Okta one-time refresh token reused
Set up the Okta integration.
Goal
Detect when an Okta refresh token is reused.
Strategy
This rule lets you monitor the following Okta events, which are emitted when token reuse is detected:
- app.oauth2.token.detect_reuse
- app.oauth2.as.token.detect_reuse
An attacker who holds a refresh token could present it to the organization's authorization server /token endpoint to obtain additional access tokens. Those access tokens could then give the attacker unauthorized access to applications.
Triage and response
- Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
  - Does threat intelligence indicate that this IP has been associated with malicious activity?
  - Is the geo-location or ASN uncommon for the organization?
  - Has the IP generated an app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event previously?
- If the token reuse event has been determined to be malicious, carry out the following actions:
- Revoke compromised tokens.
- Recycle the credentials of any impacted clients.
- Begin your company’s incident response process and investigate.
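The following is an added example, not code from this rule page or from Okta or Datadog. It shows the two halves of the page in working form: the detection step from the Strategy section (selecting the two reuse event types out of an Okta System Log stream) and the source-IP questions from the triage list (threat-intel hit, uncommon geo or ASN, earlier reuse events from the same IP). The log lines, the threat-intel list, and the organization baseline of countries and ASNs are constructed for the example; the field names follow the Okta System Log schema, but the values are made up.

```python
import json
from datetime import datetime

# Okta System Log event types emitted when a one-time refresh token is presented again.
REUSE_EVENT_TYPES = {
    "app.oauth2.token.detect_reuse",
    "app.oauth2.as.token.detect_reuse",
}

# Constructed organization baseline for the triage questions (assumption, not Okta data):
# countries and ASNs that are normal for this tenant. 64496-64511 are documentation ASNs.
BASELINE_COUNTRIES = {"United States", "Canada"}
BASELINE_ASNS = {64496, 64497}

# Constructed threat-intelligence denylist (assumption); in practice this comes from a TI feed.
TI_LISTED_IPS = {"198.51.100.7"}

# Constructed Okta System Log records, one JSON object per line. Field names follow the
# System Log schema (eventType, published, actor, client, securityContext); values are invented.
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2024-05-01T10:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States"}}, "securityContext": {"asNumber": 64496}}
{"eventType": "app.oauth2.as.token.detect_reuse", "published": "2024-05-01T10:05:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Netherlands"}}, "securityContext": {"asNumber": 64500}}
{"eventType": "app.oauth2.token.detect_reuse", "published": "2024-05-01T10:09:00.000Z", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Netherlands"}}, "securityContext": {"asNumber": 64500}}
{"eventType": "app.oauth2.token.detect_reuse", "published": "2024-05-01T11:00:00.000Z", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States"}}, "securityContext": {"asNumber": 64496}}
"""


def parse_log(text):
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _published(event):
    """Okta timestamps are ISO 8601 with a trailing Z; normalise for fromisoformat."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect_token_reuse(events):
    """Strategy step: keep only the events that signal refresh-token reuse."""
    return [e for e in events if e.get("eventType") in REUSE_EVENT_TYPES]


def triage_alert(alert, events):
    """Triage step: answer the source-IP questions for one reuse event.

    `events` is the full log so earlier reuse events from the same IP can be counted.
    """
    client = alert.get("client", {})
    ip = client.get("ipAddress")
    country = client.get("geographicalContext", {}).get("country")
    asn = alert.get("securityContext", {}).get("asNumber")
    when = _published(alert)

    prior = [
        e for e in detect_token_reuse(events)
        if e.get("client", {}).get("ipAddress") == ip and _published(e) < when
    ]

    return {
        "ip": ip,
        "actor": alert.get("actor", {}).get("alternateId"),
        "event_type": alert["eventType"],
        "on_threat_intel": ip in TI_LISTED_IPS,
        "uncommon_geo": country not in BASELINE_COUNTRIES,
        "uncommon_asn": asn not in BASELINE_ASNS,
        "prior_reuse_events_from_ip": len(prior),
    }


def triage_all(text):
    """Run detection over a log and enrich every alert with the triage answers."""
    events = parse_log(text)
    return [triage_alert(a, events) for a in detect_token_reuse(events)]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_LOG):
        print(json.dumps(result))
```

Running the block prints three enriched alerts: the two Netherlands events from 198.51.100.7 are flagged on every question (threat-intel hit, uncommon country and ASN), and the second of them already has one earlier reuse event from that IP; the event from 203.0.113.10 matches the baseline on all three, which is the case where the analyst still has to decide whether a legitimate client retried a token or something else is going on.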