Successful login correlated with suspicious JA4/JA3 TLS fingerprint

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

Detects if there are successful logins from JA3 or JA4 signatures seen in credential stuffing patterns. This is a strong indication that the respective accounts have been compromised.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1110.004` Brute Force: Credential Stuffing

Rule body yaml

title: Successful login correlated with suspicious JA4/JA3 TLS fingerprint
id: 0c71d42b-d918-4698-a849-d5d5ee5b208b
status: experimental
description: |
    Detects if there are successful logins from JA3 or JA4 signatures seen in credential stuffing patterns.
    This is a strong indication that the respective accounts have been compromised.
author: Okta
date: 2025-10-16
modified: 2025-10-16
references:
    - https://auth0.com/docs/secure/attack-protection/view-attack-protection-events
logsource:
    product: auth0
detection:
    selection:
        data.type:
            - s # Successful login
            - scoa # Successful cross-origin authentication
    condition: selection
explanation: >
    This detection is designed to identify potential account compromise by correlating successful logins
    with the TLS fingerprint (JA4 hash) seen in recent failed attempts and requests alerted by attacked protection features.
    The Splunk query first identifies suspicious JA4 hashes by looking for IPs that generated high number of failed logins
    or attack protection events.
    Thereafter, it filters successful events (s and scoa), retaining only those that share a JA4 hash with the previously
    identified suspicious traffic.
    The final output lists the successful login, the suspicious hash, and the username,
    providing a high-fidelity indicator that an account was successfully breached using the same automated attack tool
    or infrastructure responsible for the failed attempts.

    The Sigma detection block is used only to identify the successful login events.
    The query generated by Sigma CLI, should be extended with listing JA3/JA4 fingerprints, e.g. `| table data.user_name data.security_context.ja4` in Splunk.
    Thereafter, these can be manually compared to suspicious fingerprints returned by the credential_stuffing_signals.yml detection.
    Additional steps for Sigma rule are needed due to limitations of the Sigma language, while the splunk block already implements all this correlation.
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    | bin _time span=1h
    ``` Successful login events and associated JA4 ```
    | search data.type IN (s, scoa)
    | rename data.security_context.ja4 as seen_ja4_hash
    | fields _time, data.type, seen_ja4_hash, data.user_name
    ``` Filter these events using the list of JA4 hashes seen in failed events pointing to credential stuffing ```
    | join type=inner seen_ja4_hash [
        search index=auth0 data.type IN (f, fu, fp, pwd_leak, limit_wc, limit_sul, limit_mu, fcoa)
        | stats count as cnt_events_per_ip by data.security_context.ja4 data.ip
        | where cnt_events_per_ip > {threshold_events_per_ip}
        | fields data.security_context.ja4
        | rename data.security_context.ja4 as seen_ja4_hash
    ]
    ```Final output ```
    | table data.type, seen_ja4_hash, data.user_name
comments:
    - The Splunk query above shall be tuned to reflect a valid tenant name,
      and a threshold for number of events per IP, i.e. {threshold_events_per_ip}.
    - The detection can be adjusted to monitor the attack protection feature in use.
    - Failed login events (f, fu, fp, fcoa) can be considered separately from Attack protection events
     (pwd_leak, limit_wc, limit_sul, limit_mu).
    - Other patterns indicating credential stuffing attack can be plugged in in this query.
      See three signals from the detection credential_stuffing_signals.yml.
    - As an alternative to JA4, a JA3 fingerprint can be used for correlation.
     Note, that JA4 are more stable and less sensitive to small changes to violitily of TLS handshake details.
    - Filter out JA4 fingerprints from known browsers/applications/tools https://ja4db.com/
tenant_logs: |
    type: (s scoa)
prevention:
    - Block or monitor the traffic from suspicious JA4/JA3 with the Network ACL feature.
    - Initiate password reset for identified accounts.
    - General preventions applied to credential stuffing listed in credential_stuffing_signals.yml.
falsepositives:
    - JA3/JA4 might be attributed to legitimate traffic. This can happen when selected {threshold_events_per_ip} is too low and reacts on legitimate failed events.
level: medium
tags:
    - attack.credential-access
    - attack.t1110.004

Stages and Predicates

Stage 0: `condition`

selection

Stage 1: `selection`

selection:
    data.type:
        - s
        - scoa

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data.type`	eq	`s` `scoa`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Successful login correlated with suspicious JA4/JA3 TLS fingerprint

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Indicators

Keyboard shortcuts

Search operators

Successful login correlated with suspicious JA4/JA3 TLS fingerprint

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Indicators

Stage 0: `condition`

Stage 1: `selection`