
Summary
The rule 'Okta Support Access Granted' detects when an admin grants Okta Support access to a user's account, indicating potential exposure to unauthorized support operations. It matches the 'user.session.impersonation.grant' event type in the Okta System Log, which records that the admin has enabled impersonation. The rule also defines the key attributes to monitor, including 'eventType', 'severity', and 'displayMessage', among others. The severity of this event is Medium: granting support access is a standard action, but it merits scrutiny because it may indicate a trusted relationship that could be exploited. The associated MITRE ATT&CK mapping places this action under initial access tactics. The alert includes a reference link for additional context and a suggested runbook that instructs users to contact an admin to verify whether the activity was authorized. Continuous monitoring is essential because, depending on the context in which access was granted, this activity could be either a normal operation or a possible security breach.
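The matching logic described above, as an added example that is not the rule's own code: it scans JSON-lines System Log output for the event type the rule names and builds a triage record from the attributes the summary lists. The sample events, the alert field names and the function names are constructed for illustration.

```python
import json

RULE_EVENT_TYPE = "user.session.impersonation.grant"  # event type named by the rule
RULE_SEVERITY = "Medium"                               # rule severity stated in the summary

# Constructed sample input: JSON lines shaped like Okta System Log events (not real data).
SAMPLE_LOG = "\n".join([
    json.dumps({"uuid": "evt-0001", "published": "2022-09-02T10:15:00.000Z",
                "eventType": "user.session.start", "severity": "INFO",
                "displayMessage": "constructed: user login",
                "actor": {"alternateId": "alice@example.com"},
                "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"uuid": "evt-0002", "published": "2022-09-02T10:20:00.000Z",
                "eventType": "user.session.impersonation.grant", "severity": "INFO",
                "displayMessage": "constructed: support access granted",
                "actor": {"alternateId": "admin@example.com"},
                "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}),
    '{"eventType": "user.session.impersonation.grant", "actor": ',  # truncated line
    json.dumps({"uuid": "evt-0003", "eventType": None}),            # missing fields
])

def matches_rule(event):
    """True when the event is the support-access grant the rule looks for."""
    return isinstance(event, dict) and event.get("eventType") == RULE_EVENT_TYPE

def build_alert(event):
    """Collect the fields an analyst needs to verify the grant with the admin."""
    actor = event.get("actor") or {}
    client = event.get("client") or {}
    return {"rule": "Okta Support Access Granted", "rule_severity": RULE_SEVERITY,
            "event_id": event.get("uuid"), "time": event.get("published"),
            "actor": actor.get("alternateId"), "source_ip": client.get("ipAddress"),
            "outcome": (event.get("outcome") or {}).get("result"),
            "message": event.get("displayMessage"),
            "runbook": "Contact the admin to verify the grant was authorized."}

def scan(log_text):
    """Return one alert per matching event; unparseable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_rule(event):
            alerts.append(build_alert(event))
    return alerts

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG), indent=2))
```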
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1199
Created: 2022-09-02