Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials

Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a New Terms rule where the okta.actor.display_name field value has not been seen in the last 14 days regarding this event.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/09/11"
  3integration = ["okta"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.15.0"
  7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is
 13generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but
 14the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an
 15adversary is attempting to obtain an access token for unauthorized scopes. This is a [New
 16Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the
 17`okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.
 18"""
 19from = "now-9m"
 20index = ["filebeat-*", "logs-okta*"]
 21language = "kuery"
 22license = "Elastic License v2"
 23name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials"
 24references = [
 25    "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
 26    "https://developer.okta.com/docs/reference/api/event-types/",
 27    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 28    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 29]
 30risk_score = 47
 31rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
 32severity = "medium"
 33tags = [
 34    "Domain: SaaS",
 35    "Data Source: Okta",
 36    "Use Case: Threat Detection",
 37    "Use Case: Identity and Access Audit",
 38    "Tactic: Defense Evasion",
 39    "Resources: Investigation Guide",
 40]
 41timestamp_override = "event.ingested"
 42type = "new_terms"
 43
 44query = '''
 45event.dataset: okta.system
 46    and event.action: "app.oauth2.as.token.grant"
 47    and okta.actor.type: "PublicClientApp"
 48    and okta.debug_context.debug_data.flattened.grantType: "client_credentials"
 49    and okta.outcome.result: "FAILURE"
 50    and not okta.client.user_agent.raw_user_agent: "Okta-Integrations"
 51    and not okta.actor.display_name: (Okta* or Datadog)
 52    and not okta.debug_context.debug_data.flattened.requestedScopes: ("okta.logs.read" or "okta.eventHooks.read" or "okta.inlineHooks.read")
 53    and okta.outcome.reason: "no_matching_scope"
 54'''
 55note = """## Triage and analysis
 56
 57> **Disclaimer**:
 58> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 59
 60### Investigating Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
 61
 62OAuth 2.0 is a protocol for authorization, allowing apps to access resources on behalf of users. Public client apps, lacking secure storage, use client credentials for token grants. Adversaries may exploit compromised credentials to request unauthorized scopes. The detection rule identifies failed token grants due to scope mismatches, signaling potential misuse of client credentials.
 63
 64### Possible investigation steps
 65
 66- Review the `okta.actor.display_name` field to identify the public client app involved in the failed token grant attempt and determine if it is a known or expected application.
 67- Examine the `okta.debug_context.debug_data.flattened.requestedScopes` field to understand which unauthorized scopes were requested and assess their potential impact if accessed.
 68- Investigate the `okta.actor.type` field to confirm that the actor is indeed a public client app, which lacks secure storage, and evaluate the risk of compromised credentials.
 69- Check the `okta.outcome.reason` field for "no_matching_scope" to verify that the failure was due to a scope mismatch, indicating an attempt to access unauthorized resources.
 70- Analyze the `okta.client.user_agent.raw_user_agent` field to ensure the request did not originate from known Okta integrations, which are excluded from the rule, to rule out false positives.
 71- Correlate the event with other security logs or alerts to identify any patterns or additional suspicious activities related to the same client credentials or IP address.
 72
 73### False positive analysis
 74
 75- Frequent legitimate access attempts by known public client apps may trigger false positives. To manage this, consider creating exceptions for specific `okta.actor.display_name` values that are known to frequently request scopes without malicious intent.
 76- Automated processes or integrations that use client credentials might occasionally request scopes not typically associated with their function. Review these processes and, if deemed non-threatening, exclude their `okta.client.user_agent.raw_user_agent` from triggering the rule.
 77- Development or testing environments often simulate various OAuth 2.0 token grant scenarios, which can result in false positives. Identify and exclude these environments by their `okta.actor.display_name` or other distinguishing attributes.
 78- Regularly review and update the list of non-threatening scopes in `okta.debug_context.debug_data.flattened.requestedScopes` to ensure that legitimate scope requests are not flagged as unauthorized.
 79
 80### Response and remediation
 81
 82- Immediately revoke the compromised client credentials to prevent further unauthorized access attempts.
 83- Conduct a thorough review of the affected public client app's access logs to identify any successful unauthorized access or data exfiltration attempts.
 84- Notify the application owner and relevant security teams about the incident to ensure coordinated response efforts.
 85- Implement additional monitoring on the affected app and associated user accounts to detect any further suspicious activities.
 86- Update and enforce stricter access controls and scope permissions for public client apps to minimize the risk of unauthorized scope requests.
 87- Consider implementing multi-factor authentication (MFA) for accessing sensitive resources to add an additional layer of security.
 88- Escalate the incident to the security operations center (SOC) for further investigation and to determine if broader organizational impacts exist."""
 89
 90
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1550"
 95name = "Use Alternate Authentication Material"
 96reference = "https://attack.mitre.org/techniques/T1550/"
 97[[rule.threat.technique.subtechnique]]
 98id = "T1550.001"
 99name = "Application Access Token"
100reference = "https://attack.mitre.org/techniques/T1550/001/"
101
102
103
104[rule.threat.tactic]
105id = "TA0005"
106name = "Defense Evasion"
107reference = "https://attack.mitre.org/tactics/TA0005/"
108
109[rule.new_terms]
110field = "new_terms_fields"
111value = ["okta.actor.display_name"]
112[[rule.new_terms.history_window_start]]
113field = "history_window_start"
114value = "now-14d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials

