
Okta one-time refresh token reused

okta

Classification:

attack

Tactic:

Set up the okta integration.


Goal

Detect when an Okta refresh token is reused.

Strategy

This rule lets you monitor the following Okta events when token reuse is detected:

  • app.oauth2.token.detect_reuse
  • app.oauth2.as.token.detect_reuse

An attacker who has access to a refresh token could query the organization’s authorization server /token endpoint to obtain additional access tokens. Those access tokens could give the attacker unauthorized access to applications.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location or ASN uncommon for the organization?
    • Has the IP created an app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event previously?
  2. If the token reuse event has been determined to be malicious, carry out the following actions:
    • Revoke compromised tokens.
    • Recycle the credentials of any impacted clients.
    • Begin your company’s incident response process and investigate.
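The strategy above watches for two Okta event types, and triage step 1 asks whether the source IP has produced such events before. The following added example (not part of this rule or of Datadog's implementation) runs that detection over constructed Okta System Log records: it filters for the two reuse event types and, for each hit, reports how many earlier reuse events came from the same client IP. Field names (eventType, client.ipAddress, actor.alternateId, published) follow the Okta System Log schema; the sample records are constructed, and client.ipAddress is assumed to be the source of the rule's {{@network.client.ip}} attribute.

```python
import json
from collections import defaultdict

# Okta event types this rule monitors (as listed in the Strategy section).
REUSE_EVENT_TYPES = {
    "app.oauth2.token.detect_reuse",
    "app.oauth2.as.token.detect_reuse",
}

# Constructed sample Okta System Log records (newline-delimited JSON).
# IPs are documentation ranges; actors and timestamps are made up.
SAMPLE_LOG = """
{"eventType": "user.session.start", "client": {"ipAddress": "203.0.113.10"}, "published": "2024-05-01T10:00:00Z", "actor": {"alternateId": "alice@example.com"}}
{"eventType": "app.oauth2.token.detect_reuse", "client": {"ipAddress": "198.51.100.7"}, "published": "2024-05-01T10:05:00Z", "actor": {"alternateId": "alice@example.com"}}
{"eventType": "app.oauth2.as.token.detect_reuse", "client": {"ipAddress": "198.51.100.7"}, "published": "2024-05-01T10:09:00Z", "actor": {"alternateId": "bob@example.com"}}
{"eventType": "app.oauth2.token.grant", "client": {"ipAddress": "203.0.113.10"}, "published": "2024-05-01T10:10:00Z", "actor": {"alternateId": "alice@example.com"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_token_reuse(events):
    """Return one finding per reuse event, in log order, including how many
    reuse events were already seen from the same client IP (triage step 1,
    third bullet). A non-zero count means the IP is a repeat source."""
    reuse_seen_per_ip = defaultdict(int)
    findings = []
    for ev in events:
        if ev.get("eventType") not in REUSE_EVENT_TYPES:
            continue
        ip = ev.get("client", {}).get("ipAddress", "unknown")
        findings.append({
            "event_type": ev["eventType"],
            "client_ip": ip,  # the rule's {{@network.client.ip}} (assumed mapping)
            "actor": ev.get("actor", {}).get("alternateId"),
            "published": ev.get("published"),
            "prior_reuse_from_ip": reuse_seen_per_ip[ip],
        })
        reuse_seen_per_ip[ip] += 1
    return findings


if __name__ == "__main__":
    for finding in detect_token_reuse(parse_events(SAMPLE_LOG)):
        print(finding)
```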