Anomalous number of Auth0 Attack Protection events

Set up the auth0 integration.

Goal

Detect an anomalous number of Attack Protection events for a hostname.

Strategy

This rule allows you to monitor Auth0 logs and detect when there is an anomalous number of Attack Protection events for a host. Attack Protection is a feature that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication. Abnormally high volumes of Attack Protection events may be an indicator of an ongoing credential-based attack such as credential stuffing.

Triage and response

  1. Determine if the spike in Attack Protection events is abnormal for your application:
    • Is the spike related to a single IP (@network.client.ip) or user agent (@http.useragent)?
    • Is it coming from unexpected geo-locations (@network.client.geoip.country.name) for your application?
    • Is it coming from a set of unexpected autonomous systems (AS)?
  2. If it’s deemed to be an attack:
    • Filter for any successful authentications (@evt.name:success_login) from the attacker's infrastructure.
    • If any accounts have been compromised, begin your organization’s incident response process and investigate.
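As an added example (not part of the rule or the Auth0 integration), the triage steps above in Python over constructed events that carry the attributes the rule references: the window is compared against a baseline, the spike is profiled by IP, user agent and country, and successful logins from the dominant source are pulled out for investigation. The event names other than success_login, the hostname, IPs, countries and counts are all constructed for this illustration.

```python
from collections import Counter
from statistics import median
# Constructed Auth0-style log events shaped after the attributes the rule references.
# The Attack Protection event names other than success_login are assumed labels for this example.
ATTACK_PROTECTION_EVENTS = {"brute_force_block", "suspicious_ip_throttle", "breached_password"}

def ev(name, ip, ua, country, host="login.example.com"):
    return {"host": host, "evt.name": name, "network.client.ip": ip,
            "http.useragent": ua, "network.client.geoip.country.name": country}

EVENTS = (
    [ev("brute_force_block", "203.0.113.7", "python-requests/2.31", "Country A")] * 6
    + [ev("suspicious_ip_throttle", "203.0.113.7", "python-requests/2.31", "Country A")] * 3
    + [ev("brute_force_block", "198.51.100.2", "Mozilla/5.0", "Country B")]
    + [ev("success_login", "203.0.113.7", "python-requests/2.31", "Country A")]  # hit from the attacker
    + [ev("success_login", "192.0.2.10", "Mozilla/5.0", "Country B")]  # ordinary user login
)
HOURLY_BASELINE = [1, 0, 2, 1, 0, 1, 2]  # constructed per-hour counts for the same host

def attack_protection_events(events, hostname):
    """Attack Protection events for one hostname in the current window."""
    return [e for e in events if e["host"] == hostname and e["evt.name"] in ATTACK_PROTECTION_EVENTS]

def is_anomalous(count, baseline, factor=3):
    """Flag the window when its count exceeds `factor` times the typical (median) count."""
    return count > factor * max(median(baseline), 1)

def spike_profile(events):
    """Triage step 1: the dominant IP, user agent and country, with their share of the spike."""
    profile = {}
    for attr in ("network.client.ip", "http.useragent", "network.client.geoip.country.name"):
        top, n = Counter(e[attr] for e in events).most_common(1)[0]
        profile[attr] = (top, n / len(events))
    return profile

def suspect_ips(events, share=0.5):
    """IPs that account for at least `share` of the spike; a single-source spike points at one IP."""
    counts = Counter(e["network.client.ip"] for e in events)
    return {ip for ip, n in counts.items() if n / len(events) >= share}

def successful_logins_from(events, ips):
    """Triage step 2: successful authentications (@evt.name:success_login) from the suspect IPs."""
    return [e for e in events if e["evt.name"] == "success_login" and e["network.client.ip"] in ips]

if __name__ == "__main__":
    spike = attack_protection_events(EVENTS, "login.example.com")
    print("anomalous:", is_anomalous(len(spike), HOURLY_BASELINE))
    print("profile:", spike_profile(spike))
    hits = successful_logins_from(EVENTS, suspect_ips(spike))
    print("successful logins from suspect IPs:", len(hits))  # accounts to investigate
```

Any account behind a returned success_login is a candidate for the incident response step in the list above.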