Attempt to Revoke Okta API Token

Elastic Detection Rules

Summary
This detection rule identifies attempts to revoke an Okta API token. API tokens are critical to the authentication process for integrations with various services, so revocation attempts can indicate malicious activity aimed at disrupting organizational operations, and the rule is designed to alert security teams when they occur. The rule uses a KQL query to monitor the specific events in Okta's system logs that correspond to API token revocations. It also includes investigation steps, false positive analysis, and response recommendations, giving security teams a complete process for handling these alerts. The rule is tagged for identity and access audit use cases and is mapped to the MITRE ATT&CK framework under the Impact tactic and the Account Access Removal technique, which underlines what token revocation actions mean for an organization's security posture and the integrity of its processes.
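To make the detection concrete, the following is an added, stand-alone Python example (not Elastic's rule and not the rule's actual KQL): it applies the same dataset-plus-action match the summary describes to constructed Okta system log documents. The ECS-style field names (event.dataset, event.action, event.outcome, okta.actor.alternate_id, okta.client.ip) and the action string "system.api_token.revoke" are assumptions made for the example; the sample log lines are constructed, not real data, and a malformed line is included to show that the parser skips it instead of failing.

```python
"""Toy detector for Okta API token revocation attempts over constructed log
lines. Field names and the matched action string are assumptions; this is
not Elastic's rule implementation."""
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

# Assumed match criteria, mirroring the KQL shape
# `event.dataset:okta.system and event.action:<action>` (assumption, not page content).
MATCH_DATASET = "okta.system"
MATCH_ACTION = "system.api_token.revoke"

# Constructed newline-delimited JSON documents (not real log data).
# Line 4 is a different dataset; line 5 is deliberately malformed.
SAMPLE_NDJSON = """\
{"@timestamp":"2024-01-01T10:00:00Z","event":{"dataset":"okta.system","action":"user.session.start","outcome":"success"},"okta":{"actor":{"alternate_id":"alice@example.com"},"client":{"ip":"203.0.113.5"}}}
{"@timestamp":"2024-01-01T10:05:00Z","event":{"dataset":"okta.system","action":"system.api_token.revoke","outcome":"success"},"okta":{"actor":{"alternate_id":"admin@example.com"},"client":{"ip":"203.0.113.9"}}}
{"@timestamp":"2024-01-01T10:06:00Z","event":{"dataset":"okta.system","action":"system.api_token.revoke","outcome":"failure"},"okta":{"actor":{"alternate_id":"admin@example.com"},"client":{"ip":"203.0.113.9"}}}
{"@timestamp":"2024-01-01T10:07:00Z","event":{"dataset":"aws.cloudtrail","action":"system.api_token.revoke"},"okta":{}}
this line is not json
"""


def _get(doc: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Dotted-path lookup into a nested dict; returns default if any hop is missing."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_ndjson(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line must not take the whole batch down
    return events


def matches_rule(doc: Dict[str, Any]) -> bool:
    """True when the document is an Okta system log event for the revoke action."""
    return (_get(doc, "event.dataset") == MATCH_DATASET
            and _get(doc, "event.action") == MATCH_ACTION)


def detect_token_revocations(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event. Outcome is kept rather than filtered,
    because the rule is about attempts: a failed revocation is still worth triage."""
    alerts = []
    for doc in events:
        if matches_rule(doc):
            alerts.append({
                "timestamp": _get(doc, "@timestamp"),
                "actor": _get(doc, "okta.actor.alternate_id", "<unknown>"),
                "source_ip": _get(doc, "okta.client.ip", "<unknown>"),
                "outcome": _get(doc, "event.outcome", "<unknown>"),
            })
    return alerts


def summarize_by_actor(alerts: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count alerts per actor: the first question in triage is who revoked what."""
    return dict(Counter(a["actor"] for a in alerts))


if __name__ == "__main__":
    found = detect_token_revocations(parse_ndjson(SAMPLE_NDJSON))
    for alert in found:
        print(alert)
    print(summarize_by_actor(found))
```

Run as a script it prints the two matching alerts (one successful and one failed revocation by the same actor from the same source IP) and the per-actor count, which is the kind of context the rule's investigation steps ask an analyst to establish before deciding whether the revocation was legitimate administration or an attempt to cut off an integration.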
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1531
Created: 2020-05-21