
Okta OAuth client secrets read from suspicious IP

Goal

Detects when an Okta Administrator reads OAuth client secrets for three or more distinct applications from a suspicious or malicious IP address within a short period.

Strategy

This rule monitors Okta logs for successful app.oauth2.client.read_client_secret events originating from IP addresses identified as suspicious or malicious by the Datadog Security Research team, and fires when the same administrator reads the client secrets of three or more distinct applications from such an address within a short window. As detailed by the team at Okta, an adversary with access to an Okta Administrator account may attempt to read an application's client secret to perform impersonation, token theft, or replay attacks.
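The following is an added example, not the rule's own implementation or Okta code, showing the strategy above run over a handful of constructed Okta System Log events: keep only successful app.oauth2.client.read_client_secret events from a flagged IP, derive the application from @debugContext.debugData.requestUri, and alert when one actor touches three or more distinct applications inside a sliding window. The suspicious IP list, the sample events, the 15-minute window, and the request-path pattern used to extract the app ID are assumptions made for the example; the real rule takes the IP reputation from Datadog threat intelligence.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_TYPE = "app.oauth2.client.read_client_secret"

# Constructed threat-intel list for this example only; the production rule
# uses the suspicious/malicious IP flag supplied by Datadog threat intelligence.
SUSPICIOUS_IPS = {"203.0.113.5"}

# Assumed shape of the client-secret request path; the rule text only says the
# application is identified from debugContext.debugData.requestUri.
APP_ID_RE = re.compile(r"^/api/v1/apps/([^/]+)/")


def parse_ts(value):
    # Okta publishes ISO 8601 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def app_id_from_event(event):
    """Extract the app ID from the request URI, falling back to the target list."""
    uri = event.get("debugContext", {}).get("debugData", {}).get("requestUri", "")
    match = APP_ID_RE.match(uri)
    if match:
        return match.group(1)
    for target in event.get("target") or []:
        if target.get("type") == "AppInstance":
            return target.get("id")
    return None


def detect_secret_reads(events, suspicious_ips=SUSPICIOUS_IPS,
                        threshold=3, window=timedelta(minutes=15)):
    """Return one alert per (actor, ip) that successfully read the client secrets
    of at least `threshold` distinct apps from a suspicious IP inside `window`."""
    reads = defaultdict(list)  # (actor, ip) -> [(timestamp, app_id), ...]
    for event in events:
        if event.get("eventType") != EVENT_TYPE:
            continue
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed reads did not expose a secret
        ip = event.get("client", {}).get("ipAddress")
        if ip not in suspicious_ips:
            continue
        app = app_id_from_event(event)
        if app is None:
            continue
        actor = event.get("actor", {}).get("alternateId")
        reads[(actor, ip)].append((parse_ts(event["published"]), app))

    alerts = []
    for (actor, ip), items in reads.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct apps read within `window` of this event, so duplicate
            # reads of the same app do not inflate the count.
            apps = {app for ts, app in items[i:] if ts - start <= window}
            if len(apps) >= threshold:
                alerts.append({"actor": actor, "ip": ip, "apps": sorted(apps),
                               "first_seen": start.isoformat()})
                break
    return alerts


def make_event(published, actor, ip, app_id, result="SUCCESS",
               event_type=EVENT_TYPE, use_target=False):
    """Build a constructed, minimal Okta System Log event for the example."""
    event = {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "debugContext": {"debugData": {}},
        "target": [],
    }
    if use_target:
        event["target"] = [{"type": "AppInstance", "id": app_id}]
    else:
        event["debugContext"]["debugData"]["requestUri"] = (
            f"/api/v1/apps/{app_id}/credentials/secrets")
    return event


# Constructed sample log: one admin reads three distinct apps from the flagged
# IP (with a duplicate and a failed read mixed in), a second admin does the
# same from a benign IP, and a third reads only two apps from the flagged IP.
SAMPLE_EVENTS = [
    make_event("2024-05-01T10:00:00Z", "admin@example.com", "203.0.113.5", "0oa1"),
    make_event("2024-05-01T10:01:00Z", "admin@example.com", "203.0.113.5", "0oa2"),
    make_event("2024-05-01T10:02:00Z", "admin@example.com", "203.0.113.5", "0oa1"),
    make_event("2024-05-01T10:04:00Z", "admin@example.com", "203.0.113.5", "0oa3",
               use_target=True),
    make_event("2024-05-01T10:05:00Z", "admin@example.com", "203.0.113.5", "0oa4",
               result="FAILURE"),
    make_event("2024-05-01T10:06:00Z", "admin@example.com", "203.0.113.5", "0oa5",
               event_type="user.session.start"),
    make_event("2024-05-01T10:00:00Z", "ops@example.com", "198.51.100.7", "0oa1"),
    make_event("2024-05-01T10:01:00Z", "ops@example.com", "198.51.100.7", "0oa2"),
    make_event("2024-05-01T10:02:00Z", "ops@example.com", "198.51.100.7", "0oa3"),
    make_event("2024-05-01T10:00:00Z", "other@example.com", "203.0.113.5", "0oa6"),
    make_event("2024-05-01T10:03:00Z", "203.0.113.5" and "other@example.com", "203.0.113.5", "0oa7"),
]

if __name__ == "__main__":
    for alert in detect_secret_reads(SAMPLE_EVENTS):
        print(alert)
```

Only admin@example.com produces an alert: the benign-IP reads by ops@example.com never enter the counter, other@example.com stays below the three-app threshold, and the duplicate, failed, and unrelated events for admin@example.com are discarded before counting. The alert carries the app IDs so the triage steps below can start from the affected applications directly.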

Triage and response

  • Review the source IP address and threat intelligence context to understand why the IP is flagged as suspicious or malicious.
  • Identify which OAuth applications had their client secrets read by {{@usr.email}} by examining the @debugContext.debugData.requestUri values.
  • Determine if {{@usr.email}} has a legitimate administrative need to access client secrets for the affected applications.
  • Check recent authentication activity for {{@usr.email}} to identify signs of account compromise, such as logins from unfamiliar locations or devices.
  • Assess whether any of the exposed OAuth applications have been used to make unauthorized API calls since the secrets were read.
  • Rotate the client secrets for all affected OAuth applications and revoke any active tokens issued using the compromised credentials.