Auth0 Attack Protection Monitoring Disabled
An attack protection monitoring configuration was changed.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body

```yaml
AnalysisType: rule
Description: An attack protection monitoring configuration was changed.
DisplayName: "Auth0 Attack Protection Monitoring Disabled"
Enabled: true
Filename: auth0_attack_protection_disabled.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://github.com/auth0/auth0-customer-detections/tree/main/detections
Severity: High
Reports:
  MITRE ATT&CK:
    - TA0005:T1562
DedupPeriodMinutes: 60
LogTypes:
  - Auth0.Events
RuleID: "Auth0.AttackProtection.Disabled"
Threshold: 1
Tests:
  # IP Throttling
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Suspicious IP Throttling settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/suspicious-ip-throttling
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: false
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Auth0 IP Throttling Disabled
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Suspicious IP Throttling settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/suspicious-ip-throttling
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: true
            statusCode: 400
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Failed IP Throttling Update Event
  # Breached Password
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Breached Password Detection settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/breached-password-detection
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: false
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Auth0 Breached Password Protection Disabled
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Breached Password Detection settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/breached-password-detection
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: true
            statusCode: 400
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Failed Breached Password Update Event
  # Brute-Force
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Brute-force settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/brute-force-protection
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: false
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Auth0 Brute-Force Monitoring Disabled
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Brute-force settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/brute-force-protection
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: true
            statusCode: 400
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Failed Brute-Force Monitoring Disabled
  # Block shield disabled
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Suspicious IP Throttling settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/suspicious-ip-throttling
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: true
              shields: "user_notification"
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Disable Block Shield
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-03 14:09:32.149000000"
        description: "Update Suspicious IP Throttling settings"
        details:
          request:
            auth:
              credentials:
                jti: 0000000000ecaf1bfbadb06900d22049
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              enabled: true
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /v2/attack-protection/suspicious-ip-throttling
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              enabled: true
              shields: "block"
            statusCode: 400
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
      p_any_ip_addresses:
        - 12.12.12.12
      p_any_usernames:
        - google-oauth2|105261262156475850461
      p_event_time: "2023-05-23 20:47:51.149"
      p_log_type: Auth0.Events
      p_parse_time: "2023-05-23 20:49:28.671"
      p_row_id: 00000000004a745ce33b57be383c543e
      p_schema_version: 0
      p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
      p_source_label: Org Auth0 Tenant Label
    Name: Block Event Already Enabled
```
Detection logic
Condition
Every one of the following must hold for an event to match (the rule body's tests confirm that a rejected update, status 400, does not fire):

- `data.type eq "sapi"`
- the request updates one of the three attack-protection settings:
  - `data.description contains "Suspicious IP Throttling" and data.details.request.path eq "/v2/attack-protection/suspicious-ip-throttling"`, or
  - `data.description contains "Brute-force" and data.details.request.path eq "/v2/attack-protection/brute-force-protection"`, or
  - `data.description contains "Breached Password Detection" and data.details.request.path eq "/v2/attack-protection/breached-password-detection"`
- the response shows the protection switched off, or left on without its block shield:
  - `data.details.response.body.enabled eq "False" or data.details.response.body.enabled eq "disabled"`, or
  - `(data.details.response.body.enabled eq "True" or data.details.response.body.enabled eq "enabled") and data.details.response.body.shields ne "block"`
- `data.details.response.statusCode eq "200"`
- `data.details.request.channel eq "https://manage.auth0.com/"`
Indicators
Each row is a field, the operator applied to it, and the values the rule matches; the values are the ones used in the Condition above.
| Field | Kind | Values |
|---|---|---|
| data.description | contains | "Suspicious IP Throttling", "Brute-force", "Breached Password Detection" |
| data.details.request.channel | eq | "https://manage.auth0.com/" |
| data.details.request.path | eq | "/v2/attack-protection/suspicious-ip-throttling", "/v2/attack-protection/brute-force-protection", "/v2/attack-protection/breached-password-detection" |
| data.details.response.body.enabled | eq | "False", "disabled", "True", "enabled" |
| data.details.response.body.shields | ne | "block" |
| data.details.response.statusCode | eq | "200" |
| data.type | eq | "sapi" |
Output fields
Fields the rule emits when it matches, with the event field each one is read from.
| Field | Source |
|---|---|
| email | data.details.request.auth.user.email |
| shields | data.details.response.body.shields |
| enabled | data.details.response.body.enabled |
| description | data.description |
| p_source_label | p_source_label |
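The following is an added example, not the published `auth0_attack_protection_disabled.py` and not code from the Auth0 or Panther projects. It implements the Condition block above as a Panther-style `rule(event)` and the Output fields table as an `alert_context(event)`, then runs both over constructed `Auth0.Events` records shaped like the rule body's tests. The helpers `deep_get` and `make_event`, the sample e-mail and source label, and the handling of `shields` as either a string (as in the fixtures) or a list of shield names are assumptions of this example; the three description/path pairs and the channel value come from the page.

```python
"""Panther-style rule() for the Auth0 attack-protection conditions above.
Added example (assumptions: deep_get/make_event are local helpers, and
`shields` may arrive as a string or as a list of shield names)."""

MANAGEMENT_CHANNEL = "https://manage.auth0.com/"

# description fragment -> request path, exactly as paired in the Condition
PROTECTIONS = {
    "Suspicious IP Throttling": "/v2/attack-protection/suspicious-ip-throttling",
    "Brute-force": "/v2/attack-protection/brute-force-protection",
    "Breached Password Detection": "/v2/attack-protection/breached-password-detection",
}

def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def _flag(value):
    """true/'True'/'enabled' -> True; false/'False'/'disabled' -> False; else None."""
    text = str(value).strip().lower()
    if text in ("true", "enabled"):
        return True
    if text in ("false", "disabled"):
        return False
    return None

def _block_shield_active(shields):
    """Is the 'block' shield present, whether shields is a string or a list?"""
    if isinstance(shields, str):
        shields = [shields]
    return "block" in (shields or [])

def rule(event):
    data = event.get("data", {})
    if data.get("type") != "sapi":  # Management API success events only
        return False
    if deep_get(data, "details", "request", "channel") != MANAGEMENT_CHANNEL:
        return False  # only changes made through the dashboard
    if str(deep_get(data, "details", "response", "statusCode")) != "200":
        return False  # a rejected update (e.g. 400) changed nothing
    description = data.get("description", "")
    path = deep_get(data, "details", "request", "path")
    if not any(frag in description and path == p for frag, p in PROTECTIONS.items()):
        return False
    body = deep_get(data, "details", "response", "body", default={})
    enabled = _flag(body.get("enabled"))
    if enabled is False:
        return True  # protection switched off outright
    # still enabled, but without the block shield: attempts are only reported, not stopped
    return enabled is True and not _block_shield_active(body.get("shields"))

def alert_context(event):
    """The Output fields listed for this rule, read from the event."""
    data = event.get("data", {})
    body = deep_get(data, "details", "response", "body", default={})
    return {
        "email": deep_get(data, "details", "request", "auth", "user", "email"),
        "shields": body.get("shields"),
        "enabled": body.get("enabled"),
        "description": data.get("description"),
        "p_source_label": event.get("p_source_label"),
    }

def make_event(description, path, status_code, response_body, channel=MANAGEMENT_CHANNEL):
    """Constructed Auth0.Events record carrying only the fields the rule reads."""
    return {
        "data": {
            "type": "sapi",
            "description": description,
            "details": {
                "request": {
                    "auth": {"user": {"email": "admin@example.invalid"}},  # constructed
                    "channel": channel,
                    "path": path,
                },
                "response": {"body": response_body, "statusCode": status_code},
            },
        },
        "p_source_label": "Constructed Tenant",  # constructed
    }

# Constructed samples mirroring the rule body's tests (values are not real)
IP_THROTTLING_DISABLED = make_event("Update Suspicious IP Throttling settings",
    PROTECTIONS["Suspicious IP Throttling"], 200, {"enabled": False})
IP_THROTTLING_FAILED = make_event("Update Suspicious IP Throttling settings",
    PROTECTIONS["Suspicious IP Throttling"], 400, {"enabled": True})
BLOCK_SHIELD_REMOVED = make_event("Update Suspicious IP Throttling settings",
    PROTECTIONS["Suspicious IP Throttling"], 200,
    {"enabled": True, "shields": ["admin_notification"]})
BLOCK_SHIELD_KEPT = make_event("Update Brute-force settings",
    PROTECTIONS["Brute-force"], 200, {"enabled": True, "shields": ["block"]})
NOT_FROM_DASHBOARD = make_event("Update Breached Password Detection settings",
    PROTECTIONS["Breached Password Detection"], 200, {"enabled": False},
    channel="https://api.example.invalid/")
```

The `_flag` helper is what lets one rule accept both the boolean `enabled: false` seen in the fixtures and the string spellings (`"False"`, `"disabled"`) listed in the Condition; the shields check returns an alert whenever `block` is absent, so a tenant that keeps a protection "enabled" but drops to notification-only is still caught.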