From 6d044a819791f130cc8757bfd95e66f05d64dde0 Mon Sep 17 00:00:00 2001
From: praveenthepro <99244859+praveenthepro@users.noreply.github.com>
Date: Fri, 29 Dec 2023 12:14:12 +0530
Subject: [PATCH] Update User Session Impersonation(Okta)

---
 .../Analytic Rules/User Session Impersonation(Okta)             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta) b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta)
index 82ce3635fcf..3b0cb496c53 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta)	
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta)	
@@ -21,7 +21,7 @@ relevantTechniques:
   - T1098
 query: |
   // Filter for security events involving Okta user session impersonation initiation with successful outcomes
-  Okta_CL
+  OktaSSO
   | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
   // Expand the JSON array in 'target_s' field to extract detailed information about the event
   | mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array