Skip to main content
Panther Knowledge Base

Why is the "Potentially stolen Okta Session" detection suddenly firing alerts in Panther?


I am suddenly seeing an uptick in alerts for the "Potentially stolen user session" Okta rule. Is this a legitimate breach or a false positive? 


Please upgrade panther-analysis to version 3.38.0 to resolve this issue.


Okta made code changes in Feburary 2024 that affected the way Panther's "Potentially stolen user session" detection functions. While we cannot rule out that you are having a security incident, if you are on a version of panther-analysis earlier than 3.38.0 then it is likely that a sudden uptick in these alerts is being caused by the Okta update.

If you are on version 3.38.0 or later of panther-analysis, then it is possible that the alerts could be appearing due to a legitimate security incident.