def rule(event):
    if all(
        [
            event.deep_get("eventType", default="") == "user.session.impersonation.grant",
            not any(
                [
                    "system@okta.com" in event.deep_get("actor", "alternateId", default=""),
                    "%legtimate_identifiers%" in event.deep_get("actor", "alternateId", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
