---
title: Okta one-time refresh token reused
description: Datadog, the leading service for cloud-scale monitoring.
---

# Okta one-time refresh token reused

- Classification: attack
- Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)
- Technique: [T1528-steal-application-access-token](https://attack.mitre.org/techniques/T1528)

## Goal{% #goal %}

Detect when an Okta [refresh token](https://developer.okta.com/docs/guides/refresh-tokens/main/) is reused.

## Strategy{% #strategy %}

This rule lets you monitor the following Okta events when token reuse is detected:

- `app.oauth2.token.detect_reuse`
- `app.oauth2.as.token.detect_reuse`

An attacker who has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. Those access tokens could in turn give the attacker unauthorized access to applications.

## Triage and response{% #triage-and-response %}

1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:
   - Does threat intelligence indicate that this IP has been associated with malicious activity?
   - Is the geo-location or ASN uncommon for the organization?
   - Has the IP created an `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?
1. If the token reuse event has been determined to be malicious, carry out the following actions:
   - [Revoke compromised tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/).
   - Recycle the credentials of any impacted clients.
   - Begin your company's incident response process and investigate.
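
The following is an added example, not part of the Datadog rule or Okta's code, showing how the first triage step could be scripted over exported Okta System Log events: for each reuse event it reports whether the source IP has produced a reuse event before and whether its ASN is uncommon for the organization. It assumes raw System Log field names (`eventType`, `published`, `client.ipAddress`, `securityContext.asNumber`); the sample events, the `triage_reuse` helper, and the 25% rarity threshold are constructed for illustration, and the threat intelligence lookup is left out.

```python
from collections import Counter

REUSE_EVENTS = {"app.oauth2.token.detect_reuse", "app.oauth2.as.token.detect_reuse"}


def _event(ts, event_type, ip, asn):
    """Build a constructed event using Okta System Log field names."""
    return {"published": ts, "eventType": event_type,
            "client": {"ipAddress": ip}, "securityContext": {"asNumber": asn}}


# Constructed sample data (documentation IP ranges and ASNs, not real logs).
SAMPLE_EVENTS = [
    _event(f"2024-05-01T0{h}:00:00Z", "user.session.start", "198.51.100.10", 64500)
    for h in range(7)
] + [
    _event("2024-05-01T08:00:00Z", "app.oauth2.token.detect_reuse", "198.51.100.10", 64500),
    _event("2024-05-01T09:00:00Z", "app.oauth2.as.token.detect_reuse", "203.0.113.7", 64511),
    _event("2024-05-01T09:05:00Z", "app.oauth2.as.token.detect_reuse", "203.0.113.7", 64511),
]


def triage_reuse(events, rare_asn_share=0.25):
    """Return one triage record per token-reuse event, oldest first."""
    events = sorted(events, key=lambda e: e["published"])
    # Baseline: how often each ASN appears across all of the organization's events.
    asn_counts = Counter(e["securityContext"]["asNumber"] for e in events)
    total = sum(asn_counts.values())
    reuse_seen = Counter()  # reuse events already seen per source IP
    findings = []
    for e in events:
        if e["eventType"] not in REUSE_EVENTS:
            continue
        ip = e["client"]["ipAddress"]
        asn = e["securityContext"]["asNumber"]
        findings.append({
            "published": e["published"],
            "ip": ip,
            "event_type": e["eventType"],
            "prior_reuse_from_ip": reuse_seen[ip],
            "asn_uncommon": asn_counts[asn] / total < rare_asn_share,
        })
        reuse_seen[ip] += 1
    return findings


if __name__ == "__main__":
    for finding in triage_reuse(SAMPLE_EVENTS):
        print(finding)
```

A reuse event from a commonly seen ASN with no prior reuse history is more likely a client retry, while repeated reuse from an uncommon ASN is the pattern worth escalating to the revocation steps above.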
