Skip to content

Previously Disabled Token Has Been Reactivated

Eco-system support

  • AWS IAM Access token

  • Azure app registration token

Description

Once a token is disabled, it should no longer be used for its original purpose. A reactivation of this token could be a security threat. It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate.

Detection Triggers

  • “Disabled” token is switched to “Enabled”.

  • Token wasn’t “Enabled” in the recent 30 days.

  • The token must be currently enabled.

Mitigation

Review abnormal activity

A previously disabled token becoming enabled again after a long time is considered an anomaly.

Review this activity by following these steps:

  1. Review the "activity" tab to check its activity for the following behavior.

    • Is his new activity aligned with his previous one, or is it used to perform new actions.

    • Is the workload IP and client identical to its previous usage

  2. Investigate the actor's identity, to understand if it's legitimate and expected.

    • If legitimate, move this risk status to 'approved'.

    • Otherwise, consider revoking the token and investigating the actors.