Classification:

attack

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the auth0 integration.

Goal

Detect when Auth0 brute-force protection is disabled.

Strategy

This rule allows you to monitor Auth0 logs and detect when Auth0 brute-force protection is disabled. Brute-force protection safeguards against a single IP address attacking a single user account. For example, when a given IP address tries and fails multiple times to log in as the same user. Disabling this feature will degrade the security posture of your application, leaving it vulnerable to credential-based attacks like brute force attacks.

Triage and response

1. Investigate the client id {{@data.client_id}} to understand if this is an expected operation.
2. Work with your tenant administrator to identify the owner of the application.
3. Speak with the owner of the application to understand if this operation is expected and approved.
4. If the owner of the application is unaware of this operation:
   • Disable the application credentials if possible.
   • Investigate any further activity from the IP {{@network.client.ip}} or the client id {{@data.client_id}}.
   • Begin your organization’s incident response process and investigate.