Attempt to Revoke Okta API Token

Elastic Stack Serverless Security

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

• filebeat-*
• logs-okta*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://developer.okta.com/docs/reference/api/system-log/
• https://developer.okta.com/docs/reference/api/event-types/
• https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy

Tags:

• Elastic
• Identity
• Okta
• Continuous Monitoring
• SecOps
• Monitoring

Version: 102

Rule authors:

• Elastic

Rule license: Elastic License v2

event.dataset:okta.system and event.action:system.api_token.revoke

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Impact
  • ID: TA0040
  • Reference URL: https://attack.mitre.org/tactics/TA0040/

• Technique:

  • Name: Account Access Removal
  • ID: T1531
  • Reference URL: https://attack.mitre.org/techniques/T1531/