User Session Impersonation (Okta)

| Field | Value |
|---|---|
| Id | 35846296-4052-4de2-8098-beb6bb5f2203 |
| Rulename | User Session Impersonation(Okta) |
| Description | A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1134 T1134.003 |
| Required data connectors | OktaSSO OktaSSOv2 |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml |
| Version | 1.0.0 |
| Arm template | 35846296-4052-4de2-8098-beb6bb5f2203.json |
```kusto
Okta_CL
| where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
// Expand the JSON array in 'target_s' field to extract detailed information about the event
| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array
// Enhance visibility by extending columns with extracted details for better analysis
| extend TargetUser_id = tostring(parsed_json.id),
         TargetUser_type = tostring(parsed_json.type),
         TargetUser_alternateId = tostring(parsed_json.alternateId),
         TargetUser_displayName = tostring(parsed_json.displayName),
         Target_detailEntry = tostring(parsed_json.detailEntry)
// Project event details to gain insights into the security context, including actor and target user information
| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
          TargetUser_displayName, TargetUser_type, TargetUser_id,
          eventType_s, outcome_result_s
```
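The following Python replays the rule's logic offline so its behaviour can be checked against sample data. It is an added example, not code from the Azure-Sentinel repository or from Okta: it mirrors the query's four steps (the `where` filter, the `mv-expand` of the `target_s` array into one row per target, the `extend` with `tostring()` semantics, and the final `project`) and then applies the rule's trigger condition (threshold 0, operator `gt`). The column names come from the Okta_CL schema the query uses; the sample rows, the `EVENT_TYPE` constant and the `detect`, `would_alert` and `_tostring` helpers are constructed for this example.

```python
"""Offline replay of the "User Session Impersonation (Okta)" detection.

Added example, not code from the Azure-Sentinel repository or from Okta.
It re-implements the page's KQL over constructed Okta_CL-shaped rows.
"""
import json

EVENT_TYPE = "user.session.impersonation.initiate"

# Constructed Okta_CL-shaped rows (not real telemetry). target_s holds the
# raw JSON array of targets as the rule expects to todynamic() it.
SAMPLE_ROWS = [
    {  # successful impersonation of one user: should produce one row
        "TimeGenerated": "2024-03-01T10:00:00Z",
        "eventType_s": EVENT_TYPE,
        "outcome_result_s": "SUCCESS",
        "actor_alternateId_s": "alice.admin@example.com",
        "actor_displayName_s": "Alice Admin",
        "target_s": json.dumps([
            {"id": "00u1abc", "type": "User",
             "alternateId": "bob@example.com", "displayName": "Bob User"},
        ]),
    },
    {  # same event type but the attempt failed: must be filtered out
        "TimeGenerated": "2024-03-01T10:05:00Z",
        "eventType_s": EVENT_TYPE,
        "outcome_result_s": "FAILURE",
        "actor_alternateId_s": "alice.admin@example.com",
        "actor_displayName_s": "Alice Admin",
        "target_s": json.dumps([
            {"id": "00u2def", "type": "User",
             "alternateId": "carol@example.com", "displayName": "Carol"},
        ]),
    },
    {  # ordinary sign-in: wrong eventType, must be filtered out
        "TimeGenerated": "2024-03-01T10:10:00Z",
        "eventType_s": "user.session.start",
        "outcome_result_s": "SUCCESS",
        "actor_alternateId_s": "bob@example.com",
        "actor_displayName_s": "Bob User",
        "target_s": json.dumps([]),
    },
    {  # two targets (user plus an app instance): mv-expand yields two rows
        "TimeGenerated": "2024-03-01T10:15:00Z",
        "eventType_s": EVENT_TYPE,
        "outcome_result_s": "SUCCESS",
        "actor_alternateId_s": "dave.admin@example.com",
        "actor_displayName_s": "Dave Admin",
        "target_s": json.dumps([
            {"id": "00u3ghi", "type": "User",
             "alternateId": "erin@example.com", "displayName": "Erin"},
            {"id": "0oa9xyz", "type": "AppInstance",
             "alternateId": "Example App", "displayName": "Example App"},
        ]),
    },
]

# Columns, in order, of the rule's final project step.
PROJECTED = (
    "TimeGenerated", "actor_alternateId_s", "actor_displayName_s",
    "TargetUser_alternateId", "TargetUser_displayName", "TargetUser_type",
    "TargetUser_id", "eventType_s", "outcome_result_s",
)


def _tostring(value):
    """Mirror KQL tostring(): a missing/null dynamic value becomes ''."""
    return "" if value is None else str(value)


def detect(rows):
    """Apply the rule's where / mv-expand / extend / project steps.

    Returns one output row per (event, target) pair with the rule's columns.
    """
    results = []
    for row in rows:
        # | where eventType_s == ... and outcome_result_s == "SUCCESS"
        if row.get("eventType_s") != EVENT_TYPE:
            continue
        if row.get("outcome_result_s") != "SUCCESS":
            continue
        # | mv-expand parsed_json = todynamic(target_s): one row per target
        for parsed_json in json.loads(row.get("target_s") or "[]"):
            # | extend TargetUser_* = tostring(parsed_json.*)
            out = {
                "TimeGenerated": row.get("TimeGenerated"),
                "actor_alternateId_s": row.get("actor_alternateId_s"),
                "actor_displayName_s": row.get("actor_displayName_s"),
                "TargetUser_alternateId": _tostring(parsed_json.get("alternateId")),
                "TargetUser_displayName": _tostring(parsed_json.get("displayName")),
                "TargetUser_type": _tostring(parsed_json.get("type")),
                "TargetUser_id": _tostring(parsed_json.get("id")),
                "eventType_s": row["eventType_s"],
                "outcome_result_s": row["outcome_result_s"],
            }
            # | project ... (Target_detailEntry is extended by the rule but
            # never projected, so it is dropped here as well)
            results.append({k: out[k] for k in PROJECTED})
    return results


def would_alert(rows):
    """Trigger condition from the rule: result count > 0 (threshold 0, gt)."""
    return len(detect(rows)) > 0


if __name__ == "__main__":
    for hit in detect(SAMPLE_ROWS):
        print(f"{hit['TimeGenerated']} {hit['actor_alternateId_s']} -> "
              f"{hit['TargetUser_type']}:{hit['TargetUser_alternateId']}")
```

Two things the replay makes visible that the query text alone does not: `mv-expand` emits one row per entry in `target_s`, so an event whose target array also lists a non-user object (the `AppInstance` row above) produces an extra result row with `TargetUser_type` other than `User`, because the rule never filters on `parsed_json.type`; and the rule's `entityMappings` only cover the actor columns, so the impersonated user appears in the projected columns but is not mapped to an Account entity.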
```yaml
relevantTechniques:
  - T1134
  - T1134.003
name: User Session Impersonation(Okta)
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
severity: Medium
id: 35846296-4052-4de2-8098-beb6bb5f2203
status: Available
requiredDataConnectors:
  - dataTypes:
      - Okta_CL
    connectorId: OktaSSO
  - dataTypes:
      - OktaSSO
    connectorId: OktaSSOv2
kind: Scheduled
query: |
  Okta_CL
  | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
  // Expand the JSON array in 'target_s' field to extract detailed information about the event
  | mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array
  // Enhance visibility by extending columns with extracted details for better analysis
  | extend TargetUser_id = tostring(parsed_json.id),
           TargetUser_type = tostring(parsed_json.type),
           TargetUser_alternateId = tostring(parsed_json.alternateId),
           TargetUser_displayName = tostring(parsed_json.displayName),
           Target_detailEntry = tostring(parsed_json.detailEntry)
  // Project event details to gain insights into the security context, including actor and target user information
  | project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
            TargetUser_displayName, TargetUser_type, TargetUser_id,
            eventType_s, outcome_result_s
description: |
  'A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
triggerOperator: gt
queryPeriod: 6h
queryFrequency: 6h
version: 1.0.0
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: actor_alternateId_s
        identifier: Name
      - columnName: actor_displayName_s
        identifier: DisplayName
```