Skip to main content
Panther Knowledge Base

How can I write a Panther detection to alert me when a deactivated Okta user tries to log in?


 How do I write a detection in Panther that will alert the team when a deactivated user attempts to log in to Okta? 


You can use a Lookup Table to store the login information for deactivated users, then build the detection using that Lookup Table. 

For example, suppose your Lookup Table data looks something like this:

00u4m5brdnTG8zRAq123,Bob Smith,true
00u4m5brdnTG8zRAq789,Jane Smith,false

Where the id field is the user's id in Okta. You can then configure a Lookup Table to match against this data and your Okta SystemLogs. The Lookup Table Associated Log Types would look for the field of your incoming Okta logs:

Screen Shot 2022-08-11 at 4.24.35 PM.png


Your Table Schema would use the id field as the primary key (where the Custom.OktaUsers is a custom schema that was created from your CSV data above):

Screen Shot 2022-08-11 at 4.24.48 PM.png


You can then write a rule detection that will check for all incoming Okta SystemLog events, and will alert if there was a log in attempt, and if the user who attempted to log in is not an active user:

from panther_base_helpers import deep_get

def rule(event):
    is_active = deep_get(event, 'p_enrichment', 'okta_active_users', '', 'active')
    is_login_attempt = event.get('eventType') == 'user.session.start'
    return is_login_attempt and not is_active
  • Was this article helpful?