Risk for misconfiguration - use of Auth0 tenant name URL.

Status: experimental
Severity: medium
Log source: product auth0
Author: Okta
Source: github.com/auth0/auth0-customer-detections

Detect the use of Auth0 canonical domain/tenant name url, when a custom domain is configured. When a custom domain is configured, there is often no reason for legitimate applications to use the default Auth0 domain. An attempt to access the tenant using the default Auth0 domain that may indicate a misconfiguration or an attack. Bypassing of a custom domain can lead to circumventing of such protections as WAF, IP filters, and advanced logging.

MITRE ATT&CK coverage

Tactic	Techniques
Stealth	`T1562.007` Impair Defenses: Disable or Modify Cloud Firewall

Rule body yaml

title: Risk for misconfiguration - use of Auth0 tenant name URL.
id: 466073e8-7171-11f0-858f-723487b9527c
status: experimental
description: |
    Detect the use of Auth0 canonical domain/tenant name url, when a custom domain is configured.
    When a custom domain is configured, there is often no reason for legitimate applications to use the default Auth0 domain.
    An attempt to access the tenant using the default Auth0 domain that may indicate a misconfiguration or an attack.
    Bypassing of a custom domain can lead to circumventing of such protections as WAF, IP filters, and advanced logging.
author: Okta
date: 2025-07-11
modified: 2025-09-02
logsource:
    product: auth0
detection:
    selection:
        data.type:
            - s  # successful login
            - f  # failed login
            - fs # failed signup
            - ss # successful signup
            - w # warning during login
            - fp # failed login (incorrect password)
            - scoa # successful cross-origin authentication
            - fcoa # failed cross-origin authentication
            - sepft # successful exchange of password for token
            - fepft # failed exchange of password for token
        data.hostname: "{your-tenant-url}"  # e.g. your-tenant.auth0.com
    condition: selection
explanation: >
  The query below collects log entries corresponding to authentication events, e.g. s-successful login, f-failed login, etc.
  It filters those requests that use the Auth0 tenant name URL by checking "data.hostname".
  The Splunk query below displays clints/applications and log references.
splunk: |
    index=auth0 data.tenant_name="{your-tenant-name}"
    data.type IN (s, f, fs, ss, w, fp, scoa, fcoa, sepft, fepft)
    data.hostname="{your-tenant-url}"
    | fields data.client_id, data.client_name, data.log_id
    | table _time, data.client_id, data.client_name, data.log_id
comments:
    - The Splunk query above shall be tuned to reflect a valid tenant name and tenant url.
tenant_logs: |
    type: (s f fs ss f u fp scoa fcoa sepft fepft) AND hostname: {your-tenant-url}
prevention:
    - When any sort of a reverse proxy (e.g. WAF) is used in front of the tenant and IPs of this proxy can be listed,
      Auth0 Network ACL (Access Control List) can be applied to block any entries from unrecognized IPs.
falsepositives:
    - Legitimate use of the Auth0 tenant name URL, e.g. during testing or white-listed applications.
    - Misconfiguration of applications that are using the Auth0 tenant name URL instead of a custom domain.
level: medium
tags:
    - attack.defense-evasion
    - attack.t1562
    - attack.t1562.007

Stages and Predicates

Stage 0: `condition`

selection

Stage 1: `selection`

selection:
    data.type:
        - s
        - f
        - fs
        - ss
        - w
        - fp
        - scoa
        - fcoa
        - sepft
        - fepft
    data.hostname: "{your-tenant-url}"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data.hostname`	eq	`{your-tenant-url}`
`data.type`	eq	`f` `fcoa` `fepft` `fp` `fs` `s` `scoa` `sepft` `ss` `w`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Risk for misconfiguration - use of Auth0 tenant name URL.

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Indicators

Keyboard shortcuts

Search operators

Risk for misconfiguration - use of Auth0 tenant name URL.

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Indicators

Stage 0: `condition`

Stage 1: `selection`