Auth0 suspicious IP throttling disabled

auth0

Classification:

attack

Set up the auth0 integration.

Goal

Detect when Auth0 suspicious IP throttling is disabled.

Strategy

This rule allows you to monitor Auth0 logs and detect when Auth0 suspicious IP throttling is disabled. Suspicious IP throttling blocks traffic from any IP address that rapidly attempts too many logins or signups. This helps protect your applications from high-velocity attacks that target multiple accounts. Disabling this feature will degrade the security posture of your application, leaving it vulnerable to credential-based attacks like brute force attacks, credential stuffing, or bulk account creation.

Triage and response

  1. Investigate the client id {{@data.client_id}} to understand if this is an expected operation.
  2. Work with your tenant administrator to identify the owner of the application.
  3. Speak with the owner of the application to understand if this operation is expected and approved.
  4. If the owner of the application is unaware of this operation:
    • Disable the application credentials if possible.
    • Investigate any further activity from the IP {{@network.client.ip}} or the client id {{@data.client_id}}.
    • Begin your organization’s incident response process and investigate.
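
The following Python is an added illustration of the detection described in the Strategy section and of the fields the triage steps refer to; it is not part of this rule page or of Datadog's own query. It scans constructed Auth0 log lines for a successful Management API call that turns the feature off and returns the client id and source IP for triage. The event shape (type "sapi", details.request with method/path/body, top-level client_id and ip) and the endpoint path are assumptions about Auth0 audit events, not something the page states.

```python
import json

# Constructed sample Auth0 tenant log events (JSON lines, not real data). The
# field layout (type "sapi" for a successful Management API call, details.request
# with method/path/body, top-level client_id and ip) and the endpoint path are
# assumptions about Auth0 audit events; adjust the accessors to your own export.
THROTTLING_PATH = "/api/v2/attack-protection/suspicious-ip-throttling"
SAMPLE_LOGS = [
    '{"type":"sapi","client_id":"abc123ClientId","ip":"203.0.113.10",'
    '"details":{"request":{"method":"PATCH","path":"' + THROTTLING_PATH + '",'
    '"body":{"enabled":false}}}}',
    # same endpoint, but re-enabling the feature: not an alert
    '{"type":"sapi","client_id":"abc123ClientId","ip":"203.0.113.10",'
    '"details":{"request":{"method":"PATCH","path":"' + THROTTLING_PATH + '",'
    '"body":{"enabled":true}}}}',
    # read-only call to the same endpoint: not an alert
    '{"type":"sapi","client_id":"readOnlyClient","ip":"198.51.100.7",'
    '"details":{"request":{"method":"GET","path":"' + THROTTLING_PATH + '"}}}',
    # failed API operation: the setting did not actually change
    '{"type":"fapi","client_id":"abc123ClientId","ip":"203.0.113.10",'
    '"details":{"request":{"method":"PATCH","path":"' + THROTTLING_PATH + '",'
    '"body":{"enabled":false}}}}',
    'not json at all',
]


def is_throttling_disabled(event: dict) -> bool:
    """True when a successful PATCH turned suspicious IP throttling off."""
    if event.get("type") != "sapi":
        return False
    req = event.get("details", {}).get("request", {})
    if req.get("method", "").upper() != "PATCH" or req.get("path") != THROTTLING_PATH:
        return False
    body = req.get("body") or {}
    # Require the JSON boolean false; the string "false" is not a disable.
    return body.get("enabled") is False


def find_throttling_disabled(lines):
    """Return (client_id, ip) for every event that disabled the feature.

    Malformed lines are skipped rather than aborting the scan, so one bad
    record cannot hide a genuine configuration change later in the batch.
    """
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and is_throttling_disabled(event):
            hits.append((event.get("client_id"), event.get("ip")))
    return hits
```

Each returned pair is the client id and IP to follow up on in the triage steps; re-enabling the feature, read-only calls, and failed operations are deliberately ignored.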