
Quick Start Security for Auth0


Coralogix Extension For Auth0 Includes:

Dashboards - 1

Gain instantaneous visualization of all your Auth0 data.

Auth0 E2M Dashboard

Alerts - 13

Stay on top of Auth0 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An Account Was Blocked

This alert detects when an account is blocked because a user reached the maximum number of logins per time period from the same IP address.
Impact: Multiple login attempts in a short time frame might indicate a brute-force attack against the relevant account(s).
Mitigation: Investigate the login attempts and verify whether they were legitimate.
MITRE Tactic: TA0006
MITRE Technique: T1110

MFA Disabled

This alert triggers when multi-factor authentication has been disabled.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.
Mitigation: Re-enable MFA and investigate the user who disabled it, as well as all actions performed by users during the period when MFA was disabled.
MITRE Tactic: TA0006
MITRE Technique: T1556
MITRE Sub-Technique: 006

MFA Risk Assessment Disabled

This alert detects when the MFA risk assessment setting for your organization's tenant has been disabled.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.
Mitigation: Re-enable the MFA risk assessment setting and investigate the user who disabled it, as well as all actions performed by users during the period when this setting was disabled.
MITRE Tactic: TA0006
MITRE Technique: T1556
MITRE Sub-Technique: 006

Access Failed By CORS Policy

This alert detects when the request origin is not in the allowed origins list for the specified application. See https://portswigger.net/web-security/cors for more detail on CORS (cross-origin resource sharing).
Impact: Threat actors can make access requests to restricted resources.
Mitigation: Verify whether the request is legitimate. If not, investigate it further and check for any other suspicious activity.
MITRE Tactic: TA0001
MITRE Technique: T1190

User Was Deleted

This alert detects when a user is deleted.
Impact: User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to cause harm or evade detection.
Mitigation: Verify with the user who initiated the deletion that it was intentional and legitimate; if not, revert it and investigate further.
MITRE Tactic: TA0040
MITRE Technique: T1531

Successful Login Observed From an Unfamiliar Country

This alert detects a login from a new country, based on the geolocation of previous logins. This might indicate an external actor attempting to gain access.
Impact: Login attempts from an unfamiliar country might be an indicator of malicious activity.
Mitigation: Investigate the user's activity and verify the cause of the login attempt from an unfamiliar geolocation.
MITRE Tactic: TA0001
MITRE Technique: T1078

Authentication via MFA Failed

This alert detects when multi-factor authentication fails more than 3 times in a 5-minute interval. This could happen due to incorrect input of the SMS/Voice/Email/TOTP verification code, or a system failure.
Impact: Multiple failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify whether the action is being performed by a legitimate user.
MITRE Tactic: TA0006
MITRE Technique: T1110

Multiple Failed Login Attempts Observed

This alert is triggered when more than 3 failed login attempts are observed in a 5-minute interval from a specific source. It covers the following Auth0 event codes:
f - Failed Login
fp - Failed Login (Incorrect Password)
fu - Failed Login (Invalid Email/Username)
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify the root cause; it might be an indicator of malicious activity. Ensure that MFA is in place.
MITRE Tactic: TA0006
MITRE Technique: T1110
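As an added illustration (not code from the Coralogix extension), the following Python reproduces this rule's logic over constructed Auth0-style log events: more than 3 failures of type f, fp or fu within a 5-minute sliding window from one source IP. The field names type, date and ip follow Auth0's log event format; the sample values and the helper names are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Auth0 event codes the alert covers (f, fp, fu), as listed on the page.
FAILED_LOGIN_CODES = {"f", "fp", "fu"}
THRESHOLD = 3                    # alert when failures exceed this count
WINDOW = timedelta(minutes=5)    # sliding window per source IP

def parse_date(value):
    # Auth0 log dates are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect_failed_login_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: finding} for every source IP that exceeds `threshold`
    failed logins inside any `window`-long span. Events need not be sorted."""
    failures = sorted(
        (parse_date(e["date"]), e["ip"], e["type"], e.get("user_name", ""))
        for e in events if e["type"] in FAILED_LOGIN_CODES
    )
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    findings = {}
    for ts, ip, _code, _user in failures:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in findings:
            findings[ip] = {"first": q[0], "last": ts, "count": len(q)}
    return findings

# Constructed sample events in Auth0 log format; all values are made up.
SAMPLE_EVENTS = [
    {"type": "fp", "date": "2024-05-01T10:00:00.000Z", "ip": "198.51.100.7", "user_name": "alice"},
    {"type": "fu", "date": "2024-05-01T10:01:10.000Z", "ip": "198.51.100.7", "user_name": "bob"},
    {"type": "f",  "date": "2024-05-01T10:02:30.000Z", "ip": "198.51.100.7", "user_name": "carol"},
    {"type": "s",  "date": "2024-05-01T10:03:00.000Z", "ip": "198.51.100.7", "user_name": "alice"},
    {"type": "fp", "date": "2024-05-01T10:04:20.000Z", "ip": "198.51.100.7", "user_name": "alice"},
    # Second source: one stale failure, then exactly 3 in 5 minutes -> no alert.
    {"type": "fp", "date": "2024-05-01T10:00:05.000Z", "ip": "203.0.113.9", "user_name": "dave"},
    {"type": "fp", "date": "2024-05-01T10:20:00.000Z", "ip": "203.0.113.9", "user_name": "dave"},
    {"type": "fp", "date": "2024-05-01T10:21:00.000Z", "ip": "203.0.113.9", "user_name": "dave"},
    {"type": "fp", "date": "2024-05-01T10:22:00.000Z", "ip": "203.0.113.9", "user_name": "dave"},
]

if __name__ == "__main__":
    for ip, f in detect_failed_login_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {f['count']} failed logins between {f['first']} and {f['last']}")
```

The second source shows why the window matters: its stale failure ages out, leaving exactly 3 failures in 5 minutes, which does not exceed the threshold.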

Login/Signup Attempted With a Breached Password

This alert detects when a user attempts to log in or sign up with a leaked password.
Impact: Credential information may be exposed to adversaries via leaks to online or other accessible data sets (e.g. search engines, breach dumps, code repositories). Adversaries may also purchase credentials from the dark web or other black markets.
Mitigation: Check whether the login/signup was performed by the legitimate user and whether the user is aware of it. If not, investigate further. If a login used a leaked password, update the credentials immediately. Administrators can also conduct regular audits of user credentials (passwords) as part of any assessment to ensure they have not been leaked or breached.
MITRE Tactic: TA0043
MITRE Technique: T1589
MITRE Sub-Technique: 001

No logs from Auth0

This rule detects when there have been no Auth0 logs in the customer account in the last 36 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005
MITRE Technique: T1562

New User Created

This alert detects the creation of a new account in Auth0.
Impact: Creating a new user might involve assigning particular access privileges, potentially providing entry to sensitive data or critical systems. Consequently, unauthorized user creation can result in persistence and poses a potential security risk.
Mitigation: Implement RBAC to ensure that new users receive the minimum necessary access privileges based on their roles. Also check that the user creation followed the organization's required approvals and policies.
MITRE Tactic: TA0006
MITRE Technique: T1136

Multiple MFA Auth Rejected by User

This alert is triggered when a user rejects multiple multi-factor authentication requests sent via push notification.
Impact: Repeatedly rejected MFA prompts may indicate that the user's credentials (such as the password) have been compromised: the user may be aware of unauthorized access attempts and is denying the MFA requests to prevent access by an attacker.
Mitigation: Check with the user and change the user's password if it is compromised.
MITRE Tactic: TA0006
MITRE Technique: T1110

OTP Rate Limit Exceeded

This alert detects when a user sends more than 10 OTP requests to their device within one hour.
Impact: Multiple login attempts in a short time frame might indicate a brute-force attack against the relevant account(s).
Mitigation: Investigate the login attempts and verify whether they were legitimate.
MITRE Tactic: TA0006
MITRE Technique: T1110

Integration

Learn more about Coralogix's out-of-the-box integration with Auth0 in our documentation.
