Attempt to Revoke Okta API Token

edit

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 9

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit
event.dataset:okta.system and event.action:system.api_token.revoke

Framework: MITRE ATT&CKTM