Auth0 tenant invitation sent to user

auth0

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a Auth0 tenant invitation has been sent to a user.

Strategy

This rule allows you to monitor Auth0 logs and detect when a Auth0 tenant invitation has been sent to a user. This invitation gives the user access to Auth0’s primary administrator interface in which you can register applications or APIs, connect to a user store or another identity provider, and configure Auth0 services. When new tenant members are added they can be assigned roles to moderate levels of access.

Triage and response

  1. Determine if user {{@usr.email}} should have invited {{@data.details.response.body.email}} to the Auth0 tenant.
  2. If the invitation was not created by the user:
    • Rotate user credentials.
    • Determine what other actions were carried out by user {{@usr.email}}.
    • Remove the invited member {{@data.details.response.body.email}} from the tenant and investigate any actions taken by this user.
  3. If the invitation was created by the user and the assigned role includes write access:
    • Confirm with user {{@usr.email}} that this level of access is required for the invited user.