Okta one-time refresh token reused
Set up the Okta integration.
Goal
Detect when an Okta refresh token is reused.
Strategy
This rule lets you monitor the following Okta events when token reuse is detected:
- app.oauth2.token.detect_reuse
- app.oauth2.as.token.detect_reuse
An attacker who holds a refresh token could query the organization's authorization server /token endpoint to obtain additional access tokens. Those access tokens could give the attacker unauthorized access to the applications the token was issued for.
Triage and response
- Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
  - Does threat intelligence indicate that this IP has been associated with malicious activity?
  - Is the geo-location or ASN uncommon for the organization?
  - Has the IP created an app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event previously?
- If the token reuse event has been determined to be malicious, carry out the following actions:
  - Revoke compromised tokens.
  - Recycle the credentials of any impacted clients.
  - Begin your company's incident response process and investigate.
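The following is an added example, not code from this rule, Datadog, or Okta. It runs the detection from the Strategy section over constructed Okta System Log records and enriches each hit with the triage context asked for above (whether the source IP is in an organization-known range, and whether that IP has produced a reuse event earlier in the stream). The KNOWN_ORG_NETWORKS list and the sample records are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Okta System Log eventTypes that signal refresh-token reuse (from the rule).
REUSE_EVENT_TYPES = {
    "app.oauth2.token.detect_reuse",
    "app.oauth2.as.token.detect_reuse",
}

# Assumption: egress ranges the organization considers known (office/VPN).
KNOWN_ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records in the shape of Okta System Log JSON, one per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"uuid": "a1", "eventType": "user.session.start",
     "client": {"ipAddress": "203.0.113.10"}, "actor": {"alternateId": "alice@example.com"}},
    {"uuid": "a2", "eventType": "app.oauth2.as.token.detect_reuse",
     "client": {"ipAddress": "198.51.100.7"}, "actor": {"alternateId": "alice@example.com"}},
    {"uuid": "a3", "eventType": "app.oauth2.token.detect_reuse",
     "client": {"ipAddress": "198.51.100.7"}, "actor": {"alternateId": "bob@example.com"}},
    {"uuid": "a4", "eventType": "app.oauth2.as.token.detect_reuse",
     "client": {"ipAddress": "203.0.113.10"}, "actor": {"alternateId": "carol@example.com"}},
])


def ip_is_known(ip: str) -> bool:
    """True when the source IP parses and falls inside an organization-known range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address: treat as not known
        return False
    return any(addr in net for net in KNOWN_ORG_NETWORKS)


def detect_token_reuse(raw_log: str) -> list:
    """Return one finding per reuse event, with the triage fields the rule asks for."""
    reuse_seen = Counter()  # source IP -> reuse events already seen from that IP
    findings = []
    for line in raw_log.splitlines():
        event = json.loads(line)
        if event.get("eventType") not in REUSE_EVENT_TYPES:
            continue
        ip = event.get("client", {}).get("ipAddress", "")
        findings.append({
            "uuid": event.get("uuid"),
            "event_type": event["eventType"],
            "actor": event.get("actor", {}).get("alternateId"),
            "source_ip": ip,
            "ip_in_known_ranges": ip_is_known(ip),
            "prior_reuse_events_from_ip": reuse_seen[ip],
        })
        reuse_seen[ip] += 1  # count only after recording, so the first hit reports 0
    return findings


if __name__ == "__main__":
    for finding in detect_token_reuse(SAMPLE_LOG):
        print(finding)
```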