Attempt to Revoke Okta API Token
Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.
Elastic rule

```toml
[metadata]
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to
disrupt an organization's business operations.
"""
false_positives = [
    """
    If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false
    positives.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Revoke Okta API Token"
note = """## Triage and analysis

### Investigating Attempt to Revoke Okta API Token

The rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.

#### Possible investigation steps:
- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.
- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.
- Verify if the API token revocation was authorized or part of some planned activity.
- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.
- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.
- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.

### False positive analysis:
- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.

### Response and remediation:
- If unauthorized revocation attempts are confirmed, initiate the incident response process.
- Block the IP address or device used in the attempts, if they appear suspicious.
- Reset the user's password and enforce MFA re-enrollment, if applicable.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.

## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:okta.system and event.action:system.api_token.revoke
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
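The following is an added example, not code from the Elastic rule or from Okta. It replays the rule's KQL match over a handful of constructed Okta System Log events, pulls out the triage fields the note names (actor, client IP, device, user agent, geographical context, outcome), models the false-positive advice as an actor allowlist, and implements the "events just before and after" step as a time window per actor. The flattening of raw Okta fields (`actor.alternateId`, `client.ipAddress`, `outcome.result`, ...) into the `okta.*` and `event.*` names used by the rule is my own approximation of the Elastic Okta integration's mapping, not the integration's pipeline; the actors, IPs, user agents and token names are made up.

```python
# Added example: replay the 'Attempt to Revoke Okta API Token' match over
# constructed Okta System Log events. Not Elastic's or Okta's code; the
# raw -> okta.* mapping below is an assumption, not the real ingest pipeline.
from datetime import datetime, timedelta

# Constructed sample events imitating the Okta System Log API shape.
RAW_OKTA_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-09-23T08:00:01.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer",
                "userAgent": {"rawUserAgent": "Mozilla/5.0"}, "geographicalContext": {"country": "US"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
    {"eventType": "system.api_token.revoke", "published": "2024-09-23T08:05:44.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer",
                "userAgent": {"rawUserAgent": "Mozilla/5.0"}, "geographicalContext": {"country": "US"}},
     "outcome": {"result": "SUCCESS", "reason": None},
     "target": [{"type": "Token", "displayName": "scim-provisioning"}]},
    {"eventType": "system.api_token.create", "published": "2024-09-23T08:06:10.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer",
                "userAgent": {"rawUserAgent": "Mozilla/5.0"}, "geographicalContext": {"country": "US"}},
     "outcome": {"result": "SUCCESS", "reason": None},
     "target": [{"type": "Token", "displayName": "scim-provisioning-v2"}]},
    {"eventType": "system.api_token.revoke", "published": "2024-09-23T23:41:09.000Z",
     "actor": {"alternateId": "svc-automation@example.com"},
     "client": {"ipAddress": "198.51.100.77", "device": "Unknown",
                "userAgent": {"rawUserAgent": "python-requests/2.31"}, "geographicalContext": {"country": "NL"}},
     "outcome": {"result": "FAILURE", "reason": "Insufficient permissions"},
     "target": [{"type": "Token", "displayName": "siem-log-export"}]},
]

# The rule's KQL, `event.dataset:okta.system and event.action:system.api_token.revoke`,
# reduced to two exact-term matches.
RULE_QUERY = {"event.dataset": "okta.system", "event.action": "system.api_token.revoke"}


def flatten(raw):
    """Assumed mapping of a raw Okta event onto the okta.* / event.* fields the rule and its note use."""
    client = raw.get("client", {})
    outcome = raw.get("outcome", {})
    return {
        "@timestamp": raw.get("published"),
        "event.dataset": "okta.system",
        "event.action": raw.get("eventType"),
        "okta.actor.alternate_id": raw.get("actor", {}).get("alternateId"),
        "okta.client.ip": client.get("ipAddress"),
        "okta.client.device": client.get("device"),
        "okta.client.user_agent.raw_user_agent": client.get("userAgent", {}).get("rawUserAgent"),
        "okta.client.geographical_context": client.get("geographicalContext"),
        "okta.outcome.result": outcome.get("result"),
        "okta.outcome.reason": outcome.get("reason"),
        "okta.target": raw.get("target", []),
    }


def rule_matches(doc):
    """True when the flattened document satisfies every term of the rule query."""
    return all(doc.get(k) == v for k, v in RULE_QUERY.items())


def triage(doc):
    """The fields the rule note tells the analyst to review, collected in one record."""
    return {
        "timestamp": doc["@timestamp"],
        "actor": doc["okta.actor.alternate_id"],
        "client_ip": doc["okta.client.ip"],
        "device": doc["okta.client.device"],
        "user_agent": doc["okta.client.user_agent.raw_user_agent"],
        "country": (doc["okta.client.geographical_context"] or {}).get("country"),
        "outcome": (doc["okta.outcome.result"], doc["okta.outcome.reason"]),
        "tokens": [t.get("displayName") for t in doc["okta.target"] if t.get("type") == "Token"],
    }


def run_rule(raw_events, exceptions=frozenset()):
    """Alert on every matching event. `exceptions` models the rule's false-positive
    advice: an allowlist of actors whose token revocations are planned work."""
    alerts = []
    for raw in raw_events:
        doc = flatten(raw)
        if rule_matches(doc) and doc["okta.actor.alternate_id"] not in exceptions:
            alerts.append(triage(doc))
    return alerts


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def actor_context(raw_events, alert, window_minutes=10):
    """Event types by the same actor within +/- window of the alert, in time order
    (the 'actions just before and after this event' triage step)."""
    centre, win = _ts(alert["timestamp"]), timedelta(minutes=window_minutes)
    nearby = [(r["published"], r["eventType"]) for r in raw_events
              if r.get("actor", {}).get("alternateId") == alert["actor"]
              and abs(_ts(r["published"]) - centre) <= win]
    return [event_type for _, event_type in sorted(nearby)]


if __name__ == "__main__":
    for alert in run_rule(RAW_OKTA_EVENTS):
        print(alert)
        print("  context:", actor_context(RAW_OKTA_EVENTS, alert))
```

Run as-is, the first hit (alice, interactive browser client, revoke followed within a minute by a `system.api_token.create`) looks like routine token rotation and is the kind of actor an exception would cover; the second (a service account from an unusual country and user agent, `FAILURE` with reason `Insufficient permissions`) is the one to investigate, and the note's advice to check `okta.outcome.result` matters because the rule fires on attempts, not only on successful revocations.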
Related rules
- Attempt to Deactivate an Okta Application
- Attempt to Delete an Okta Application
- Attempt to Modify an Okta Application
- Possible Okta DoS Attack
- Administrator Privileges Assigned to an Okta Group