Okta Impersonation

Set up the Okta integration.


Goal

Detect an Okta session impersonation.

Strategy

This rule lets you monitor the following Okta events to detect a user session impersonation:

  • user.session.impersonation.initiate
  • user.session.impersonation.end
  • user.session.impersonation.grant
  • user.session.impersonation.extend
  • user.session.impersonation.revoke

These events indicate that the user: {{@usr.email}} has the effective permissions of the impersonated user. This is likely to occur through Okta support access. This blog illustrates the potential impact an attacker can cause through an impersonation session.

Triage and response

  1. Contact your Okta administrator to ensure the user: {{@usr.email}} is authorized to impersonate a user session.
  2. If the user impersonation session is not legitimate:
    • Task your Okta administrator to end the impersonation session.
    • Investigate the actions taken by the user {{@usr.email}} during the session and revert to the last known good state.
    • Begin your company’s incident response process and investigate.
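
To scope the investigation in step 2, it helps to know the exact time window of each impersonation session and whether one is still open. The following is an added example, not part of the detection rule itself: it pairs initiate and end events per actor from exported Okta System Log records. It assumes JSON-lines input with the System Log fields eventType, published and actor.alternateId, and that actor.alternateId carries the email the rule exposes as {{@usr.email}}; the sample events are constructed.

```python
import json
from datetime import datetime

# The five event types this rule monitors.
IMPERSONATION_EVENTS = {
    "user.session.impersonation." + suffix
    for suffix in ("initiate", "end", "grant", "extend", "revoke")
}

# Constructed sample events (assumed Okta System Log JSON, one per line).
SAMPLE_LOG = """
{"published": "2024-01-10T09:00:00Z", "eventType": "user.session.impersonation.grant", "actor": {"alternateId": "admin@example.com"}}
{"published": "2024-01-10T09:05:00Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "support1@example.com"}}
{"published": "2024-01-10T09:10:00Z", "eventType": "user.session.start", "actor": {"alternateId": "support1@example.com"}}
{"published": "2024-01-10T09:35:00Z", "eventType": "user.session.impersonation.end", "actor": {"alternateId": "support1@example.com"}}
{"published": "2024-01-10T10:00:00Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "support2@example.com"}}
{"published": "2024-01-10T10:30:00Z", "eventType": "user.session.impersonation.extend", "actor": {"alternateId": "support2@example.com"}}
"""

def parse_ts(value):
    # Accept a trailing "Z" (UTC), which older fromisoformat() versions reject.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def impersonation_windows(lines):
    """Return (actor, start, end) tuples; end is None for a session still open."""
    events = [json.loads(line) for line in lines if line.strip()]
    events = [e for e in events if e.get("eventType") in IMPERSONATION_EVENTS]
    open_since, windows = {}, []
    for event in sorted(events, key=lambda e: parse_ts(e["published"])):
        actor = event["actor"]["alternateId"]
        kind = event["eventType"].rsplit(".", 1)[1]
        ts = parse_ts(event["published"])
        if kind == "initiate":
            # Keep the earliest start if initiate repeats before an end.
            open_since.setdefault(actor, ts)
        elif kind == "end" and actor in open_since:
            windows.append((actor, open_since.pop(actor), ts))
    # Sessions with no matching end event are the ones to end first.
    windows += [(actor, start, None) for actor, start in open_since.items()]
    return windows

if __name__ == "__main__":
    for actor, start, end in impersonation_windows(SAMPLE_LOG.splitlines()):
        status = end.isoformat() if end else "STILL OPEN"
        print(f"{actor}: {start.isoformat()} -> {status}")
```

Each closed window bounds the log search for actions taken during that session; an open window marks a session the Okta administrator still needs to end.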