From d5131573233fad95cb87d5d1a85277ea5ff6fa26 Mon Sep 17 00:00:00 2001 From: Stephan <66914107+stephanwaelde@users.noreply.github.com> Date: Sun, 26 Apr 2026 09:15:20 +0200 Subject: [PATCH] Update UserSessionImpersonation.yaml Update query with OktaSSO parser so that the OktaV2_CL table is considered --- .../Analytic Rules/UserSessionImpersonation.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml index bd4fbad2cf4..1e3296d7dfb 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml @@ -21,7 +21,7 @@ relevantTechniques: - T1134 - T1134.003 query: | - Okta_CL + OktaSSO | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS" // Expand the JSON array in 'target_s' field to extract detailed information about the event | mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array @@ -42,5 +42,5 @@ entityMappings: columnName: actor_alternateId_s - identifier: DisplayName columnName: actor_displayName_s -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled
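Review bot: In the first hunk the source changes to `OktaSSO`, but the `where` filter and `mv-expand` still use the Okta_CL column names `eventType_s`, `outcome_result_s` and `target_s`, and the entity mappings in the second hunk still use `actor_alternateId_s` and `actor_displayName_s`. The parser definition is not part of this patch, so it cannot be confirmed from here that OktaV2_CL rows come through it under those `_s` names. If they do not, the filter matches nothing for the new table and the impersonation rule stays silent without raising an error. I would check the parser's output schema against a sample OktaV2_CL impersonation event and record the dependency in the query, e.g. `// OktaSSO parser: must expose eventType_s, outcome_result_s, target_s for Okta_CL and OktaV2_CL rows`. The query body and the rule's connector metadata continue outside the hunk, so any `requiredDataConnectors` data types listed there may need the same update.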