Okta Impersonation

okta

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1199-trusted-relationship

Set up the okta integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect an Okta session impersonation.

Strategy

This rule lets you monitor the following Okta events to detect a user session impersonation:

  • user.session.impersonation.initiate
  • user.session.impersonation.end
  • user.session.impersonation.grant
  • user.session.impersonation.extend
  • user.session.impersonation.revoke

These events indicate that the user: {{@usr.email}} has the effective permissions of the impersonated user. This is likely to occur through Okta support access. This blog illustrates the potential impact an attacker can cause by impersonation session.

Triage and response

  1. Contact your Okta administrator to ensure the user: {{@usr.email}} is authorized to impersonate a user session.
  2. If the user impersonation session is not legitimate:
    • Task your Okta administrator to end the impersonation session.
    • Investigate the actions taken by the user {{@usr.email}} during the session and revert back to the last known good state.
    • Begin your company’s incident response process and investigate.