Okta Impersonation

Set up the Okta integration.

Goal

Detect an Okta session impersonation.

Strategy

This rule lets you monitor the following Okta events to detect a user session impersonation:

  • user.session.impersonation.initiate
  • user.session.impersonation.end
  • user.session.impersonation.grant
  • user.session.impersonation.extend
  • user.session.impersonation.revoke

These events indicate that the user {{@usr.email}} has the effective permissions of the impersonated user. This is likely to occur through Okta support access. This blog illustrates the potential impact an attacker can cause by impersonating a session.
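
As an added example (not part of this rule or of the vendor's own code), the following Python applies the same event-type filter to raw Okta System Log records and reports, per actor, which impersonation events occurred and whether an initiated session has no matching end. It assumes one JSON object per line carrying the `eventType`, `published`, and `actor.alternateId` fields; the sample records and addresses are constructed.

```python
import json
from collections import defaultdict

# The five event types listed in the rule's strategy.
IMPERSONATION_EVENTS = {
    "user.session.impersonation.initiate",
    "user.session.impersonation.end",
    "user.session.impersonation.grant",
    "user.session.impersonation.extend",
    "user.session.impersonation.revoke",
}

# Constructed sample records (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"published": "2024-01-10T09:00:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}}
{"published": "2024-01-10T09:05:00.000Z", "eventType": "user.session.impersonation.grant", "actor": {"alternateId": "admin@example.com"}}
{"published": "2024-01-10T09:10:00.000Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "support@example.com"}}
{"published": "2024-01-10T09:40:00.000Z", "eventType": "user.session.impersonation.end", "actor": {"alternateId": "support@example.com"}}
this line is not JSON
{"published": "2024-01-10T09:45:00.000Z", "eventType": "user.session.impersonation.revoke", "actor": {"alternateId": "admin@example.com"}}
{"published": "2024-01-10T10:00:00.000Z", "eventType": "user.session.impersonation.initiate", "actor": {"alternateId": "ops@example.com"}}
"""

def summarize_impersonation(lines):
    """Return {actor: {"events": [(time, type), ...], "open_sessions": n}}."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if isinstance(rec, dict) and rec.get("eventType") in IMPERSONATION_EVENTS:
            records.append(rec)
    per_actor = defaultdict(lambda: {"events": [], "open_sessions": 0})
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for rec in sorted(records, key=lambda r: r.get("published", "")):
        actor = (rec.get("actor") or {}).get("alternateId", "unknown")
        entry = per_actor[actor]
        entry["events"].append((rec.get("published"), rec["eventType"]))
        if rec["eventType"].endswith(".initiate"):
            entry["open_sessions"] += 1  # session started
        elif rec["eventType"].endswith(".end") and entry["open_sessions"]:
            entry["open_sessions"] -= 1  # matching end seen
    return dict(per_actor)

if __name__ == "__main__":
    for actor, info in summarize_impersonation(SAMPLE_LOG.splitlines()).items():
        state = "SESSION STILL OPEN" if info["open_sessions"] else "closed/none"
        print(f"{actor}: {len(info['events'])} event(s), {state}")
```

An actor with a non-zero `open_sessions` count is the case where triage step 2 applies first: the session has been initiated and no end event has been logged yet.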

Triage and response

  1. Contact your Okta administrator to ensure the user: {{@usr.email}} is authorized to impersonate a user session.
  2. If the user impersonation session is not legitimate:
    • Task your Okta administrator to end the impersonation session.
    • Investigate the actions taken by the user {{@usr.email}} during the session and revert to the last known good state.
    • Begin your company’s incident response process and investigate.