Auth0 user authenticating from multiple countries

auth0

Classification:

attack

Tactic:

Set up the auth0 integration.

Overview

Goal:

Detect logins by the same user from multiple countries within a short time frame.

Strategy:

Use GeoIP data to detect when a user logs in from two IP addresses that are in different countries within a short time frame.
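The strategy above, sketched as an added example (this is not the rule's own query or Auth0's log schema). The event field names, the one-hour default window and the success-only filter are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Auth0 output. "country" is assumed to
# have been attached upstream by a GeoIP lookup on the source IP.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2024-05-01T09:00:00+00:00",
     "ip": "192.0.2.10", "country": "US", "success": True},
    {"user": "alice@example.com", "ts": "2024-05-01T09:20:00+00:00",
     "ip": "198.51.100.7", "country": "DE", "success": True},
    # Two IPs, same country: not a finding.
    {"user": "bob@example.com", "ts": "2024-05-01T09:00:00+00:00",
     "ip": "203.0.113.5", "country": "FR", "success": True},
    {"user": "bob@example.com", "ts": "2024-05-01T09:05:00+00:00",
     "ip": "203.0.113.99", "country": "FR", "success": True},
    # Two countries, but twelve hours apart: outside the default window.
    {"user": "carol@example.com", "ts": "2024-05-01T08:00:00+00:00",
     "ip": "192.0.2.44", "country": "GB", "success": True},
    {"user": "carol@example.com", "ts": "2024-05-01T20:00:00+00:00",
     "ip": "198.51.100.80", "country": "JP", "success": True},
    # Second event is a failed attempt, so it does not count as a login.
    {"user": "dave@example.com", "ts": "2024-05-01T10:00:00+00:00",
     "ip": "192.0.2.61", "country": "CA", "success": True},
    {"user": "dave@example.com", "ts": "2024-05-01T10:05:00+00:00",
     "ip": "203.0.113.200", "country": "BR", "success": False},
]

def multi_country_logins(events, window=timedelta(hours=1)):
    """Return {user: sorted country codes} for users whose successful logins
    come from two or more countries within `window` of each other."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["country"]))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the left edge forward until the span fits inside the window.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            countries = {country for _, country in logins[start:end + 1]}
            if len(countries) > 1:
                findings.setdefault(user, set()).update(countries)
    return {user: sorted(c) for user, c in findings.items()}

if __name__ == "__main__":
    print(multi_country_logins(SAMPLE_EVENTS))
```

The window length controls the trade-off between catching slower account sharing and flagging legitimate travel or VPN use, so tune it against your own login history.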

Triage & Response:

  1. See if 2FA was used for authentication.
  2. Contact the user and see if this behavior is expected.
  3. If the user was compromised, rotate the user credentials.