Panther Knowledge Base

Why is the "Potentially stolen Okta Session" detection suddenly firing alerts in Panther?

Issue

I am suddenly seeing an uptick in alerts for the "Potentially stolen user session" Okta rule. Is this a legitimate breach or a false positive? 

Resolution

Please upgrade panther-analysis to version 3.38.0 to resolve this issue.

Cause

Okta made code changes in February 2024 that affected the way Panther's "Potentially stolen user session" detection functions. While we cannot rule out that you are having a security incident, if you are on a version of panther-analysis earlier than 3.38.0, then it is likely that a sudden uptick in these alerts is being caused by the Okta update.

If you are on version 3.38.0 or later of panther-analysis, then it is possible that the alerts could be appearing due to a legitimate security incident.