What does the threatSuspected field mean?

In the Okta logs, there is a threatSuspected field under debugData. I can’t find documentation on this anywhere. What does it mean? How is it related to ThreatInsights?

    "debugContext": {
        "debugData": {
            "requestId": "YHO-B59m0@QlL9xQyRnYOQAAAdo",
            "requestUri": "/api/v1/authn",
            "threatSuspected": "false",
            "url": "/api/v1/authn?"
        }
    }

I believe it indicates whether Okta thinks the login attempt was part of a password spray attack or if the request came from a suspicious IP address, which is part of ThreatInsights.

Do you know which one of those two it is? Or do you know how to find out for sure?

The details on what type of threat are already tracked in another field: outcome.reason

I just used those as examples. If ThreatInsights suspects the request to be a threat, then threatSuspected will be true. Otherwise, it will be false.

Well sure, that much can be determined from the name! Does true mean that the request would have been blocked if ThreatInsights was in blocking mode?

From what I understand, even if threatSuspected=true the request may not be blocked. Maybe an example of this could be the user logs in from a new IP address and they enter the wrong credentials. If they keep entering the wrong password, then the request could be blocked once it reaches a certain threshold. For requests that are blocked, you would see the event security.threat.detected.

Huh, well it sounds like threatSuspected really isn’t very useful then 🙂

I reached out to Okta support for more clarification, and this is what they said:

threatSuspected == true means that the event has met enough criteria to be considered a threat and the IP address either is already on the Okta database denylist, or it will be added within 24 hours

threatSuspected == false means that either the IP is not on the Okta database denylist or the IP is on the Okta database denylist but it will be removed within 24 hours
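As an added example (not from the thread, Okta support, or Okta's own tooling), here is a small Python script that reads a System Log export and separates requests that merely carry threatSuspected "true" from those that were actually blocked (the security.threat.detected event mentioned above), keyed by source IP. The sample events, the outcome.reason value on the block event, and the exact JSON shape are constructed assumptions; note that the flag is a JSON string, so a naive truthiness check would treat "false" as flagged.

```python
import json
from collections import defaultdict

# Constructed sample of Okta System Log events (not real data, trimmed to the
# fields the thread discusses). threatSuspected is a JSON *string*; a request
# that was actually blocked shows up as a separate security.threat.detected event.
SAMPLE_LOG = json.dumps([
    {"eventType": "user.session.start", "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"requestUri": "/api/v1/authn", "threatSuspected": "false"}}},
    {"eventType": "user.session.start", "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"requestUri": "/api/v1/authn", "threatSuspected": "true"}}},
    {"eventType": "security.threat.detected", "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "DENY", "reason": "CONSTRUCTED_SPRAY_REASON"},  # made-up reason
     "debugContext": {"debugData": {"threatSuspected": "true"}}},
    {"eventType": "user.session.start", "client": {"ipAddress": "192.0.2.55"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"requestUri": "/api/v1/authn", "threatSuspected": "true"}}},
])

def load_events(text):
    """Parse a System Log export given as a JSON array or newline-delimited JSON."""
    text = text.strip()
    return json.loads(text) if text.startswith("[") else [
        json.loads(line) for line in text.splitlines() if line.strip()]

def threat_suspected(event):
    """True only for the literal string "true"; bool("false") would wrongly be True."""
    flag = event.get("debugContext", {}).get("debugData", {}).get("threatSuspected")
    return str(flag).lower() == "true"

def summarize_by_ip(events):
    """Per source IP: requests ThreatInsight flagged vs. requests it actually blocked."""
    stats = defaultdict(lambda: {"suspected": 0, "blocked": 0, "reasons": set()})
    for ev in events:
        ip = ev.get("client", {}).get("ipAddress", "unknown")
        if threat_suspected(ev):
            stats[ip]["suspected"] += 1
        if ev.get("eventType") == "security.threat.detected":
            stats[ip]["blocked"] += 1
            reason = (ev.get("outcome") or {}).get("reason")  # outcome.reason names the threat type
            if reason:
                stats[ip]["reasons"].add(reason)
    return dict(stats)

def suspected_but_not_blocked(events):
    """IPs flagged as suspected (denylist candidates) that produced no block event."""
    return sorted(ip for ip, s in summarize_by_ip(events).items()
                  if s["suspected"] and not s["blocked"])
```

Feed `load_events()` a real export to get the same per-IP split; the "suspected but not blocked" list is the set of sources worth reviewing before ThreatInsight is switched to blocking mode.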
