
YuiT.38950 (Customer) asked a question.
Hi,
I have a question regarding how ThreatInsight behaves after resolving a block.
A user in our organization was blocked by Okta ThreatInsight with the category "Request from suspicious actor". The root cause was multiple failed login attempts due to the user entering an incorrect password repeatedly. I have already confirmed that the activity was performed by the legitimate user.
To allow the user to log in, I temporarily added the user's IP address to a Network Zone. After doing so, the user was able to authenticate successfully.
My question is:
- Is it safe to remove the IP address from the Network Zone after the user has logged in successfully?
Or
- Will ThreatInsight immediately block the same IP again once it is removed from the zone?
I would appreciate any guidance or best practices for handling this situation.
Thank you!

Hi @YuiT.38950 (Customer), Thank you for reaching out to the Okta Community!
I could not find any documented confirmation on this specific use case and I would not want to make any assumption with regard to the back-end functionality of the ThreatInsight feature that would lead to a negative user experience.
I recommend opening a case to discuss the matter, as they can engage the internal team for confirmation if needed.
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.