Using Auth0 Event Logs for Proactive Threat Detection

Maria Vasilevskaya

We are thrilled to announce the launch of the Auth0 Customer Detection Catalog, an open-source repository of detection rules designed to help security teams at Auth0 customers proactively identify and respond to security threats.

This catalog, now available on GitHub, is a powerful complement to Auth0’s Security Center and its existing security monitoring and alerting offerings. The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform.

The catalog provides a growing collection of pre-built queries, contributed by Okta personnel and the wider security community, that surface suspicious activities like anomalous user behavior, potential account takeovers and misconfigurations.

This resource is ideal for a variety of users, including:

  • Tenant administrators and developers: Security-focused rules that help administrators catch unintentional misconfigurations early.

  • DevOps teams: Incorporate advanced security monitoring into your existing operational workflows.

  • Security analysts and threat hunters: Gain a strong foundation for building sophisticated detection rules tailored to your unique environment.

Why you should use it

The Auth0 Customer Detection Catalog is a force multiplier for your security efforts. Here's why this resource is an essential addition to your toolkit:

  • Sigma-Compatible: All detections are valid Sigma rules, a generic signature format that can be easily converted for a variety of SIEM and log analysis tools. This allows you to set up rules in familiar tooling without needing to rewrite them.

  • Actionable Intelligence: Each detection contains valuable metadata, including descriptions of the threat, relevant log fields, and recommended preventative actions. This provides security analysts with the context needed to respond quickly and effectively.

  • Proactive Threat Updates: The catalog is regularly updated with new detections from Okta and Auth0, based on our analysis of real-world threats. This ensures you can stay ahead of emerging attack techniques.

  • Community-Powered: By being open source, the catalog benefits from the collective expertise of the security community. This collaborative approach allows for the rapid dissemination of detection strategies, making everyone more resilient.

Putting Detections to Work

The Auth0 Customer Detection Catalog is designed for immediate use. Here's how to integrate these queries into your security workflows:

  1. Access the Catalog: The entire collection of detection rules is available in our public GitHub repository.

  2. Generate Queries from Sigma: All detections are available in the Sigma format. You can use a Sigma converter tool such as sigma-cli to translate these universal rules into the specific query language of your SIEM or logging tool.

  3. Integrate with Your Tooling: Extract the included queries and integrate them into your existing security monitoring and alerting workflows. This allows you to leverage your current logging tools to detect sophisticated threats against your Auth0 tenant.

  4. Explore Example Detections: To help you get started, the catalog includes a variety of examples that highlight its potential. These cover a range of threats, such as:

    • Suspicious Tenant Settings: Detections for changes to security-critical settings, like an IP being added to an allowlist or the deactivation of attack protection features.

    • Administrator Behavior: Rules for detecting suspicious activities by administrators, such as copying the most powerful tokens or checking application secrets.

    • Attacker Behavior: Queries that identify known attack patterns, like SMS pumping attempts (e.g. sms_bombarding.yaml) or refresh token rotation failures.
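To show what one of the "Suspicious Tenant Settings" detections looks like when the Sigma selection logic is applied to tenant log events, here is an added example that is not code from the catalog. It assumes Auth0's tenant log schema (event type sapi for a successful Management API call, with the request under details.request) and a hypothetical rule targeting changes to the attack-protection endpoints; the catalog's real rules may use different fields and conditions.

```python
# Sigma-style "selection" for Auth0 tenant logs: a successful Management API
# call (type "sapi") that modifies an attack-protection setting.
# Field names follow Auth0's tenant log schema (assumed here); the catalog's
# real rules may use different names, conditions and log sources.
RULE = {
    "title": "Attack protection setting changed via Management API",
    "selection": {
        "type": "sapi",
        "details.request.method": "PATCH",
        "details.request.path|contains": "/api/v2/attack-protection/",
    },
}

def get_field(event, dotted):
    """Resolve a dotted path such as details.request.path, or None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(event, selection):
    """Sigma selection semantics: every listed field must match (implicit AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = get_field(event, field)
        if actual is None:
            return False
        if modifier == "contains":
            if expected not in str(actual):
                return False
        elif modifier:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        elif actual != expected:
            return False
    return True

def run_rule(rule, events):
    """Return the events that trigger the rule."""
    return [e for e in events if matches(e, rule["selection"])]

# Constructed sample events shaped like Auth0 log entries (not real logs).
SAMPLE_EVENTS = [
    {"type": "sapi", "details": {"request": {"method": "PATCH",
        "path": "/api/v2/attack-protection/brute-force-protection"}}},
    {"type": "sapi", "details": {"request": {"method": "GET",
        "path": "/api/v2/attack-protection/brute-force-protection"}}},
    {"type": "s", "user_id": "auth0|constructed-user"},
]
```

Only the PATCH to the attack-protection endpoint fires; the read-only GET and the ordinary login do not, which is the distinction a converted rule should preserve in your SIEM.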

Your Contribution Matters

If you identify a gap in our current detection coverage or encounter an issue, we encourage you to open a GitHub Issue and contribute directly. Even better, submit your own detection rules via a pull request to share your expertise and help the entire community become more resilient.

Mathew Woodyard contributed to this post.

Maria Vasilevskaya
Principal Security Engineer

Maria Vasilevskaya is a leading Identity Defense Security Engineer at Okta. With her extensive experience in identity security, she has held diverse roles including security executive advisory, professional consulting services, identity and security solutions architecture, and solutions engineering. Her primary objective at Okta is to empower customers in maintaining robust security postures by offering expert assistance during critical incidents and providing strategic advice on implementing security practices to prevent future crises.