---
title: Auth0 tenant invitation sent to user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Auth0 tenant invitation sent to user
---

# Auth0 tenant invitation sent to user
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a Auth0 tenant invitation has been sent to a user.

## Strategy{% #strategy %}

This rule allows you to monitor Auth0 logs and detect when a Auth0 tenant invitation has been sent to a user. This invitation gives the user access to Auth0's primary administrator interface in which you can register applications or APIs, connect to a user store or another identity provider, and configure Auth0 services. When new tenant members are added they can be assigned [roles](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role#dashboard-roles) to moderate levels of access.

## Triage and response{% #triage-and-response %}

1. Determine if user `{{@usr.email}}` should have invited `{{@data.details.response.body.email}}` to the Auth0 tenant.
1. If the invitation was not created by the user:
   - Rotate user credentials.
   - Determine what other actions were carried out by user `{{@usr.email}}`.
   - Remove the invited member `{{@data.details.response.body.email}}` from the tenant and investigate any actions taken by this user.
1. If the invitation was created by the user and the assigned role includes write access:
   - Confirm with user `{{@usr.email}}` that this level of access is required for the invited user.