
Excessive or unexpected Management API scope grants on applications

Status
experimental
Severity
medium
Author
Okta
Source
github.com/auth0/auth0-customer-detections

Detects when applications have been granted an excessive and potentially over-permissive set of Management API scopes. Monitoring these applications helps reduce the risk of exploitation by a threat actor leveraging over-privileged compromised machine-to-machine accounts.

MITRE ATT&CK coverage

Rule body (yaml)

title: Excessive or unexpected Management API scope grants on applications
id: 93c38bb9-da49-4ca5-8d8b-4d3d997b66e8
status: experimental
description: |
    Detects when applications have been granted an excessive and potentially over-permissive set of Management API scopes.
    Monitoring these applications helps reduce the risk of exploitation by a threat actor leveraging over-privileged compromised machine-to-machine accounts.
author: Okta
date: 2025-10-31
modified: 2025-10-31
logsource:
    product: auth0
detection:
    selection:
        data.type: sapi
    filter_auth0_dashboard:
        data.client_id: '{global_client_id}' # The Global Client ID corresponding to the Auth0 Dashboard (quoted so the placeholder is not parsed as a YAML mapping)
    condition: selection and not filter_auth0_dashboard
explanation: >
    This detection monitors Management API (sapi) calls to capture a real-time snapshot of the effective scopes accessible by an application.
    This process allows security teams to identify applications with over-privileged access.
    The rule explicitly excludes monitoring the Auth0 Dashboard (identified by its Global Client ID) as it is inherently granted all sensitive Management API scopes for administrative purposes.
    The accompanying Splunk query offers two options for identifying high-risk applications:
    **Option 1**: Triggers an alert when the total count of granted scopes exceeds a defined threshold ({threshold_for_max_number_of_scopes}).
    This flags applications with overly broad permissions.
    **Option 2**: Reports any application found to have at least one scope from a list of highly sensitive or critical scopes ({list_of_monitored_scopes}).
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    data.type = sapi
    ``` Exclude the client that corresponds to the Auth0 Dashboard (Global Client ID) ```
    NOT data.client_id = {global_client_id} ``` Settings --> Advanced --> scroll to "Global Client Information" ```
    ``` Collect scopes reported in log entries ```
    | spath data.details.request.auth.credentials.scopes{}
    | rename data.details.request.auth.credentials.scopes{} as accessible_scopes
    | fields accessible_scopes data.client_id data.description
    | where isNotNull(accessible_scopes)
    ``` Option 1 - Clients with an excessive number of granted scopes (least privilege violation) ```
    | eval count_scopes = mvcount(accessible_scopes)
    | where count_scopes > {threshold_for_max_number_of_scopes} ``` e.g. 10 ```
    ``` Option 2 - Alert if highly sensitive or critical permissions are found (focus on high-risk actions); keep this filter and drop the Option 1 "where" to use it on its own ```
    | eval monitored_scopes = {list_of_monitored_scopes} ``` for example, "delete:users,create:users" ```
    ``` Join the multivalue scope list and keep events where any monitored scope is present ```
    | where match(mvjoin(accessible_scopes, ","), replace(monitored_scopes, ",", "|"))
    ``` Print the result ```
    | table data.client_id data.description accessible_scopes count_scopes
comments:
    - The placeholders in the Splunk query (`{your-tenant-name}`, `{global_client_id}`, `{threshold_for_max_number_of_scopes}`
      and `{list_of_monitored_scopes}`) must be replaced with your tenant's actual values before deployment.
tenant_logs: |
    type: sapi
prevention:
    - Enforce the principle of Least Privilege for all applications accessing the Management API, granting only the minimum necessary scopes.
    - Strictly control and review tenant admin roles, e.g. "Admin", as these roles have permissions to modify applications.
    - Enforce MFA for tenant admins to reduce the risk of an adversary gaining access.
    - Use the Auth0 Network ACL feature to limit calls to the Management API (the "management" scope) to trusted, static IP ranges only.
    - Minimize or prohibit the use of the most dangerous scopes, e.g., those allowing mass user/client modification/deletion, such as delete:users, update:clients.
falsepositives:
    - Legitimate activity from applications that require broad permissions for valid operational reasons.
    - Requests generated by the Auth0 Dashboard, which acts as the tenant's Global Client.
      Its client_id can be found in Settings --> Advanced --> scroll down to "Global Client Information".
level: medium
tags:
    - attack.defense-evasion
    - attack.t1562
    - attack.t1562.007
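The Splunk query in the rule body expresses the two checks in SPL. The Python below is an added example, not code from the rule or from the auth0-customer-detections repository: it applies the same `sapi` selection, the Global Client exclusion, Option 1 (scope count over a threshold) and Option 2 (any scope from a monitored list) to constructed Auth0 tenant-log records, so the logic can be run and checked offline. The placeholder values (`GLOBAL_CLIENT_ID`, the threshold of 10 and the monitored list `delete:users,create:users`) are assumptions taken from the rule's own example placeholders, and the record shape follows the field path the query reads (`data.details.request.auth.credentials.scopes`).

```python
"""Offline re-implementation of the two checks in the rule's Splunk query.

Added example, not the rule's own code. Constructed Auth0 tenant-log records
(data.type == "sapi") are filtered the way the query filters them, the Auth0
Dashboard's Global Client is dropped, and Option 1 / Option 2 are applied.
The placeholder settings below are assumptions, not real tenant values.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumed placeholder settings; the rule expects your tenant's real values.
GLOBAL_CLIENT_ID = "GLOBAL_CLIENT_ID_PLACEHOLDER"
THRESHOLD_FOR_MAX_NUMBER_OF_SCOPES = 10
LIST_OF_MONITORED_SCOPES = "delete:users,create:users"


@dataclass
class Finding:
    """One row of the rule's output table, plus why the event was flagged."""
    client_id: str
    description: str
    accessible_scopes: List[str]
    count_scopes: int
    reasons: List[str] = field(default_factory=list)


def _accessible_scopes(record: Dict) -> Optional[List[str]]:
    """Mirror `spath data.details.request.auth.credentials.scopes{}`.

    Returns None when any part of the path is missing, which the query
    discards with `where isNotNull(accessible_scopes)`.
    """
    node = record.get("data")
    for key in ("details", "request", "auth", "credentials"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    if not isinstance(node, dict):
        return None
    scopes = node.get("scopes")
    return list(scopes) if isinstance(scopes, list) else None


def evaluate(records: Iterable[Dict],
             global_client_id: str = GLOBAL_CLIENT_ID,
             threshold: int = THRESHOLD_FOR_MAX_NUMBER_OF_SCOPES,
             monitored_scopes: str = LIST_OF_MONITORED_SCOPES) -> List[Finding]:
    """Return one Finding per sapi event that trips Option 1 and/or Option 2."""
    # Exact scope-name membership instead of the query's regex alternation, so a
    # monitored scope does not also match a longer scope name that starts with it.
    monitored = {s.strip() for s in monitored_scopes.split(",") if s.strip()}
    findings: List[Finding] = []
    for rec in records:
        data = rec.get("data", {})
        if data.get("type") != "sapi":                 # selection: data.type: sapi
            continue
        if data.get("client_id") == global_client_id:  # filter_auth0_dashboard
            continue
        scopes = _accessible_scopes(rec)
        if scopes is None:                             # where isNotNull(accessible_scopes)
            continue
        reasons: List[str] = []
        count = len(scopes)                            # eval count_scopes = mvcount(...)
        if count > threshold:                          # Option 1
            reasons.append(f"scope count {count} exceeds threshold {threshold}")
        hits = sorted(monitored.intersection(scopes))  # Option 2
        if hits:
            reasons.append("sensitive scopes: " + ", ".join(hits))
        if reasons:
            findings.append(Finding(data.get("client_id", ""), data.get("description", ""),
                                    scopes, count, reasons))
    return findings


def _event(client_id: str, description: str, scopes=None, log_type: str = "sapi") -> Dict:
    """Build a constructed record shaped like an Auth0 tenant log entry."""
    data = {"type": log_type, "client_id": client_id, "description": description}
    if scopes is not None:
        data["details"] = {"request": {"auth": {"credentials": {"scopes": scopes}}}}
    return {"data": data}


# Constructed sample events (not real tenant data).
SAMPLE_RECORDS = [
    _event(GLOBAL_CLIENT_ID, "Auth0 Dashboard", ["delete:users", "update:clients"]),
    _event("backend-sync", "Nightly user sync", [
        "read:users", "update:users", "read:clients", "update:clients",
        "read:connections", "update:connections", "read:logs", "read:roles",
        "update:roles", "read:rules", "read:grants", "read:client_keys"]),
    _event("support-tool", "Helpdesk console", ["read:users", "delete:users"]),
    _event("reporting", "Read-only reports", ["read:users", "read:logs"]),
    _event("spa-login", "Browser app login", log_type="s"),
    _event("no-credentials", "Event without a credentials block"),
]

if __name__ == "__main__":
    # Same columns as the query's `table` command, plus the reason for the hit.
    for f in evaluate(SAMPLE_RECORDS):
        print(f.client_id, f.description, f.count_scopes, f.accessible_scopes, f.reasons)
```

Running the file prints the same columns the query's `table` command emits, with the Dashboard event, the non-`sapi` login event and the event lacking a credentials block all discarded before either option is evaluated. The threshold and monitored list are parameters of `evaluate`, so lowering the threshold shows how quickly Option 1 starts flagging clients that Option 2 would leave alone.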