Attempt to Revoke Okta API Token | Elastic Security Solution [8.6]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »

Attempt to Revoke Okta API Tokenedit

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact

Version: 103

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.dataset:okta.system and event.action:system.api_token.revoke

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Account Access Removal
- ID: T1531
- Reference URL: https://attack.mitre.org/techniques/T1531/

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »