Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
editUnauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
editIdentifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the okta.actor.display_name
field value has not been seen in the last 14 days regarding this event.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/
- https://developer.okta.com/docs/reference/api/event-types/
- https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security
- https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Tags:
- Domain: SaaS
- Data Source: Okta
- Use Case: Threat Detection
- Use Case: Identity and Access Audit
- Tactic: Defense Evasion
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.dataset: okta.system and event.action: "app.oauth2.as.token.grant" and okta.actor.type: "PublicClientApp" and okta.debug_context.debug_data.flattened.grantType: "client_credentials" and okta.outcome.result: "FAILURE" and not okta.client.user_agent.raw_user_agent: "Okta-Integrations" and not okta.actor.display_name: (Okta* or Datadog) and not okta.debug_context.debug_data.flattened.requestedScopes: ("okta.logs.read" or "okta.eventHooks.read" or "okta.inlineHooks.read") and okta.outcome.reason: "no_matching_scope"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
-
Sub-technique:
- Name: Application Access Token
- ID: T1550.001
- Reference URL: https://attack.mitre.org/techniques/T1550/001/