• Behavior Detection

1. Start by going to the Okta Admin Console.
2. Go to Security > Behavior Detection.
3. Click Add Behavior.
4. A drop-down menu will appear, offering the option to add a behavior triggered by changes to location, device, IP address, or velocity.

The behavior setup looks as follows:

• Location

 
 

• IP

 
 

• Device

 

• Velocity

Using the behavior detection in the authentication flow.

The behavior detection can be integrated into the authentication flow in 2 methods.

1. Added to the Global Session policy rule, located under the Admin Console > Security > Global Session Policy.

2. Added to the Authentication policy rules using custom expressions, located under the Admin Console > Security > Authentication Policies.

• The custom expression can be created using the following expression:

   security.behaviors.contains('behaviorName') 

  • Replace the behaviorName value with either the predefined behaviors or the custom-created behaviors.

To use multiple behaviors in the same custom expression, the following operators can be used:

• ||, OR
• &&, AND
• !, NOT
• ==
• !=

Example of a behavior detection custom expression:

Unrecognized IPs OR unrecognized devices
security.behaviors.contains('New IP') || security.behaviors.contains('New Device')

Unrecognized IP AND unrecognized devices
security.behaviors.contains('New IP') && security.behaviors.contains('New Device')

NOTE: The behavior is considered new until a successful login is performed. After the login, the values are saved in the user's behavior profile, and accessing other applications from the same Location/IP/Device(DeviceToken) will not trigger a new behavior.

Related References

• Behavior detection and evaluation 

• About behavior and sign-on policies
• About Behaviour Detection