<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y0000AOgClnSQFOkta Classic EngineAdministrationAnswered2026-04-01T09:00:20.000Z2021-02-03T12:35:17.000Z2021-02-05T16:31:51.000Z

ctbyj (ctbyj) asked a question.

theatsuspected flag trigger condition

in the okta system logs there is a data value that relates to "threatsuspected" i want to have an an alert triggered if this condition is "true". we do not have the supscription with threatinsights (yet) so can i count on this to actually trigger on anything if any threatsuspected signin activity happens?


  • k5fuw (k5fuw)

    ThreatInsight will log and, optionally (once you enable it), block connections that originate from suspicious IP addresses. And if ThreatInsight blocks a connection, the user never even gets to your login page, instead they immediately got a 403 error page. In Okta, there's no alert, it just blocks and logs the connection attempt.

     

    Unless you're using a SIEM to pull and filter your Okta system logs, I'm not sure how you would create an alert every time a threat is detected. Or even if you would want to, because there's bound to be a lot of them, depending on your business and the apps you use.

     

    I can tell you that we have ThreatInsight blocking enabled, and over the month of December, ThreatInsight blocked somewhere in the neighborhood of 150,000 attempted connections to our org. 99% of those were bad actors targeting our O365 tenant, not our Okta org directly.

     

    I created a custom query/report in Okta to easily review those connection attempts that were blocked:

     

    eventType sw "security.threat" and outcome.result eq "DENY"

     

    Also, in all the time we've had ThreatInsight enabled and blocking, I've received zero complaints from my end users, so no false positives.

    Expand Post
This question is closed.
Loading
theatsuspected flag trigger condition