consistent representations of risk throughout the identity security stack in their org.
Entity Critical Action From High Threat IP
Entity risk detection. Okta detected that a critical action was taken from a high-threat IP address. Examples of critical actions include the following items:
  • MFA authenticator registration
  • Password change
  • Admin Dashboard access
Security Events Provider Reported Risk
Entity risk detection. This detection occurs when your integrated security event providers report a risk event. See Configure a shared signal receiver.
Suspicious App Access
Entity risk detection. ITP detected an attacker's attempts to harvest app session cookies. For example, a bad actor attempted to access multiple apps using a stolen session cookie.

Related topics

Get started with Identity Threat Protection