Auth0 Rapid Dynamic Client Creation
Detects a spike in registered dynamic clients. This can indicate attempts to use such dynamic clients for malicious purposes.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136 Create Account |
Rule body

```yaml
AnalysisType: rule
RuleID: "Auth0.Rapid.DynamicClient.Creation"
Filename: auth0_rapid_dynamic_client_creation.py
LogTypes:
  - Auth0.Events
DisplayName: "Auth0 Rapid Dynamic Client Creation"
Description: Detects a spike in registered dynamic clients. This can indicate attempts to use such dynamic clients for malicious purposes.
Severity: High
Reports:
  MITRE ATT&CK:
    - TA0003:T1136
Enabled: True
Reference: https://github.com/auth0/auth0-customer-detections/blob/main/detections/rapid_creation_of_clients_with_dynamic_registration.yml
DedupPeriodMinutes: 60
Threshold: 15
Tests:
  - ExpectedResult: true
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-10 10:27:51.149000000"
        description: Dynamic client registration
        details:
          request:
            auth:
              credentials:
                jti: 0000000000311abf72f7a0ce7a303592
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /api/v2/integrations/installed
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
              client_id: 64bee519-818f-4473-ab08-7c380f28da77
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
    Name: Auth0 Excessive Number of Dynamic Client Registered
  - ExpectedResult: false
    Log:
      data:
        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
        client_name: ""
        date: "2025-10-10 10:27:51.149000000"
        description: Guardian - Enrollment complete (sms)
        details:
          request:
            auth:
              credentials:
                jti: 0000000000311abf72f7a0ce7a303592
                strategy: jwt
              user:
                email: denethor@lotr.com
                name: Homer Simpson
                user_id: google-oauth2|105261262156475850461
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
            channel: https://manage.auth0.com/
            ip: 12.12.12.12
            method: post
            path: /api/v2/integrations/installed
            query: {}
            userAgent: >-
              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
              (KHTML, like Gecko) Chrome/1.2.3.4 Safari/537.36
          response:
            body:
              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
              client_id: 64bee519-818f-4473-ab08-7c380f28da77
            statusCode: 200
        ip: 12.12.12.12
        log_id: "90020230523204756343781000000000000001223372037583230452"
        type: sapi
        user_agent: >-
          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
          like Gecko) Chrome/1.2.3.4 Safari/537.36
        user_id: google-oauth2|105261262156475850461
      log_id: "90020230523204756343781000000000000001223372037583230452"
    Name: Other Event
```
Detection logic
Condition (all three must hold for an event to match; the rule then alerts once at least `Threshold: 15` matches fall inside one `DedupPeriodMinutes: 60` window)

- data.details.request.channel eq "https://manage.auth0.com/"
- data.type eq "sapi"
- data.description eq "Dynamic client registration"
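The page names `auth0_rapid_dynamic_client_creation.py` but does not show it. The following is an added, stand-alone reconstruction (not the rule file from Panther's repository) of the three conditions above as a Panther-style `rule(event)`, an `alert_context` that returns the two output fields listed further down, and a small replay loop that approximates how `Threshold: 15` combined with `DedupPeriodMinutes: 60` turns individual matches into one alert. Assumptions: events are plain dicts and a local `deep_get` stands in for Panther's helper; the dedup key (actor `user_id`) and the window-reset logic are my choices for illustration, not Panther engine internals; all sample events are constructed.

```python
"""Added example: Auth0 rapid dynamic-client-registration detection.

Not the page's auth0_rapid_dynamic_client_creation.py. Events are plain
dicts; deep_get below replaces Panther's helper (assumption). The
threshold replay is an approximation of Panther's Threshold +
DedupPeriodMinutes semantics, written here for illustration only.
"""
from datetime import datetime, timedelta

THRESHOLD = 15                         # rule body: Threshold: 15
DEDUP_PERIOD = timedelta(minutes=60)   # rule body: DedupPeriodMinutes: 60
MANAGE_CHANNEL = "https://manage.auth0.com/"


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """One Auth0.Events record matches when all three page conditions hold."""
    return (
        deep_get(event, "data", "details", "request", "channel") == MANAGE_CHANNEL
        and deep_get(event, "data", "type") == "sapi"
        and deep_get(event, "data", "description") == "Dynamic client registration"
    )


def dedup(event):
    """Assumed dedup key: the acting user, so the threshold counts one actor's burst."""
    return deep_get(event, "data", "details", "request", "auth", "user", "user_id",
                    default="unknown")


def alert_context(event):
    """The two output fields the page lists (description and response client_id)."""
    return {
        "description": deep_get(event, "data", "description"),
        "client_id": deep_get(event, "data", "details", "response", "body", "client_id"),
    }


def parse_date(event):
    """Auth0 dates carry nanoseconds ("...51.149000000"); keep microseconds for strptime."""
    return datetime.strptime(deep_get(event, "data", "date")[:26], "%Y-%m-%d %H:%M:%S.%f")


def alerts_over_threshold(events, threshold=THRESHOLD, period=DEDUP_PERIOD):
    """Replay events in time order and emit one (key, time, count) alert per
    dedup key per period once matches inside that period reach the threshold.
    Approximation of Panther's behaviour, not its engine."""
    windows = {}   # dedup key -> (window_start, match_count, already_alerted)
    alerts = []
    for ev in sorted(events, key=parse_date):
        if not rule(ev):
            continue               # non-matching events never count
        key, ts = dedup(ev), parse_date(ev)
        start, count, alerted = windows.get(key, (ts, 0, False))
        if ts - start >= period:   # window expired: start a fresh one
            start, count, alerted = ts, 0, False
        count += 1
        if count >= threshold and not alerted:
            alerts.append((key, ts, count))
            alerted = True         # further matches in this window are deduplicated
        windows[key] = (start, count, alerted)
    return alerts


def make_event(description, seconds_offset,
               user_id="google-oauth2|105261262156475850461", channel=MANAGE_CHANNEL):
    """Constructed sample event shaped like the page's test fixture."""
    ts = datetime(2025, 10, 10, 10, 27, 51) + timedelta(seconds=seconds_offset)
    return {"data": {
        "date": ts.strftime("%Y-%m-%d %H:%M:%S.%f") + "000",
        "description": description,
        "type": "sapi",
        "details": {
            "request": {"channel": channel, "auth": {"user": {"user_id": user_id}}},
            "response": {"body": {"client_id": "constructed-client-%d" % seconds_offset}},
        },
    }}


if __name__ == "__main__":
    burst = [make_event("Dynamic client registration", i) for i in range(15)]
    burst.append(make_event("Guardian - Enrollment complete (sms)", 15))
    for key, ts, count in alerts_over_threshold(burst):
        print("ALERT", key, ts, count, alert_context(burst[0]))
```

Two behaviours worth noticing when tuning this rule: a slow drip of registrations (one every few minutes for over an hour) never reaches 15 inside one window and so produces no alert, which is the trade-off `Threshold` buys against noise; and because the dedup key here is the actor, two actors each registering 15 clients raise two separate alerts rather than one.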
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| data.description | eq | "Dynamic client registration" |
| data.details.request.channel | eq | "https://manage.auth0.com/" |
| data.type | eq | "sapi" |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| description | data.description |
| client_id | data.details.response.body.client_id |
| p_source_label | |