Salesforce previously unseen network for application OAuth login

Goal

Detects Salesforce OAuth token authentication from previously unseen network domains.

Strategy

This rule monitors Salesforce login events through both Event Log File (ELF) and Real Time Event Monitoring (RTEM) logging tiers.

For @evt.name:Login events, this rule monitors for @login_status:"LOGIN_NO_ERROR", indicating a successful login. Within the log, @login_type and @login_sub_type filter on OAuth-related attempts.

For @evt.name:LoginEvent events, this rule monitors for a @status:Success result. Within the log, @login_type and @login_sub_type filter on OAuth-related attempts.

It uses new value detection to identify when applications authenticate from network domains (@network.client.geoip.as.domain) that have not been previously observed for that specific application.
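The two-tier filter and the per-application new-value check described above, as an added Python example (not Datadog's or Salesforce's code). The sample events are constructed; the field names follow the rule text, but the OAuth value pattern in @login_type/@login_sub_type and the `application` key used to identify the app on ELF rows are assumptions, since the page does not state them.

```python
def is_successful_oauth_login(ev):
    """Per-tier success condition from the rule, then the OAuth filter."""
    name = ev.get("evt", {}).get("name")
    if name == "Login":                                  # ELF tier
        ok = ev.get("login_status") == "LOGIN_NO_ERROR"
    elif name == "LoginEvent":                           # RTEM tier
        ok = ev.get("status") == "Success"
    else:
        return False
    # Assumption: OAuth-related attempts carry "oauth" in either field.
    fields = (str(ev.get("login_type", "")), str(ev.get("login_sub_type", "")))
    return ok and any("oauth" in f.lower() for f in fields)


def as_domain(ev):
    """Extract @network.client.geoip.as.domain from a nested event dict."""
    net = ev.get("network", {}).get("client", {}).get("geoip", {})
    return net.get("as", {}).get("domain")


def detect_new_domains(events, seen=None):
    """Return (application, AS domain) pairs observed for the first time.

    `seen` is the per-application baseline (app -> set of domains); pass one
    built from a learning window so the first batch is not all alerts. It is
    updated in place, so later batches can reuse it.
    """
    seen = {} if seen is None else seen
    alerts = []
    for ev in events:
        if not is_successful_oauth_login(ev):
            continue
        app, dom = ev.get("application"), as_domain(ev)
        if not app or not dom:
            continue
        known = seen.setdefault(app, set())
        if dom not in known:
            alerts.append((app, dom))
            known.add(dom)
    return alerts


def _ev(name, app, domain, sub_type="oauthtoken", **status):
    """Build a constructed sample event; ELF rows get an assumed 'application' key."""
    return {"evt": {"name": name}, "application": app, "login_type": "Remote Access 2.0",
            "login_sub_type": sub_type,
            "network": {"client": {"geoip": {"as": {"domain": domain}}}}, **status}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("Login", "billing-sync", "example-cloud.net", login_status="LOGIN_NO_ERROR"),
    _ev("Login", "billing-sync", "example-cloud.net", login_status="LOGIN_NO_ERROR"),
    _ev("LoginEvent", "billing-sync", "new-hoster.example", status="Success"),
    _ev("LoginEvent", "billing-sync", "other-net.example", status="Failure"),
    _ev("Login", "billing-sync", "third.example", sub_type="ui", login_status="LOGIN_NO_ERROR"),
    _ev("LoginEvent", "crm-connector", "example-cloud.net", status="Success"),
]
```

Running `detect_new_domains(SAMPLE_EVENTS)` with an empty baseline flags the first billing-sync domain, the second new one, and example-cloud.net again for crm-connector, because the baseline is kept per application.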

OAuth refresh tokens are long-lived credentials that allow applications to maintain access without user interaction, making them attractive targets for attackers who have compromised application credentials or stolen tokens from legitimate applications.

Triage & Response

  • Examine the network domain and geographic location associated with the new OAuth token usage for the application and connected user account to determine whether it represents a legitimate deployment or suspicious activity. RTEM events include an @application log field; ELF events do not.
  • Review the connected application’s typical usage patterns and authorized deployment locations to verify if the new network is expected.
  • Check if there have been recent changes to the application’s infrastructure, deployment, or hosting providers that would explain the new network domain.
  • Analyze the timing of the OAuth token usage to identify any correlation with suspicious user activity or potential credential compromise.
  • Verify with the application owner or development team whether the OAuth token usage from the new network domain was authorized.

This detection is based on data from Drift/Salesforce Security Update and Widespread Data Theft Targets Salesforce Instances via Salesloft Drift.