How do I write a detection in Panther that will alert the team when a deactivated user attempts to log in to Okta?
You can use a Lookup Table to store your Okta users together with whether each one is active, then build the detection against the enrichment that Lookup Table adds to every matching Okta event.
For example, suppose your Lookup Table data looks something like this:

id,name,active
00u4m5brdnTG8zRAq123,Bob Smith,true
00u4m5brdnTG8zRAq789,Jane Smith,false
The id field is the user's id in Okta. You can then configure a Lookup Table to match this data against your Okta SystemLogs. Under the Lookup Table's Associated Log Types, the selector is the actor.id field of your incoming Okta logs.

Your Table Schema would use the id field as the primary key, where Custom.OktaUsers is a custom schema created from the CSV data above.
You can then write a rule that runs on every incoming Okta SystemLog event and alerts when the event is a login attempt and the enriched user record shows that the user who attempted to log in is not active:
from panther_base_helpers import deep_get


def rule(event):
    # Panther adds the matching Lookup Table row under
    # p_enrichment.<lookup table name>.<selector field>; the table here is
    # named okta_active_users and was matched on actor.id.
    is_active = deep_get(event, 'p_enrichment', 'okta_active_users', 'actor.id', 'active')
    # Okta records an authentication attempt as a user.session.start event.
    is_login_attempt = event.get('eventType') == 'user.session.start'
    return is_login_attempt and not is_active
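As an added example, not code from the original article or from Panther, here is the rule above run against constructed Okta SystemLog events so it can be exercised outside Panther. It uses a local stand-in for panther_base_helpers.deep_get (assumed to walk nested dicts and return None on a miss), keeps the article's table name okta_active_users and its p_enrichment layout, and constructs every event and user id other than the article's two. Alongside the rule as written it includes a stricter variant, so the two edge cases a practitioner hits are visible: an actor with no row in the table has no enrichment at all, so the original rule fires for every unknown user, and if the schema leaves the active column as a string, "false" is truthy and the original rule never fires for the deactivated user.

```python
from typing import Any, Mapping, Optional

LOOKUP_TABLE = "okta_active_users"  # Lookup Table name taken from the article's rule


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Local stand-in for panther_base_helpers.deep_get (assumed behaviour):
    walk nested dicts by key and return `default` on the first miss."""
    current = obj
    for key in keys:
        if not isinstance(current, Mapping) or key not in current:
            return default
        current = current[key]
    return current


def as_bool(value: Any) -> Optional[bool]:
    """Normalise the lookup's `active` column: bools pass through, the
    'true'/'false' strings an untyped CSV column yields map to bools,
    anything else (including a missing row) is unknown."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return {"true": True, "false": False}.get(value.strip().lower())
    return None


def is_login_attempt(event: Mapping) -> bool:
    # Okta records an authentication attempt as a user.session.start event.
    return event.get("eventType") == "user.session.start"


def rule_simple(event: Mapping) -> bool:
    """The article's rule as written: alert when the enriched `active` flag is falsy."""
    is_active = deep_get(event, "p_enrichment", LOOKUP_TABLE, "actor.id", "active")
    return is_login_attempt(event) and not is_active


def rule_strict(event: Mapping) -> bool:
    """Variant: alert only when the lookup explicitly marks the actor inactive.
    Actors with no row in the table (no enrichment) do not alert."""
    active = as_bool(deep_get(event, "p_enrichment", LOOKUP_TABLE, "actor.id", "active"))
    return is_login_attempt(event) and active is False


def title(event: Mapping) -> str:
    """Alert title; actor.alternateId is the Okta login name."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown>")
    return f"Okta login attempt by deactivated user {actor}"


def make_event(actor_id: str, login: str, event_type: str = "user.session.start",
               active: Any = None, enriched: bool = True) -> dict:
    """Constructed Okta SystemLog event in the shape Panther delivers after
    Lookup Table enrichment: p_enrichment.<table>.<selector field>.<row>."""
    event = {"eventType": event_type, "actor": {"id": actor_id, "alternateId": login}}
    if enriched:
        event["p_enrichment"] = {LOOKUP_TABLE: {"actor.id": {"id": actor_id, "active": active}}}
    return event


# Constructed samples: the article's two users, an unknown user (constructed id),
# a non-login event, and a deactivated user whose `active` column stayed a string.
SAMPLE_EVENTS = {
    "jane_login": make_event("00u4m5brdnTG8zRAq789", "jane@example.com", active=False),
    "bob_login": make_event("00u4m5brdnTG8zRAq123", "bob@example.com", active=True),
    "unknown_login": make_event("00u00000000000000000", "new.hire@example.com", enriched=False),
    "jane_logout": make_event("00u4m5brdnTG8zRAq789", "jane@example.com",
                              event_type="user.session.end", active=False),
    "jane_string_flag": make_event("00u4m5brdnTG8zRAq789", "jane@example.com", active="false"),
}


def evaluate(events: Mapping[str, Mapping]) -> dict:
    """Run both rule variants over every event; returns {name: (simple, strict)}."""
    return {name: (rule_simple(ev), rule_strict(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (simple, strict) in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:18} simple={simple!s:5} strict={strict}")
```

Running it shows jane_login alerting under both variants, bob_login and jane_logout under neither, unknown_login only under the original rule, and jane_string_flag only under the strict one. Two things follow for the real deployment: declare active as a boolean in the Custom.OktaUsers schema (or normalise it as as_bool does), and decide deliberately whether a login from an actor missing from the table should alert, since with the rule as written every user not yet in the CSV will.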