diff --git a/queries/auth0_queries/auth0_cic_credential_stuffing_query.yml b/queries/auth0_queries/auth0_cic_credential_stuffing_query.yml
new file mode 100644
index 000000000..c5d00e012
--- /dev/null
+++ b/queries/auth0_queries/auth0_cic_credential_stuffing_query.yml
@@ -0,0 +1,11 @@
+AnalysisType: saved_query
+QueryName: "Auth0 CIC Credential Stuffing Query"
+Description: Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
+Query: |-
+  SELECT
+    *
+  FROM
+    panther_logs.public.auth0_events
+  WHERE
+    data:type in ('fcoa', 'scoa', 'pwd_leak')
+    and p_occurs_between('2024-04-14', current_timestamp)
diff --git a/rules/auth0_rules/auth0_cic_credential_stuffing.py b/rules/auth0_rules/auth0_cic_credential_stuffing.py
new file mode 100644
index 000000000..585f787e9
--- /dev/null
+++ b/rules/auth0_rules/auth0_cic_credential_stuffing.py
@@ -0,0 +1,27 @@
+from panther_auth0_helpers import auth0_alert_context
+
+SUSPICIOUS_EVENT_TYPES = (
+    "scoa",
+    "fcoa",
+    "pwd_leak",
+)
+
+
+def rule(event):
+    return event.deep_get("data", "type") in SUSPICIOUS_EVENT_TYPES
+
+
+def title(event):
+    event_type = event.deep_get("data", "type")
+    user = event.deep_get(
+        "data", "details", "request", "auth", "user", "email", default=""
+    )
+    p_source_label = event.deep_get("p_source_label", default="")
+    return (
+        f"Auth0 User [{user}] had a suspicious [{event_type}] event in "
+        f"your organization's tenant [{p_source_label}]."
+    )
+
+
+def alert_context(event):
+    return auth0_alert_context(event)
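Review bot: The query returns every `scoa` row as a hit, but a successful cross-origin authentication is normal traffic for any tenant that has the feature enabled, so for those tenants the result set is dominated by legitimate logins rather than the "unexpected" events the description asks analysts to look for. A stuffing run shows up as a burst of `fcoa` (and the occasional `scoa`) from a small set of sources, so an aggregate is more useful for triage than `SELECT *`, e.g. `SELECT data:ip, data:type, count(*) AS events FROM panther_logs.public.auth0_events WHERE data:type in ('fcoa', 'scoa', 'pwd_leak') and p_occurs_between('2024-04-14', current_timestamp) GROUP BY 1, 2 ORDER BY 3 DESC`. The `2024-04-14` lower bound is one day before the April 15 start date the description cites; that margin is reasonable, but a short note in `Description` saying the window deliberately starts a day early would stop readers taking it as the reported start date.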
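Review bot: `title()` embeds the user email in the title and the rule defines no `dedup()`, so if Panther falls back to the title as the dedup key (as I believe it does) a stuffing run that sprays N accounts through cross-origin auth produces N separate High alerts per window instead of one per source; adding `def dedup(event):` / `    return event.deep_get("data", "ip", default="")` after `title()` would collapse a run from one IP into a single alert, with `data.ip` present in the companion fixture though whether every fcoa/scoa event carries it should be confirmed. The email path `data.details.request.auth.user.email` is, in that fixture, the Management API caller (the request is a `manage.auth0.com` call to `/api/v2/integrations/installed`), so authentication-pipeline events such as fcoa/scoa may not populate it and the title would render as `Auth0 User []`; a fallback such as `user = event.deep_get("data", "details", "request", "auth", "user", "email") or event.deep_get("data", "user_id", default="")` keeps the title informative using the top-level `user_id` the fixture does show. `rule()` also fires on every `scoa` event, which for a tenant that legitimately uses cross-origin authentication is every successful login; a comment on `SUSPICIOUS_EVENT_TYPES` such as `# scoa (successful cross-origin auth) is included per Okta's guidance; expect noise on tenants that use the feature` would tell the next maintainer this is deliberate rather than a bug.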
diff --git a/rules/auth0_rules/auth0_cic_credential_stuffing.yml b/rules/auth0_rules/auth0_cic_credential_stuffing.yml
new file mode 100644
index 000000000..4b68e5cee
--- /dev/null
+++ b/rules/auth0_rules/auth0_cic_credential_stuffing.yml
@@ -0,0 +1,229 @@ +AnalysisType: rule +LogTypes: + - Auth0.Events +RuleID: "Auth0.CIC.Credential.Stuffing" +Filename: auth0_cic_credential_stuffing.py +DisplayName: "Auth0 CIC Credential Stuffing" +Description: Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. +Enabled: true +Severity: High +Runbook: If a user password was compromised in a credential stuffing attack, the user's credentials should be rotated immediately out of an abundance of caution. +Reference: https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - ExpectedResult: true + Log: + data: + client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr + client_name: "" + date: "2023-05-23 20:47:51.149000000" + description: Someone behind the IP address ip attempted to login with a leaked password. 
+ details: + request: + auth: + credentials: + jti: e6343ec1d24a41e6bd43a6be748cac11 + strategy: jwt + user: + email: homer.simpson@yourcompany.com + name: Homer Simpson + user_id: google-oauth2|105261262156475850461 + body: + integration_id: 64bee519-818f-4473-ab08-7c380f28da77 + channel: https://manage.auth0.com/ + ip: 12.12.12.12 + method: post + path: /api/v2/integrations/installed + query: {} + userAgent: >- + Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 + (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 + response: + body: + integration_id: 64bee519-818f-4473-ab08-7c380f28da77 + statusCode: 200 + ip: 12.12.12.12 + log_id: "90020230523204756343781000000000000001223372037583230452" + type: pwd_leak + user_agent: >- + Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, + like Gecko) Chrome/113.0.0.0 Safari/537.36 + user_id: google-oauth2|105261262156475850461 + log_id: "90020230523204756343781000000000000001223372037583230452" + Name: Auth0 Credential Stuffing Event + - ExpectedResult: false + Log: + data: + client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr + client_name: "" + date: "2023-05-23 20:47:51.149000000" + description: Install an available integration + details: + request: + auth: + credentials: + jti: 949869e066205b5076e6df203fdd7b9b + scopes: + - create:actions + - create:actions_log_sessions + - create:authentication_methods + - create:client_credentials + - create:client_grants + - create:clients + - create:connections + - create:custom_domains + - create:email_provider + - create:email_templates + - create:guardian_enrollment_tickets + - create:integrations + - create:log_streams + - create:organization_connections + - create:organization_invitations + - create:organization_member_roles + - create:organization_members + - create:organizations + - create:requested_scopes + - create:resource_servers + - create:roles + - create:rules + - create:shields + - create:signing_keys + - create:tenant_invitations + - 
create:test_email_dispatch + - create:users + - delete:actions + - delete:anomaly_blocks + - delete:authentication_methods + - delete:branding + - delete:client_credentials + - delete:client_grants + - delete:clients + - delete:connections + - delete:custom_domains + - delete:device_credentials + - delete:email_provider + - delete:email_templates + - delete:grants + - delete:guardian_enrollments + - delete:integrations + - delete:log_streams + - delete:organization_connections + - delete:organization_invitations + - delete:organization_member_roles + - delete:organization_members + - delete:organizations + - delete:owners + - delete:requested_scopes + - delete:resource_servers + - delete:roles + - delete:rules + - delete:rules_configs + - delete:shields + - delete:tenant_invitations + - delete:tenant_members + - delete:tenants + - delete:users + - read:actions + - read:anomaly_blocks + - read:attack_protection + - read:authentication_methods + - read:branding + - read:checks + - read:client_credentials + - read:client_grants + - read:client_keys + - read:clients + - read:connections + - read:custom_domains + - read:device_credentials + - read:email_provider + - read:email_templates + - read:email_triggers + - read:entity_counts + - read:grants + - read:guardian_factors + - read:insights + - read:integrations + - read:log_streams + - read:logs + - read:mfa_policies + - read:organization_connections + - read:organization_invitations + - read:organization_member_roles + - read:organization_members + - read:organizations + - read:prompts + - read:requested_scopes + - read:resource_servers + - read:roles + - read:rules + - read:rules_configs + - read:shields + - read:signing_keys + - read:stats + - read:tenant_invitations + - read:tenant_members + - read:tenant_settings + - read:triggers + - read:users + - run:checks + - update:actions + - update:attack_protection + - update:authentication_methods + - update:branding + - update:client_credentials + - 
update:client_grants + - update:client_keys + - update:clients + - update:connections + - update:custom_domains + - update:email_provider + - update:email_templates + - update:email_triggers + - update:guardian_factors + - update:integrations + - update:log_streams + - update:mfa_policies + - update:organization_connections + - update:organizations + - update:prompts + - update:requested_scopes + - update:resource_servers + - update:roles + - update:rules + - update:rules_configs + - update:shields + - update:signing_keys + - update:tenant_members + - update:tenant_settings + - update:triggers + - update:users + strategy: jwt + user: + email: user.name@yourcompany.io + name: User Name + user_id: google-oauth2|105261262156475850461 + body: + AfterAuthentication: false + channel: https://manage.auth0.com/ + ip: 12.12.12.12 + method: patch + path: /api/v2/risk-assessment/config + query: {} + userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 + response: + body: + AfterAuthentication: false + BeforeLoginPrompt: false + BeforeLoginPromptMonitoring: false + statusCode: 200 + ip: 12.12.12.12 + log_id: "90020230523204756343781000000000000001223372037583230452" + type: sapi + user_agent: >- + Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, + like Gecko) Chrome/113.0.0.0 Safari/537.36 + user_id: google-oauth2|105261262156475850461 + log_id: "90020230523204756343781000000000000001223372037583230452" + Name: Other Event
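Review bot: The only positive test is a `pwd_leak` event whose body is a Management API call (`path: /api/v2/integrations/installed`, `channel: https://manage.auth0.com/`, `statusCode: 200`) with a leaked-password `description` grafted on, so neither `fcoa` nor `scoa` — the two types the description and the referenced Okta article are actually about — is exercised, and the positive fixture does not resemble an authentication-pipeline log. Adding one fixture each for `type: fcoa` and `type: scoa`, without the `details.request.auth` block if real events lack it, would also pin what `title()` renders when that email path is missing. With `Severity: High` and `Threshold: 1`, a tenant that uses cross-origin authentication will alert on every successful login; if that is the intended posture, saying so in `Description` or `Runbook` (e.g. `Expect scoa alerts on tenants that use cross-origin authentication; investigate clusters of fcoa from a single IP or user agent first`) saves the analyst a trip to the reference article.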