Anomalous number of Auth0 Attack Protection events
Set up the auth0 integration.
Goal
Detect an anomalous number of Attack Protection events for a hostname.
Strategy
This rule allows you to monitor Auth0 logs and detect when there is an anomalous number of Attack Protection events for a host. Attack Protection is a feature that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication. Abnormally high volumes of Attack Protection events may be an indicator of an ongoing credential-based attack such as credential stuffing.
Triage and response
- Determine if the spike in Attack Protection events is abnormal for your application:
  - Is the spike related to a single IP (`@network.client.ip`) or user agent (`@http.useragent`)?
  - Is it coming from unexpected geo-locations (`@network.client.geoip.country.name`) for your application?
  - Is it coming from a set of unexpected autonomous systems (AS)?
- If it is deemed to be an attack:
  - Filter for any successful authentications (`@evt.name:success_login`) from the attacker's infrastructure.
  - If any accounts have been compromised, begin your organization's incident response process and investigate.