Anthropic-Cybersecurity-Skills/skills/detecting-oauth-token-theft/references/api-reference.md
# API Reference: Detecting OAuth Token Theft

## Microsoft Graph Sign-In Logs

```bash
# Query sign-in logs (-G sends the parameters as a URL-encoded query string,
# so the spaces in the OData filter reach Graph correctly)
curl -G -H "Authorization: Bearer $MS_TOKEN" \
  "https://graph.microsoft.com/v1.0/auditLogs/signIns" \
  --data-urlencode '$filter=createdDateTime ge 2025-01-01' \
  --data-urlencode '$top=100'
```

### Sign-In Event Fields

| Field | Description |
|---|---|
| `userPrincipalName` | User email/UPN |
| `ipAddress` | Source IP address |
| `location.city` | Geo city |
| `location.geoCoordinates` | Latitude/longitude |
| `deviceDetail.deviceId` | Device identifier |
| `resourceDisplayName` | Target resource |
| `status.errorCode` | 0 = success |
| `riskState` | `none`, `confirmedCompromised`, `remediated` |

## Okta System Log API

```bash
# Query events (-G / --data-urlencode handle the spaces and quotes in the filter expression)
curl -G -H "Authorization: SSWS $OKTA_TOKEN" \
  "https://your-org.okta.com/api/v1/logs" \
  --data-urlencode 'filter=eventType eq "user.session.start"' \
  --data-urlencode 'since=2025-01-01'
```

## Detection Logic

| Detection | Method |
|---|---|
| Impossible travel | Haversine distance / elapsed time > 900 km/h |
| Token replay | Same user, 3+ distinct IPs within a 5-minute window |
| New device | Device ID not in known device inventory |
| Suspicious scopes | 2+ sensitive OAuth scopes requested |

## Sensitive OAuth Scopes (Microsoft)

| Scope | Risk |
|---|---|
| `Mail.ReadWrite` | Email access |
| `Mail.Send` | Send-as capability |
| `Files.ReadWrite.All` | Full file access |
| `Directory.ReadWrite.All` | AD modification |
| `Application.ReadWrite.All` | App registration |
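The four detection rules above and the sensitive-scope list, implemented as an added example over constructed sign-in records shaped like Graph `signIns` entries (this is illustrative code written for this reference, not part of the skill's own tooling). The field names follow the Graph table above; the user names, IPs, device IDs and coordinates are made up, and the per-user replay scan uses a simple forward window rather than a streaming implementation.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the detection table
MAX_SPEED_KMH = 900.0                 # impossible travel
REPLAY_WINDOW = timedelta(minutes=5)  # token replay window
REPLAY_MIN_IPS = 3                    # token replay: 3+ distinct IPs in the window
SENSITIVE_SCOPE_MIN = 2               # suspicious consent: 2+ sensitive scopes
SENSITIVE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
}


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps Graph returns in createdDateTime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _successful_by_user(events):
    """Group successful sign-ins (status.errorCode == 0) per UPN, sorted by time."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 0:
            by_user[e["userPrincipalName"]].append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
    return by_user


def detect_impossible_travel(events):
    """Flag consecutive sign-ins whose implied speed exceeds MAX_SPEED_KMH."""
    findings = []
    for user, evs in _successful_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            # Same-second sign-ins from two different places are impossible; avoid dividing by zero
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > MAX_SPEED_KMH:
                findings.append((user, prev["ipAddress"], cur["ipAddress"], round(speed)))
    return findings


def detect_token_replay(events):
    """Flag a user seen from REPLAY_MIN_IPS or more distinct IPs inside REPLAY_WINDOW."""
    findings = []
    for user, evs in _successful_by_user(events).items():
        times = [parse_ts(e["createdDateTime"]) for e in evs]
        for start in times:
            ips = {e["ipAddress"] for e, t in zip(evs, times) if start <= t <= start + REPLAY_WINDOW}
            if len(ips) >= REPLAY_MIN_IPS:
                findings.append((user, sorted(ips)))
                break  # one finding per user is enough
    return findings


def detect_new_device(events, known_devices):
    """Flag successful sign-ins whose deviceDetail.deviceId is absent from the inventory."""
    return [(e["userPrincipalName"], e["deviceDetail"]["deviceId"])
            for e in events
            if e["status"]["errorCode"] == 0
            and e["deviceDetail"]["deviceId"]
            and e["deviceDetail"]["deviceId"] not in known_devices]


def detect_suspicious_scopes(requested):
    """Return the sensitive scopes requested if there are SENSITIVE_SCOPE_MIN or more, else []."""
    hit = sorted(SENSITIVE_SCOPES.intersection(requested))
    return hit if len(hit) >= SENSITIVE_SCOPE_MIN else []


def _ev(upn, ts, ip, lat, lon, device="dev-known-1", code=0):
    """Build a minimal Graph-shaped sign-in record (constructed sample data)."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "location": {"geoCoordinates": {"latitude": lat, "longitude": lon}},
            "deviceDetail": {"deviceId": device}, "status": {"errorCode": code}}


# Constructed sample sign-ins (not real data); coordinates are New York, London and Chicago
SAMPLE_EVENTS = [
    _ev("alice@example.com", "2025-01-01T10:00:00Z", "203.0.113.10", 40.7128, -74.0060),
    _ev("alice@example.com", "2025-01-01T10:30:00Z", "198.51.100.7", 51.5074, -0.1278),
    _ev("bob@example.com", "2025-01-01T11:00:00Z", "203.0.113.20", 41.8781, -87.6298),
    _ev("bob@example.com", "2025-01-01T11:02:00Z", "203.0.113.21", 41.8781, -87.6298),
    _ev("bob@example.com", "2025-01-01T11:04:00Z", "203.0.113.22", 41.8781, -87.6298),
    _ev("carol@example.com", "2025-01-01T12:00:00Z", "203.0.113.30", 41.8781, -87.6298, device="dev-unknown-9"),
    _ev("dave@example.com", "2025-01-01T12:05:00Z", "203.0.113.40", 41.8781, -87.6298, code=50126),  # failed sign-in
]
KNOWN_DEVICES = {"dev-known-1"}

if __name__ == "__main__":
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS))
    print("token replay:", detect_token_replay(SAMPLE_EVENTS))
    print("new device:", detect_new_device(SAMPLE_EVENTS, KNOWN_DEVICES))
    print("suspicious scopes:", detect_suspicious_scopes(["Mail.ReadWrite", "Mail.Send", "User.Read"]))
```

Only successful sign-ins feed the travel and replay rules, since a failed attempt from a far-away IP is noise for these two checks (it is still worth alerting on separately). The failed entry for `dave` in the sample shows that filtering.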

## MITRE ATT&CK Mapping

| Technique | Description |
|---|---|
| T1528 | Steal Application Access Token |
| T1550.001 | Application Access Token reuse |
| T1078.004 | Cloud Accounts |