Okta Impersonation

Set up the Okta integration.

Goal

Detect an Okta session impersonation.

Strategy

This rule lets you monitor the following Okta events to detect a user session impersonation:

  • user.session.impersonation.initiate
  • user.session.impersonation.end
  • user.session.impersonation.grant
  • user.session.impersonation.extend
  • user.session.impersonation.revoke

These events indicate that the user {{@usr.email}} has the effective permissions of the impersonated user. This most commonly occurs through Okta support access. This blog post illustrates the potential impact an attacker can cause with an impersonation session.
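The following is an added example, not part of the original rule: it applies the event-type filter above to constructed Okta System Log records and reports, per event, the actor email (the rule's {{@usr.email}}) and the impersonated targets, then lists impersonation sessions that were initiated but never ended or revoked, which is what the triage step "end the impersonation session" needs to know. Field names follow the Okta System Log schema (eventType, actor.alternateId, target[].alternateId, outcome.result); the sample values are made up.

```python
import json

# Okta System Log event types the rule monitors (from the list above).
IMPERSONATION_EVENT_TYPES = {
    "user.session.impersonation.initiate",
    "user.session.impersonation.end",
    "user.session.impersonation.grant",
    "user.session.impersonation.extend",
    "user.session.impersonation.revoke",
}

# Constructed sample of Okta System Log records, one JSON object per line.
# Schema field names are real; every value here is made up for the example.
SAMPLE_LOG = """\
{"eventType": "user.session.start", "published": "2024-03-01T09:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}, "target": []}
{"eventType": "user.session.impersonation.grant", "published": "2024-03-01T09:05:00.000Z", "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}, "target": [{"alternateId": "support@example.com"}]}
{"eventType": "user.session.impersonation.initiate", "published": "2024-03-01T09:06:00.000Z", "actor": {"alternateId": "support@example.com"}, "outcome": {"result": "SUCCESS"}, "target": [{"alternateId": "alice@example.com"}]}
{"eventType": "user.session.impersonation.end", "published": "2024-03-01T09:40:00.000Z", "actor": {"alternateId": "support@example.com"}, "outcome": {"result": "SUCCESS"}, "target": [{"alternateId": "alice@example.com"}]}
{"eventType": "user.session.impersonation.initiate", "published": "2024-03-01T10:00:00.000Z", "actor": {"alternateId": "support@example.com"}, "outcome": {"result": "SUCCESS"}, "target": [{"alternateId": "bob@example.com"}]}
"""

def detect_impersonation(log_text):
    """One finding per monitored event, carrying the fields a triager needs."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        event = json.loads(line)
        if event.get("eventType") not in IMPERSONATION_EVENT_TYPES:
            continue
        findings.append({
            "event_type": event["eventType"],
            "published": event.get("published"),
            "usr_email": event.get("actor", {}).get("alternateId"),  # {{@usr.email}}
            "outcome": event.get("outcome", {}).get("result"),
            "targets": [t.get("alternateId") for t in event.get("target") or []],
        })
    return findings

def open_impersonation_sessions(findings):
    """(actor, target) pairs initiated but not later ended or revoked: still active."""
    open_sessions = set()
    for f in findings:  # findings are in log order, so later events win
        for target in f["targets"]:
            key = (f["usr_email"], target)
            if f["event_type"] == "user.session.impersonation.initiate":
                open_sessions.add(key)
            elif f["event_type"] in ("user.session.impersonation.end",
                                     "user.session.impersonation.revoke"):
                open_sessions.discard(key)
    return open_sessions
```

Run on SAMPLE_LOG, detect_impersonation returns four findings (the session.start line is ignored) and open_impersonation_sessions reports the support-to-bob session as still open.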

Triage and response

  1. Contact your Okta administrator to ensure the user: {{@usr.email}} is authorized to impersonate a user session.
  2. If the user impersonation session is not legitimate:
    • Task your Okta administrator to end the impersonation session.
    • Investigate the actions taken by the user {{@usr.email}} during the session and revert to the last known good state.
    • Begin your company’s incident response process and investigate.