Okta ThreatInsight is designed to detect and block high-volume credential-based attacks (password spraying, credential stuffing, and similar brute-force attacks) directed at Okta endpoints. This knowledge article aims to point customers to the technical brief describing how to get the most out of Okta ThreatInsight.
- Okta ThreatInsight
Configuring ThreatInsight
The degree to which ThreatInsight requires configuration depends largely on customer requirements.
If all users of an org authenticate directly to the Okta tenant, administrators can toggle ThreatInsight on with confidence (see Basic Configuration below).
This paper provides additional advice for customers with more complex authentication flows, such as customers who use:
- Third-party security network providers that intercept access requests between an originating client and Okta, or
- Externally-hosted resources such as Content Delivery Networks, or self-hosted sign-in widgets, or
- Trusted applications that process authentication requests en route to Okta.
Detailed advice for these scenarios is provided under Advanced Configuration.
As the related reference documentation notes, ThreatInsight is a baseline security capability available to every Okta customer, designed to detect and mitigate large-scale attacks on an Okta org (organization).
When a request comes in from a globally blocklisted IP, ThreatInsight drops the connection immediately. ThreatInsight is designed to detect malicious activity prior to authentication, so the details of the block recorded in the System Log look similar to those of a network zone block. Because the transaction is terminated before the system can read the username, no username is ever recorded, and therefore no correlation can be made to specific user accounts for these particular blocked events.
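The following added example (not code from the article or from Okta) shows how a defender can triage exported System Log lines with the behaviour described above in mind: ThreatInsight blocks are counted per source IP only, because they carry no username, while ordinary failed logins keep their user. It also flags ThreatInsight blocks whose source IP belongs to a known intermediary, the proxy/CDN scenario the article says needs advanced configuration. The event type name `security.threat.detected`, the trusted-intermediary list and all log lines are assumptions or constructed sample data.

```python
import json
from collections import Counter

# Event type assumed for ThreatInsight detections in the Okta System Log (the
# article itself does not name it). Field layout follows the System Log JSON schema.
THREATINSIGHT_EVENT = "security.threat.detected"
NO_USER = {None, "", "unknown"}

# Constructed sample log lines (not real log data). ThreatInsight denies carry no
# usable actor because the connection is dropped before the username is read.
SAMPLE_LOG = """
{"eventType": "security.threat.detected", "actor": {"alternateId": "unknown"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "DENY"}}
{"eventType": "security.threat.detected", "actor": {"alternateId": "unknown"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "DENY"}}
{"eventType": "security.threat.detected", "actor": {"alternateId": "unknown"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "DENY"}}
{"eventType": "security.threat.detected", "actor": {"alternateId": "unknown"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "DENY"}}
{"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.5"}, "outcome": {"result": "FAILURE"}}
{"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "192.0.2.6"}, "outcome": {"result": "SUCCESS"}}
"""


def triage(raw_lines, trusted_intermediaries=frozenset()):
    """Separate ThreatInsight pre-auth blocks from ordinary failed or denied logins.

    Returns a dict with:
      ti_by_ip    - Counter of ThreatInsight blocks per source IP (no user data exists)
      user_denies - (ip, username) pairs for non-success events that did carry a user
      proxy_hits  - source IPs of ThreatInsight blocks that belong to a trusted
                    intermediary; a hit means every user behind that proxy was blocked
    """
    ti_by_ip, user_denies, proxy_hits = Counter(), [], []
    for line in raw_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("outcome", {}).get("result") == "SUCCESS":
            continue
        ip = ev.get("client", {}).get("ipAddress")
        user = ev.get("actor", {}).get("alternateId")
        if ev.get("eventType") == THREATINSIGHT_EVENT:
            ti_by_ip[ip] += 1  # no username to correlate; IP is the only key
            if ip in trusted_intermediaries:
                proxy_hits.append(ip)
        elif user not in NO_USER:
            user_denies.append((ip, user))
    return {"ti_by_ip": ti_by_ip, "user_denies": user_denies, "proxy_hits": proxy_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), trusted_intermediaries={"203.0.113.10"})
    for ip, n in result["ti_by_ip"].most_common():
        print(f"ThreatInsight blocked {ip} {n} time(s); no username available")
    for ip in result["proxy_hits"]:
        print(f"WARNING: {ip} is a trusted intermediary; users behind it were blocked")
    for ip, user in result["user_denies"]:
        print(f"Failed login for {user} from {ip}")
```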
