Okta Classic Engine | Administration | Answered | 2020-11-12T16:00:37Z | 2020-12-24T20:52:01Z | 2023-07-26T18:55:51Z
Has anyone else noticed a drastic decrease in ThreatInsight events?

We've been tracking the number of reported ThreatInsight events in our org for the past few months for a security dashboard. We've noticed that the number of reported events has dropped off dramatically, from around 3,000/month in June, July, and August of 2020 to just 600 in September, and then 6 in October. I put in a ticket with Okta, and they say nothing has changed in the algorithm, but this seems like too big of a change to be normal variation.


Has anyone else noticed a drop off in the past few months?


  • Thank you for reaching out to us, Matt! This is Cezar with Okta support and I can provide some info in regards to your query.


    Okta does use threat information gathered from all of the tenants based on a blacklist. It is a sensitive topic and we cannot post the exact formulas or criteria in our documentation as this can create loopholes that could be exploited. At a high level, ThreatInsight looks at:

    - Login behavior: high number of failed consecutive logins in a small timeframe

    - MFA behavior: high number of failed MFA requests in a small timeframe

    - User account lockouts: number of lockouts that the user had in the last 24 hours.

    - Impossible travel: User logs in multiple times from different locations

    - Blacklisted IPs

    - Users that are accessing Okta via IPs that are seen as malicious by our third party IP Reputation providers. When Okta sees a large-scale identity attack coming from a common IP address or set of IP addresses based on varying criteria, those IP addresses are then added to the ThreatInsight pool.

     While Okta does pool the Suspicious IPs from the entire customer base, the Password Spray events should be specific to your tenant, meaning that Okta should log and block login attempts that are coming from the detected suspicious IP(s) and hitting your tenant directly.

     As for Password Spray events, Okta detects events based on a set of specific criteria that involves the percentage of failed login attempts over a specific period of time against the same IP or set of IPs, and more. However, since the rules and percentage or time values may be subject to change over time, the exact threshold may be changed in the future.


    As a summary, the ThreatInsight system is ever evolving and if the number of suspicious actors increased at one point in time, it's expected that the number will decrease in the future as any past classified suspicious logins would get automatically blocked by the system.


    If you do require further assistance with us, please let us know via a case.

    Selected as Best
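The answer above lists the signals ThreatInsight weighs (bursts of failed logins, failed MFA, lockouts, reputation-listed IPs) and notes that password-spray detection is tenant-specific. The following is an added example, not code from Okta or from this thread: it computes the OP's dashboard metric (ThreatInsight detections per month) from System Log events and runs a tenant-side password-spray heuristic over failed logins so you have a second signal to compare against when the ThreatInsight count moves. The event shape is modelled on Okta System Log fields (`eventType`, `outcome.result`, `client.ipAddress`, `actor.alternateId`, `published`); the sample events are constructed, and the window and user-count thresholds are assumptions, since Okta does not publish its own.

```python
"""Added example (not Okta's code): monthly ThreatInsight counts plus a local
password-spray heuristic over Okta System Log style events.

Field names follow the Okta System Log (eventType, outcome.result,
client.ipAddress, actor.alternateId, published); the events below are
constructed sample data. Thresholds (10-minute window, 5 distinct users)
are assumptions for illustration, not Okta's internal values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

THREAT_EVENT = "security.threat.detected"   # ThreatInsight detection event type
LOGIN_EVENT = "user.session.start"          # primary authentication attempt


def _threat(ts: str, ip: str) -> dict:
    """Constructed ThreatInsight detection record."""
    return {"eventType": THREAT_EVENT, "published": ts,
            "client": {"ipAddress": ip}, "actor": {"alternateId": "unknown"}}


def _login(ts: str, ip: str, user: str, result: str) -> dict:
    """Constructed primary-auth record; result is SUCCESS or FAILURE."""
    return {"eventType": LOGIN_EVENT, "published": ts,
            "outcome": {"result": result}, "client": {"ipAddress": ip},
            "actor": {"alternateId": user}}


# Constructed sample log: three ThreatInsight hits (two in September, one in
# October), one spray-shaped burst (one IP, five users, 90 seconds), one
# success from that IP, and one user failing repeatedly from their own IP.
SAMPLE_EVENTS: List[dict] = [
    _threat("2020-09-03T10:00:00.000Z", "203.0.113.7"),
    _threat("2020-09-17T12:30:00.000Z", "203.0.113.9"),
    _threat("2020-10-21T08:15:00.000Z", "198.51.100.4"),
    _login("2020-10-05T09:00:00.000Z", "203.0.113.50", "alice@example.com", "FAILURE"),
    _login("2020-10-05T09:00:20.000Z", "203.0.113.50", "bob@example.com", "FAILURE"),
    _login("2020-10-05T09:00:40.000Z", "203.0.113.50", "carol@example.com", "FAILURE"),
    _login("2020-10-05T09:01:05.000Z", "203.0.113.50", "dave@example.com", "FAILURE"),
    _login("2020-10-05T09:01:30.000Z", "203.0.113.50", "erin@example.com", "FAILURE"),
    _login("2020-10-05T09:02:00.000Z", "203.0.113.50", "frank@example.com", "SUCCESS"),
] + [
    # Same user, same IP, six failures in six minutes: noisy, but not a spray.
    _login(f"2020-10-06T14:0{i}:00.000Z", "192.0.2.10", "frank@example.com", "FAILURE")
    for i in range(6)
]


def parse_ts(published: str) -> datetime:
    """Parse the System Log ISO-8601 timestamp with millisecond precision."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")


def threatinsight_per_month(events: List[dict]) -> Dict[str, int]:
    """Count ThreatInsight detections per calendar month ('YYYY-MM')."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["eventType"] == THREAT_EVENT:
            counts[e["published"][:7]] += 1
    return dict(counts)


def failed_logins(events: List[dict]) -> List[dict]:
    """Primary-auth events whose outcome was FAILURE."""
    return [e for e in events
            if e["eventType"] == LOGIN_EVENT and e["outcome"]["result"] == "FAILURE"]


def detect_password_spray(events: List[dict],
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5) -> Dict[str, int]:
    """Flag source IPs whose failed logins hit >= min_users distinct accounts
    inside any sliding window of `window` length. Returns {ip: peak users}.
    Many failures against ONE account are lockout/brute-force noise, not spray,
    so distinct users is the key, not raw failure count."""
    by_ip: Dict[str, list] = defaultdict(list)
    for e in failed_logins(events):
        by_ip[e["client"]["ipAddress"]].append(
            (parse_ts(e["published"]), e["actor"]["alternateId"]))
    flagged: Dict[str, int] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("ThreatInsight per month:", threatinsight_per_month(SAMPLE_EVENTS))
    print("Spray-shaped sources:", detect_password_spray(SAMPLE_EVENTS))
```

Feeding real System Log output (for example the JSON from the `/api/v1/logs` endpoint, filtered on `eventType`) into these two functions gives a month-over-month ThreatInsight series alongside a locally computed spray indicator; if the first collapses while the second stays flat or rises, the drop is worth a second look rather than being attributed to fewer attacks.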
This question is closed.