Breached Password Detection - critical settings manipulated
Detects when Breached Password Detection has been disabled entirely or set to a monitoring mode in which no blocking occurs. Either change lets an attacker run credential stuffing against the tenant without being blocked.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.007 Impair Defenses: Disable or Modify Cloud Firewall |
Rule body

````yaml
title: Breached Password Detection - critical settings manipulated
id: 2a26d75e-43fd-4bc9-afb6-d3465068d869
status: experimental
description: |
  Detect when Breached Password Detection has been disabled entirely or set to a monitoring mode in which no blocking occurs.
  This allows malicious actors to conduct credential stuffing without being detected and blocked.
author: Okta
date: 2025-07-11
modified: 2025-09-01
logsource:
  product: auth0
detection:
  selection:
    data.type: sapi
    data.description:
      - Update Breached Password Detection settings
  filter_1:
    data.details.response.body.enabled: false
  filter_2:
    data.details.response.body.shields{}: 'block'
  filter_3:
    data.details.response.body.stage.pre-user-registration.shields{}: 'block'
  condition: (selection and filter_1) or (selection and not filter_2) or (selection and not filter_3)
explanation: >
  The query filters for modifications of the Breached Password Detection settings.
  It returns a record when the feature is completely disabled ("enabled" is false),
  or when it has been set into a monitoring mode, i.e. the "shields" attribute of the login flow
  or of the signup (pre-user-registration) flow no longer contains "block", so no response is enforced.
  Note that the Sigma condition fires as soon as either flow loses "block", whereas the Splunk query below
  alerts only when both flows are unprotected.
  The Splunk query considers only the last modification and displays the modifying IP, the state of the
  protection for the login and signup flows, and whether user notifications are switched on.
splunk: |
  index=auth0 data.tenant_name="{your-tenant-name}"
  data.type=sapi data.description="Update Breached Password Detection settings"
  ``` Excluding white-listed IPs (uncomment and fill in the list to activate) ```
  ``` NOT data.ip IN ("{white-listed-IPs}") ```
  | fields _time, data.ip, data.details.response.body.shields{}, data.details.response.body.enabled,
      data.details.response.body.stage.pre-user-registration.shields{}
  ``` Take only the last configuration change, which reflects the current settings ```
  | sort - _time
  | head 1
  | rename data.details.response.body.shields{} as login_shields
  | rename data.details.response.body.enabled as breached_protection_enabled
  | rename data.details.response.body.stage.pre-user-registration.shields{} as signup_shields
  ``` Encode the logic that decides which flows are still protected ```
  | eval user_notifications_on = if(isnotnull(mvfind(login_shields, "user_notification")), "true", "false")
  | eval login_flow_is_protected = if(isnotnull(mvfind(login_shields, "block")), "true", "false")
  | eval signup_flow_is_protected = if(isnotnull(mvfind(signup_shields, "block")), "true", "false")
  ``` Alert when breached password protection is completely disabled or all responses are disabled (login, signup). Note: the password reset flow is not covered for now. ```
  | where breached_protection_enabled = "false" OR (login_flow_is_protected = "false" AND signup_flow_is_protected = "false")
  ``` Display the information in a table ```
  | table _time, data.ip, breached_protection_enabled, login_flow_is_protected, signup_flow_is_protected, user_notifications_on
comments:
  - The Splunk query above must be adjusted to use your tenant name.
  - Limit the detection to actions conducted from non-white-listed IPs and/or to a particular admin user.
  - If needed, the "where" clause can be adjusted to alert when only one of the flows is unprotected.
  - You can also use this detection to report all changes of the breached password
    detection settings by removing the "where" and "head" clauses.
tenant_logs: |
  type: "sapi" AND description: "Update Breached Password Detection settings"
prevention:
  - Restrict who holds the tenant "Admin" role, as this role has permission to modify any tenant configuration.
  - Enforce MFA for tenant admins to reduce the risk of an adversary gaining access.
  - Control which Management API clients hold the scope that allows modification of attack protection features, update:attack_protection.
  - Restrict usage of the Management API to trusted IPs by applying a Network ACL scoped to "management".
falsepositives:
  - Legitimate updates by an administrator. This rule is designed for threat hunting and as a starting point for further investigation.
level: medium
tags:
  - attack.defense-evasion
  - attack.t1562
  - attack.t1562.007
````
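To make the difference between the Sigma condition and the Splunk "where" clause concrete, the following added example (written for this page, not code from Okta or the Auth0 project) evaluates both over a handful of constructed tenant-log events. The field paths are the ones the rule references; the events, IPs, timestamps and the helper names `sigma_matches`, `splunk_row` and `splunk_alert` are assumptions made for the example, and the events assume that each settings change echoes the resulting configuration in `data.details.response.body`.

```python
"""Added example: run the rule's Sigma condition and the Splunk query's logic
over constructed Auth0 tenant-log events (not real logs)."""
from typing import Any, Optional

UPDATE_DESCRIPTION = "Update Breached Password Detection settings"


def _event(date: str, ip: str, description: str, body: dict) -> dict:
    """Build one constructed tenant-log event in the shape the rule's field paths expect."""
    return {"data": {"date": date, "ip": ip, "type": "sapi", "description": description,
                     "details": {"response": {"body": body}}}}


# Constructed sample events, oldest first (assumption: one record per settings change).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # 1. both flows still block: benign change
    _event("2025-09-01T10:00:00Z", "203.0.113.10", UPDATE_DESCRIPTION,
           {"enabled": True, "shields": ["block", "admin_notification", "user_notification"],
            "stage": {"pre-user-registration": {"shields": ["block", "admin_notification"]}}}),
    # 2. feature switched off entirely
    _event("2025-09-01T11:00:00Z", "198.51.100.7", UPDATE_DESCRIPTION,
           {"enabled": False, "shields": ["block"],
            "stage": {"pre-user-registration": {"shields": ["block"]}}}),
    # 3. monitoring mode: enabled, but neither flow blocks any more
    _event("2025-09-01T12:00:00Z", "198.51.100.7", UPDATE_DESCRIPTION,
           {"enabled": True, "shields": ["admin_notification"],
            "stage": {"pre-user-registration": {"shields": ["admin_notification"]}}}),
    # 4. only the signup flow lost "block"
    _event("2025-09-01T13:00:00Z", "203.0.113.10", UPDATE_DESCRIPTION,
           {"enabled": True, "shields": ["block", "admin_notification"],
            "stage": {"pre-user-registration": {"shields": ["admin_notification"]}}}),
    # 5. unrelated Management API change, must not match the selection
    _event("2025-09-01T14:00:00Z", "203.0.113.10", "Update tenant settings",
           {"friendly_name": "example"}),
]


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted Splunk-style field path; the `{}` suffix marks a multivalue field."""
    cur: Any = event
    for part in path.split("."):
        part = part[:-2] if part.endswith("{}") else part
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def has_block(event: dict, path: str) -> bool:
    """True when the multivalue shields field at `path` contains the value "block"."""
    shields = get_field(event, path)
    return isinstance(shields, list) and "block" in shields


def selection(event: dict) -> bool:
    """The rule's `selection`: a sapi event for the breached-password settings update."""
    return (get_field(event, "data.type") == "sapi"
            and get_field(event, "data.description") == UPDATE_DESCRIPTION)


def sigma_matches(event: dict) -> bool:
    """(selection and filter_1) or (selection and not filter_2) or (selection and not filter_3)."""
    if not selection(event):
        return False
    filter_1 = get_field(event, "data.details.response.body.enabled") is False
    filter_2 = has_block(event, "data.details.response.body.shields{}")
    filter_3 = has_block(event, "data.details.response.body.stage.pre-user-registration.shields{}")
    return filter_1 or not filter_2 or not filter_3


def splunk_row(event: dict) -> dict:
    """The rename/eval stage of the SPL: derive the per-flow protection state of one event."""
    login = get_field(event, "data.details.response.body.shields{}") or []
    signup = get_field(event, "data.details.response.body.stage.pre-user-registration.shields{}") or []
    return {
        "_time": get_field(event, "data.date"),
        "data.ip": get_field(event, "data.ip"),
        # SPL compares the raw field with "false"; a missing field therefore counts as enabled
        "breached_protection_enabled": get_field(event, "data.details.response.body.enabled") is not False,
        "login_flow_is_protected": "block" in login,
        "signup_flow_is_protected": "block" in signup,
        "user_notifications_on": "user_notification" in login,
    }


def splunk_alert(events: list, allowlisted_ips: tuple = (), any_flow: bool = False) -> Optional[dict]:
    """Mirror the SPL: base search, IP exclusion, `sort - _time | head 1`, then the `where` clause.
    any_flow=True is the page's suggested tweak that alerts when only one flow is unprotected."""
    candidates = [e for e in events if selection(e) and get_field(e, "data.ip") not in allowlisted_ips]
    if not candidates:
        return None
    row = splunk_row(max(candidates, key=lambda e: get_field(e, "data.date")))
    protected = (row["login_flow_is_protected"], row["signup_flow_is_protected"])
    flows_down = not all(protected) if any_flow else not any(protected)
    return row if (not row["breached_protection_enabled"] or flows_down) else None


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: sigma_matches={sigma_matches(e)}")
    print("splunk (latest change only):", splunk_alert(SAMPLE_EVENTS))
    print("splunk, 203.0.113.10 allow-listed:", splunk_alert(SAMPLE_EVENTS, ("203.0.113.10",)))
```

Running it shows the gap the rule text leaves open: event 4 (signup flow alone set to monitoring) matches the Sigma condition, but the Splunk query, which only looks at the latest change and requires both flows to be unprotected, returns nothing until either the allow-list removes that change from view or `any_flow` is switched on.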
Stages and Predicates
Stage 0: condition
(selection and filter_1) or (selection and not filter_2) or (selection and not filter_3)
Stage 1: selection
selection:
data.type: sapi
data.description:
- Update Breached Password Detection settings
Stage 2: filter_1
filter_1:
data.details.response.body.enabled: false
Stage 3: selection
selection:
data.type: sapi
data.description:
- Update Breached Password Detection settings
Stage 4: not filter_2
filter_2:
data.details.response.body.shields{}: 'block'
Stage 5: selection
selection:
data.type: sapi
data.description:
- Update Breached Password Detection settings
Stage 6: not filter_3
filter_3:
data.details.response.body.stage.pre-user-registration.shields{}: 'block'
Exclusions
Negated predicates in the condition: the "not filter_2" and "not filter_3" branches match only when the field does NOT carry the listed value, i.e. when "block" is absent from the shields of the respective flow.
| Field | Kind | Excluded values |
|---|---|---|
| data.details.response.body.shields{} | eq | block |
| data.details.response.body.stage.pre-user-registration.shields{} | eq | block |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| data.description | eq | Update Breached Password Detection settings |
| data.details.response.body.enabled | eq | false |
| data.type | eq | sapi |