Okta one-time refresh token reused
Set up the Okta integration.
Goal
Detect when an Okta refresh token is reused.
Strategy
This rule monitors the following Okta System Log events, which Okta emits when it detects that a refresh token has been reused:
app.oauth2.token.detect_reuse
app.oauth2.as.token.detect_reuse
With refresh token rotation, each refresh token is meant to be redeemed once; presenting an already-redeemed refresh token is what produces these events. An attacker who holds a refresh token can present it to the organization's authorization server /token endpoint to obtain additional access tokens, and those access tokens may give the attacker unauthorized access to the applications they are scoped for.
Triage and response
- Determine whether the source IP {{@network.client.ip}} is anomalous for the organization:
  - Does threat intelligence indicate that this IP has been associated with malicious activity?
  - Is the geo-location or ASN uncommon for the organization?
  - Has this IP generated an app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event previously?
- Keep in mind that reuse can also be benign, for example a client that retried a /token request after the original response was lost. Correlate the event with the actor and the client application before escalating.
- If the token reuse event is determined to be malicious, carry out the following actions:
  - Revoke the compromised tokens.
  - Rotate the credentials of any impacted clients.
  - Begin your company's incident response process and investigate.
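The following is an added example, not part of the original page and not Datadog's or Okta's own code. It runs the detection logic described in the Strategy section over a handful of constructed Okta System Log records and produces the triage facts listed above: which events match, whether the same source IP has produced a reuse event before, and which actors' clients need their credentials rotated. The log lines, user names, and IPs are invented for illustration; the field names (eventType, published, client.ipAddress, actor.alternateId) follow the Okta System Log schema.

```python
import json
from collections import defaultdict

# Okta System Log eventTypes emitted when an already-redeemed refresh token is
# presented again at the /token endpoint.
REUSE_EVENT_TYPES = frozenset({
    "app.oauth2.token.detect_reuse",
    "app.oauth2.as.token.detect_reuse",
})

# Constructed sample records, one JSON object per line (not real Okta output).
# The malformed line in the middle exercises the parser's error handling.
SAMPLE_LOG = r"""
{"uuid": "e1", "published": "2024-05-01T10:00:00.000Z", "eventType": "app.oauth2.as.token.grant", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.10"}}
{"uuid": "e2", "published": "2024-05-01T10:05:00.000Z", "eventType": "app.oauth2.as.token.detect_reuse", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.45"}}
{"uuid": "e3", "published": "2024-05-01T10:06:00.000Z", "eventType": "app.oauth2.token.detect_reuse", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}}
this line is not JSON and must be skipped
{"uuid": "e4", "published": "2024-05-01T11:30:00.000Z", "eventType": "app.oauth2.as.token.detect_reuse", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.45"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def client_ip(event):
    """Source IP of the request; Datadog exposes this as @network.client.ip."""
    return event.get("client", {}).get("ipAddress")


def detect_token_reuse(events):
    """Return the events that match the rule, ordered oldest first."""
    hits = [e for e in events if e.get("eventType") in REUSE_EVENT_TYPES]
    return sorted(hits, key=lambda e: e.get("published", ""))


def triage(events):
    """One row per matching event, noting how many earlier reuse events the
    same source IP had already produced (the 'seen previously?' check)."""
    seen = defaultdict(int)
    rows = []
    for e in detect_token_reuse(events):
        ip = client_ip(e)
        rows.append({
            "uuid": e.get("uuid"),
            "published": e.get("published"),
            "event_type": e["eventType"],
            "ip": ip,
            "actor": e.get("actor", {}).get("alternateId"),
            "prior_reuse_from_ip": seen[ip],
        })
        seen[ip] += 1
    return rows


def impacted_actors(events):
    """Actors whose tokens were reused; their clients' credentials need rotating."""
    return {
        e.get("actor", {}).get("alternateId")
        for e in detect_token_reuse(events)
        if e.get("actor", {}).get("alternateId")
    }


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for row in triage(evts):
        print(row)
    print("rotate credentials for:", sorted(impacted_actors(evts)))
```

In the sample, the second event from 203.0.113.45 is reported with prior_reuse_from_ip set to 1, which is the signal the triage step asks about; the threat-intelligence, geo-location, and ASN checks need external enrichment and are left to the analyst.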