How do I write a detection in Panther that will alert the team when a deactivated user attempts to log in to Okta?
You can use a Lookup Table that records the active/deactivated status of your Okta users, then build the detection against that Lookup Table.
For example, suppose your Lookup Table data (uploaded as a CSV) looks something like this:
id,name,active
00u4m5brdnTG8zRAq123,Bob Smith,true
00u4m5brdnTG8zRAq789,Jane Smith,false
Where the id field is the user's id in Okta. You can then configure a Lookup Table that matches this data against your Okta SystemLog events. The Lookup Table's Associated Log Types would use the actor.id field of your incoming Okta logs as the selector:
Your Table Schema would use the id field as the primary key (where Custom.OktaUsers is a custom schema created from the CSV data above):
You can then write a rule that checks every incoming Okta SystemLog event and alerts on a login attempt (eventType user.session.start) by a user who is not marked active in the Lookup Table. Note that an actor whose id is not in the table at all gets no enrichment, so the lookup returns None and the rule alerts for that user as well; keep the table current if you want to avoid those alerts:
from panther_base_helpers import deep_get

def rule(event):
    # Enrichment is keyed as p_enrichment.<lookup table name>.<selector>.<column>;
    # the table here is named okta_active_users and the selector is actor.id.
    is_active = deep_get(event, 'p_enrichment', 'okta_active_users', 'actor.id', 'active')
    # Okta records a login attempt (successful or failed) as user.session.start
    is_login_attempt = event.get('eventType') == 'user.session.start'
    # Fires when is_active is False, and also when it is None (actor not in the table)
    return is_login_attempt and not is_active
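The rule above, exercised offline against a handful of constructed Okta SystemLog events. This is an added example and not code from the original answer or from Panther itself: deep_get is a local stand-in for panther_base_helpers.deep_get, enrich() imitates Panther's enrichment step, and the Lookup Table name (okta_active_users), the enrichment layout (p_enrichment.<lookup table name>.<selector>.<row>) and the sample events are assumptions made for the demonstration. It also covers the edge case the answer does not show: an actor that is absent from the table.

```python
# Added example, not from the original page or from Panther. `deep_get` stands in
# for panther_base_helpers.deep_get; the enrichment shape and the table name are
# assumptions; the events and table rows below are constructed, not real logs.

LOOKUP_NAME = "okta_active_users"   # assumed Lookup Table name
SELECTOR = "actor.id"               # selector configured on the Lookup Table


def deep_get(obj, *keys, default=None):
    """Walk nested dicts by key; return `default` on any missing step."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """Alert on a login attempt whose actor is not marked active in the table."""
    is_active = deep_get(event, "p_enrichment", LOOKUP_NAME, SELECTOR, "active")
    is_login_attempt = event.get("eventType") == "user.session.start"
    # An actor missing from the table yields is_active=None and therefore also alerts.
    return is_login_attempt and not is_active


def title(event):
    """Alert title built from the actor's login and the attempt's outcome."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown>")
    outcome = deep_get(event, "outcome", "result", default="<unknown>")
    return f"Okta login attempt by non-active user {actor} (outcome: {outcome})"


def enrich(event, table):
    """Imitate Panther's enrichment: attach the matching row under
    p_enrichment.<lookup>.<selector> when the selector value is in the table."""
    key = deep_get(event, "actor", "id")
    if key in table:
        event["p_enrichment"] = {LOOKUP_NAME: {SELECTOR: table[key]}}
    return event


# Constructed table rows mirroring the CSV in the answer (active parsed as bool).
USERS = {
    "00u4m5brdnTG8zRAq123": {"id": "00u4m5brdnTG8zRAq123", "name": "Bob Smith", "active": True},
    "00u4m5brdnTG8zRAq789": {"id": "00u4m5brdnTG8zRAq789", "name": "Jane Smith", "active": False},
}


def okta_event(actor_id, alt_id, event_type, result):
    """Constructed, minimal Okta SystemLog event (only the fields the rule reads)."""
    return {
        "eventType": event_type,
        "actor": {"id": actor_id, "alternateId": alt_id, "type": "User"},
        "outcome": {"result": result},
    }


EVENTS = {
    "active_login": okta_event("00u4m5brdnTG8zRAq123", "bob@example.com", "user.session.start", "SUCCESS"),
    "deactivated_login": okta_event("00u4m5brdnTG8zRAq789", "jane@example.com", "user.session.start", "FAILURE"),
    "unknown_actor_login": okta_event("00u4m5brdnTG8zRAq999", "ghost@example.com", "user.session.start", "FAILURE"),
    "deactivated_non_login": okta_event("00u4m5brdnTG8zRAq789", "jane@example.com", "user.session.end", "SUCCESS"),
}


def evaluate(events=EVENTS, table=USERS):
    """Return {event name: rule result} after enriching each event against the table."""
    return {name: rule(enrich(dict(ev), table)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24s} -> {'ALERT' if fired else 'ok'}")
```

Running it shows the active user's login passing, the deactivated user's login alerting, the session-end event being ignored, and the unknown actor alerting too because no enrichment was attached; if that last behaviour is unwanted, check for a missing p_enrichment separately or populate the table with every known user.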