
Goal

Detect failed OAuth logins caused by an invalid or replayed nonce, or by a client exceeding the limit on access-token requests.

Strategy

Salesforce tracks the outcomes of failed logins, which are available in @login_status or @status depending on your logging tier.

This rule monitors for the following status messages in login events:

  • LOGIN_OAUTH_INVALID_NONCE
  • LOGIN_OAUTH_NONCE_REPLAY
  • LOGIN_OAUTH_EXCEED_GET_AT_LMT

To learn more about the variety of error messaging available for login events, refer to Salesforce documentation.

Triage and response

  • Examine the IP address, ASN, and geographic location of the login attempts for the affected user account.
  • Review the same account and connected application for successful login events, especially ones that follow the failures from the same source.
  • If the IP address or user account shows evidence of suspicious activity, initiate your incident response plan.
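The detection logic described under Strategy, plus a first triage pass over the flagged events, as an added example written for this page (it is not Datadog's rule engine or Salesforce's API). It reads the outcome from either the login_status or the status attribute, as the page says the field name depends on logging tier, and then groups flagged events by user and source IP, noting whether the same user later succeeded from that IP. The event shape, the sample events, and the use of LOGIN_NO_ERROR as the success marker are assumptions made for the example.

```python
"""Added example for this page: flag Salesforce OAuth nonce-replay / token-limit
login failures and summarize them for triage. Event shape and sample data are
constructed; field names follow the page (login_status or status)."""
from collections import defaultdict

# Status values the rule looks for (taken from the page).
SUSPICIOUS_STATUSES = {
    "LOGIN_OAUTH_INVALID_NONCE",
    "LOGIN_OAUTH_NONCE_REPLAY",
    "LOGIN_OAUTH_EXCEED_GET_AT_LMT",
}

# Assumed marker for a successful login in the same event stream.
SUCCESS_STATUS = "LOGIN_NO_ERROR"

# Constructed sample events: two replay failures then a success for alice from one IP,
# a token-limit failure for bob, and unrelated events that must not be flagged.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:01Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "app": "CI Connector", "login_status": "LOGIN_OAUTH_NONCE_REPLAY"},
    {"timestamp": "2024-05-01T10:00:05Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "app": "CI Connector", "login_status": "LOGIN_OAUTH_NONCE_REPLAY"},
    {"timestamp": "2024-05-01T10:01:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "app": "CI Connector", "login_status": "LOGIN_NO_ERROR"},
    {"timestamp": "2024-05-01T10:02:00Z", "user": "bob@example.com",
     "ip": "198.51.100.7", "app": "Mobile", "status": "LOGIN_OAUTH_EXCEED_GET_AT_LMT"},
    {"timestamp": "2024-05-01T10:03:00Z", "user": "carol@example.com",
     "ip": "192.0.2.44", "app": "Browser", "status": "LOGIN_NO_ERROR"},
    {"timestamp": "2024-05-01T10:04:00Z", "user": "dave@example.com",
     "ip": "192.0.2.99", "app": "Browser", "login_status": "LOGIN_ERROR_INVALID_PASSWORD"},
]


def login_status(event):
    """Return the login outcome from whichever attribute the logging tier provides.

    The page names both @login_status and @status; preferring login_status when
    both are present is an assumption."""
    return event.get("login_status") or event.get("status")


def find_suspicious_logins(events):
    """Events whose outcome is one of the statuses the rule monitors."""
    return [e for e in events if login_status(e) in SUSPICIOUS_STATUSES]


def triage_summary(events):
    """Group flagged events by user, then by source IP, and record whether that
    user later logged in successfully from the same IP (a replay that eventually
    succeeds deserves more attention than one that only fails)."""
    ordered = sorted(events, key=lambda e: e["timestamp"])
    summary = defaultdict(
        lambda: defaultdict(lambda: {"failures": 0, "later_success": False}))
    for i, event in enumerate(ordered):
        if login_status(event) not in SUSPICIOUS_STATUSES:
            continue
        entry = summary[event["user"]][event["ip"]]
        entry["failures"] += 1
        if not entry["later_success"]:
            entry["later_success"] = any(
                later["user"] == event["user"]
                and later["ip"] == event["ip"]
                and login_status(later) == SUCCESS_STATUS
                for later in ordered[i + 1:]
            )
    return {user: dict(ips) for user, ips in summary.items()}


if __name__ == "__main__":
    for event in find_suspicious_logins(SAMPLE_EVENTS):
        print(f"FLAG {event['timestamp']} {event['user']} {event['ip']} "
              f"{event['app']}: {login_status(event)}")
    for user, ips in triage_summary(SAMPLE_EVENTS).items():
        for ip, info in ips.items():
            print(f"{user} from {ip}: {info['failures']} failure(s), "
                  f"later success from same IP: {info['later_success']}")
```

The IP, ASN, and geolocation lookups from the triage list are deliberately left out: they need external data, so in practice you would feed the grouped IPs from this summary into your enrichment source rather than hard-code them here.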