panther-labs · arielkr256 · May 30, 2024 · May 30, 2024
diff --git a/queries/auth0_queries/auth0_cic_credential_stuffing_query.yml b/queries/auth0_queries/auth0_cic_credential_stuffing_query.yml
@@ -0,0 +1,11 @@
+AnalysisType: saved_query
+QueryName: "Auth0 CIC Credential Stuffing Query"
+Description: Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks.  Okta has observed suspicious activity that started on April 15, 2024.  Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.  https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
+Query: |-
+  SELECT
+   *
+  FROM
+       panther_logs.public.auth0_events
+  WHERE
+       data:type in ('fcoa', 'scoa', 'pwd_leak')
+       and p_occurs_between('2024-04-14', current_timestamp)
diff --git a/rules/auth0_rules/auth0_cic_credential_stuffing.py b/rules/auth0_rules/auth0_cic_credential_stuffing.py
@@ -0,0 +1,27 @@
+from panther_auth0_helpers import auth0_alert_context
+
+SUSPICIOUS_EVENT_TYPES = (
+    "scoa",
+    "fcoa",
+    "pwd_leak",
+)
+
+
+def rule(event):
+    return event.deep_get("data", "type") in SUSPICIOUS_EVENT_TYPES
+
+
+def title(event):
+    event_type = event.deep_get("data", "type")
+    user = event.deep_get(
+        "data", "details", "request", "auth", "user", "email", default="<NO_USER_FOUND>"
+    )
+    p_source_label = event.deep_get("p_source_label", default="<NO_P_SOURCE_LABEL_FOUND>")
+    return (
+        f"Auth0 User [{user}] had a suspicious [{event_type}] event in "
+        f"your organization's tenant [{p_source_label}]."
+    )
+
+
+def alert_context(event):
+    return auth0_alert_context(event)
diff --git a/rules/auth0_rules/auth0_cic_credential_stuffing.yml b/rules/auth0_rules/auth0_cic_credential_stuffing.yml
@@ -0,0 +1,229 @@
+AnalysisType: rule
+LogTypes:
+  - Auth0.Events
+RuleID: "Auth0.CIC.Credential.Stuffing"
+Filename: auth0_cic_credential_stuffing.py
+DisplayName: "Auth0 CIC Credential Stuffing"
+Description: Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks.  Okta has observed suspicious activity that started on April 15, 2024.  Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.
+Enabled: true
+Severity: High
+Runbook: If a user password was compromised in a credential stuffing attack, the user's credentials should be rotated immediately out of an abundance of caution.
+Reference: https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - ExpectedResult: true
+    Log:
+      data:
+        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
+        client_name: ""
+        date: "2023-05-23 20:47:51.149000000"
+        description: Someone behind the IP address ip attempted to login with a leaked password.
+        details:
+          request:
+            auth:
+              credentials:
+                jti: e6343ec1d24a41e6bd43a6be748cac11
+              strategy: jwt
+              user:
+                email: homer.simpson@yourcompany.com
+                name: Homer Simpson
+                user_id: google-oauth2|105261262156475850461
+            body:
+              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
+            channel: https://manage.auth0.com/
+            ip: 12.12.12.12
+            method: post
+            path: /api/v2/integrations/installed
+            query: {}
+            userAgent: >-
+              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
+              (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
+          response:
+            body:
+              integration_id: 64bee519-818f-4473-ab08-7c380f28da77
+            statusCode: 200
+        ip: 12.12.12.12
+        log_id: "90020230523204756343781000000000000001223372037583230452"
+        type: pwd_leak
+        user_agent: >-
+          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
+          like Gecko) Chrome/113.0.0.0 Safari/537.36
+        user_id: google-oauth2|105261262156475850461
+      log_id: "90020230523204756343781000000000000001223372037583230452"
+    Name: Auth0 Credential Stuffing Event
+  - ExpectedResult: false
+    Log:
+      data:
+        client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr
+        client_name: ""
+        date: "2023-05-23 20:47:51.149000000"
+        description: Install an available integration
+        details:
+          request:
+            auth:
+              credentials:
+                jti: 949869e066205b5076e6df203fdd7b9b
+                scopes:
+                  - create:actions
+                  - create:actions_log_sessions
+                  - create:authentication_methods
+                  - create:client_credentials
+                  - create:client_grants
+                  - create:clients
+                  - create:connections
+                  - create:custom_domains
+                  - create:email_provider
+                  - create:email_templates
+                  - create:guardian_enrollment_tickets
+                  - create:integrations
+                  - create:log_streams
+                  - create:organization_connections
+                  - create:organization_invitations
+                  - create:organization_member_roles
+                  - create:organization_members
+                  - create:organizations
+                  - create:requested_scopes
+                  - create:resource_servers
+                  - create:roles
+                  - create:rules
+                  - create:shields
+                  - create:signing_keys
+                  - create:tenant_invitations
