How can I find a record of all Logins to Okta for a specific user to understand patterns and ensure their behaviors are legitimate?
You can find this by using Data Explorer in the Panther Console and filtering logs by type and user.
If you want to find a record of all Logins to Okta for a specific user you would look at an ‘all logs view’ and filter by LogTypes (Okta) and user (the ID or username of the user that was acted upon to trigger the event). Okta logs provide the answers to "who", "with what device" and the "where" questions associated with an event.
This information can be used to identify suspicious behavior, for example an attacker using stolen credentials. For an example query on targeting significant changes to the client information that might indicate stolen credentials please see query examples in Panther's documentation.