From ed8ddf302e8096613a55cc03a56c30a2c96e57fb Mon Sep 17 00:00:00 2001
From: praveenthepro <99244859+praveenthepro@users.noreply.github.com>
Date: Wed, 3 Jan 2024 11:06:28 +0530
Subject: [PATCH] Update User Session Impersonation(Okta).yaml

---
 .../Analytic Rules/User Session Impersonation(Okta).yaml     | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml
index 798daf63d7..35c4bd169d 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml	
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml	
@@ -16,9 +16,10 @@ queryPeriod: 6h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Defense Evasion
+  - PrivilegeEscalation
 relevantTechniques:
-  - T1656
+  - T1134
+  - T1134.003
 query: |
   Okta_CL
   | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"