+                  - create:test_email_dispatch
+                  - create:users
+                  - delete:actions
+                  - delete:anomaly_blocks
+                  - delete:authentication_methods
+                  - delete:branding
+                  - delete:client_credentials
+                  - delete:client_grants
+                  - delete:clients
+                  - delete:connections
+                  - delete:custom_domains
+                  - delete:device_credentials
+                  - delete:email_provider
+                  - delete:email_templates
+                  - delete:grants
+                  - delete:guardian_enrollments
+                  - delete:integrations
+                  - delete:log_streams
+                  - delete:organization_connections
+                  - delete:organization_invitations
+                  - delete:organization_member_roles
+                  - delete:organization_members
+                  - delete:organizations
+                  - delete:owners
+                  - delete:requested_scopes
+                  - delete:resource_servers
+                  - delete:roles
+                  - delete:rules
+                  - delete:rules_configs
+                  - delete:shields
+                  - delete:tenant_invitations
+                  - delete:tenant_members
+                  - delete:tenants
+                  - delete:users
+                  - read:actions
+                  - read:anomaly_blocks
+                  - read:attack_protection
+                  - read:authentication_methods
+                  - read:branding
+                  - read:checks
+                  - read:client_credentials
+                  - read:client_grants
+                  - read:client_keys
+                  - read:clients
+                  - read:connections
+                  - read:custom_domains
+                  - read:device_credentials
+                  - read:email_provider
+                  - read:email_templates
+                  - read:email_triggers
+                  - read:entity_counts
+                  - read:grants
+                  - read:guardian_factors
+                  - read:insights
+                  - read:integrations
+                  - read:log_streams
+                  - read:logs
+                  - read:mfa_policies
+                  - read:organization_connections
+                  - read:organization_invitations
+                  - read:organization_member_roles
+                  - read:organization_members
+                  - read:organizations
+                  - read:prompts
+                  - read:requested_scopes
+                  - read:resource_servers
+                  - read:roles
+                  - read:rules
+                  - read:rules_configs
+                  - read:shields
+                  - read:signing_keys
+                  - read:stats
+                  - read:tenant_invitations
+                  - read:tenant_members
+                  - read:tenant_settings
+                  - read:triggers
+                  - read:users
+                  - run:checks
+                  - update:actions
+                  - update:attack_protection
+                  - update:authentication_methods
+                  - update:branding
+                  - update:client_credentials
+                  - update:client_grants
+                  - update:client_keys
+                  - update:clients
+                  - update:connections
+                  - update:custom_domains
+                  - update:email_provider
+                  - update:email_templates
+                  - update:email_triggers
+                  - update:guardian_factors
+                  - update:integrations
+                  - update:log_streams
+                  - update:mfa_policies
+                  - update:organization_connections
+                  - update:organizations
+                  - update:prompts
+                  - update:requested_scopes
+                  - update:resource_servers
+                  - update:roles
+                  - update:rules
+                  - update:rules_configs
+                  - update:shields
+                  - update:signing_keys
+                  - update:tenant_members
+                  - update:tenant_settings
+                  - update:triggers
+                  - update:users
+              strategy: jwt
+              user:
+                email: user.name@yourcompany.io
+                name: User Name
+                user_id: google-oauth2|105261262156475850461
+            body:
+              AfterAuthentication: false
+            channel: https://manage.auth0.com/
+            ip: 12.12.12.12
+            method: patch
+            path: /api/v2/risk-assessment/config
+            query: {}
+            userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
+          response:
+            body:
+              AfterAuthentication: false
+              BeforeLoginPrompt: false
+              BeforeLoginPromptMonitoring: false
+            statusCode: 200
+        ip: 12.12.12.12
+        log_id: "90020230523204756343781000000000000001223372037583230452"
+        type: sapi
+        user_agent: >-
+          Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
+          like Gecko) Chrome/113.0.0.0 Safari/537.36
+        user_id: google-oauth2|105261262156475850461
+      log_id: "90020230523204756343781000000000000001223372037583230452"
+    Name: Other Event