Okta Identity Threat Protection

For SpyCloud Workforce Threat Protection

🛡️ Enterprise Protection for Okta Identity Threat Protection (ITP)

SpyCloud's integration with Okta Identity Threat Protection (ITP) enables organizations to automatically detect and respond to identity exposures in real time. Using the Shared Signals Framework (SSF), SpyCloud converts recaptured darknet identity data into actionable risk signals that Okta ITP ingests to update user risk levels, trigger adaptive authentication, and initiate automated remediations.

Together, SpyCloud + Okta ITP close the loop between identity threat detection and response — empowering enterprises to maintain continuous identity assurance aligned with Zero Trust principles.

⚠️ Requirement: A SpyCloud Workforce Threat Protection license is required to use this integration with Okta Identity Threat Protection.


🚀 Benefits

  • ⏱️ Real-Time Risk Response - Expand the capabilities of real-time risk assessment and response based on real data from active threats, like detecting exposed credentials before cybercriminals can exploit them.
  • 🛡️ Adaptive Protection - Implement real-time adaptive identity threat responses and automations via SSF, like universal session termination and automated SOC alerts. Configure policies and risk levels that align with your organization's security requirements.
  • 🤖 Automated Workflows - Customize workflows to step-down privileges or step-up authentication for proactive asset protection and filter out weak or irrelevant exposures to maintain signal quality.

💡 Bottom line: proactively protect workforce identities and corporate assets with automated, adaptive identity threat protection powered by SpyCloud's recaptured darknet data.


🛠️ How it works

The Okta ITP integration transforms SpyCloud recaptured darknet identity data into actionable risk classifications via SSF to proactively protect workforce identities and corporate assets.

  1. 📋 Collect – SpyCloud collects and enriches identity exposure data.
  2. 🔍 Evaluate – Exposure records are evaluated against configurable risk criteria.
  3. 📡 Signal – SpyCloud sends signed risk updates (JWT-based Security Event Tokens) to Okta ITP.
  4. 🦾 Automate – Okta consumes these signals, updates the user's risk level, and triggers policy-based automations.

📊 Data-to-Risk Conversion

Instead of pushing raw exposure data, SpyCloud translates each identity event into configurable risk levels that align with customer-configured policy thresholds. Risk levels per exposure type are configurable in SpyCloud Connect.

Exposure Type | Default Risk | Description
--- | --- | ---
⚠️ Third-party breach | Low | Employee credentials exposed in an external data breach.
🎣 Phishing exposure | Medium | Credentials harvested from an active phishing kit.
🪲 Malware / infostealer exposure | High | Credentials or session cookies captured by infostealer malware.
🚨 Malware exposure including Okta URL | Critical | Malware-infected devices contained Okta session data – immediate high risk.

🔎 Leveraging risk data in Okta ITP

Entity Risk Policy

The entity risk policy monitors your organization for changes in user entity risk related to identity-based threats. These threats include scenarios like residual session risk from session hijacking, brute-force attacks, or sign-ins from high-risk IP addresses.

Events are recorded in the System Log as user.risk.detect. You can configure multiple rules under a single entity risk policy. Rules can be configured to log activity only, sign users out of Okta and applications, or trigger Okta Workflows. Rules can be deactivated to evaluate configurations without generating System Log entries.

Workflows for Identity Threat Protection

When Identity Threat Protection identifies a risk that requires additional action, you can configure entity risk policies to trigger delegated workflows. Using Okta Workflows connectors, you can notify users or administrators, deactivate users, remove users from privileged groups, move users to restricted groups, quarantine devices, submit incident tickets, or call third-party APIs using custom API action cards. Different workflows can be triggered for different risk scenarios.

Universal Logout

Universal Logout allows you to terminate user sessions and revoke tokens for supported applications when Identity Threat Protection detects a change in risk. Universal Logout can be triggered automatically through entity risk or session protection policies, or manually by an administrator. It supports generic SAML and OpenID Connect applications.

Session Protection

Session protection is part of the ITP risk engine and continuously monitors active user sessions to detect potential session hijacking. It uses a session violation detection policy and a session violation enforcement policy to determine when session conditions change and whether those changes require action.

During an active session, ITP logs IP and device changes as user.session.context.change events. These events do not imply risk on their own. When a policy re-evaluation fails, a session violation is recorded as policy.auth_reevaluate.fail.

If session protection is in Monitoring mode, violations are logged but no action is taken. If session protection is in Enforced mode, users with session violations are logged out, prompted for MFA, and any additional configured actions such as app logout or workflows are executed.


🎛️ Noise Reduction Controls

Admins can fine-tune signal sensitivity to maintain a high signal-to-noise ratio:

  • Minimum password length threshold
  • Enable/disable detection types
  • Adjust risk levels per exposure type

🔁 Automated Risk Updates — Ongoing Runtime Flow

  1. Scheduled polling — SpyCloud queries its darknet database for new exposures against your configured domains on a recurring cadence.
  2. Match & classify — Matches to your watched domains are evaluated against enabled detection types and assigned to your configured risk levels.
  3. Noise reduction — A minimum password length filter drops weak or irrelevant hits before they are signaled.
  4. Signal packaging — Matched events are converted from JSON exposure data into JWT-based SETs per the SSF specification.
  5. Signal transmission — SpyCloud posts the SETs to your Okta SSF receiver endpoint.
  6. Risk ingestion — Okta ITP updates the user's entity risk level and logs the event in the System Log.
  7. Policy response — Your Okta ITP entity risk policy executes configured actions immediately: step-up authentication, session revocation, password reset, or Workflow triggers.

💡 Security teams can investigate exposure details directly in the Okta System Log, including exposed email, plaintext password presence, and Okta tenant URL (if captured by malware).
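The runtime flow above (match and classify an exposure against the enabled detection types and configured risk levels, drop hits below the minimum password length, package the result as a Security Event Token, and verify it on the receiving side) as an added, self-contained example; it is not SpyCloud's or Okta's code. The event-type URI, claim names, audience and signing key are assumptions, and HS256 is used only so the block runs with the standard library, whereas a real SSF transmitter signs with an asymmetric key whose public half is published at its JWKS URL.

```python
import base64, hashlib, hmac, json, time, uuid

# Default risk per exposure type, taken from the page's Data-to-Risk table.
DEFAULT_RISK = {"breach": "low", "phishing": "medium",
                "infostealer": "high", "infostealer_okta_url": "critical"}
# Assumed event-type URI (not from the page); use the one Okta's SSF receiver documents.
EVENT_TYPE = "https://example.invalid/secevent/event-type/user-risk-change"

def classify(exposure, enabled, min_password_len, risk_map=DEFAULT_RISK):
    """Match & classify one exposure record; None means it was filtered out."""
    if exposure["type"] not in enabled:            # detection type disabled
        return None
    pw = exposure.get("password")
    if pw is not None and len(pw) < min_password_len:   # noise reduction filter
        return None
    return risk_map[exposure["type"]]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_set(exposure, level, issuer, audience, key, now=None, jti=None):
    """Package a classified exposure as a signed SET (RFC 8417 layout). HS256 keeps it
    stdlib-only; a real transmitter signs asymmetrically and publishes its JWKS."""
    now = int(time.time()) if now is None else now
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    payload = {"iss": issuer, "aud": audience, "iat": now,
               "jti": jti or uuid.uuid4().hex,
               "events": {EVENT_TYPE: {
                   "subject": {"format": "email", "email": exposure["email"]},
                   "current_level": level,
                   "reason_admin": {"en": f"{exposure['type']} exposure reported"},
                   "event_timestamp": now}}}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_set(token, key, issuer, audience):
    """Receiver-side checks: signature, typ/alg, iss and aud. Returns the events map."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        raise ValueError("bad signature")
    pad = lambda x: x + "=" * (-len(x) % 4)
    header = json.loads(base64.urlsafe_b64decode(pad(h)))
    payload = json.loads(base64.urlsafe_b64decode(pad(p)))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("unexpected header")
    if payload["iss"] != issuer or payload["aud"] != audience:
        raise ValueError("issuer/audience mismatch")
    return payload["events"]
```

A filtered record (disabled type or short password) yields None and no SET is built; a token signed with a different key or carrying the wrong issuer or audience is rejected by verify_set.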


📋 Example Scenarios

Malware-Exposed Credentials

  • 🔍 Detection: SpyCloud identifies credentials exposed by malware containing the Okta tenant URL.
  • 📡 Signal: Risk = Critical
  • 🔁 Okta Action:
    • Elevate user entity risk to High
    • Revoke active sessions
    • Enforce password reset and step-up authentication

Third-Party Breach

  • 🔍 Detection: SpyCloud detects an employee's corporate password in an external breach.
  • 📡 Signal: Risk = Low
  • 🔁 Okta Action:
    • Notify user of exposure
    • Prompt password update at next login
    • Optional: Step-up MFA enforcement

Phishing Kit Exposure

  • 🔍 Detection: SpyCloud detects credentials stolen via an active phishing campaign.
  • 📡 Signal: Risk = Medium
  • 🔁 Okta Action:
    • Immediate MFA challenge
    • Revoke sessions from suspicious IPs
    • Log exposure for SOC review

Repeated Identity Exposures

  • 🔍 Detection: SpyCloud detects multiple exposures for a single identity within 60 days.
  • 📡 Signal: Risk = High
  • 🔁 Okta Action:
    • Elevate user entity risk to High
    • Enforce continuous MFA
    • Notify SOC via webhook

🧭 Getting Started

Requirements

  • SpyCloud Workforce Threat Protection
  • Domains loaded and verified in SpyCloud Watchlist
  • An Okta Identity Engine organization with ITP enabled
    • Role required: Super Admin OR Custom Admin
    • Required permissions for Custom Admin: Manage shared signals framework receiver streams, All shared signals framework receivers resource set

🔧 Setup

Step 1: Confirm Entitlements

Confirm that both SpyCloud Employee ATO Prevention and Okta ITP entitlements are active on your accounts. Contact your SpyCloud Technical Account Manager to register your account for SpyCloud Connect access. This registration step is required before proceeding.

Step 2: Configure Okta as SSF Receiver

  1. Sign in to the Okta Admin Console.
  2. Navigate to Security > Device Integrations.
  3. Select the Receive Shared Signals tab and click Create Stream.
  4. For Integration name, enter SpyCloudITP.
  5. Select Set up integration with > Issuer URL & JWKS URL and enter the following values:
    • Issuer: https://spycloud.com/
    • JWKS URL: https://spycloud.com/verification-key.json
  6. Click Create.

If the stream is created successfully, it will appear in the stream list with status set to Active by default.

Step 3: Configure the Integration in SpyCloud Connect

SpyCloud Connect is used to complete the integration configuration. Your SpyCloud Technical Account Manager must register your account before you can access SpyCloud Connect.

  1. Navigate to https://spycloud-connect.spycloud.com/pages/itp_sign_in/.
  2. Sign in using your email address and follow the email verification process.
  3. Enter the unique registration code when prompted to complete sign-in.
  4. Enter your SpyCloud Enterprise API key to complete initial configuration.
  5. Configure your Threat Detection settings:
    • Enable or disable individual detection feeds
    • Assign risk levels to each detection type (SpyCloud defaults will apply if not changed — see the default risk levels table above)
    • Set your minimum password length threshold

Email Notifications

By default, you will receive an email notification when new data has been pushed to your Okta instance. You may also optionally enable notifications to receive alerts each time your Okta ITP configuration runs.


⚠️ Error Handling

Error | Resolution
--- | ---
Registration failed | Your Technical Account Manager must register your account before access is granted. Contact them to complete this step.
SpyCloud API key error | Your API key may not be enabled for Workforce Threat Protection, or your IP allow list may need to be updated. Contact [email protected].
Organization creation error | Contact your SpyCloud Technical Account Manager.

💡 Need help? Contact SpyCloud Support at [email protected]


📊 What to Expect After Configuration

As SpyCloud discovers and ingests new exposure data, SpyCloud Connect periodically checks for new identity artifacts related to your organization. When new exposures are identified, SSF signals are sent to your Okta instance based on your configuration.

Signals update the affected user's entity risk level in Okta. Additional metadata is included with each signal and can be used to build advanced automations.

Okta System Logs display exposure details such as:

  • Exposed email address
  • Exposure source (breach, malware, phishing)
  • Password presence (hashed/plaintext)
  • Okta tenant URL (if present in malware logs)

Example Okta Log Entry:

System Log Entry > Event > System > DebugData > Risk:

{previousLevel=MEDIUM, level=MEDIUM, detectionName=Security Events Provider Reported Risk, reasons=This email address was found with a plaintext password as a result of a malware infection., issuer=https://spycloud.com}

As data is ingested, affected users will inherit an increased entity risk level. You can view SSF activity and configuration details in Reports > System Logs.
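A small parser for the DebugData > Risk layout shown above, plus a triage filter a SOC could run over exported System Log entries, as an added example that is not SpyCloud's or Okta's code. The sample entries are constructed to match the layout on this page; the field names come from the example entry, and the "trusted issuer" comparison is an assumption about how one would pin signals to the configured SSF issuer.

```python
import re

# Constructed sample DebugData > Risk values in the layout shown above (not real log data).
SAMPLE_RISK_FIELDS = [
    "{previousLevel=MEDIUM, level=MEDIUM, detectionName=Security Events Provider Reported Risk, "
    "reasons=This email address was found with a plaintext password as a result of a malware infection., "
    "issuer=https://spycloud.com}",
    "{previousLevel=LOW, level=HIGH, detectionName=Security Events Provider Reported Risk, "
    "reasons=Credentials harvested by a phishing kit., issuer=https://spycloud.com}",
    "{previousLevel=LOW, level=LOW, detectionName=Anomalous behavior, reasons=New device., issuer=}",
]
LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
# A value runs until the next ", key=" or the closing brace, so commas inside reasons survive.
_PAIR = re.compile(r"(\w+)=(.*?)(?=, \w+=|\}$)", re.S)

def parse_risk(field: str) -> dict:
    """Parse the brace-delimited key=value list Okta writes under DebugData > Risk."""
    body = field.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a DebugData Risk field")
    return {k: v.strip() for k, v in _PAIR.findall(body[1:])}

def triage(field: str, trusted_issuer: str = "https://spycloud.com") -> dict:
    """Summarise one entry: did the level rise, is it from the trusted SSF issuer,
    and does the reason mention a plaintext password."""
    r = parse_risk(field)
    prev, cur = r.get("previousLevel", ""), r.get("level", "")
    # The receiver is configured with a trailing-slash issuer while the log shows none;
    # compare with the slash stripped so both spellings match.
    return {"level": cur,
            "escalated": LEVEL_ORDER.get(cur, -1) > LEVEL_ORDER.get(prev, -1),
            "from_provider": r.get("issuer", "").rstrip("/") == trusted_issuer.rstrip("/"),
            "plaintext_password": "plaintext" in r.get("reasons", "").lower(),
            "detection": r.get("detectionName", "")}

def events_needing_review(fields) -> list:
    """Keep provider-reported entries that escalated or involve a plaintext password."""
    return [t for t in map(triage, fields)
            if t["from_provider"] and (t["escalated"] or t["plaintext_password"])]
```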

