Attempt to Revoke Okta API Token | Elastic Security Solution [8.13]

› ›

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »

Attempt to Revoke Okta API Tokenedit

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Identity
Okta
Continuous Monitoring
SecOps
Monitoring

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.dataset:okta.system and event.action:system.api_token.revoke

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Account Access Removal
- ID: T1531
- Reference URL: https://attack.mitre.org/techniques/T1531/

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »