
Rapid creation of clients with the dynamic client registration endpoint

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

Detect when a large number of clients are created in a short period of time using dynamic client registration. This can indicate an attempt to create multiple clients for malicious purposes, such as denial of service, resource exhaustion, phishing (consent phishing) by creating look-alike applications, and causing admin fatigue by overwhelming the admin with clients.

MITRE ATT&CK coverage

Tactic           Technique
Initial Access   T1566 Phishing
Impact           T1499 Endpoint Denial of Service

Rule body (yaml)

title: Rapid creation of clients with the dynamic client registration endpoint
id: 4bf28f3a-716c-11f0-9932-723487b9527c
status: experimental
description: |
    Detect when a large number of clients are created in a short period of time using dynamic client registration.
    This can indicate an attempt to create multiple clients for malicious purposes, such as denial of service, resource exhaustion,
    phishing (consent phishing) by creating look-alike applications, and causing admin fatigue by overwhelming the admin with clients.
author: Okta
date: 2025-07-11
modified: 2025-09-02
logsource:
    product: auth0
detection:
    selection:
        data.type: sapi
        data.description: "Dynamic client registration"
    condition: selection
explanation: >
    The query collects log entries captured when a client is created using dynamic client registration.
    The Splunk detection below observes the number of clients created within a specified time window.
    It alerts if an excessive number of clients, denoted by threshold_for_max_clients_created, have been created within a specified time window.
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    data.type=sapi data.description="Dynamic client registration"
    | fields data.details.response.body.client_id
    | eval original_time = _time
    ```Adapt the time span to your needs, e.g. 10 min, 1 hour, 1 day, etc.```
    | bin _time span=1h
    | stats count as count_clients, max(original_time) as max_time,
    min(original_time) as min_time, values(data.details.response.body.client_id) as created_clients by _time
    | eval created_within_minutes = (max_time - min_time)/60
    ```Keep only buckets whose clients were all created within the observed period, e.g. 60 minutes```
    | where created_within_minutes < {threshold_for_observed_time_window_in_minutes}
    ```Keep only buckets where the number of clients created exceeds the threshold```
    | where count_clients > {threshold_for_max_clients_created}
    ```Display the information in a table```
    | table created_clients, created_within_minutes, count_clients
comments:
    - The Splunk query above must be tuned to reflect a valid tenant name, the threshold for the maximum number of clients created within a specified time window,
      i.e. {threshold_for_max_clients_created}, and the time window to observe, i.e. {threshold_for_observed_time_window_in_minutes}.
    - The time window can be adjusted based on the customer's environment and the expected number of clients.
tenant_logs: |
    type:sapi AND description:"Dynamic client registration"
prevention:
    - Harden access to the dynamic client registration (DCR) endpoint with Auth0 Tenant ACL or by placing a specialised WAF in front of your tenant.
    - Temporarily disable the DCR endpoint.
    - Consider adopting the OAuth Client ID Metadata Document standard (adopted by the IETF in Oct 2025):
      https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-metadata-document/
falsepositives:
    - None
level: medium
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1499
    - attack.t1566
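
The Splunk query above cannot be run outside Splunk, so the following is an added example (not code from the rule, Okta, or the auth0-customer-detections project) that reimplements the same detection logic in Python over constructed Auth0 tenant log records. It assumes the Splunk log-streaming shape the query references (events wrapped under a `data` key with `tenant_name`, `type`, `description` and `details.response.body.client_id`) and additionally assumes an ISO-8601 `data.date` timestamp standing in for Splunk's `_time`; the sample events, tenant names and client IDs are all constructed for the example. The three tunables map onto the query's placeholders: `span_seconds` is the `bin` span, `observed_window_minutes` is `{threshold_for_observed_time_window_in_minutes}`, and `max_clients` is `{threshold_for_max_clients_created}`.

```python
"""Offline re-implementation of the 'rapid DCR client creation' Splunk logic.

Added example, not part of the rule. Log shape and the data.date field are
assumptions; all sample events below are constructed, not real Auth0 output.
"""
from collections import defaultdict
from datetime import datetime, timezone

DCR_DESCRIPTION = "Dynamic client registration"


def _event(tenant, date, client_id, type_="sapi", description=DCR_DESCRIPTION):
    """Build one constructed tenant-log record in the assumed Splunk shape."""
    return {"data": {"tenant_name": tenant, "type": type_, "description": description,
                     "date": date,
                     "details": {"response": {"body": {"client_id": client_id}}}}}


# Constructed sample: a burst of six DCR calls in five minutes, two routine
# registrations spread over an hour, one event from another tenant and one
# sapi event that is not a DCR call (it must be ignored by the filter).
SAMPLE_LOGS = [
    _event("example-tenant", "2025-07-11T10:00:12Z", "cid_burst_1"),
    _event("example-tenant", "2025-07-11T10:01:05Z", "cid_burst_2"),
    _event("example-tenant", "2025-07-11T10:01:44Z", "cid_burst_3"),
    _event("example-tenant", "2025-07-11T10:02:30Z", "cid_burst_4"),
    _event("example-tenant", "2025-07-11T10:03:59Z", "cid_burst_5"),
    _event("example-tenant", "2025-07-11T10:04:41Z", "cid_burst_6"),
    _event("example-tenant", "2025-07-11T13:10:00Z", "cid_normal_1"),
    _event("example-tenant", "2025-07-11T13:50:00Z", "cid_normal_2"),
    _event("other-tenant", "2025-07-11T10:02:00Z", "cid_other"),
    _event("example-tenant", "2025-07-11T10:02:15Z", "cid_not_dcr",
           description="Create a client"),
]


def dcr_events(logs, tenant_name):
    """Mirror the search filter: tenant, data.type=sapi and the DCR description.

    Yields (timestamp, client_id) for matching records only.
    """
    for entry in logs:
        data = entry.get("data", {})
        if data.get("tenant_name") != tenant_name:
            continue
        if data.get("type") != "sapi" or data.get("description") != DCR_DESCRIPTION:
            continue
        body = data.get("details", {}).get("response", {}).get("body", {})
        ts = datetime.fromisoformat(data["date"].replace("Z", "+00:00"))
        yield ts, body.get("client_id")


def detect_rapid_client_creation(logs, tenant_name, span_seconds=3600,
                                 observed_window_minutes=60, max_clients=5):
    """Bucket DCR events like `bin _time span=...`, then apply both `where` clauses.

    Returns one alert dict per bucket whose events all fall inside
    observed_window_minutes and whose event count exceeds max_clients.
    """
    buckets = defaultdict(list)
    for ts, client_id in dcr_events(logs, tenant_name):
        bucket_start = int(ts.timestamp()) // span_seconds * span_seconds
        buckets[bucket_start].append((ts, client_id))

    alerts = []
    for bucket_start in sorted(buckets):
        events = buckets[bucket_start]
        times = [ts for ts, _ in events]
        # Same arithmetic as the query: (max_time - min_time)/60.
        created_within_minutes = (max(times) - min(times)).total_seconds() / 60
        count_clients = len(events)  # `stats count` counts events, not distinct ids
        if created_within_minutes < observed_window_minutes and count_clients > max_clients:
            alerts.append({
                "bucket_start": datetime.fromtimestamp(bucket_start, tz=timezone.utc).isoformat(),
                # `values(...)` yields the distinct client ids seen in the bucket.
                "created_clients": sorted({cid for _, cid in events if cid}),
                "created_within_minutes": round(created_within_minutes, 2),
                "count_clients": count_clients,
            })
    return alerts


if __name__ == "__main__":
    # Equivalent of the final `| table ...` command.
    for alert in detect_rapid_client_creation(SAMPLE_LOGS, "example-tenant"):
        print(alert["bucket_start"], alert["count_clients"],
              alert["created_within_minutes"], ", ".join(alert["created_clients"]))
```

Two details of the original query are worth keeping in mind when tuning: `bin _time span=1h` aligns buckets to fixed clock boundaries, so a burst straddling 10:59 and 11:01 is split across two buckets and may fall under `max_clients` in each, and `stats count` counts registration events rather than distinct client IDs, so retries that reuse a client ID inflate `count_clients` while `created_clients` stays short. Lowering `span_seconds` or adding a sliding window addresses the first; counting the distinct set addresses the second.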

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    data.type: sapi
    data.description: "Dynamic client registration"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind  Values
data.description  eq    Dynamic client registration
data.type         eq    sapi