Salesforce previously unseen network for application OAuth token login

Goal

Detects Salesforce OAuth token authentication from previously unseen network domains.

Strategy

This rule monitors Salesforce login events where @evt.name is Login or LoginEvent with @login_sub_type containing oauthrefreshtoken or OAuth Refresh Token and @login_type is Remote Access 2.0. It uses new value detection to identify when applications authenticate from network domains @network.client.geoip.as.domain that have not been previously observed for that specific application. OAuth refresh tokens are long-lived credentials that allow applications to maintain access without user interaction, making them attractive targets for attackers who have compromised application credentials or stolen tokens from legitimate applications.
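The following Python is an added example, not Datadog's rule engine or Salesforce code: it replays a handful of constructed Salesforce login events through the filter the rule describes (event name, login sub type, login type) and then applies new value detection keyed per application on the network AS domain. Event field names mirror the attributes named above without the leading "@"; the sample values, the learning-phase/detection-phase split, and the alert shape are all assumptions made for the illustration.

```python
"""
Added example: per-application new-value detection over Salesforce OAuth
refresh-token logins. Constructed data only; not the vendor's implementation.
"""
from typing import Dict, List, Optional, Set

# Constructed sample events used to seed the per-application baseline
# (the equivalent of the rule's learning period).
BASELINE_EVENTS: List[dict] = [
    {"evt.name": "LoginEvent", "login_sub_type": "oauthrefreshtoken",
     "login_type": "Remote Access 2.0", "application": "billing-sync",
     "network.client.geoip.as.domain": "example-hosting.net"},
    {"evt.name": "Login", "login_sub_type": "OAuth Refresh Token",
     "login_type": "Remote Access 2.0", "application": "reporting-bot",
     "network.client.geoip.as.domain": "corp-isp.example"},
]

# Constructed sample events evaluated after the baseline is learned.
NEW_EVENTS: List[dict] = [
    # Known application from an already-seen domain: no alert.
    {"evt.name": "LoginEvent", "login_sub_type": "oauthrefreshtoken",
     "login_type": "Remote Access 2.0", "application": "billing-sync",
     "network.client.geoip.as.domain": "example-hosting.net"},
    # Known application from a never-seen domain: alert.
    {"evt.name": "LoginEvent", "login_sub_type": "oauthrefreshtoken",
     "login_type": "Remote Access 2.0", "application": "billing-sync",
     "network.client.geoip.as.domain": "unknown-vps.example"},
    # Mixed-case sub type, known domain: no alert.
    {"evt.name": "Login", "login_sub_type": "OAuth Refresh Token",
     "login_type": "Remote Access 2.0", "application": "reporting-bot",
     "network.client.geoip.as.domain": "corp-isp.example"},
    # Interactive user login, not an OAuth refresh: filtered out entirely.
    {"evt.name": "Login", "login_sub_type": "", "login_type": "Application",
     "application": "Browser", "network.client.geoip.as.domain": "home-isp.example"},
    # Application never seen before: its first domain is a new value.
    {"evt.name": "LoginEvent", "login_sub_type": "oauthrefreshtoken",
     "login_type": "Remote Access 2.0", "application": "new-app",
     "network.client.geoip.as.domain": "residential-isp.example"},
    # Repeat of the new domain: already learned, so no second alert.
    {"evt.name": "LoginEvent", "login_sub_type": "oauthrefreshtoken",
     "login_type": "Remote Access 2.0", "application": "billing-sync",
     "network.client.geoip.as.domain": "unknown-vps.example"},
]


def is_oauth_refresh_login(event: dict) -> bool:
    """Apply the rule's event filter: Login/LoginEvent, OAuth refresh sub type,
    Remote Access 2.0 login type. Sub type matching is case-insensitive here."""
    if event.get("evt.name") not in ("Login", "LoginEvent"):
        return False
    sub_type = (event.get("login_sub_type") or "").lower()
    if not any(tok in sub_type for tok in ("oauthrefreshtoken", "oauth refresh token")):
        return False
    return event.get("login_type") == "Remote Access 2.0"


def learn_baseline(events: List[dict],
                   baseline: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Set[str]]:
    """Record, per application, every AS domain seen during the learning phase."""
    known = baseline if baseline is not None else {}
    for ev in events:
        if not is_oauth_refresh_login(ev):
            continue
        app = ev.get("application")
        domain = ev.get("network.client.geoip.as.domain")
        if app and domain:
            known.setdefault(app, set()).add(domain)
    return known


def detect_new_networks(events: List[dict],
                        baseline: Dict[str, Set[str]]) -> List[dict]:
    """Emit one alert per (application, domain) pair not present in the baseline.
    The new domain is added to the baseline so the same pair alerts only once."""
    alerts: List[dict] = []
    for ev in events:
        if not is_oauth_refresh_login(ev):
            continue
        app = ev.get("application")
        domain = ev.get("network.client.geoip.as.domain")
        if not app or not domain:
            continue
        known = baseline.setdefault(app, set())
        if domain not in known:
            alerts.append({
                "application": app,
                "new_domain": domain,
                "known_domains": sorted(known),  # context for the triage steps below
            })
            known.add(domain)
    return alerts


if __name__ == "__main__":
    learned = learn_baseline(BASELINE_EVENTS)
    for alert in detect_new_networks(NEW_EVENTS, learned):
        print(f"{alert['application']}: new OAuth token network {alert['new_domain']} "
              f"(previously seen: {alert['known_domains'] or 'none'})")
```

Two design points carry over to the real rule: the filter runs before the new-value check, so interactive user logins never pollute an application's baseline, and a brand-new application alerts on its first domain because there is nothing observed for it yet, which is exactly the situation the triage steps are written for.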

Triage & Response

  • Examine the network domain and geographic location associated with the new OAuth token usage for {{@application}} to determine if it represents a legitimate deployment or suspicious activity.
  • Review the application’s typical usage patterns and authorized deployment locations to verify if the new network is expected.
  • Check if there have been recent changes to the application’s infrastructure, deployment, or hosting providers that would explain the new network domain.
  • Analyze the timing of the OAuth token usage to identify any correlation with suspicious user activity or potential credential compromise.
  • Verify with the application owner or development team whether the OAuth token usage from the new network domain was authorized.