Classification:

attack

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the auth0 integration.

Goal

Detect when a Auth0 tenant invitation has been sent to a user.

Strategy

This rule allows you to monitor Auth0 logs and detect when a Auth0 tenant invitation has been sent to a user. This invitation gives the user access to Auth0’s primary administrator interface in which you can register applications or APIs, connect to a user store or another identity provider, and configure Auth0 services. When new tenant members are added they can be assigned roles to moderate levels of access.

Triage and response

1. Determine if user {{@usr.email}} should have invited {{@data.details.response.body.email}} to the Auth0 tenant.
2. If the invitation was not created by the user:
   • Rotate user credentials.
   • Determine what other actions were carried out by user {{@usr.email}}.
   • Remove the invited member {{@data.details.response.body.email}} from the tenant and investigate any actions taken by this user.
3. If the invitation was created by the user and the assigned role includes write access:
   • Confirm with user {{@usr.email}} that this level of access is required for the invited user.