Risk detections
The Okta risk engine calculates three types of risk detections and assigns them a level of low, medium, or high.
-
Login risk
The login risk level indicates the probability that something is wrong with the user's authentication attempt. Before a user can access your org, Okta calculates the login risk level by evaluating the sign-in attempt against the global session policy rules if you've configured the Risk is setting. The login risk level is also calculated by evaluating the sign-in attempt against the authentication policy rules, if the authentication policy rules are configured to prompt for authentication every time the user signs in to a resource. The evaluation determines if the user's behavior or device information has changed since they last signed in, and if the request comes from a malicious IP address. Okta adds the login risk data to the System Log as a part of user.session.start and policy.evaluate_sign_on events.
-
Session risk
The session risk level indicates the probability of the user's session being a threat to the org. Okta calculates this risk level continuously only when the IP information or device context changes mid-session. A medium or high risk level can indicate that there might have been a brute-force attack or suspicious app access during the session. Okta includes the risk level and the reason for it in the user.session.context.change event in the System Log.
-
Entity risk
The entity risk level indicates the probability of the user's identity being under attack. Okta calculates this risk level for each user by continuously evaluating entity risk policy against all of your org's threat surfaces, including Shared Signals Framework integrations. The risk level is calculated even if the user session isn't active. You can configure an entity risk policy rule to take remediation actions based on the entity risk detection and risk level. Okta includes the entity risk level in the user.risk.detect event in the System Log.
Detections can also be suspicious patterns that Okta identifies while monitoring your org or suspicious activity identified by admins, users, or security events providers. You can set up entity risk policy rules to monitor your org for specific detections.
View risk detections
All risk detections are captured in the System Log. You can also focus on risk detections associated with specific users. In the Admin Console, go to , and click the user profile. On the Risk tab you can view session and entity risk detections for this user. Use the information in the table to monitor the activity for users with elevated levels of access or for troubleshooting. For each detection you can explore details such as detection type, risk level, remediation action taken, and more.
Click View System Log for a detection to get more context about the event. You can also help improve Okta AI detections by clicking Provide Feedback.