<  Back to rules search

Credential stuffing attack on Auth0

auth0

Classification:

attack

Tactic:

Technique:

Set up the auth0 integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect Account Take Over (ATO) through credential stuffing attack.

Strategy

To determine a successful attempt: Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a HIGH severity signal.

To determine an unsuccessful attempt: Detect a high number of failed logins from at least ten unique users. This generates an INFO severity signal.

Triage and response

  1. Inspect the logs to see if this was a valid login attempt.
  2. See if 2FA was authenticated
  3. If the user was compromised, rotate user credentials.

Changelog

13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.