IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »

› ›

Attempt to Revoke Okta API Token

edit

Attempt to Revoke Okta API Token

edit

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Identity
Okta
Continuous Monitoring
SecOps
Monitoring

Version: 9

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:okta.system and event.action:system.api_token.revoke

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Account Access Removal
- ID: T1531
- Reference URL: https://attack.mitre.org/techniques/T1531/

« High Number of Okta User Password Reset or Unlock Attempts Attempt to Deactivate an Okta Application »