The Alerts page in Identity Threat Detection & Response (ITDR) is where your team triages, investigates, and responds to identity-based threats detected across your connected identity sources. Alerts are generated in real time when ITDR detects suspicious activity that matches known attack patterns.
If you have Managed Detection and Response (MDR), our analysts review your ITDR alerts for you. They’ll create a case on the Managed Services > Cases page to communicate with you. Cases allow analysts to provide insights, take action, or suggest steps. To let MDR analysts act on your behalf, see Configure Identity Threat Detection and Response.
Alert List
The Alerts page displays a list of all identity threat detections. Each alert entry includes:
| Column | Description |
|---|---|
| Action performed by | Admin who took action on the alert. |
| Attack technique | MITRE ATT&CK technique. For more information, see MITRE ATT&CK. |
| Category | The attack type, such as impossible travel or login off work hours. |
| Detection type | The specific detection that fired, such as login from malicious IP or Kerberoasting. |
| ID Source | Affected identity provider of the victim identity. |
| Identity | The affected user. |
| ITDR ID | An identifying number for the ITDR alert. |
| Outcome | Outcome of the attempted action (Allowed, Challenged, Blocked, Failed, or Abandoned). Populated only for certain Okta alerts, specifically authentication and behavioral events such as impossible travel, geo-location, and multi-factor authentication detections. An Allowed outcome means the attempt succeeded and needs faster follow-up than a Blocked one. |
| Resolution | The response action applied to the related alert. |
| Severity | Critical, high, medium, or low. Resolve critical alerts immediately. |
| Status | Investigation status of the alert. New indicates it hasn't been reviewed by an admin or analyst yet. |
| Timestamp | Time of the alert, displayed in your local time zone. |
Alert Detail View
Click any alert to open the detail panel. The alert detail view includes:
- Location: Displays on a map where recent login attempts have taken place.
- Affected Identity Details: Information about the user, their user type, and risk indicators that triggered this alert.
- Event Timeline: A chronological log of the identity events that contributed to the alert.
Response Actions
Click the Actions button in the top-left to respond to the alert or to contain the affected identity:
| Action | Description |
|---|---|
| Disable user | Suspends access to the account. The user cannot sign in until the account is re-enabled through your IdP. The user is removed from the ITDR pages and cannot be re-enabled through OneView. Add a note so other admins understand why you disabled the user. |
| Enforce 2FA | Forces the user to set up two-factor authentication (2FA) at their next login. We recommend enforcing 2FA for all users. |
| Terminate sessions | Terminates all active sessions for the account and requires the user to sign in again on each device. Use this after resetting the password: a password change does not by itself end sessions that are already authenticated, so terminating sessions is what actually locks a malicious actor out of the account. |
| Force change password | Forces the user to set a new password the next time they sign in. |
| Remove user from the group (Entra) | Removes the user from the selected Entra group, revoking the access and permissions granted by that group. If a malicious actor has taken over a privileged account, remove the user from the group that grants the privileged access to revoke those permissions. |
| Mark as false positive | Flag an alert as incorrectly identified so the system can learn and improve future detections. |
| Export to .csv | Export the data in the selected rows to a CSV file. |
| Export to .xlsx | Export the data in the selected rows to an XLSX file. |
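The columns in the Alert List and the CSV export above are enough to build a triage queue outside the console. The following is an added example (not code from the ITDR product or its vendor) that reads an exported alert CSV and orders the unreviewed alerts by severity, then by outcome, then by time. The sample export is constructed for this example with the documented column names; the Reviewed and Resolved status values, the Active Directory source and all identities and timestamps are assumptions, since the page only defines the New status and names Okta and Entra as sources.

```python
import csv
import io
from datetime import datetime

# Constructed sample export using the column names documented on the Alerts page.
# Status values other than "New", the "Active Directory" source, and every identity
# and timestamp are made up for this example.
SAMPLE_EXPORT = """\
ITDR ID,Timestamp,Severity,Status,Category,Detection type,Identity,ID Source,Outcome,Resolution
1001,2024-05-01 08:15,High,New,Impossible travel,Impossible travel,alice@example.com,Okta,Allowed,
1002,2024-05-01 08:20,Critical,New,Kerberoasting,Kerberoasting,svc-backup@example.com,Active Directory,,
1003,2024-05-01 09:02,Medium,Reviewed,Login off work hours,Login off work hours,bob@example.com,Entra,Challenged,
1004,2024-05-01 09:30,Critical,Resolved,Malicious IP,Login from malicious IP,carol@example.com,Okta,Blocked,Terminate sessions
1005,2024-05-01 10:11,Low,New,Login off work hours,Login off work hours,dave@example.com,Entra,Allowed,
1006,2024-05-01 08:10,High,New,Malicious IP,Login from malicious IP,erin@example.com,Okta,Blocked,
"""

# Severity values as documented; lower rank means more urgent.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Outcome values as documented for Okta alerts. An empty Outcome (alerts from
# other sources, or detections that carry no outcome) is ranked like Allowed:
# assume the action succeeded until the event timeline shows otherwise.
OUTCOME_RANK = {"Allowed": 0, "": 0, "Challenged": 1, "Failed": 2, "Abandoned": 2, "Blocked": 3}


def parse_export(csv_text):
    """Parse the CSV export into one dict per alert, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def urgency_key(alert):
    """Sort key: severity first, then whether the attempt got through, then age."""
    sev = SEVERITY_RANK.get(alert["Severity"], len(SEVERITY_RANK))
    out = OUTCOME_RANK.get(alert["Outcome"].strip(), 0)
    ts = datetime.strptime(alert["Timestamp"], "%Y-%m-%d %H:%M")
    return (sev, out, ts)


def triage_queue(csv_text):
    """Return only the alerts nobody has reviewed yet (Status == New), most urgent first."""
    unreviewed = [a for a in parse_export(csv_text) if a["Status"] == "New"]
    return sorted(unreviewed, key=urgency_key)


def queue_ids(csv_text):
    """ITDR IDs in triage order, convenient for checking or feeding a ticketing system."""
    return [a["ITDR ID"] for a in triage_queue(csv_text)]


def critical_unreviewed(csv_text):
    """ITDR IDs of New alerts with Critical severity: the page says resolve these immediately."""
    return [a["ITDR ID"] for a in triage_queue(csv_text) if a["Severity"] == "Critical"]


if __name__ == "__main__":
    for a in triage_queue(SAMPLE_EXPORT):
        print(a["ITDR ID"], a["Severity"], a["Outcome"] or "n/a",
              a["Detection type"], a["Identity"], a["ID Source"])
```

Within the same severity, an alert whose Outcome is Allowed is placed ahead of an older one that was Blocked, because the attacker actually got in and the containment actions (force change password, then terminate sessions) are what matter; an already Reviewed or Resolved alert never enters the queue.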