LoFP / If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

Techniques

Sample rules

Attempt to Revoke Okta API Token

Description

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Detection logic

event.dataset:okta.system and event.action:system.api_token.revoke
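
One way to prototype such an exception before changing the rule, as an added example that is not part of the original page or rule: it applies the detection logic above to constructed sample events and suppresses only revocations performed by an allowlisted actor. The use of okta.actor.alternate_id as the actor field, the account names and the helper names are assumptions.

```python
import json

# Hypothetical allowlist: accounts expected to revoke tokens (e.g. a rotation job).
EXPECTED_ACTORS = {"svc-token-rotation@example.com"}

def get_field(event, dotted):
    """Read a field from a document that uses flat dotted keys or nested objects."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event):
    # Same condition as the rule's detection logic.
    return (get_field(event, "event.dataset") == "okta.system"
            and get_field(event, "event.action") == "system.api_token.revoke")

def triage(lines, expected_actors=EXPECTED_ACTORS):
    """Return (alerts, suppressed); suppressed matches are kept for later audit."""
    alerts, suppressed = [], []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(event, dict) or not matches_rule(event):
            continue
        actor = get_field(event, "okta.actor.alternate_id")  # assumed actor field
        # An event with no actor is never treated as expected: it still alerts.
        if isinstance(actor, str) and actor.lower() in expected_actors:
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed

# Constructed sample events (not real logs).
SAMPLE = [
    '{"event": {"dataset": "okta.system", "action": "system.api_token.revoke"}, "okta": {"actor": {"alternate_id": "svc-token-rotation@example.com"}}}',
    '{"event.dataset": "okta.system", "event.action": "system.api_token.revoke", "okta.actor.alternate_id": "admin@example.com"}',
    '{"event": {"dataset": "okta.system", "action": "system.api_token.revoke"}}',
    '{"event": {"dataset": "okta.system", "action": "system.api_token.create"}}',
    'not json',
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE)
    print(f"{len(alerts)} alert(s), {len(suppressed)} suppressed")
```

Scoping the exception to specific actors rather than disabling the rule keeps revocations by any other account visible.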