Okta actions indicating impersonation
Description
AlphaSOC detected Okta actions that indicate user impersonation. This occurs when an administrator or privileged user initiates an impersonation session to access the Okta environment as another user. While this feature has legitimate administrative purposes such as troubleshooting and support, it can be exploited by threat actors to masquerade as legitimate users.
Impact
Unauthorized impersonation can enable threat actors to access sensitive data and systems while appearing as legitimate users. The scope of potential damage depends on the impersonated user's privileges and could include data exfiltration, system configuration changes, or lateral movement within the organization's infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta actions indicating impersonation |
Investigation and Remediation
Verify whether the impersonation action was authorized. If unauthorized, immediately terminate the impersonation session, reset credentials for the impersonating account, and review the actions taken during the impersonation session.
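The triage steps above can be scripted over exported Okta System Log events. The following is an added example, not AlphaSOC's detection logic: it pairs `user.session.impersonation.*` events into sessions, lists what the initiating actor did inside each window, and returns sessions that were not approved or never closed. The `approved_actors` set, the sample events, and the assumption that in-session activity is logged under the initiating actor are all constructed for illustration.

```python
from datetime import datetime

PREFIX = "user.session.impersonation."  # Okta System Log event type family

def ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def impersonation_sessions(events):
    """Pair initiate with end/revoke per actor; attach in-window actor activity."""
    open_by_actor, sessions = {}, []
    for event in sorted(events, key=ts):
        etype = event.get("eventType", "")
        actor = event["actor"]["alternateId"]
        if not etype.startswith(PREFIX):
            # Assumption: in-session activity is logged under the initiating actor.
            if actor in open_by_actor:
                open_by_actor[actor]["actions"].append(etype)
            continue
        action = etype[len(PREFIX):]
        if action == "initiate":
            session = {"actor": actor, "start": event["published"], "end": None,
                       "targets": [t["alternateId"] for t in event.get("target") or []],
                       "actions": []}
            open_by_actor[actor] = session
            sessions.append(session)
        elif action in ("end", "revoke") and actor in open_by_actor:
            open_by_actor.pop(actor)["end"] = event["published"]
    return sessions

def triage(events, approved_actors):
    """Return sessions needing follow-up: unapproved actor or never closed."""
    return [s for s in impersonation_sessions(events)
            if s["actor"] not in approved_actors or s["end"] is None]

def make_event(time, etype, actor, targets=()):
    """Build a constructed event trimmed to the fields used above."""
    return {"published": time, "eventType": etype, "actor": {"alternateId": actor},
            "target": [{"alternateId": t} for t in targets]}

# Constructed sample data, not real log output.
SAMPLE = [
    make_event("2024-05-01T09:00:00.000Z", PREFIX + "initiate", "helpdesk@example.com", ["alice@example.com"]),
    make_event("2024-05-01T09:05:00.000Z", "user.account.update_profile", "helpdesk@example.com"),
    make_event("2024-05-01T09:10:00.000Z", PREFIX + "end", "helpdesk@example.com"),
    make_event("2024-05-01T11:00:00.000Z", PREFIX + "initiate", "svc-admin@example.com", ["cfo@example.com"]),
    make_event("2024-05-01T11:02:00.000Z", "system.api_token.create", "svc-admin@example.com"),
]

if __name__ == "__main__":
    for s in triage(SAMPLE, approved_actors={"helpdesk@example.com"}):
        print(s)
```

Populate `approved_actors` from whatever record of authorization the organization keeps, such as change tickets or support cases.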