Anomalous number of Auth0 Attack Protection events

Set up the auth0 integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect an anomalous number of Attack Protection events for a hostname.

Strategy

This rule allows you to monitor Auth0 logs and detect when there is an anomalous number of Attack Protection events for a host. Attack Protection is a feature that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication. Abnormally high volumes of attack protection events may be an indicator of an ongoing credential based attack like credential stuffing.

Triage and response

  1. Determine if the spike in Attack Protection events are abnormal for your application:
    • Is the spike related to a single IP (@network.client.ip) or user agent (@http.useragent)?
    • Is it coming from unexpected geo-locations (@network.client.geoip.country.name) for your application?
    • Is it comming from a set of unexpected autonomous systems (AS)?
  2. If it’s deemed to be an attack:
    • Filter for any successful authentications (@evt.name:success_login) from the attackers infrastructure.
    • If any accounts have been compromised, begin your organization’s incident response process and investigate.
PREVIEWING: brett0000FF/node-compatibility