User Risk Detections in System Log without Identity Threat Protection SKU
Okta Identity Engine
API Access Management
Overview

This article explains the conditions under which user.risk.detect events are displayed in the Okta System Log when Okta is configured as a Shared Signals Framework (SSF) receiver. It provides details regarding the required Identity Threat Protection (ITP) SKU and specific administrator exceptions for event visibility.

Applies To
  • Identity Threat Protection
  • Shared Signals Framework
  • Okta System Log
  • Adaptive Multi-Factor Authentication
  • Okta Identity Engine
Cause

When Okta acts as a Shared Signals Framework (SSF) receiver, security signals from third-party providers are ingested and reported as entity risk detections. However, visibility for these user.risk.detect events in the Okta System Log is generally restricted to organizations with an active Identity Threat Protection (ITP) SKU. Without this specific license, the system does not display these events for standard users, although an exception exists for the super admin role to ensure visibility for highly privileged accounts.

Solution
  • Verify the organization has the Identity Threat Protection (ITP) SKU enabled.

  • Ensure Okta is correctly configured as a Shared Signals Framework (SSF) receiver by following the steps in Configure an SSF receiver.

  • Sign in as a user with the super admin role to view user.risk.detect events if the ITP SKU is not present.
