Detection rules › Panther
Auth0 Push Notification Fatigue
Push notifications threshold exceeded for a user. It may indicate a push notification fatigue attempt.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1621 Multi-Factor Authentication Request Generation |
Rule body yaml
AnalysisType: rule
Description: Push notifications threshold exceeded for a user. It may indicate a push notification fatigue attempt.
DisplayName: "Auth0 Push Notification Fatigue"
Enabled: true
Filename: auth0_push_notification_fatigue.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://github.com/auth0/auth0-customer-detections/tree/main/detections
Severity: High
Reports:
MITRE ATT&CK:
- TA0006:T1621
DedupPeriodMinutes: 30
LogTypes:
- Auth0.Events
RuleID: "Auth0.PushNotification.Fatigue"
Threshold: 5
Tests:
- ExpectedResult: true
Log:
data:
client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
client_name: ""
date: "2025-10-03 14:09:32.149000000"
description: "Push notification for MFA successfully sent"
details:
request:
auth:
credentials:
jti: 0000000000ecaf1bfbadb06900d22049
strategy: jwt
user:
email: denethor@lotr.com
name: Homer Simpson
user_id: google-oauth2|105261262156475850461
body:
enabled: true
channel: https://manage.auth0.com/
ip: 12.12.12.12
method: post
path: /v2/attack-protection/push-notification
query: {}
userAgent: >-
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
response:
body: []
statusCode: 200
ip: 12.12.12.12
log_id: "90020230523204756343781000000000000001223372037583230452"
type: "gd_send_pn"
user_agent: >-
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/1.2.3.4 Safari/537.36
user_id: google-oauth2|105261262156475850461
log_id: "90020230523204756343781000000000000001223372037583230452"
p_any_ip_addresses:
- 12.12.12.12
p_any_usernames:
- google-oauth2|105261262156475850461
p_event_time: "2023-05-23 20:47:51.149"
p_log_type: Auth0.Events
p_parse_time: "2023-05-23 20:49:28.671"
p_row_id: 00000000004a745ce33b57be383c543e
p_schema_version: 0
p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
p_source_label: Org Auth0 Tenant Label
Name: Push Notification Fatigue
- ExpectedResult: false
Log:
data:
client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
client_name: ""
date: "2025-10-03 14:09:32.149000000"
description: "Create or update the anomaly detection captcha"
details:
request:
auth:
credentials:
jti: 0000000000ecaf1bfbadb06900d22049
strategy: jwt
user:
email: denethor@lotr.com
name: Homer Simpson
user_id: google-oauth2|105261262156475850461
body:
enabled: true
channel: https://manage.auth0.com/
ip: 12.12.12.12
method: post
path: /v2/attack-protection/bot-detection
query: {}
userAgent: >-
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
response:
body:
policy: on
statusCode: 200
ip: 12.12.12.12
log_id: "90020230523204756343781000000000000001223372037583230452"
type: sapi
user_agent: >-
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/1.2.3.4 Safari/537.36
user_id: google-oauth2|105261262156475850461
log_id: "90020230523204756343781000000000000001223372037583230452"
p_any_ip_addresses:
- 12.12.12.12
p_any_usernames:
- google-oauth2|105261262156475850461
p_event_time: "2023-05-23 20:47:51.149"
p_log_type: Auth0.Events
p_parse_time: "2023-05-23 20:49:28.671"
p_row_id: 00000000004a745ce33b57be383c543e
p_schema_version: 0
p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36
p_source_label: Org Auth0 Tenant Label
Name: Other Event
Detection logic
Condition
data.type eq "gd_send_pn"
data.details.request.channel eq "https://manage.auth0.com/"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
data.details.request.channel | eq |
|
data.type | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
email | data.details.request.auth.user.email |