Previously Inactive Token Is Now Active Again
Eco-system support
-
AWS IAM Access token
-
Azure app registration token
Description
When a token that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization.
It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate.
Detection Triggers
-
Inactive (idle) token status is switched to “active” (used).
-
Token is becoming Idle after not being used for X days- 30 by default, however, this configuration of “Idle” can be set on Liminal’s risks settings.
-
The token must be enabled.
Mitigation
Inactive tokens becoming active again after a long time is considered an anomaly.
Review this activity by following these steps:
-
Review the “activity” tab to check its activity for the following behavior.
-
Is his new activity aligned with his previous one, or is it used to perform new actions?
-
Is the workload IP and client identical to its previous usage?
-
-
Investigate the actor’s identity, to understand if it’s legitimate and expected.
-
If legitimate, move this risk status to 'approved'.
-
Otherwise, consider revoking the token and investigating the actors.
-