In the Okta logs, there is a threatSuspected field under debugData. I can’t find documentation on this anywhere. What does it mean? How is it related to ThreatInsights?
Example:
I believe it indicates whether Okta thinks the login attempt was part of a password spray attack or if the request came from a suspicious IP address, which is part of ThreatInsights.
From what I understand, even if threatSuspected=true the request may not be blocked. Maybe an example of this could be the user logs in from a new IP address and they enter the wrong credentials. If they keep entering the wrong password, then the request could be blocked once it reaches a certain threshold. For requests that are blocked, you would see the event security.threat.detected.
I reached out to Okta support for more clarification, and this is what they said:
threatSuspected == true means that the event has met enough criteria to be considered a threat and the IP address either is already on the Okta database denylist, or it will be added within 24 hours
threatSuspected == false means that either the IP is not on the Okta database denylist or the IP is on the Okta database denylist but it will be removed within 24 hours
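A small triage script, added here as an illustration and not part of either answer above, that puts the two answers together: it reads Okta System Log events, reads debugContext.debugData.threatSuspected, and separates the events that were actually blocked (eventType security.threat.detected) from the ones that were only flagged and still went through, including the case worth alerting on, a flagged IP that produced a successful login. The sample events are constructed for this example; the field layout follows the System Log schema as I know it, and the script assumes debugData serializes threatSuspected as the string "true"/"false" (it also accepts a boolean, in case that assumption is wrong).

```python
import json
from collections import Counter

# Constructed Okta System Log events for this example (not real logs).
# The layout (eventType, outcome.result, actor.alternateId,
# client.ipAddress, debugContext.debugData.threatSuspected) follows the
# System Log schema; every value below is invented.
SAMPLE_EVENTS_JSON = """
[
  {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
   "actor": {"alternateId": "alice@example.com"},
   "client": {"ipAddress": "203.0.113.10"},
   "debugContext": {"debugData": {"threatSuspected": "true"}}},
  {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
   "actor": {"alternateId": "bob@example.com"},
   "client": {"ipAddress": "203.0.113.10"},
   "debugContext": {"debugData": {"threatSuspected": "true"}}},
  {"eventType": "security.threat.detected", "outcome": {"result": "FAILURE"},
   "actor": {"alternateId": "alice@example.com"},
   "client": {"ipAddress": "203.0.113.10"},
   "debugContext": {"debugData": {"threatSuspected": "true"}}},
  {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
   "actor": {"alternateId": "carol@example.com"},
   "client": {"ipAddress": "198.51.100.7"},
   "debugContext": {"debugData": {"threatSuspected": "false"}}},
  {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
   "actor": {"alternateId": "dave@example.com"},
   "client": {"ipAddress": "192.0.2.5"},
   "debugContext": {"debugData": {"threatSuspected": "true"}}}
]
"""

BLOCKED_EVENT_TYPE = "security.threat.detected"  # emitted when Okta blocks the request


def load_events(raw_json):
    """Parse a JSON array of System Log events (as returned by the logs API)."""
    return json.loads(raw_json)


def threat_suspected(event):
    """True if debugContext.debugData.threatSuspected is set on this event.

    Assumption: debugData values arrive as strings ("true"/"false"); a real
    boolean is accepted too. A missing field counts as not suspected.
    """
    value = event.get("debugContext", {}).get("debugData", {}).get("threatSuspected")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def triage(events):
    """Bucket events by what Okta did with them and count flagged events per IP.

    blocked           -> security.threat.detected (request was denied)
    suspected_success -> flagged IP, but the login still succeeded
    suspected_failed  -> flagged IP, failed login that was not (yet) blocked
    clean             -> not flagged
    """
    buckets = {"blocked": [], "suspected_success": [], "suspected_failed": [], "clean": []}
    suspected_by_ip = Counter()
    for ev in events:
        ip = ev.get("client", {}).get("ipAddress", "unknown")
        actor = ev.get("actor", {}).get("alternateId", "unknown")
        suspected = threat_suspected(ev)
        if suspected:
            suspected_by_ip[ip] += 1
        if ev.get("eventType") == BLOCKED_EVENT_TYPE:
            buckets["blocked"].append((ip, actor))
        elif suspected and ev.get("outcome", {}).get("result") == "SUCCESS":
            buckets["suspected_success"].append((ip, actor))
        elif suspected:
            buckets["suspected_failed"].append((ip, actor))
        else:
            buckets["clean"].append((ip, actor))
    return buckets, suspected_by_ip


def summarize(raw_json=SAMPLE_EVENTS_JSON):
    """Counts per bucket plus the number of flagged events seen from each IP."""
    buckets, suspected_by_ip = triage(load_events(raw_json))
    summary = {name: len(items) for name, items in buckets.items()}
    summary["suspected_by_ip"] = dict(suspected_by_ip)
    return summary


if __name__ == "__main__":
    buckets, _ = triage(load_events(SAMPLE_EVENTS_JSON))
    for name, items in buckets.items():
        print(f"{name:18s} {items}")
    print(summarize())
```

On the constructed sample this yields one blocked event, two flagged-but-not-blocked failures from the same IP, one flagged successful login and one clean event. The suspected_success bucket is the one to route to an analyst: per the support reply above, threatSuspected means the IP met Okta's threat criteria, so a successful login from it deserves a look even though nothing was blocked.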