
Summary
This detection rule identifies instances where a user account assumes the identity of another user within OneLogin, which could indicate unauthorized access or lateral movement. The rule triggers on the OneLogin event type ID for user-assumption activity, specifically where an actor account assumes another user's account. The event itself does not record whether the assumption was authorized, so the responder must establish that from context. Detecting this activity is crucial for catching misuse of account credentials and for maintaining the integrity of user access management. Responders should review the logs related to this event to determine whether the access was sanctioned or needs further investigation. An analysis of the associated attributes such as account_id, user_name, and user_id is essential for identifying the involved users and their actions. The runbook guidance recommends a thorough review of the context surrounding the assumption to verify its legitimacy.
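The following is an added example, not the rule's own code: a minimal implementation of the detection described above, run over constructed sample OneLogin events. It assumes OneLogin's event_type_id 3 denotes "user assumed another user" and that the event fields follow OneLogin's schema (actor_user_id, actor_user_name, user_id, user_name, account_id); both are assumptions, not facts stated on this page. The self-assumption exclusion is a design choice of this example.

```python
import json
from typing import Any, Dict, List

# Assumption (not from the page): OneLogin's event_type_id for
# "user assumed another user". Adjust if your tenant's event catalogue differs.
ASSUMED_USER_EVENT_TYPE_ID = 3


def rule(event: Dict[str, Any]) -> bool:
    """Return True when an actor account assumed a different user's account."""
    if event.get("event_type_id") != ASSUMED_USER_EVENT_TYPE_ID:
        return False
    actor = event.get("actor_user_id")
    target = event.get("user_id")
    # Design choice: a missing target or a self-assumption is not a change of
    # identity worth alerting on.
    return actor is not None and target is not None and actor != target


def title(event: Dict[str, Any]) -> str:
    """Human-readable alert title naming both sides of the assumption."""
    return (
        f"OneLogin user [{event.get('actor_user_name', '<unknown>')}] assumed "
        f"user [{event.get('user_name', '<unknown>')}] in account "
        f"[{event.get('account_id', '<unknown>')}]"
    )


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """The attributes a responder needs to identify who did what to whom."""
    return {
        "account_id": event.get("account_id"),
        "actor_user_id": event.get("actor_user_id"),
        "actor_user_name": event.get("actor_user_name"),
        "user_id": event.get("user_id"),
        "user_name": event.get("user_name"),
        "ipaddr": event.get("ipaddr"),
        "event_timestamp": event.get("event_timestamp"),
    }


def scan(ndjson: str) -> List[Dict[str, Any]]:
    """Run the rule over newline-delimited JSON events; return one alert per hit."""
    alerts = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if rule(event):
            alerts.append({"title": title(event), "context": alert_context(event)})
    return alerts


# Constructed sample events (not real OneLogin logs): an unrelated event type,
# a self-assumption, and a genuine cross-user assumption. event_type_id 5 is
# used here only as "some other event type".
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event_type_id": 5, "account_id": 1001, "actor_user_id": 42,
                "actor_user_name": "alice", "user_id": 42, "user_name": "alice",
                "ipaddr": "192.0.2.10", "event_timestamp": "2022-09-02T10:00:00Z"}),
    json.dumps({"event_type_id": 3, "account_id": 1001, "actor_user_id": 42,
                "actor_user_name": "alice", "user_id": 42, "user_name": "alice",
                "ipaddr": "192.0.2.10", "event_timestamp": "2022-09-02T10:01:00Z"}),
    json.dumps({"event_type_id": 3, "account_id": 1001, "actor_user_id": 7,
                "actor_user_name": "helpdesk-admin", "user_id": 42,
                "user_name": "alice", "ipaddr": "198.51.100.5",
                "event_timestamp": "2022-09-02T10:02:00Z"}),
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["title"])
        print(json.dumps(alert["context"], indent=2))
```

Only the third sample event produces an alert; the context it carries (actor and target user IDs and names, account_id, source IP, timestamp) is the starting point for the runbook review of whether the assumption was sanctioned.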
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1550
Created: 2022-09-02