Bot detection - the feature is turned off completely or some policies.
Detect when the Bot detection feature is not enforcing protection on any of the supported flows. This can allow malicious actors to conduct scripted attacks without being detected and blocked.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.007 Impair Defenses: Disable or Modify Cloud Firewall |
Rule body

````yaml
title: Bot detection - the feature is turned off completely or some policies.
id: dc37e695-df6f-439c-82aa-fe7127c5a3c3
status: experimental
description: |
  Detect when the Bot detection feature is not enforcing protection on any of the supported flows.
  This can allow malicious actors to conduct scripted attacks without being detected and blocked.
author: Okta
date: 2025-07-11
modified: 2025-09-01
logsource:
  product: auth0
detection:
  selection:
    data.type: sapi
    data.description:
      - Create or update the anomaly detection captcha
    data.details.response.statusCode:
      - 200
  filter_1:
    data.details.response.body.password_reset_policy: 'off'
  filter_2:
    data.details.response.body.passwordless_policy: 'off'
  filter_3:
    data.details.response.body.policy: 'off'
  condition: selection and (filter_1 or filter_2 or filter_3)
explanation: >
  The query collects the events indicating modification of the Bot Detection settings.
  When the response body contains "policy", "passwordless_policy", or "password_reset_policy" set to "off",
  protection is turned off for the respective flow, i.e. password login, passwordless login, or password reset.
  The Splunk query reports the IP the change was made from and the values of the listed policies.
splunk: |
  index=auth0 data.tenant_name="{your-tenant-name}"
  data.type=sapi data.details.response.statusCode=200
  data.description="Create or update the anomaly detection captcha"
  | fields data.ip, data.details.response.body.policy, data.details.response.body.passwordless_policy,
    data.details.response.body.password_reset_policy
  ```Take only the most recent configuration change, which reflects the current settings```
  | sort -_time
  | head 1
  | rename data.details.response.body.policy as pwd_login_signup
  | rename data.details.response.body.passwordless_policy as pwdless_login_signup
  | rename data.details.response.body.password_reset_policy as password_reset
  | fields _time, data.ip, pwd_login_signup, pwdless_login_signup, password_reset
  ```Keep only events where a bot detection policy has been turned off```
  | where ('pwd_login_signup'="off" OR 'pwdless_login_signup'="off" OR 'password_reset'="off")
  ```Display the information```
  | stats by _time, data.ip, pwd_login_signup, pwdless_login_signup, password_reset
comments:
  - The Splunk query above must be tuned with a valid tenant name.
  - Limit the detection to actions conducted from IPs that are not allowlisted and/or by particular users.
  - A possible extension of this detection is to monitor whether the CAPTCHA provider changes from, e.g., Auth Challenge
    to a simpler one, degrading the strength of protection.
  - Additionally, this detection can be used to report all changes to the bot detection
    settings by removing the "where" and "head" clauses.
tenant_logs: |
  type:"sapi" AND description:"Create or update the anomaly detection captcha"
prevention:
  - Control tenant admins, i.e. "Admin", as this role has permissions to modify any application.
  - Enforce MFA for tenant admins to reduce the risk of an adversary gaining access.
  - Control Management API scopes that allow modification of attack protection features (update:attack_protection).
  - Restrict Management API usage to trusted IPs by applying a Network ACL scoped to "management".
falsepositives:
  - Legitimate updates by an administrator. This rule is designed for threat hunting and as a starting point for further investigation.
level: medium
tags:
  - attack.defense-evasion
  - attack.t1562
  - attack.t1562.007
````
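As an added example (not Okta's code and not part of the rule), the following Python applies the selection and filter predicates above to constructed Auth0 log events, and then, like the Splunk query, keeps only the latest settings change to report which flows currently have bot detection off. The event shape, IPs and timestamps are assumptions made for the sample.

```python
CAPTCHA_EVENT = "Create or update the anomaly detection captcha"
# Field name in the response body -> flow it protects, per the rule's explanation.
POLICY_FLOWS = {"policy": "password login",
                "passwordless_policy": "passwordless login",
                "password_reset_policy": "password reset"}

def _sapi(date, ip, status, body):
    """Build a constructed event shaped like an Auth0 'sapi' tenant log entry (assumed shape)."""
    return {"date": date, "data": {"type": "sapi", "ip": ip, "description": CAPTCHA_EVENT,
                                   "details": {"response": {"statusCode": status, "body": body}}}}

# Constructed sample stream; IPs (RFC 5737 range) and timestamps are invented.
EVENTS = [
    _sapi("2025-07-10T09:00:00Z", "203.0.113.7", 200,
          {"policy": "high", "passwordless_policy": "high", "password_reset_policy": "high"}),
    _sapi("2025-07-11T14:30:00Z", "203.0.113.9", 200,
          {"policy": "off", "passwordless_policy": "high", "password_reset_policy": "off"}),
    _sapi("2025-07-11T14:31:00Z", "203.0.113.9", 403, {"policy": "off"}),  # rejected call
    {"date": "2025-07-11T14:32:00Z", "data": {"type": "slo", "ip": "203.0.113.9"}},  # unrelated
]

def get_path(event, dotted):
    """Resolve a Sigma dotted field name against the nested event dict (None if absent)."""
    for key in dotted.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def in_selection(event):
    """The rule's 'selection' block: a successful captcha-settings API call."""
    return (get_path(event, "data.type") == "sapi"
            and get_path(event, "data.description") == CAPTCHA_EVENT
            and get_path(event, "data.details.response.statusCode") == 200)

def matches_rule(event):
    """condition: selection and (filter_1 or filter_2 or filter_3)."""
    return in_selection(event) and any(
        get_path(event, f"data.details.response.body.{f}") == "off" for f in POLICY_FLOWS)

def current_unprotected_flows(events):
    """Like the Splunk query: keep only the latest settings change (it reflects the
    current state) and list the flows it leaves with bot detection off."""
    changes = sorted((e for e in events if in_selection(e)), key=lambda e: e["date"])
    if not changes:
        return None, []
    latest = changes[-1]
    off = [flow for field, flow in POLICY_FLOWS.items()
           if get_path(latest, f"data.details.response.body.{field}") == "off"]
    return get_path(latest, "data.ip"), off
```

Note that the per-event rule match and the "current state" view differ: a change that re-enables a policy does not match the rule, but it does clear the current-state report.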
Stages and Predicates

Stage 0: condition

selection and (filter_1 or filter_2 or filter_3)

Stage 1: selection

```yaml
selection:
  data.type: sapi
  data.description:
    - Create or update the anomaly detection captcha
  data.details.response.statusCode:
    - 200
```

Stage 2: filter_1

```yaml
filter_1:
  data.details.response.body.password_reset_policy: 'off'
```

Stage 3: filter_2

```yaml
filter_2:
  data.details.response.body.passwordless_policy: 'off'
```

Stage 4: filter_3

```yaml
filter_3:
  data.details.response.body.policy: 'off'
```
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| data.description | eq | Create or update the anomaly detection captcha |
| data.details.response.body.password_reset_policy | eq | off |
| data.details.response.body.passwordless_policy | eq | off |
| data.details.response.body.policy | eq | off |
| data.details.response.statusCode | eq | 200 |
| data.type | eq | sapi |