Salesforce previously unseen network for application OAuth token login
Goal
Detects Salesforce OAuth refresh-token authentication by an application from a network (autonomous system) domain that has not previously been seen for that application.
Strategy
This rule monitors Salesforce login events where @evt.name is Login or LoginEvent, @login_sub_type contains oauthrefreshtoken or OAuth Refresh Token, and @login_type is Remote Access 2.0. It uses new value detection on the network domain @network.client.geoip.as.domain, keyed by @application, to identify when an application authenticates from a network domain that has not previously been observed for that specific application. Because the baseline is tracked per application, a domain that is already known for one integration still triggers when it first appears for another. The domain comes from GeoIP autonomous-system enrichment of the client IP, so it identifies the hosting or network provider rather than the exact host; a legitimate move of an integration to a new cloud provider or region will also produce a new value and should be confirmed rather than dismissed.
OAuth refresh tokens are long-lived credentials that let an application obtain new access tokens without user interaction. A stolen refresh token therefore gives an attacker persistent access that outlives any individual access token and does not require the user's password or MFA, which makes refresh tokens attractive targets for attackers who have compromised application credentials or stolen tokens from a legitimate application. Token use from a network the application has never authenticated from before is one of the few signals that distinguishes such misuse from the application's own routine refreshes.
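The following is an added example, not part of the original rule page or of Datadog's rule engine: a small stateful detector that replays constructed Salesforce login events through the filter described above and flags the first sighting of an autonomous-system domain per application. The flat keys such as "evt.name" and "network.client.geoip.as.domain" mirror the rule's facet paths but are an assumption about how the events are laid out; the application names and domains in the sample events are invented.

```python
"""New-value detection for Salesforce OAuth refresh-token logins (added example).

Models the rule's two stages: a filter that keeps only OAuth refresh-token
logins over Remote Access 2.0, and a per-application baseline of the network
(autonomous-system) domains each application has been seen authenticating from.
Datadog attribute paths are represented here as flat dictionary keys.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class NewValueDetector:
    """Tracks the AS domains already observed per application."""

    seen: Dict[str, Set[str]] = field(default_factory=dict)

    @staticmethod
    def matches(event: dict) -> bool:
        """The rule's filter: Login/LoginEvent, refresh-token sub-type, Remote Access 2.0."""
        # Both spellings the rule lists ("oauthrefreshtoken" and "OAuth Refresh Token")
        # collapse to the same string once spaces are removed and case is folded.
        sub_type = str(event.get("login_sub_type", "")).replace(" ", "").lower()
        return (
            event.get("evt.name") in {"Login", "LoginEvent"}
            and "oauthrefreshtoken" in sub_type
            and event.get("login_type") == "Remote Access 2.0"
        )

    def process(self, event: dict) -> Optional[dict]:
        """Return an alert dict the first time an application uses a domain, else None."""
        if not self.matches(event):
            return None
        app = event.get("application")
        domain = event.get("network.client.geoip.as.domain")
        if not app or not domain:
            return None  # the baseline cannot be keyed without both fields
        known = self.seen.setdefault(app, set())
        if domain in known:
            return None
        known.add(domain)
        return {"application": app, "new_as_domain": domain, "event": event}

    def baseline(self, events: Iterable[dict]) -> None:
        """Learning period: record values without alerting on them."""
        for event in events:
            self.process(event)


def _evt(name: str, sub_type: str, login_type: str, app: str, domain: str) -> dict:
    return {
        "evt.name": name,
        "login_sub_type": sub_type,
        "login_type": login_type,
        "application": app,
        "network.client.geoip.as.domain": domain,
    }


# Constructed sample events (not real Salesforce data).
BASELINE_EVENTS = [
    _evt("LoginEvent", "oauthrefreshtoken", "Remote Access 2.0", "Data Loader", "amazon.com"),
    _evt("LoginEvent", "OAuth Refresh Token", "Remote Access 2.0", "Marketing Sync", "google.com"),
]

LIVE_EVENTS = [
    _evt("LoginEvent", "oauthrefreshtoken", "Remote Access 2.0", "Data Loader", "amazon.com"),      # known
    _evt("LoginEvent", "oauthrefreshtoken", "Remote Access 2.0", "Data Loader", "example-vpn.net"), # new -> alert
    _evt("Login", "OAuth Refresh Token", "Remote Access 2.0", "Marketing Sync", "google.com"),      # known
    _evt("LoginEvent", "oauthrefreshtoken", "Application", "Marketing Sync", "example-vpn.net"),   # wrong login_type
    _evt("Logout", "oauthrefreshtoken", "Remote Access 2.0", "Data Loader", "other-host.net"),      # not a login
    _evt("LoginEvent", "", "Remote Access 2.0", "Data Loader", "other-host.net"),                   # not a refresh
    _evt("LoginEvent", "oauthrefreshtoken", "Remote Access 2.0", "Data Loader", "example-vpn.net"), # already recorded
    _evt("LoginEvent", "oauthrefreshtoken", "Remote Access 2.0", "Reporting Bot", "amazon.com"),    # new for this app
]


def run_demo() -> List[dict]:
    """Baseline on the learning-period events, then replay the live events."""
    detector = NewValueDetector()
    detector.baseline(BASELINE_EVENTS)
    alerts = []
    for event in LIVE_EVENTS:
        alert = detector.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"NEW NETWORK: {alert['application']} from {alert['new_as_domain']}")
```

Running it yields two alerts: Data Loader from example-vpn.net, and Reporting Bot from amazon.com even though amazon.com is already in Data Loader's baseline, which is the per-application keying the rule relies on. Events that fail the filter (a logout, a non-refresh login, a login_type other than Remote Access 2.0) never touch the baseline.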
Triage & Response
- Examine the network domain and geographic location associated with the new OAuth token usage for {{@application}} to determine whether it represents a legitimate deployment or suspicious activity. The domain identifies the network provider of the client IP, so a cloud or hosting provider where the integration is known to run is expected, while a residential ISP, VPN or anonymizing provider for a server-side integration is not.
- Review the application's typical usage patterns and authorized deployment locations to verify whether the new network is expected.
- Check whether there have been recent changes to the application's infrastructure, deployment or hosting providers that would explain the new network domain.
- Analyze the timing of the OAuth token usage to identify any correlation with suspicious user activity or potential credential compromise, such as an unfamiliar interactive login or password change for the same user shortly before the refresh.
- Verify with the application owner or development team whether the OAuth token usage from the new network domain was authorized.
- If the usage was not authorized, revoke the refresh token and any active sessions for the connected app, rotate the application's client credentials, and review what the token was used to access after the first login from the new network.