Previously Disabled Token Has Been Reactivated
Eco-system support
-
AWS IAM Access token
-
Azure app registration token
Description
Once a token is disabled, it should no longer be used for its original purpose. A reactivation of this token could be a security threat. It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate.
Detection Triggers
-
“Disabled” token is switched to “Enabled”.
-
Token wasn’t “Enabled” in the recent 30 days.
-
The token must be currently enabled.
Mitigation
Review abnormal activity
A previously disabled token becoming enabled again after a long time is considered an anomaly.
Review this activity by following these steps:
-
Review the "activity" tab to check its activity for the following behavior.
-
Is his new activity aligned with his previous one, or is it used to perform new actions.
-
Is the workload IP and client identical to its previous usage
-
-
Investigate the actor's identity, to understand if it's legitimate and expected.
-
If legitimate, move this risk status to 'approved'.
-
Otherwise, consider revoking the token and investigating the actors.
-