Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when a failed OAuth login occurs due to a potential nonce replay or when the access token generation limit is exceeded.

Strategy

Salesforce tracks the outcomes of failed logins, which are available in @login_status or @status depending on your logging tier.

This rule monitors for the following status messages in login events:

• LOGIN_OAUTH_INVALID_NONCE
• LOGIN_OAUTH_NONCE_REPLAY
• LOGIN_OAUTH_EXCEED_GET_AT_LMT

To learn more about the variety of error messaging available for login events, refer to Salesforce documentation.

Triage and response

• Examine the IP address, ASN, and geographic location associated with the login attempts for the associated user account.
• Review the account and connected application for successful events.
• If the IP address or user account demonstrate evidence of suspicious activities, initiate your incident response plan.