{
  "author": [
    "Elastic"
  ],
  "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
  "false_positives": [
    "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
  ],
  "index": [
    "filebeat-*",
    "logs-okta*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Attempt to Revoke Okta API Token",
  "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
  "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
  "references": [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/"
  ],
  "risk_score": 21,
  "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
  "severity": "low",
  "tags": [
    "Elastic",
    "Identity",
    "Okta",
    "Continuous Monitoring",
    "SecOps",
    "Monitoring"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0040",
        "name": "Impact",
        "reference": "https://attack.mitre.org/tactics/TA0040/"
      },
      "technique": [
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "reference": "https://attack.mitre.org/techniques/T1531/"
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 6
}