OAuth 2.0 is a protocol for authorization, allowing apps to access resources on behalf of users. Public client apps, lacking secure storage, use client credentials for token grants. Adversaries may exploit compromised credentials to request unauthorized scopes. The detection rule identifies failed token grants due to scope mismatches, signaling potential misuse of client credentials.

Possible investigation steps

  • Review the okta.actor.display_name field to identify the public client app involved in the failed token grant attempt and determine if it is a known or expected application.
  • Examine the okta.debug_context.debug_data.flattened.requestedScopes field to understand which unauthorized scopes were requested and assess their potential impact if accessed.
  • Investigate the okta.actor.type field to confirm that the actor is indeed a public client app, which lacks secure storage, and evaluate the risk of compromised credentials.
  • Check the okta.outcome.reason field for "no_matching_scope" to verify that the failure was due to a scope mismatch, indicating an attempt to access unauthorized resources.
  • Analyze the okta.client.user_agent.raw_user_agent field to ensure the request did not originate from known Okta integrations, which are excluded from the rule, to rule out false positives.
  • Correlate the event with other security logs or alerts to identify any patterns or additional suspicious activities related to the same client credentials or IP address.

False positive analysis

  • Frequent legitimate access attempts by known public client apps may trigger false positives. To manage this, consider creating exceptions for specific okta.actor.display_name values that are known to frequently request scopes without malicious intent.
  • Automated processes or integrations that use client credentials might occasionally request scopes not typically associated with their function. Review these processes and, if deemed non-threatening, exclude their okta.client.user_agent.raw_user_agent from triggering the rule.
  • Development or testing environments often simulate various OAuth 2.0 token grant scenarios, which can result in false positives. Identify and exclude these environments by their okta.actor.display_name or other distinguishing attributes.
  • Regularly review and update the list of non-threatening scopes in okta.debug_context.debug_data.flattened.requestedScopes to ensure that legitimate scope requests are not flagged as unauthorized.

Response and remediation

  • Immediately revoke the compromised client credentials to prevent further unauthorized access attempts.
  • Conduct a thorough review of the affected public client app's access logs to identify any successful unauthorized access or data exfiltration attempts.
  • Notify the application owner and relevant security teams about the incident to ensure coordinated response efforts.
  • Implement additional monitoring on the affected app and associated user accounts to detect any further suspicious activities.
  • Update and enforce stricter access controls and scope permissions for public client apps to minimize the risk of unauthorized scope requests.
  • Consider implementing multi-factor authentication (MFA) for accessing sensitive resources to add an additional layer of security.
  • Escalate the incident to the security operations center (SOC) for further investigation and to determine if broader organizational impacts exist.

References

Related rules

to-top