Okta one-time refresh token reused

Set up the Okta integration.


Goal

Detect when an Okta refresh token is reused.

Strategy

This rule monitors the following Okta events, which Okta emits when it detects that a one-time refresh token has been reused:

  • app.oauth2.token.detect_reuse
  • app.oauth2.as.token.detect_reuse

An attacker who holds a refresh token can call the organization's authorization server /token endpoint to obtain additional access tokens, which could grant unauthorized access to applications.

Triage and response

  1. Determine whether the source IP {{@network.client.ip}} is anomalous for the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location or ASN uncommon for the organization?
    • Has the IP generated an app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event before?
  2. If the token reuse event has been determined to be malicious, carry out the following actions:
    • Revoke compromised tokens.
    • Recycle the credentials of any impacted clients.
    • Begin your company’s incident response process and investigate.
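The following is an added example, not part of this rule's documentation or Datadog's own code: it filters a batch of Okta System Log records for the two reuse event types listed under Strategy and counts them per source IP, which answers the triage question of whether an IP has generated a reuse event before. The log records are constructed samples, and the field names (eventType, client.ipAddress, actor.alternateId) follow the Okta System Log schema.

```python
import json
from collections import Counter

# The two Okta System Log eventTypes this rule monitors.
REUSE_EVENT_TYPES = {
    "app.oauth2.token.detect_reuse",
    "app.oauth2.as.token.detect_reuse",
}

# Constructed sample Okta System Log records (JSON lines), not real data.
# One line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """
{"eventType": "user.session.start", "published": "2024-01-01T10:00:00Z", "client": {"ipAddress": "203.0.113.10"}}
{"eventType": "app.oauth2.as.token.detect_reuse", "published": "2024-01-01T10:05:00Z", "client": {"ipAddress": "198.51.100.7"}, "actor": {"alternateId": "alice@example.com"}}
{this line is not valid json
{"eventType": "app.oauth2.token.detect_reuse", "published": "2024-01-01T11:00:00Z", "client": {"ipAddress": "198.51.100.7"}, "actor": {"alternateId": "alice@example.com"}}
{"eventType": "app.oauth2.as.token.detect_reuse", "published": "2024-01-02T09:30:00Z", "client": {"ipAddress": "192.0.2.44"}, "actor": {"alternateId": "bob@example.com"}}
"""


def parse_events(log_text):
    """Parse JSON-lines log records, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole batch
    return events


def find_token_reuse(events):
    """Return only the events whose eventType matches the rule, in log order."""
    return [e for e in events if e.get("eventType") in REUSE_EVENT_TYPES]


def reuse_counts_by_ip(events):
    """Count reuse events per source IP; a count above 1 means the IP has triggered
    this rule before, one of the triage questions above."""
    return Counter(
        e.get("client", {}).get("ipAddress", "unknown")
        for e in find_token_reuse(events)
    )


def reuse_actors(events):
    """Map each source IP to the set of Okta actors (alternateId) seen with reuse events."""
    actors = {}
    for e in find_token_reuse(events):
        ip = e.get("client", {}).get("ipAddress", "unknown")
        actors.setdefault(ip, set()).add(e.get("actor", {}).get("alternateId", "unknown"))
    return actors
```

The two helpers run over the constructed sample, reuse_counts_by_ip reports 198.51.100.7 twice and 192.0.2.44 once, and reuse_actors shows which accounts each IP was acting as.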