
Attack protection features manipulation - some attack protection features have been disabled.

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

This detection alerts when attack protection features have been disabled in the tenant's settings. This detection covers Suspicious IP Throttling, Breached Password Detection, and Brute-force protection.

MITRE ATT&CK coverage

Rule body (YAML)

title: Attack protection features manipulation - some attack protection features have been disabled.
id: 0325e11e-12ce-44e7-8d1f-3a64700a000a
status: experimental
description: |
    This detection alerts when attack protection features have been disabled in the tenant's settings.
    This detection covers Suspicious IP Throttling, Breached Password Detection, and Brute-force protection.
author: Okta
date: 2025-07-11
modified: 2025-09-01
logsource:
    product: auth0
detection:
    selection:
        data.type: sapi
        data.description:
            - Update Brute-force settings
            - Create or update the anomaly detection captcha
            - Update Suspicious IP Throttling settings
        data.details.request.body.enabled: 'false'
    filter:
        data.details.response.body.enabled:
            - false
    condition: selection and filter
explanation: >
    The query collects the events indicating modification of settings for the three listed features.
    When the response body contains 'enabled' set to 'false', this indicates that the corresponding feature has been turned off.
    The Splunk query below lists the attack protection features that have been turned off.
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    data.type=sapi data.description IN ("Update Suspicious IP Throttling settings",
    "Update Breached Password Detection settings", "Update Brute-force settings")
    | eval feature_type = case(
      'data.description'="Update Suspicious IP Throttling settings", "Suspicious IP Throttling",
      'data.description'="Update Breached Password Detection settings", "Breached Password Detection",
      'data.description'="Update Brute-force settings", "Brute-force"
      )
    ```Take only the last modifications of settings for each feature```
    | sort -_time
    | dedup feature_type
    | eval status = case ('data.details.response.body.enabled' = "false", "disabled",
    'data.details.response.body.enabled' = "true", "enabled")
    | fields _time, status, feature_type, data.ip
    ``` for reporting purposes remove the "where" clause below and it will display the current
    status of all three protection features```
    | where status = "disabled"
    ``` Display the results printing out timestamp, modifying IP, feature reference, and its status```
    | stats by _time, data.ip, feature_type, status
comments:
    - The Splunk query above shall be tuned to reflect a valid tenant name.
    - Adjust the detection to monitor the attack protection features in use.
    - Additionally, you can use this detection for reporting all changes to the breached password
      detection settings by removing the "where", "sort", and "dedup" clauses.
tenant_logs: |
    type: "sapi" AND (description: "Update Suspicious IP Throttling settings"
    OR description: "Update Breached Password Detection settings"
    OR description: "Update Brute-force settings")
prevention:
    - Control tenant admins, i.e. "Admin", as this role has permissions to modify attack protection settings.
    - Enforce MFA for tenant admins to reduce the risk of an adversary gaining access.
    - Control Management API scopes that allow modification of attack protection features - update:attack_protection.
    - Control usage of Management API from only trusted IPs by applying Network ACL scoped to "management".
falsepositives:
    - Legitimate updates by an administrator. This rule is designed for threat hunting and to be a starting point for further investigation.
level: medium
tags:
    - attack.defense-evasion
    - attack.t1562
    - attack.t1562.007
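
As an added example (not part of the rule or of the auth0-customer-detections repository), the Python below evaluates the Sigma condition "selection and filter" over constructed tenant-log events and reproduces the Splunk query's newest-change-per-feature reporting step. The nested event layout, timestamps and IP addresses are assumptions made for the sample.

```python
from datetime import datetime
# Descriptions the Sigma selection lists; the Auth0 log event type is always "sapi".
SELECTED_DESCRIPTIONS = {"Update Brute-force settings",
                         "Create or update the anomaly detection captcha",
                         "Update Suspicious IP Throttling settings"}

def _event(ts, desc, requested, resulted, ip):
    # Constructed Auth0 tenant-log shape (sample data, not from a real tenant).
    return {"data": {"date": ts, "type": "sapi", "ip": ip, "description": desc,
                     "details": {"request": {"body": {"enabled": requested}},
                                 "response": {"body": {"enabled": resulted}}}}}

SAMPLE_EVENTS = [  # request asks for a state; the response shows what Auth0 applied
    _event("2025-07-11T10:00:00Z", "Update Brute-force settings", False, False, "198.51.100.7"),
    _event("2025-07-11T10:05:00Z", "Update Suspicious IP Throttling settings", False, True, "198.51.100.7"),
    _event("2025-07-11T10:09:00Z", "Update Brute-force settings", True, True, "203.0.113.5"),
    _event("2025-07-11T10:12:00Z", "Create or update the anomaly detection captcha", False, False, "203.0.113.5"),
]

def _get(event, path):
    """Resolve a dotted Sigma field name such as data.details.request.body.enabled."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def _is_false(value):
    # The rule spells the request value 'false' (string) and the response value false
    # (boolean); Auth0 emits a JSON boolean, so both spellings are accepted here.
    return value is False or (isinstance(value, str) and value.lower() == "false")

def matches_rule(event):
    """'selection and filter' exactly as the Sigma condition is written."""
    selection = (_get(event, "data.type") == "sapi"
                 and _get(event, "data.description") in SELECTED_DESCRIPTIONS
                 and _is_false(_get(event, "data.details.request.body.enabled")))
    return selection and _is_false(_get(event, "data.details.response.body.enabled"))

def currently_disabled(events):
    """Newest change per feature (the Splunk sort/dedup step); keep those whose final state is off."""
    latest = {}
    for ev in events:
        if _get(ev, "data.type") != "sapi" or _get(ev, "data.description") not in SELECTED_DESCRIPTIONS:
            continue
        ts = datetime.fromisoformat(_get(ev, "data.date").replace("Z", "+00:00"))
        desc = _get(ev, "data.description")
        if desc not in latest or ts > latest[desc][0]:
            latest[desc] = (ts, ev)
    return sorted((desc, _get(ev, "data.ip")) for desc, (_, ev) in latest.items()
                  if _is_false(_get(ev, "data.details.response.body.enabled")))
```

Note that matches_rule fires on every disabling event, while currently_disabled reports only features still off after their latest change, which is what the "where status = disabled" clause of the Splunk query shows.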

Stages and Predicates

Stage 0: condition

selection and filter

Stage 1: selection

selection:
    data.type: sapi
    data.description:
        - Update Brute-force settings
        - Create or update the anomaly detection captcha
        - Update Suspicious IP Throttling settings
    data.details.request.body.enabled: 'false'

Stage 2: filter

filter:
    data.details.response.body.enabled:
        - false

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: data.description (kind: eq)
  • Create or update the anomaly detection captcha
  • Update Brute-force settings
  • Update Suspicious IP Throttling settings
Field: data.details.request.body.enabled (kind: eq)
  • false
Field: data.details.response.body.enabled (kind: eq)
  • false
Field: data.type (kind: eq)
  • sapi