Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is
generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but
the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an
adversary is attempting to obtain an access token for unauthorized scopes. This is a New
Terms rule where the
okta.actor.display_name
field value has not been seen in the last 14 days regarding this event.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/09/11"
3integration = ["okta"]
4maturity = "production"
5updated_date = "2025/01/15"
6min_stack_version = "8.15.0"
7min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is
13generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but
14the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an
15adversary is attempting to obtain an access token for unauthorized scopes. This is a [New
16Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the
17`okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.
18"""
19from = "now-9m"
20index = ["filebeat-*", "logs-okta*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials"
24references = [
25 "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
26 "https://developer.okta.com/docs/reference/api/event-types/",
27 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
28 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
29]
30risk_score = 47
31rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
32severity = "medium"
33tags = [
34 "Domain: SaaS",
35 "Data Source: Okta",
36 "Use Case: Threat Detection",
37 "Use Case: Identity and Access Audit",
38 "Tactic: Defense Evasion",
39 "Resources: Investigation Guide",
40]
41timestamp_override = "event.ingested"
42type = "new_terms"
43
44query = '''
45event.dataset: okta.system
46 and event.action: "app.oauth2.as.token.grant"
47 and okta.actor.type: "PublicClientApp"
48 and okta.debug_context.debug_data.flattened.grantType: "client_credentials"
49 and okta.outcome.result: "FAILURE"
50 and not okta.client.user_agent.raw_user_agent: "Okta-Integrations"
51 and not okta.actor.display_name: (Okta* or Datadog)
52 and not okta.debug_context.debug_data.flattened.requestedScopes: ("okta.logs.read" or "okta.eventHooks.read" or "okta.inlineHooks.read")
53 and okta.outcome.reason: "no_matching_scope"
54'''
55note = """## Triage and analysis
56
57> **Disclaimer**:
58> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
59
60### Investigating Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
61
62OAuth 2.0 is a protocol for authorization, allowing apps to access resources on behalf of users. Public client apps, lacking secure storage, use client credentials for token grants. Adversaries may exploit compromised credentials to request unauthorized scopes. The detection rule identifies failed token grants due to scope mismatches, signaling potential misuse of client credentials.
63
64### Possible investigation steps
65
66- Review the `okta.actor.display_name` field to identify the public client app involved in the failed token grant attempt and determine if it is a known or expected application.
67- Examine the `okta.debug_context.debug_data.flattened.requestedScopes` field to understand which unauthorized scopes were requested and assess their potential impact if accessed.
68- Investigate the `okta.actor.type` field to confirm that the actor is indeed a public client app, which lacks secure storage, and evaluate the risk of compromised credentials.
69- Check the `okta.outcome.reason` field for "no_matching_scope" to verify that the failure was due to a scope mismatch, indicating an attempt to access unauthorized resources.
70- Analyze the `okta.client.user_agent.raw_user_agent` field to ensure the request did not originate from known Okta integrations, which are excluded from the rule, to rule out false positives.
71- Correlate the event with other security logs or alerts to identify any patterns or additional suspicious activities related to the same client credentials or IP address.
72
73### False positive analysis
74
75- Frequent legitimate access attempts by known public client apps may trigger false positives. To manage this, consider creating exceptions for specific `okta.actor.display_name` values that are known to frequently request scopes without malicious intent.
76- Automated processes or integrations that use client credentials might occasionally request scopes not typically associated with their function. Review these processes and, if deemed non-threatening, exclude their `okta.client.user_agent.raw_user_agent` from triggering the rule.
77- Development or testing environments often simulate various OAuth 2.0 token grant scenarios, which can result in false positives. Identify and exclude these environments by their `okta.actor.display_name` or other distinguishing attributes.
78- Regularly review and update the list of non-threatening scopes in `okta.debug_context.debug_data.flattened.requestedScopes` to ensure that legitimate scope requests are not flagged as unauthorized.
79
80### Response and remediation
81
82- Immediately revoke the compromised client credentials to prevent further unauthorized access attempts.
83- Conduct a thorough review of the affected public client app's access logs to identify any successful unauthorized access or data exfiltration attempts.
