What Changed
The Okta session impersonation detection rule was updated to query the OktaSSO parser instead of the legacy Okta_CL table directly. This restores detection after the Okta connector migrated to the CCF-based (Codeless Connector Framework) data source, which no longer populates Okta_CL.
Detection Logic
The rule queries the OktaSSO parser and filters for eventType_s == "user.session.impersonation.initiate" with a successful outcome. It extracts the user details from the target_s JSON array and maps them to Account and IP entities for correlation. Because the parser sits between the rule and the underlying table, the rule no longer depends on which connector version populated the data. Version bumped from 1.0.0 to 1.1.0.
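The following is an added example, not the Sentinel rule or the OktaSSO parser itself: it models the detection logic in Python over constructed sample events so the before/after behaviour can be run offline. The flattened *_s column names for the legacy shape, the nested object shape for the V2 rows, the entity output names, and the use of the actor columns alongside the parsed target_s array are all assumptions for illustration; the real rule is KQL and only the filter on eventType_s, the success check and the target_s parsing are taken from the page.

```python
import json

IMPERSONATION_EVENT = "user.session.impersonation.initiate"

# Constructed legacy Okta_CL-style rows: flattened *_s string columns (assumed
# names); target_s carries the Okta System Log target array as JSON text.
LEGACY_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "eventType_s": IMPERSONATION_EVENT,
     "outcome_result_s": "SUCCESS", "actor_alternateId_s": "admin@example.com",
     "client_ipAddress_s": "203.0.113.10",
     "target_s": json.dumps([{"type": "User", "alternateId": "victim@example.com"}])},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "eventType_s": IMPERSONATION_EVENT,
     "outcome_result_s": "FAILURE", "actor_alternateId_s": "admin@example.com",
     "client_ipAddress_s": "203.0.113.10",
     "target_s": json.dumps([{"type": "User", "alternateId": "victim@example.com"}])},
]

# Constructed OktaV2_CL-style rows: nested Okta System Log objects (assumed shape).
V2_ROWS = [
    {"TimeGenerated": "2024-05-01T11:00:00Z", "eventType": IMPERSONATION_EVENT,
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "helpdesk@example.com"},
     "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "User", "alternateId": "ceo@example.com"},
                {"type": "AppInstance", "alternateId": "Okta Admin Console"}]},
    {"TimeGenerated": "2024-05-01T11:01:00Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "ceo@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "target": []},
]


def okta_sso(legacy_rows, v2_rows):
    """Model of what the OktaSSO parser provides: one schema over both tables."""
    for r in legacy_rows:
        yield dict(r)
    for r in v2_rows:
        yield {
            "TimeGenerated": r["TimeGenerated"],
            "eventType_s": r.get("eventType", ""),
            "outcome_result_s": r.get("outcome", {}).get("result", ""),
            "actor_alternateId_s": r.get("actor", {}).get("alternateId", ""),
            "client_ipAddress_s": r.get("client", {}).get("ipAddress", ""),
            "target_s": json.dumps(r.get("target", [])),
        }


def detect_session_impersonation(events):
    """Successful impersonation initiations, with Account and IP entities."""
    results = []
    for e in events:
        if e.get("eventType_s") != IMPERSONATION_EVENT:
            continue
        if e.get("outcome_result_s") != "SUCCESS":
            continue
        try:
            targets = json.loads(e.get("target_s") or "[]")
        except json.JSONDecodeError:
            targets = []  # malformed target_s: keep the hit, lose the target detail
        users = [t.get("alternateId") for t in targets if t.get("type") == "User"]
        results.append({
            "TimeGenerated": e["TimeGenerated"],
            "AccountCustomEntity": e.get("actor_alternateId_s", ""),
            "ImpersonatedUser": users[0] if users else "",
            "IPCustomEntity": e.get("client_ipAddress_s", ""),
        })
    return results


def rule_before_fix(legacy_rows, v2_rows):
    """v1.0.0 queried Okta_CL directly, so rows written to OktaV2_CL are invisible."""
    return detect_session_impersonation(okta_sso(legacy_rows, []))


def rule_after_fix(legacy_rows, v2_rows):
    """v1.1.0 reads through the OktaSSO parser and sees both tables."""
    return detect_session_impersonation(okta_sso(legacy_rows, v2_rows))


if __name__ == "__main__":
    for label, fn in (("before", rule_before_fix), ("after", rule_after_fix)):
        for hit in fn(LEGACY_ROWS, V2_ROWS):
            print(label, hit)
```

Run as a script: the "before" rule reports only the legacy SUCCESS row, while the "after" rule also surfaces the helpdesk impersonation of ceo@example.com that only exists in the V2-shaped data, which is the blind spot the version bump closes. Failed attempts and unrelated session events are dropped in both cases.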
Security Impact
Critical detection gap fixed: per the PR description, without the change the query does not take effect for the latest version of the data connector, which writes its log and event data into the OktaV2_CL table. Deployments running the Okta CCF connector therefore had zero visibility into privileged session impersonation attempts, a significant blind spot for detecting credential abuse and privilege escalation via T1134 (Access Token Manipulation). Note that the rule now depends on the OktaSSO parser function being deployed in the workspace; after updating, confirm the parser resolves and that the rule returns rows for a known impersonation event before relying on it.
MITRE Mapping
- T1134 - Access Token Manipulation
- T1134.003 - Make and Impersonate Token
Affected Files
Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
(packaging artefacts: 3.1.7.zip, ReleaseNotes.md, mainTemplate.json)