Microsoft Sentinel Analytic Rules

User Session Impersonation (Okta)

Id: 35846296-4052-4de2-8098-beb6bb5f2203
Rule name: User Session Impersonation (Okta)
Description: A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1134, T1134.003
Required data connectors: OktaSSO, OktaSSOv2 (note: the query below reads only the Okta_CL table, which is populated by the OktaSSO connector; OktaSSOv2 writes to the OktaSSO table, so a workspace with only v2 onboarded will get no detections from this rule as written)
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
Version: 1.0.0
Arm template: 35846296-4052-4de2-8098-beb6bb5f2203.json
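// Detect successful Okta session impersonation initiations.
// NOTE(review): this reads only the legacy Okta_CL table (OktaSSO v1 connector). The
// rule also lists OktaSSOv2 as a connector, but that one lands in the OktaSSO table,
// so with only v2 data onboarded this query returns nothing and the rule stays silent.
Okta_CL
// Only successful initiations are matched; failed attempts are deliberately out of scope here.
| where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
// Each element of the 'target_s' JSON array becomes its own row, so a single event can
// yield several rows when the array holds more than one target. TargetUser_type tells
// them apart; no filter on type is applied, so non-user targets (if present) also surface.
| mv-expand parsed_json = todynamic(target_s)
| extend TargetUser_id = tostring(parsed_json.id),
         TargetUser_type = tostring(parsed_json.type),
         TargetUser_alternateId = tostring(parsed_json.alternateId),
         TargetUser_displayName = tostring(parsed_json.displayName),
         Target_detailEntry = tostring(parsed_json.detailEntry)
// Target_detailEntry is kept in the output: the original projection computed it and
// then dropped it, losing context an analyst wants when triaging the alert.
| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
          TargetUser_displayName, TargetUser_type, TargetUser_id, Target_detailEntry,
          eventType_s, outcome_result_s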
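relevantTechniques:
- T1134
- T1134.003
name: User Session Impersonation(Okta)
# The query below reads only the legacy Okta_CL table, i.e. data from the OktaSSO (v1)
# connector. OktaSSOv2 writes to the OktaSSO table, so a workspace with only v2
# onboarded gets no detections from this rule as written.
requiredDataConnectors:
- dataTypes:
  - Okta_CL
  connectorId: OktaSSO
- dataTypes:
  - OktaSSO
  connectorId: OktaSSOv2
entityMappings:
# Actor: the account that initiated the impersonation.
- fieldMappings:
  - identifier: Name
    columnName: actor_alternateId_s
  - identifier: DisplayName
    columnName: actor_displayName_s
  entityType: Account
# Target: the impersonated account. Mapping it too puts both sides of the session
# into the incident's entity graph instead of only the initiator.
- fieldMappings:
  - identifier: Name
    columnName: TargetUser_alternateId
  - identifier: DisplayName
    columnName: TargetUser_displayName
  entityType: Account
triggerThreshold: 0
id: 35846296-4052-4de2-8098-beb6bb5f2203
tactics:
- PrivilegeEscalation
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
queryPeriod: 6h
kind: Scheduled
queryFrequency: 6h
severity: Medium
status: Available
description: |
    'A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.'
query: |
  Okta_CL
  // Only successful initiations are matched; failed attempts are deliberately out of scope here.
  | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
  // Each element of the 'target_s' JSON array becomes its own row, so one event can
  // yield several rows when the array holds more than one target; TargetUser_type
  // distinguishes them.
  | mv-expand parsed_json = todynamic(target_s)
  | extend TargetUser_id = tostring(parsed_json.id),
           TargetUser_type = tostring(parsed_json.type),
           TargetUser_alternateId = tostring(parsed_json.alternateId),
           TargetUser_displayName = tostring(parsed_json.displayName),
           Target_detailEntry = tostring(parsed_json.detailEntry)
  // Target_detailEntry is kept in the output; the original projection computed it and then dropped it.
  | project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
            TargetUser_displayName, TargetUser_type, TargetUser_id, Target_detailEntry,
            eventType_s, outcome_result_s
triggerOperator: gt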
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35846296-4052-4de2-8098-beb6bb5f2203')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35846296-4052-4de2-8098-beb6bb5f2203')]",
      "properties": {
        "alertRuleTemplateName": "35846296-4052-4de2-8098-beb6bb5f2203",
        "customDetails": null,
        "description": "'A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.'\n",
        "displayName": "User Session Impersonation(Okta)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "actor_alternateId_s",
                "identifier": "Name"
              },
              {
                "columnName": "actor_displayName_s",
                "identifier": "DisplayName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml",
        "query": "Okta_CL\n| where eventType_s == \"user.session.impersonation.initiate\" and outcome_result_s == \"SUCCESS\"\n// Expand the JSON array in 'target_s' field to extract detailed information about the event\n| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array\n// Enhance visibility by extending columns with extracted details for better analysis\n| extend TargetUser_id = tostring(parsed_json.id), \n         TargetUser_type = tostring(parsed_json.type), \n         TargetUser_alternateId = tostring(parsed_json.alternateId), \n         TargetUser_displayName = tostring(parsed_json.displayName), \n         Target_detailEntry = tostring(parsed_json.detailEntry) \n// Project event details to gain insights into the security context, including actor and target user information\n| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, \n               TargetUser_displayName, TargetUser_type, TargetUser_id, \n               eventType_s, outcome_result_s\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1134.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}