Okta one-time refresh token reused

Set up the okta integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an Okta refresh token is reused.

Strategy

This rule lets you monitor the following Okta events when token reuse is detected:

  • app.oauth2.token.detect_reuse
  • app.oauth2.as.token.detect_reuse

An attacker that has access to a refresh token could query the organization’s authorization server /token endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location or ASN uncommon for the organization?
    • Has the IP created a app.oauth2.token.detect_reuse or app.oauth2.as.token.detect_reuse event previously?
  2. If the token reuse event has been determined to be malicious, carry out the following actions:
    • Revoke compromised tokens.
    • Recycle the credentials of any impacted clients.
    • Begin your company’s incident response process and investigate.
PREVIEWING: rtrieu/product-analytics-ui-changes