Salesforce previously unseen network for application OAuth token login
Goal
Detects Salesforce OAuth token authentication from previously unseen network domains.
Strategy
This rule monitors Salesforce login events where @evt.name is Login or LoginEvent, @login_sub_type contains oauthrefreshtoken or OAuth Refresh Token, and @login_type is Remote Access 2.0. It uses new value detection to identify when an application authenticates from a network domain (@network.client.geoip.as.domain) that has not previously been observed for that specific application. OAuth refresh tokens are long-lived credentials that allow applications to maintain access without user interaction, making them attractive targets for attackers who have compromised application credentials or stolen tokens from legitimate applications.
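The filter-plus-baseline logic described above, as an added example that is not part of the original rule page and is not Datadog's detection engine: a simplified Python re-implementation that applies the same three field conditions and then keeps a per-application set of observed AS domains, alerting only when a domain appears for an application after the learning phase. The events, application names and domains are constructed for the example; the attribute names follow the ones the rule references.

```python
from dataclasses import dataclass, field

# Constructed sample events (not real Salesforce data). Attribute names
# mirror the fields the rule filters on.
LEARNING_EVENTS = [
    {"@evt.name": "Login", "@login_sub_type": "oauthrefreshtoken",
     "@login_type": "Remote Access 2.0", "@application": "Hypothetical Integration",
     "@network.client.geoip.as.domain": "example-cloud.net"},
]

LIVE_EVENTS = [
    # Same application, same domain as the baseline: expected, no alert.
    {"@evt.name": "Login", "@login_sub_type": "oauthrefreshtoken",
     "@login_type": "Remote Access 2.0", "@application": "Hypothetical Integration",
     "@network.client.geoip.as.domain": "example-cloud.net"},
    # Same application, never-seen domain: this is the case the rule flags.
    {"@evt.name": "Login", "@login_sub_type": "oauthrefreshtoken",
     "@login_type": "Remote Access 2.0", "@application": "Hypothetical Integration",
     "@network.client.geoip.as.domain": "unknown-hosting.example"},
    # Not a refresh-token login: filtered out and NOT added to the baseline.
    {"@evt.name": "Login", "@login_sub_type": "Application",
     "@login_type": "Remote Access 2.0", "@application": "Hypothetical Integration",
     "@network.client.geoip.as.domain": "other.example"},
    # Different application; the domain is known for another app but new for this one.
    {"@evt.name": "LoginEvent", "@login_sub_type": "OAuth Refresh Token",
     "@login_type": "Remote Access 2.0", "@application": "Other Hypothetical App",
     "@network.client.geoip.as.domain": "example-cloud.net"},
    # Wrong event name: filtered out.
    {"@evt.name": "Logout", "@login_sub_type": "oauthrefreshtoken",
     "@login_type": "Remote Access 2.0", "@application": "Other Hypothetical App",
     "@network.client.geoip.as.domain": "unknown-hosting.example"},
]

# Both spellings the rule lists, compared case-insensitively (a simplification).
SUB_TYPE_MARKERS = ("oauthrefreshtoken", "oauth refresh token")


def matches_filter(evt: dict) -> bool:
    """The rule's three field conditions: event name, login sub type, login type."""
    if evt.get("@evt.name") not in ("Login", "LoginEvent"):
        return False
    sub_type = str(evt.get("@login_sub_type", "")).lower()
    if not any(marker in sub_type for marker in SUB_TYPE_MARKERS):
        return False
    return evt.get("@login_type") == "Remote Access 2.0"


@dataclass
class NewNetworkDetector:
    """New value detection keyed on application, tracking the AS domain."""
    seen: dict = field(default_factory=dict)  # application -> set of domains
    learning: bool = True                     # baseline-building phase, no alerts

    def process(self, evt: dict):
        if not matches_filter(evt):
            return None
        app = evt.get("@application")
        domain = evt.get("@network.client.geoip.as.domain")
        if not app or not domain:
            return None  # cannot baseline without both keys
        known = self.seen.setdefault(app, set())
        if domain in known:
            return None
        known.add(domain)  # first sighting for this application
        if self.learning:
            return None
        return {
            "application": app,
            "new_domain": domain,
            "known_domains": sorted(known - {domain}),
        }


def run_demo() -> list:
    """Seed the baseline with LEARNING_EVENTS, then evaluate LIVE_EVENTS."""
    detector = NewNetworkDetector()
    for evt in LEARNING_EVENTS:
        detector.process(evt)
    detector.learning = False
    return [a for a in (detector.process(e) for e in LIVE_EVENTS) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two alerts come out of the demo: the first application authenticating from unknown-hosting.example, and the second application's first sighting from example-cloud.net, which is new for that application even though it is already known for the first one. Events that fail the filter never feed the baseline, so an interactive login from a new network does not silently "pre-approve" that network for later refresh-token use.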
Triage & Response
- Examine the network domain and geographic location associated with the new OAuth token usage for {{@application}} to determine if it represents a legitimate deployment or suspicious activity.
- Review the application's typical usage patterns and authorized deployment locations to verify if the new network is expected.
- Check if there have been recent changes to the application’s infrastructure, deployment, or hosting providers that would explain the new network domain.
- Analyze the timing of the OAuth token usage to identify any correlation with suspicious user activity or potential credential compromise.
- Verify with the application owner or development team whether the OAuth token usage from the new network domain was authorized.