Forum Discussion
Question about "anomalous token" alert
Hi Everyone,
I am a security analyst working with Sentinel, and every now and again we get the alert "Anomalous token involving one user". "This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens."
I need to understand more about this. I know that malicious actors can possibly spoof these tokens and abuse them. But I literally have no idea where else to go from here. There's very little support online with regard to further mitigations.
So just wondering if anyone deals with these and what the protocol is at your business? And any controls we can implement to limit such alerts.
1 Reply
Consider the following:
- Audit and Sign-In Logs: Regularly review audit and sign-in logs to identify any unusual activities. Look for patterns such as logins from unfamiliar locations or devices.
- Multi-Factor Authentication (MFA): Ensure that MFA is enabled for all users. This adds an extra layer of security, making it harder for attackers to use stolen tokens.
- Token Lifetime Policies: Implement strict token lifetime policies to limit the duration for which tokens are valid. This reduces the window of opportunity for attackers to misuse stolen tokens.
- Conditional Access Policies: Use conditional access policies to enforce access controls based on user location, device compliance, and risk level.
- Advanced Threat Protection: Utilize advanced threat protection tools like Microsoft Defender for Cloud Apps to detect and respond to token theft attempts.
- User Education: Educate users about the importance of security hygiene, such as recognizing phishing attempts and securing their devices.
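As an added example that is not part of the original thread, here is what the "review sign-in logs" step of the reply looks like when scripted for one user: the two signals named in the alert description, a session token replayed from an unfamiliar location and a session living longer than the token lifetime policy allows, are checked over a handful of constructed sign-in records. The record field names (user, sessionId, ip, country, time) are an assumption that only loosely follows the Entra ID SigninLogs columns, the baseline country set and the 24-hour lifetime and 1-hour travel window are assumed values, and the output is the list of sessions a responder would revoke.

```python
"""Triage helper for an 'anomalous token' alert: replay one user's sign-in
records and flag (a) a session token used from an unfamiliar location or
from two countries closer together than a plausible travel window and
(b) a session still in use beyond the token lifetime policy."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records for one user. The field names are an
# assumption that loosely follows Entra ID SigninLogs columns, not the exact
# exported schema; adjust them to what your workspace exports.
SAMPLE_SIGNINS = [
    # legitimate use of session sess-1 from the user's usual country
    {"user": "alice@example.com", "sessionId": "sess-1", "ip": "203.0.113.10",
     "country": "GB", "time": "2024-05-01T08:00:00Z"},
    {"user": "alice@example.com", "sessionId": "sess-1", "ip": "203.0.113.10",
     "country": "GB", "time": "2024-05-01T09:30:00Z"},
    # the same session token played 15 minutes later from another country
    {"user": "alice@example.com", "sessionId": "sess-1", "ip": "198.51.100.7",
     "country": "US", "time": "2024-05-01T09:45:00Z"},
    # a second session that stays alive well past an assumed 24 h lifetime policy
    {"user": "alice@example.com", "sessionId": "sess-2", "ip": "203.0.113.10",
     "country": "GB", "time": "2024-05-01T10:00:00Z"},
    {"user": "alice@example.com", "sessionId": "sess-2", "ip": "203.0.113.10",
     "country": "GB", "time": "2024-05-03T11:00:00Z"},
]


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sessions_by_id(records):
    """Group sign-ins by sessionId, sorted by time, so each token's history can be replayed."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sessionId"]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: parse_time(r["time"]))
    return groups


def find_replayed_sessions(records, baseline_countries, travel_window=timedelta(hours=1)):
    """Flag sessions whose token is used from a country outside the user's baseline,
    or from two countries closer together than travel_window (a token copied from
    one machine and played from another). Returns {sessionId: [reasons]}."""
    findings = {}
    for sid, recs in sessions_by_id(records).items():
        reasons = []
        unfamiliar = sorted({r["country"] for r in recs} - set(baseline_countries))
        if unfamiliar:
            reasons.append(f"used from unfamiliar country {', '.join(unfamiliar)}")
        for prev, cur in zip(recs, recs[1:]):
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            if prev["country"] != cur["country"] and gap < travel_window:
                reasons.append(f"{prev['country']}->{cur['country']} in {int(gap.total_seconds() // 60)} min")
        if reasons:
            findings[sid] = reasons
    return findings


def find_long_lived_sessions(records, max_lifetime=timedelta(hours=24)):
    """Flag sessions used for longer than the lifetime policy allows, measured from
    first to last sighting of the sessionId. Returns {sessionId: lifetime}."""
    findings = {}
    for sid, recs in sessions_by_id(records).items():
        lifetime = parse_time(recs[-1]["time"]) - parse_time(recs[0]["time"])
        if lifetime > max_lifetime:
            findings[sid] = lifetime
    return findings


def triage(records, baseline_countries, max_lifetime=timedelta(hours=24)):
    """Combine both checks and return the sessions a responder should revoke."""
    replayed = find_replayed_sessions(records, baseline_countries)
    long_lived = find_long_lived_sessions(records, max_lifetime)
    return {
        "replayed": replayed,
        "long_lived": long_lived,
        "revoke": sorted(set(replayed) | set(long_lived)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS, baseline_countries={"GB"})
    for sid, reasons in result["replayed"].items():
        print(f"{sid}: possible token replay: {'; '.join(reasons)}")
    for sid, lifetime in result["long_lived"].items():
        print(f"{sid}: session alive for {lifetime}, beyond policy")
    print("sessions to revoke:", result["revoke"])
```

On the sample, sess-1 is flagged for both an unfamiliar country and a GB to US hop within 15 minutes, and sess-2 is flagged only for outliving the assumed 24-hour policy; the baseline set is what turns the "unfamiliar location" wording of the alert into something checkable, so it should be built from the user's own prior sign-ins rather than a fixed list.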