<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Why Do System Logs Show Request from Suspicious Actor Events Being Allowed
Sep 2, 2025
Okta Identity Engine
Okta Classic Engine
Administration
Overview

After Okta ThreatInsight identifies an IP as suspicious, it records the IP in the logs and shows the result as "Allow".

Event in System Logs 

Applies To
  • Okta ThreatInsight 
Cause

In the Okta ThreatInsight settings, the option to “Log authentication attempts from malicious IPs” is selected.

 

Solution

This is expected behavior when ThreatInsight is configured to Log authentication attempts from malicious IPs, but this does not mean an unwanted connection attempt was accepted. To have the suspicious IP blocked, choose the Log and enforce security based on threat level option in the ThreatInsight settings. Those settings can be found in the Admin dashboard under Security > General > Okta ThreatInsight Settings.
 

Related References

Recommended content

Still looking for help?
Loading
Why Do System Logs Show Request from Suspicious Actor Events Being Allowed