Detection rules › Panther
Auth0 Fraud Risk by Volume
Detects a surge in failed logins, successful logins, or sign-up attempts that use a leaked password, counted over a time window against a threshold. Exceeding the threshold may indicate fraud.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136 Create Account |
Rule body

```yaml
AnalysisType: rule
RuleID: "Auth0.FraudRisk.Volume"
Filename: auth0_fraud_risk_volume.py
LogTypes:
  - Auth0.Events
DisplayName: "Auth0 Fraud Risk by Volume"
Description: Detects a surge in either failed, successful or suspicious login attempts using leaked passwords over a window of time and a threshold. Exceeding set threshold may indicate potential fraud.
Enabled: true
Severity: High
Reports:
  MITRE ATT&CK:
    - TA0003:T1136
Reference: https://github.com/auth0/auth0-customer-detections/blob/main/detections/risk_of_signup_fraud_by_volume.yml
DedupPeriodMinutes: 60
Threshold: 20
Tests:
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-10 10:27:51.149000000"
        description: Someone behind the IP address ip attempted to login with a leaked password.
        details:
          request:
            auth:
              credentials:
                jti: 0000000000311abf72f7a0ce7a303592
              strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /api/v2/integrations/installed
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: signup_pwd_leak
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
    Name: Auth0 Sign-up Password Leak Event
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2023-05-23 20:47:51.149000000"
        description: Install an available integration
        details:
          request:
            auth:
              credentials:
                jti: 0000000000326251194afdc164440a73
                scopes:
                  - create:actions
                  - create:actions_log_sessions
                  - create:authentication_methods
                  - create:client_credentials
                  - create:client_grants
                  - create:clients
                  - create:connections
                  - create:custom_domains
                  - create:email_provider
                  - create:email_templates
                  - create:guardian_enrollment_tickets
                  - create:integrations
                  - create:log_streams
                  - create:organization_connections
                  - create:organization_invitations
                  - create:organization_member_roles
                  - create:organization_members
                  - create:organizations
                  - create:requested_scopes
                  - create:resource_servers
                  - create:roles
                  - create:rules
                  - create:shields
                  - create:signing_keys
                  - create:tenant_invitations
                  - create:test_email_dispatch
                  - create:users
                  - delete:actions
                  - delete:anomaly_blocks
                  - delete:authentication_methods
                  - delete:branding
                  - delete:client_credentials
                  - delete:client_grants
                  - delete:clients
                  - delete:connections
                  - delete:custom_domains
                  - delete:device_credentials
                  - delete:email_provider
                  - delete:email_templates
                  - delete:grants
                  - delete:guardian_enrollments
                  - delete:integrations
                  - delete:log_streams
                  - delete:organization_connections
                  - delete:organization_invitations
                  - delete:organization_member_roles
                  - delete:organization_members
                  - delete:organizations
                  - delete:owners
                  - delete:requested_scopes
                  - delete:resource_servers
                  - delete:roles
                  - delete:rules
                  - delete:rules_configs
                  - delete:shields
                  - delete:tenant_invitations
                  - delete:tenant_members
                  - delete:tenants
                  - delete:users
                  - read:actions
                  - read:anomaly_blocks
                  - read:attack_protection
                  - read:authentication_methods
                  - read:branding
                  - read:checks
                  - read:client_credentials
                  - read:client_grants
                  - read:client_keys
                  - read:clients
                  - read:connections
                  - read:custom_domains
                  - read:device_credentials
                  - read:email_provider
                  - read:email_templates
                  - read:email_triggers
                  - read:entity_counts
                  - read:grants
                  - read:guardian_factors
                  - read:insights
                  - read:integrations
                  - read:log_streams
                  - read:logs
                  - read:mfa_policies
                  - read:organization_connections
                  - read:organization_invitations
                  - read:organization_member_roles
                  - read:organization_members
                  - read:organizations
                  - read:prompts
                  - read:requested_scopes
                  - read:resource_servers
                  - read:roles
                  - read:rules
                  - read:rules_configs
                  - read:shields
                  - read:signing_keys
                  - read:stats
                  - read:tenant_invitations
                  - read:tenant_members
                  - read:tenant_settings
                  - read:triggers
                  - read:users
                  - run:checks
                  - update:actions
                  - update:attack_protection
                  - update:authentication_methods
                  - update:branding
                  - update:client_credentials
                  - update:client_grants
                  - update:client_keys
                  - update:clients
                  - update:connections
                  - update:custom_domains
                  - update:email_provider
                  - update:email_templates
                  - update:email_triggers
                  - update:guardian_factors
                  - update:integrations
                  - update:log_streams
                  - update:mfa_policies
                  - update:organization_connections
                  - update:organizations
                  - update:prompts
                  - update:requested_scopes
                  - update:resource_servers
                  - update:roles
                  - update:rules
                  - update:rules_configs
                  - update:shields
                  - update:signing_keys
                  - update:tenant_members
                  - update:tenant_settings
                  - update:triggers
                  - update:users
              strategy: jwt
              user:
                email: john@justice.org
                name: User Name
                user_id: google-oauth2|105261262156475850461
            body:
              AfterAuthentication: false
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: patch
            path: /api/v2/risk-assessment/config
            query: {}
            userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              AfterAuthentication: false
              BeforeLoginPrompt: false
              BeforeLoginPromptMonitoring: false
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
    Name: Other Event
```
Detection logic
Condition
`data.type in ["fs", "ss", "signup_pwd_leak"]`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| data.type | in | fs, ss, signup_pwd_leak |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| email | data.details.request.auth.user.email |
| type | data.type |
| p_source_label | |
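The condition above and the output fields table can be tied together in a small stand-alone re-implementation. The following is an added example written here, not the rule's own `auth0_fraud_risk_volume.py` and not Panther code: it reproduces the `data.type` membership test as a Panther-style `rule(event)` function, returns the two listed output fields (`email`, `type`) from `alert_context`, and adds a toy window counter (`count_alerts`) that models how `Threshold: 20` and `DedupPeriodMinutes: 60` turn individual matches into a single alert. `deep_get`, `event_time`, `make_event` and the sample events are local helpers and constructed data, not the product's API; the event shape follows the test logs on this page, and the rolling-window semantics are a simplification of Panther's threshold handling, labelled as such in the code.

```python
"""Added example: re-implements the Auth0.FraudRisk.Volume condition and a
simplified Threshold/DedupPeriodMinutes volume model. Not Panther's code."""
from datetime import datetime, timedelta

# Event types from the rule condition: failed login, successful login,
# and sign-up attempted with a known-leaked password.
FRAUD_RISK_TYPES = {"fs", "ss", "signup_pwd_leak"}
THRESHOLD = 20                        # Threshold from the rule body
DEDUP_PERIOD = timedelta(minutes=60)  # DedupPeriodMinutes from the rule body


def deep_get(obj, *keys, default=None):
    """Local helper (stands in for Panther's deep_get): walk nested dicts safely."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def rule(event):
    """Panther-style rule function: True when data.type is one of the risky types."""
    return deep_get(event, "data", "type") in FRAUD_RISK_TYPES


def alert_context(event):
    """The two output fields listed on the page: actor email and event type."""
    return {
        "email": deep_get(event, "data", "details", "request", "auth", "user", "email"),
        "type": deep_get(event, "data", "type"),
    }


def event_time(event):
    """Parse Auth0's data.date (nanosecond fraction) into a datetime.
    strptime's %f only takes 6 digits, so the fraction is truncated to microseconds."""
    base, _, frac = deep_get(event, "data", "date", default="").partition(".")
    micros = int((frac + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(microsecond=micros)


def count_alerts(events, threshold=THRESHOLD, window=DEDUP_PERIOD):
    """Simplified volume model (assumption, not Panther's exact algorithm):
    matches are counted in a window that opens at the first match; when the
    count reaches `threshold` one alert fires; a match outside the window opens
    a new one. Returns (alerts_fired, total_matches)."""
    alerts = matches = 0
    window_start, window_count = None, 0
    for ev in sorted(events, key=event_time):
        if not rule(ev):
            continue
        matches += 1
        ts = event_time(ev)
        if window_start is None or ts - window_start > window:
            window_start, window_count = ts, 0
        window_count += 1
        if window_count == threshold:   # fire exactly once per window
            alerts += 1
    return alerts, matches


def make_event(event_type, date, email="denethor@lotr.com"):
    """Constructed Auth0.Events-shaped sample (shape taken from the page's test logs)."""
    return {"data": {"type": event_type, "date": date, "ip": "12.12.12.12",
                     "details": {"request": {"auth": {"user": {"email": email}}}}}}


# Constructed burst: 25 leaked-password sign-ups in 25 minutes, one unrelated
# management-API event, and one failed login two hours later (a new window).
SAMPLE_EVENTS = (
    [make_event("signup_pwd_leak", f"2025-10-10 10:{m:02d}:00.000000000") for m in range(25)]
    + [make_event("sapi", "2025-10-10 10:05:00.000000000")]
    + [make_event("fs", "2025-10-10 12:30:00.000000000")]
)

if __name__ == "__main__":
    fired, matched = count_alerts(SAMPLE_EVENTS)
    print(f"matches={matched} alerts={fired}")
    print(alert_context(SAMPLE_EVENTS[0]))
```

Run on the constructed burst, the 25 leaked-password events produce 26 matches in total (the later `fs` event also matches) but only one alert, because the threshold is reached once inside the 60-minute window and the lone failed login two hours later never reaches it; the `sapi` event, like the page's second test case, never matches.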