Microsoft Sentinel Analytic Rules

User Session Impersonation (Okta)

Id: 35846296-4052-4de2-8098-beb6bb5f2203
Rule name: User Session Impersonation (Okta)
Description: A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1134, T1134.003
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
Version: 1.0.0
Arm template: 35846296-4052-4de2-8098-beb6bb5f2203.json
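// Okta: an admin has started impersonating another user's session.
// There is no baseline; any result raises an alert, so every hit has to be reconciled
// against an approved admin/support request.
Okta_CL
// NOTE(review): the rule metadata on this page also lists the OktaSSOv2 connector
// (dataType OktaSSO), but this query reads only the v1 table Okta_CL. Tenants on the
// v2 connector alone get no coverage until the v2 table/schema is unioned in - confirm.
// Only successful impersonation starts are kept; non-SUCCESS outcomes are not alerted on.
| where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
// target_s is a JSON array of targets; expand it so each target entry becomes its own row.
| mv-expand parsed_json = todynamic(target_s)
| extend TargetUser_id = tostring(parsed_json.id),
         TargetUser_type = tostring(parsed_json.type),
         TargetUser_alternateId = tostring(parsed_json.alternateId),
         TargetUser_displayName = tostring(parsed_json.displayName),
         Target_detailEntry = tostring(parsed_json.detailEntry)
// Target_detailEntry is kept in the output (the original computed it and then discarded it).
// Actor columns are the admin who started the impersonation; TargetUser_* is the impersonated account.
| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
          TargetUser_displayName, TargetUser_type, TargetUser_id, Target_detailEntry,
          eventType_s, outcome_result_s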
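# Microsoft Sentinel scheduled analytic rule: Okta admin impersonation of a user session.
# Any query result (triggerThreshold 0 / gt) raises an alert; there is no baseline, so
# each alert has to be reconciled with an approved admin/support request.
id: 35846296-4052-4de2-8098-beb6bb5f2203
name: User Session Impersonation(Okta)
# The original wrapped this text in literal single quotes inside the block scalar, so the
# quotes (and a trailing newline) became part of the description shown in Sentinel; dropped here.
description: >-
  A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.
severity: Medium
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
# NOTE(review): OktaSSOv2 is declared as a supported connector (dataType OktaSSO), but the
# query below reads only the v1 table Okta_CL. Tenants on the v2 connector alone get no
# coverage until the query is extended to the v2 table/schema - confirm before deploying.
requiredDataConnectors:
- connectorId: OktaSSO
  dataTypes:
  - Okta_CL
- connectorId: OktaSSOv2
  dataTypes:
  - OktaSSO
kind: Scheduled
# Period equals frequency, so consecutive windows abut with no overlap; events that land
# late (ingestion delay) can fall between two runs. A queryPeriod slightly longer than
# queryFrequency is the usual mitigation if that matters in your tenant.
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
# T1134.003 is listed here, but the ARM template rendered on this page carries only T1134.
relevantTechniques:
- T1134
- T1134.003
query: |
  Okta_CL
  // Only successful impersonation starts are kept; non-SUCCESS outcomes are not alerted on.
  | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
  // target_s is a JSON array of targets; expand it so each target entry becomes its own row.
  | mv-expand parsed_json = todynamic(target_s)
  | extend TargetUser_id = tostring(parsed_json.id),
           TargetUser_type = tostring(parsed_json.type),
           TargetUser_alternateId = tostring(parsed_json.alternateId),
           TargetUser_displayName = tostring(parsed_json.displayName),
           Target_detailEntry = tostring(parsed_json.detailEntry)
  // Target_detailEntry is kept in the output (the original computed it and then discarded it)
  // so it can be surfaced through customDetails below.
  | project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId,
            TargetUser_displayName, TargetUser_type, TargetUser_id, Target_detailEntry,
            eventType_s, outcome_result_s
# Both sides of the impersonation are entities: the admin who started it (actor columns)
# and the account whose session is being used (TargetUser_* columns). The original mapped
# only the actor, which left the impersonated account out of the incident graph.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: actor_alternateId_s
  - identifier: DisplayName
    columnName: actor_displayName_s
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: TargetUser_alternateId
  - identifier: DisplayName
    columnName: TargetUser_displayName
# Surfaced on the alert so an analyst can triage without re-running the query.
customDetails:
  ImpersonatedUserId: TargetUser_id
  ImpersonatedUserType: TargetUser_type
  TargetDetailEntry: Target_detailEntry
# Bumped because the query output, entity mappings and customDetails changed.
version: 1.0.1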
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35846296-4052-4de2-8098-beb6bb5f2203')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35846296-4052-4de2-8098-beb6bb5f2203')]",
      "properties": {
        "alertRuleTemplateName": "35846296-4052-4de2-8098-beb6bb5f2203",
        "customDetails": null,
        "description": "'A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.'\n",
        "displayName": "User Session Impersonation(Okta)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "actor_alternateId_s",
                "identifier": "Name"
              },
              {
                "columnName": "actor_displayName_s",
                "identifier": "DisplayName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml",
        "query": "Okta_CL\n| where eventType_s == \"user.session.impersonation.initiate\" and outcome_result_s == \"SUCCESS\"\n// Expand the JSON array in 'target_s' field to extract detailed information about the event\n| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array\n// Enhance visibility by extending columns with extracted details for better analysis\n| extend TargetUser_id = tostring(parsed_json.id), \n         TargetUser_type = tostring(parsed_json.type), \n         TargetUser_alternateId = tostring(parsed_json.alternateId), \n         TargetUser_displayName = tostring(parsed_json.displayName), \n         Target_detailEntry = tostring(parsed_json.detailEntry) \n// Project event details to gain insights into the security context, including actor and target user information\n| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, \n               TargetUser_displayName, TargetUser_type, TargetUser_id, \n               eventType_s, outcome_result_s\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}