MatthewH.10249 (State of Iowa) asked a question.
We have a few IPs being blocked by ThreatInsight because they have been identified as "Password Spray HIGH". In the following documentation it states... "However, if an IP address is suspected of malicious activity and the threat level detected is high, authentication requests from the IP address are blocked." My question is for how long?
https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight.htm
We have a couple of users that we have identified with those IPs and they have legit needs authenticate. Not sure if they personally are password spraying or exactly what is going on but we are trying to figure out if they are going to be permanently blocked or if ThreatInsight will revoke the block after some period of time.
Update: One of the users who's IP was blocked because of "Password Spray HIGH" events on 10/24-25 is working fine today. So it does appear the IP blocking is not permanent so now I would just like to know the amount of time it takes before an IP becomes unblocked.