When Okta ThreatInsight flags an IP address as suspicious and blocks it, an error occurs during sign-in. Validate blocked login attempts by searching the System Log for specific events and IP addresses. When attempting to sign in to Okta, the following error occurs:
You do not have permission to perform the requested action.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Org-level login
- Single Sign-On (SSO)
- ThreatInsight
If ThreatInsight is enabled in the Admin Console with the "Log and enforce security based on threat level" setting selected under Security > General > Okta ThreatInsight settings, Okta flags the user's IP address as suspicious and blocks it.
How are blocked login attempts validated?
Validate blocked login attempts by navigating to the System Log, searching for recent login activity, investigating associated sign-on policies, and querying specific client IP addresses for detected threats.
- Navigate to the Okta System Log under Reports > System Log.
- Search for any recent login activity associated with the impacted user.
- If the System Log displays associated events indicating an "Evaluation of sign-on policy DENY", expand the event and investigate the associated Sign-on Policy to ascertain why the policy denies the login attempt. If the System Log does not display these events, proceed to the subsequent steps.
- Document the client IP addresses associated with the recent login activity and any consistent login failures.
NOTE: If there is a lot of user activity, download the System Log to a Comma-Separated Values (CSV) file and filter by the IP address.
- Create a new System Log search using the following query for each IP address:
actor.id eq "<ip_address>" and eventType eq "security.threat.detected" and outcome.result eq "DENY"
If the search returns any Suspicious Activity events, Okta temporarily blocked at least one of the IP addresses.
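The same triage can be run offline over exported events. The following is an added example, not Okta's code: it walks the steps above for one user and builds the query for each documented IP address. It assumes events exported as JSON with the System Log API field names; the sample events, user, and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample events (assumed shape: System Log API field names).
SAMPLE_EVENTS = [
    {"published": "2024-05-01T10:00:01Z", "eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "actor": {"id": "00u1example", "alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "FAILURE"}},
    {"published": "2024-05-01T10:00:00Z", "eventType": "security.threat.detected",
     "actor": {"id": "203.0.113.10", "alternateId": "unknown"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "DENY"}},
    {"published": "2024-05-01T09:00:00Z", "eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "actor": {"id": "00u1example", "alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}},
]

def threat_filter(ip):
    """Build the System Log query from the steps above for one IP address."""
    # Parsing first rejects anything that is not an IP, so no quote or
    # operator can be pasted into the search expression by accident.
    ip = str(ipaddress.ip_address(ip.strip()))
    return (f'actor.id eq "{ip}" and eventType eq "security.threat.detected" '
            'and outcome.result eq "DENY"')

def triage(events, user_login):
    """Return (sign-on policy DENY events, {ip: ThreatInsight DENY events})."""
    user_events = [e for e in events if e["actor"].get("alternateId") == user_login]
    # Step 3: a sign-on policy DENY points at the policy, not at ThreatInsight.
    policy_denies = [e for e in user_events
                     if e.get("displayMessage") == "Evaluation of sign-on policy"
                     and e["outcome"]["result"] == "DENY"]
    # Step 4: document every client IP seen in the user's login activity.
    client_ips = {e["client"]["ipAddress"] for e in user_events}
    # Step 5: in threat events the actor is the IP address itself.
    blocked = {}
    for ip in sorted(client_ips):
        hits = [e for e in events
                if e["eventType"] == "security.threat.detected"
                and e["actor"]["id"] == ip and e["outcome"]["result"] == "DENY"]
        if hits:
            blocked[ip] = hits
    return policy_denies, blocked

if __name__ == "__main__":
    denies, blocked = triage(SAMPLE_EVENTS, "jdoe@example.com")
    print("sign-on policy DENY events:", len(denies))
    for ip, hits in blocked.items():
        print(ip, "blocked", len(hits), "time(s); query:", threat_filter(ip))
```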
