How can I write a Panther detection to alert me when a deactivated Okta user tries to log in?
Last updated: September 3, 2024
QUESTION
How do I write a detection in Panther that will alert the team when a deactivated user attempts to log in to Okta?
ANSWER
You can use a Lookup Table to store the login information for deactivated users, then build the detection using that Lookup Table.
For example, suppose your Lookup Table data looks something like this:
id,name,active
00u4m5brdnTG8zRAq123,Bob Smith,true
00u4m5brdnTG8zRAq789,Jane Smith,false
where the id field is the user's id in Okta. You can then configure a Lookup Table to match this data against your Okta SystemLog events. The Lookup Table's Associated Log Types would match on the actor.id field of your incoming Okta logs:

Your Table Schema would use the id field as the primary key (where the Custom.OktaUsers is a custom schema that was created from your CSV data above):

You can then write a rule detection that checks every incoming Okta SystemLog event and alerts when the event is a login attempt and the user who attempted to log in is not an active user:
from panther_base_helpers import deep_get

def rule(event):
    # Panther attaches the matching Lookup Table row under
    # p_enrichment.<table name>.<selector field>; the table here is named
    # okta_active_users and its selector is actor.id. If the actor is not in
    # the table the lookup returns None, which this rule treats as not active.
    is_active = deep_get(event, 'p_enrichment', 'okta_active_users', 'actor.id', 'active')
    # user.session.start is the Okta System Log event type for a login attempt
    is_login_attempt = event.get('eventType') == 'user.session.start'
    return is_login_attempt and not is_active
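The following is an added, self-contained example (not code from the Panther page) that simulates the enrichment described above on constructed Okta System Log events and runs the rule against them. It assumes the Lookup Table is named okta_active_users with selector actor.id, uses a local stand-in for deep_get so it runs offline, and additionally tolerates an active column that a CSV-backed schema may deliver as the string "false" rather than a boolean.

```python
LOOKUP_TABLE = "okta_active_users"  # assumed Lookup Table name, as used in the rule above

# Constructed rows mirroring the CSV on the page (as a boolean-typed schema would load them)
OKTA_USERS = {
    "00u4m5brdnTG8zRAq123": {"name": "Bob Smith", "active": True},
    "00u4m5brdnTG8zRAq789": {"name": "Jane Smith", "active": False},
}

def deep_get(obj, *keys, default=None):
    """Stand-in for panther_base_helpers.deep_get: walk nested dicts without raising."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def enrich(event):
    """Mimic Panther's enrichment: a table whose selector is actor.id adds the matching row
    under p_enrichment.<table>.<selector>. Actors absent from the table get no enrichment."""
    row = OKTA_USERS.get(deep_get(event, "actor", "id"))
    if row is not None:
        event.setdefault("p_enrichment", {})[LOOKUP_TABLE] = {"actor.id": dict(row)}
    return event

def is_truthy(value):
    """Accept booleans plus the strings a CSV-backed schema may deliver ('true'/'false')."""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1", "yes")
    return bool(value)

def rule(event):
    """Alert on a login attempt unless the lookup confirms the actor is active.
    As in the page's rule, an actor missing from the table is treated as not active."""
    if event.get("eventType") != "user.session.start":
        return False
    active = deep_get(event, "p_enrichment", LOOKUP_TABLE, "actor.id", "active")
    return not is_truthy(active)

def title(event):
    """Alert title shown by Panther; includes the Okta display name and user id."""
    actor = event.get("actor", {})
    return f"Login attempt by deactivated Okta user {actor.get('displayName', 'unknown')} ({actor.get('id')})"

def login_event(actor_id, name, event_type="user.session.start"):
    """Build a minimal constructed Okta System Log event."""
    return {"eventType": event_type, "actor": {"id": actor_id, "displayName": name, "type": "User"}}

if __name__ == "__main__":
    for ev in (login_event("00u4m5brdnTG8zRAq789", "Jane Smith"),
               login_event("00u4m5brdnTG8zRAq123", "Bob Smith")):
        print(title(ev) if rule(enrich(ev)) else f"no alert for {ev['actor']['displayName']}")
```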