diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml
index 35c4bd169d3..54b7d03c0d0 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml	
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/User Session Impersonation(Okta).yaml	
@@ -16,10 +16,9 @@ queryPeriod: 6h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - PrivilegeEscalation
+  - DefenseEvasion
 relevantTechniques:
-  - T1134
-  - T1134.003
+  - T1656
 query: |
   Okta_CL
   | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"