Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Auth0

Auth0
Auth0 icon

Out-of-the-Box Security For Auth0 Includes:

Dashboards - 1

Gain instantaneous visualization of all your Auth0 data.

Auth0 E2M Dashboard
Auth0 E2M Dashboard

Alerts - 13

Stay on top of Auth0 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An Account Was Blocked

This alert detects when an account is blocked because a user reached the maximum logins per time period from the same IP address. Impact Multiple login attempts in a short time frame might indicate a brute-force attack against the relevant account/s. Mitigation Investigate the login attempts and verify if the login attempts were legitimate or not. MITRE Tactic: TA0006 MITRE Technique: T1110

MFA Disabled

This alert triggers when the multi-factor authentication has been disabled. Impact An adversary may disable MFA enforcement in order to weaken an organization’s security controls. Mitigation Re-enable MFA and investigate the user who disabled the service and all actions performed by users in the given time when MFA was disabled. MITRE Tactic: TA0006 MITRE Technique: T1556 MITRE sUB-Technique: 006

MFA Risk Assessment Disabled

This alert detects when the MFA risk assessment setting for your organization's tenant has been disabled. Impact An adversary may disable MFA enforcement in order to weaken an organization’s security controls. Mitigation Re-enable the MFA risk assessment setting and investigate the user who disabled the service and all actions performed by users in the given time when this setting was disabled. MITRE Tactic: TA0006 MITRE Technique: T1556 MITRE Sub-Technique: 006

Access Failed By CORS Policy

This alert detects when the origin is not in the allowed origins list for the specified application. Please see the below link for more detail on CORS (cross-origin resource sharing) https://portswigger.net/web-security/cors Impact Threat actors can make access requests to restricted resources. Mitigation Verify if the request is legitimate. If not, investigate it further and check for any other suspicious activities. MITRE Tactic: TA0001 MITRE Technique: T1190

User Was Deleted

This alert detects when a user is deleted. Impact User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to harm or evade detection. Mitigation Verify with the user that initiated the deletion action that it was intentional and legitimate, revert and investigate further if not. MITRE Tactic: TA0040 MITRE Technique: T1531

Successful Login Observed From an Unfamiliar Country

This alert detects a login from a new country based on the geolocation of previous logins. This might be an indication of an external actor attempting to gain access. Impact Login attempts from an unfamiliar country might be an indicator of malicious activity. Mitigation Investigate the user activity and verify the cause of the login attempt from an unfamiliar geo-location. It might be an indicator of malicious activity. MITRE Tactic: TA0001 MITRE Technique: T1078

Authentication via MFA Failed

This alert detects when Multi-factor authentication failed more than 3 times in a 5 minute interval. This could happen due to incorrect input with respect to SMS/Voice/Email/TOTP verification, or a system failure. Impact Multiple failed login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Investigate the failed login attempts and verify if the action is being performed by a legitimate user. MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Failed Login Attempts Observed

This alert is triggered when more than 3 failed login attempts are observed in a 5-minute interval from a specific source. This alert covers Event Codes- f - Failed Login fp - Failed Login (Incorrect Password) fu - Failed Login (Invalid Email/Username) Impact Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Investigate the failed login attempts and verify the root cause. It might be an indicator of malicious activity. Ensure that MFA is in place. MITRE Tactic: TA0006 MITRE Technique: T1110

Login/Signup Attempted With a Breached Password

This alert detects when a user attempts to login or signup with a leaked password. Impact Credential information may be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.). Adversaries may also purchase credentials from the dark web or other black markets. Mitigation Check if the login/signup was performed by the legitimate user and if the user is aware of it. If not, investigate further. Also, make sure that in case of login with a leaked password, immediately update the credentials. Administrators can also conduct regular audits of user credentials (passwords) as part of any assessment to ensure that they have not been leaked or breached. MITRE Tactic: TA0043 MITRE Technique: T1589 MITRE Sub Technique: 001

No logs from Auth0

This rule detects if there are no logs in the last 36 hours for Auth0 in the customer account. Note- This alert should configured with relevant app & subsystem. Impact Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. Mitigation Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system. MITRE Tactic: TA0005 MITRE Technique:T1562

New User Created

This alert detects a new account creation in auth0. Impact The creation of a new user might involve assigning particular access privileges, potentially providing entry to sensitive data or critical systems. Consequently, unauthorized user creation can result in persistence, posing a potential security risk. Mitigation Implement RBAC to ensure that new users receive the minimum necessary access privileges based on their roles. Also check if the user created follows the necessary approvals/policies as per org. MITRE Tactic : ta0006 MITRE Technique : t1136

Multiple MFA Auth Rejected by User

This alert is triggered when a user rejected multiple Multi-factor authentication requests via push-notification. Impact Repeatedly rejecting MFA prompts may indicate that the user's credentials (such as the password) have been compromised. The user might be aware of unauthorized access attempts and is denying the MFA requests to prevent access by an attacker. Mitigation Check with the user and change the user password if compromised. MITRE Tactic: TA0006 MITRE Technique: T1110

OTP Rate Limit Exceeded

This alert detects when a user sends more than 10 requests to their device within one hour. Impact Multiple login attempts in a short time frame might indicate a brute-force attack against the relevant account/s. Mitigation Investigate the login attempts and verify if the login attempts were legitimate or not. MITRE Tactic: TA0006 MITRE Technique: T1110

Documentation

Learn more about Coralogix's out-of-the-box integration with Auth0 in our documentation.

Read More
Schedule Demo