
ctbyj (ctbyj) asked a question.
in the okta system logs there is a data value that relates to "threatsuspected" i want to have an an alert triggered if this condition is "true". we do not have the supscription with threatinsights (yet) so can i count on this to actually trigger on anything if any threatsuspected signin activity happens?

ThreatInsight will log and, optionally (once you enable it), block connections that originate from suspicious IP addresses. And if ThreatInsight blocks a connection, the user never even gets to your login page, instead they immediately got a 403 error page. In Okta, there's no alert, it just blocks and logs the connection attempt.
Unless you're using a SIEM to pull and filter your Okta system logs, I'm not sure how you would create an alert every time a threat is detected. Or even if you would want to, because there's bound to be a lot of them, depending on your business and the apps you use.
I can tell you that we have ThreatInsight blocking enabled, and over the month of December, ThreatInsight blocked somewhere in the neighborhood of 150,000 attempted connections to our org. 99% of those were bad actors targeting our O365 tenant, not our Okta org directly.
I created a custom query/report in Okta to easily review those connection attempts that were blocked:
eventType sw "security.threat" and outcome.result eq "DENY"
Also, in all the time we've had ThreatInsight enabled and blocking, I've received zero complaints from my end users, so no false positives.