Anomaly Detection in OKTA Logs using Autoencoders
Cain, Jericho, Beadles, Hayden, Venkatesan, Karthik
arXiv.org Artificial Intelligence
Okta's Behavior Detection function, which is a current offering in Okta's commercial SSO product, operates on a rules-based engine that detects potential cybersecurity events by analyzing user behavior patterns within the Okta system. While this tool can be effective at identifying certain types of anomalies, it also has several limitations that can impact its overall efficacy. One limitation of this built-in tool is that it is based on a predefined set of data and rules that may not capture all potential threat scenarios. Consequently, the tool could overlook threats that fall outside these predefined data and rules or that occur in a way that fails to trigger alerts. Additionally, as new types of threats emerge, the rules may need to be updated to effectively detect them, potentially leading to delayed detection until the rules are updated. Another limitation is the restricted look-back window.
Nov-11-2024
- Genre:
- Research Report (0.64)
- Industry:
- Information Technology > Security & Privacy (1.00)