
Summary
This detection rule identifies user session impersonation events in Okta, typically triggered when Okta Support personnel request admin access to a user's session. The logic matches the defined set of user session impersonation event types: 'initiate', 'grant', 'extend', 'end', and 'revoke'. For each match the rule reports the time of the event, the host and user involved, the action taken, the source IP, and the signature of the event. Aggregating these fields over a 1-second interval lets security teams monitor for unauthorized access or suspicious activity tied to user impersonation.
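The following is an added worked example, not the rule's own search logic: it applies the filtering and 1-second aggregation described above to a handful of constructed Okta System Log lines. The five event type names are the real Okta System Log values for the impersonation lifecycle; the field mapping (actor.alternateId as the user, outcome.result as the action, client.ipAddress as the source IP, displayMessage as the signature) and the sample log lines are assumptions made for this example, and the SIEM "host" field is left out because it is not part of the Okta record itself.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Okta System Log event types covering the user session impersonation lifecycle.
IMPERSONATION_EVENT_TYPES = {
    "user.session.impersonation.initiate",
    "user.session.impersonation.grant",
    "user.session.impersonation.extend",
    "user.session.impersonation.end",
    "user.session.impersonation.revoke",
}

# Constructed sample log lines (not real data), one Okta System Log JSON record per line.
# Two 'initiate' events fall in the same second to show the 1-second aggregation;
# the final 'user.session.start' record is noise that the rule must ignore.
SAMPLE_LOG_LINES = """
{"published": "2024-02-09T10:15:30.123Z", "eventType": "user.session.impersonation.grant", "displayMessage": "Grant user session impersonation", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.5"}}
{"published": "2024-02-09T10:15:42.100Z", "eventType": "user.session.impersonation.initiate", "displayMessage": "Initiate user session impersonation", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support-agent@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-02-09T10:15:42.900Z", "eventType": "user.session.impersonation.initiate", "displayMessage": "Initiate user session impersonation", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support-agent@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-02-09T10:20:01.000Z", "eventType": "user.session.impersonation.end", "displayMessage": "End user session impersonation", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support-agent@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-02-09T10:20:05.000Z", "eventType": "user.session.start", "displayMessage": "User login to Okta", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "192.0.2.44"}}
"""


def load_sample_events() -> list:
    """Parse the constructed JSON-lines sample into dicts, skipping blank lines."""
    return [json.loads(line) for line in SAMPLE_LOG_LINES.splitlines() if line.strip()]


def parse_published(ts: str) -> datetime:
    """Okta 'published' timestamps are ISO 8601 with a trailing 'Z'; return an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_impersonation_event(event: dict) -> bool:
    """The rule's filter: keep only the five impersonation lifecycle event types."""
    return event.get("eventType") in IMPERSONATION_EVENT_TYPES


def extract_fields(event: dict) -> dict:
    """Pull the fields the rule reports; the mapping below is an assumption for this example."""
    actor = event.get("actor") or {}
    client = event.get("client") or {}
    outcome = event.get("outcome") or {}
    when = parse_published(event["published"])
    return {
        "time": when,
        "bin_start": when.replace(microsecond=0),  # floor to the 1-second bucket
        "user": actor.get("alternateId", "unknown"),
        "action": outcome.get("result", "UNKNOWN"),
        "src_ip": client.get("ipAddress", "unknown"),
        "signature": event.get("displayMessage", event.get("eventType")),
        "event_type": event["eventType"],
    }


def detect_impersonation(events: list) -> list:
    """Filter to impersonation events and aggregate per (1-second bin, user, action, source IP, signature)."""
    groups = defaultdict(lambda: {"count": 0, "event_types": set()})
    for event in events:
        if not is_impersonation_event(event):
            continue
        f = extract_fields(event)
        key = (f["bin_start"], f["user"], f["action"], f["src_ip"], f["signature"])
        groups[key]["count"] += 1
        groups[key]["event_types"].add(f["event_type"])
    rows = []
    for (bin_start, user, action, src_ip, signature), agg in sorted(groups.items()):
        rows.append({
            "time": bin_start.isoformat(),
            "user": user,
            "action": action,
            "src_ip": src_ip,
            "signature": signature,
            "event_types": sorted(agg["event_types"]),
            "count": agg["count"],
        })
    return rows


if __name__ == "__main__":
    for row in detect_impersonation(load_sample_events()):
        print(row)
```

Running the block prints three aggregated rows: the grant by the end user, the two support-side initiate events collapsed into one row with a count of 2, and the end event; the login record never reaches the output. In a SIEM the same grouping is what a 1-second time bin plus a stats clause over user, action, source IP and signature produces, and the count column is what an analyst uses to spot repeated initiate or extend activity from one source.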
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Process
- Application Log
ATT&CK Techniques
- T1550
Created: 2024-02-09