84- Notify the application owner and relevant security teams about the incident to ensure coordinated response efforts.
85- Implement additional monitoring on the affected app and associated user accounts to detect any further suspicious activities.
86- Update and enforce stricter access controls and scope permissions for public client apps to minimize the risk of unauthorized scope requests.
87- Consider implementing multi-factor authentication (MFA) for accessing sensitive resources to add an additional layer of security.
88- Escalate the incident to the security operations center (SOC) for further investigation and to determine if broader organizational impacts exist."""
89
90
91[[rule.threat]]
92framework = "MITRE ATT&CK"
93[[rule.threat.technique]]
94id = "T1550"
95name = "Use Alternate Authentication Material"
96reference = "https://attack.mitre.org/techniques/T1550/"
97[[rule.threat.technique.subtechnique]]
98id = "T1550.001"
99name = "Application Access Token"
100reference = "https://attack.mitre.org/techniques/T1550/001/"
101
102
103
104[rule.threat.tactic]
105id = "TA0005"
106name = "Defense Evasion"
107reference = "https://attack.mitre.org/tactics/TA0005/"
108
109[rule.new_terms]
110field = "new_terms_fields"
111value = ["okta.actor.display_name"]
112[[rule.new_terms.history_window_start]]
113field = "history_window_start"
114value = "now-14d"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
OAuth 2.0 is a protocol for authorization, allowing apps to access resources on behalf of users. Public client apps, lacking secure storage, use client credentials for token grants. Adversaries may exploit compromised credentials to request unauthorized scopes. The detection rule identifies failed token grants due to scope mismatches, signaling potential misuse of client credentials.
Possible investigation steps
- Review the
okta.actor.display_name
field to identify the public client app involved in the failed token grant attempt and determine if it is a known or expected application. - Examine the
okta.debug_context.debug_data.flattened.requestedScopes
field to understand which unauthorized scopes were requested and assess their potential impact if accessed. - Investigate the
okta.actor.type
field to confirm that the actor is indeed a public client app, which lacks secure storage, and evaluate the risk of compromised credentials. - Check the
okta.outcome.reason
field for "no_matching_scope" to verify that the failure was due to a scope mismatch, indicating an attempt to access unauthorized resources. - Analyze the
okta.client.user_agent.raw_user_agent
field to ensure the request did not originate from known Okta integrations, which are excluded from the rule, to rule out false positives. - Correlate the event with other security logs or alerts to identify any patterns or additional suspicious activities related to the same client credentials or IP address.
False positive analysis
- Frequent legitimate access attempts by known public client apps may trigger false positives. To manage this, consider creating exceptions for specific
okta.actor.display_name
values that are known to frequently request scopes without malicious intent. - Automated processes or integrations that use client credentials might occasionally request scopes not typically associated with their function. Review these processes and, if deemed non-threatening, exclude their
okta.client.user_agent.raw_user_agent
from triggering the rule. - Development or testing environments often simulate various OAuth 2.0 token grant scenarios, which can result in false positives. Identify and exclude these environments by their
okta.actor.display_name
or other distinguishing attributes. - Regularly review and update the list of non-threatening scopes in
okta.debug_context.debug_data.flattened.requestedScopes
to ensure that legitimate scope requests are not flagged as unauthorized.
Response and remediation
- Immediately revoke the compromised client credentials to prevent further unauthorized access attempts.
- Conduct a thorough review of the affected public client app's access logs to identify any successful unauthorized access or data exfiltration attempts.
- Notify the application owner and relevant security teams about the incident to ensure coordinated response efforts.
- Implement additional monitoring on the affected app and associated user accounts to detect any further suspicious activities.
- Update and enforce stricter access controls and scope permissions for public client apps to minimize the risk of unauthorized scope requests.
- Consider implementing multi-factor authentication (MFA) for accessing sensitive resources to add an additional layer of security.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if broader organizational impacts exist.
References
Related rules
- Successful Application SSO from Rare Unknown Client Device
- Attempt to Deactivate an Okta Network Zone
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Network Zone