---
title: Okta OAuth client secrets read from suspicious IP
---

# Okta OAuth client secrets read from suspicious IP
- Classification: attack
- Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)
- Technique: [T1528-steal-application-access-token](https://attack.mitre.org/techniques/T1528)
## Goal{% #goal %}

Detects when an Okta Administrator reads OAuth client secrets for three or more distinct applications from a suspicious or malicious IP address within a short period.

## Strategy{% #strategy %}

This rule monitors Okta logs for successful `app.oauth2.client.read_client_secret` events originating from IP addresses identified as suspicious or malicious by the Datadog Security Research team, and fires when one administrator reads the client secrets of three or more distinct applications from such an address within a short window. As described in Okta's [customer-detections](https://github.com/okta/customer-detections) repository, an adversary who has taken over an Okta Administrator account may read an application's client secret in order to impersonate that application, steal tokens, or replay them against downstream APIs.

## Triage and response{% #triage-and-response %}

- Review the source IP address and threat intelligence context to understand why the IP is flagged as suspicious or malicious.
- Identify which OAuth applications had their client secrets read by `{{@usr.email}}` by examining the `@debugContext.debugData.requestUri` values.
- Determine if `{{@usr.email}}` has a legitimate administrative need to access client secrets for the affected applications.
- Check recent authentication activity for `{{@usr.email}}` to identify signs of account compromise, such as logins from unfamiliar locations or devices.
- Assess whether any of the exposed OAuth applications have been used to make unauthorized API calls since the secrets were read.
- Rotate the client secrets for all affected OAuth applications and revoke any active tokens issued using the compromised credentials.
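The following is an added example, not code from the Datadog rule or from Okta's customer-detections content. It runs the strategy described above over constructed Okta System Log events (successful `app.oauth2.client.read_client_secret` events from a flagged IP, three or more distinct apps inside a sliding window) and also performs the triage step of recovering the application ID from `debugContext.debugData.requestUri`. The suspicious-IP set stands in for Datadog's threat-intel tagging, the 15-minute window, the sample events and the application IDs are all assumptions, and the `/api/v1/apps/{appId}/credentials/secrets` path shape is taken from Okta's client-secret endpoints rather than from this page.

```python
"""Added example: detection logic for Okta client-secret reads from suspicious
IPs, plus requestUri -> app ID extraction for triage. All sample data is
constructed; nothing here is real Okta or Datadog data."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TARGET_EVENT = "app.oauth2.client.read_client_secret"

# Hypothetical threat-intel list standing in for Datadog's suspicious/malicious
# IP classification. 203.0.113.0/24 is an RFC 5737 documentation range.
SUSPICIOUS_IPS = {"203.0.113.45", "203.0.113.99"}

# Okta's client-secret endpoints sit under /api/v1/apps/{appId}/credentials/secrets;
# the app ID is the path segment after /apps/. (Assumed path shape.)
APP_ID_RE = re.compile(r"^/api/v1/apps/([^/]+)/credentials/secrets")


def app_id_from_uri(uri):
    """Return the Okta app ID named in a requestUri, or None if the URI is not
    a client-secret endpoint (triage step: which apps were exposed)."""
    m = APP_ID_RE.match(uri or "")
    return m.group(1) if m else None


def _ts(published):
    # Okta `published` timestamps look like 2024-05-01T10:00:00.000Z
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(events, suspicious_ips=SUSPICIOUS_IPS, threshold=3,
           window=timedelta(minutes=15)):
    """Return one alert per (actor, source IP) whose successful secret reads
    cover `threshold` or more distinct apps inside some `window`-long interval."""
    reads = defaultdict(list)  # (actor, ip) -> [(time, app_id)]
    for ev in events:
        if ev.get("eventType") != TARGET_EVENT:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed reads expose nothing
        ip = ev.get("client", {}).get("ipAddress")
        if ip not in suspicious_ips:
            continue
        uri = ev.get("debugContext", {}).get("debugData", {}).get("requestUri")
        app_id = app_id_from_uri(uri)
        if app_id is None:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        reads[(actor, ip)].append((_ts(ev["published"]), app_id))

    alerts = []
    for (actor, ip), items in reads.items():
        items.sort()
        for i, (t_end, _) in enumerate(items):
            # distinct apps read in the window that ends at this event
            apps = {a for t, a in items[: i + 1] if t_end - t <= window}
            if len(apps) >= threshold:
                alerts.append({"actor": actor, "ip": ip, "apps": sorted(apps),
                               "window_end": t_end.isoformat()})
                break  # one alert per actor/IP pair
    return alerts


def _event(published, actor, ip, app_id, result="SUCCESS"):
    """Build a constructed System Log event with the fields the rule reads."""
    return {
        "eventType": TARGET_EVENT,
        "published": published,
        "outcome": {"result": result},
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip},
        "debugContext": {"debugData": {
            "requestUri": f"/api/v1/apps/{app_id}/credentials/secrets"}},
    }


# Constructed sample: admin@ reads three apps' secrets from a flagged IP in
# nine minutes (with a repeat and a failure that must not count); ops@ does the
# same from an unflagged IP; svc@ is flagged but spreads reads past the window.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00.000Z", "admin@example.com", "203.0.113.45", "0oa1aaaaaaaaaaaaa"),
    _event("2024-05-01T10:03:00.000Z", "admin@example.com", "203.0.113.45", "0oa1aaaaaaaaaaaaa"),
    _event("2024-05-01T10:04:00.000Z", "admin@example.com", "203.0.113.45", "0oa2bbbbbbbbbbbbb", "FAILURE"),
    _event("2024-05-01T10:05:00.000Z", "admin@example.com", "203.0.113.45", "0oa2bbbbbbbbbbbbb"),
    _event("2024-05-01T10:09:00.000Z", "admin@example.com", "203.0.113.45", "0oa3ccccccccccccc"),
    _event("2024-05-01T11:00:00.000Z", "ops@example.com", "198.51.100.10", "0oa1aaaaaaaaaaaaa"),
    _event("2024-05-01T11:01:00.000Z", "ops@example.com", "198.51.100.10", "0oa2bbbbbbbbbbbbb"),
    _event("2024-05-01T11:02:00.000Z", "ops@example.com", "198.51.100.10", "0oa3ccccccccccccc"),
    _event("2024-05-01T12:00:00.000Z", "svc@example.com", "203.0.113.99", "0oa1aaaaaaaaaaaaa"),
    _event("2024-05-01T12:05:00.000Z", "svc@example.com", "203.0.113.99", "0oa2bbbbbbbbbbbbb"),
    _event("2024-05-01T12:45:00.000Z", "svc@example.com", "203.0.113.99", "0oa3ccccccccccccc"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The alert lists the exposed app IDs directly, which is the set to feed into the rotation step: every app in `apps` needs a new client secret and its outstanding tokens revoked, and the `window_end` timestamp bounds the period over which the old secrets should be treated as compromised.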
