When users fail to authenticate from a single IP address after multiple attempts, Okta ThreatInsight adds the IP address to a blocklist. To resolve this issue, create an IP network zone for the blocked address and add it to the Okta ThreatInsight exempt zones. To verify if Okta ThreatInsight blocked the IP address, query the System Log for security.threat.detected to view the following event:
Request from suspicious actor
- Okta Identity Engine (OIE)
- Okta Classic Engine
- ThreatInsight
- Network Zones
Okta ThreatInsight adds an IP address to a blocklist when authentication fails from a single IP address after multiple attempts.
How is an IP address exempted from Okta ThreatInsight?
To exempt an IP address from Okta ThreatInsight, follow the steps below to create a new IP network zone containing the blocked address and add it to the exempt zones in the general security settings.
- Sign in to the Okta Admin Console.
- Navigate to Security > Networks.
- Choose Add Zone > IP Zone.
- Enter a name for the zone and add the IP address to exempt.
- Click Save.
- Navigate to Security > General.
- Scroll to the Okta ThreatInsight settings section and click Edit.
- Add the previously created network zone under the Exempt Zones section.
- Click Save.
NOTE:
- After adding the IP address to the exempt zone, it may take up to 40 minutes for it to replicate in Okta. However, it typically takes only 5 to 10 minutes.
- Okta ThreatInsight is a separate feature from the user behavior profile. Resetting a user behavior profile does not clear the blocked IP address in Okta ThreatInsight.
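Before adding an address to an exempt zone, it helps to confirm from the System Log which IPs ThreatInsight flagged and that each one belongs to a network you control. The following is an added example, not Okta's own code: the sample events are constructed, `TRUSTED_EGRESS` is a hypothetical list of your organization's egress ranges, and the event fields (`client.ipAddress`) and zone body are assumed to follow the System Log and Zones API shapes.

```python
import ipaddress
import json

# Constructed sample shaped like System Log API results; documentation-range IPs.
SAMPLE_LOG = json.loads("""[
 {"eventType": "security.threat.detected",
  "displayMessage": "Request from suspicious actor",
  "client": {"ipAddress": "203.0.113.10"}},
 {"eventType": "security.threat.detected",
  "displayMessage": "Request from suspicious actor",
  "client": {"ipAddress": "203.0.113.10"}},
 {"eventType": "security.threat.detected",
  "displayMessage": "Request from suspicious actor",
  "client": {"ipAddress": "198.51.100.77"}},
 {"eventType": "user.session.start",
  "displayMessage": "User login to Okta",
  "client": {"ipAddress": "203.0.113.10"}}
]""")

# Assumption: egress ranges your organization owns (hypothetical values).
TRUSTED_EGRESS = ["203.0.113.0/28"]

def blocked_ips(events):
    """Count security.threat.detected events per source IP."""
    counts = {}
    for ev in events:
        if ev.get("eventType") != "security.threat.detected":
            continue
        ip = (ev.get("client") or {}).get("ipAddress")
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def split_candidates(counts, trusted):
    """Separate flagged IPs inside trusted ranges from ones needing review."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    exempt, review = [], []
    for ip in sorted(counts):
        addr = ipaddress.ip_address(ip)
        (exempt if any(addr in n for n in nets) else review).append(ip)
    return exempt, review

def zone_payload(name, ips):
    """Build an IP zone body (assumed Zones API shape) with one CIDR per host."""
    gateways = [{"type": "CIDR",
                 "value": f"{ip}/{ipaddress.ip_address(ip).max_prefixlen}"}
                for ip in ips]
    return {"type": "IP", "name": name, "status": "ACTIVE", "gateways": gateways}
```

Only the addresses returned in the first list of `split_candidates` are candidates for the exempt zone; the second list holds flagged addresses outside your own ranges, which should stay subject to ThreatInsight.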
