-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
ImpersonationSession.yaml
31 lines (31 loc) · 1.48 KB
/
ImpersonationSession.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc
name: Initiate impersonation session (Okta)
description: |
'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.'
description-detailed: |
'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.
Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.
Refrence: https://developer.okta.com/docs/reference/api/event-types/
Refrence: https://twitter.com/JimmyVo/status/1506306703788326915
Refrence: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/'
requiredDataConnectors:
- connectorId: OktaSSO
dataTypes:
- Okta_CL
- connectorId: OktaSSOv2
dataTypes:
- OktaSSO
tactics:
- InitialAccess
relevantTechniques:
- T1195
query: |
let Events = dynamic(["user.session.impersonation.initiate", "user.session.impersonation.grant", "user.session.impersonation.extend", "user.session.impersonation.end", "user.session.impersonation.revoke"]);
OktaSSO
| where eventType_s in (Events)
| where outcome_result_s =~ "SUCCESS"
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: actor_displayName_s