
Summary
This detection rule identifies events in Auth0 tenant logs that record the automatic cleanup of resources exceeding defined operational limits. The purpose of monitoring these events is to separate routine system maintenance from potentially malicious activity: an attacker could trigger resource cleanup to remove traces of their actions, such as the creation of unauthorized accounts or changes to configuration. By focusing on resource cleanup events, the detection raises an alert when they occur unexpectedly or without a known operational reason, giving security analysts a starting point for investigation. The detection logic uses a Splunk search over the Auth0 authentication data, filters on the predefined event type that indicates a resource cleanup, and extracts the relevant details from the matching log entries.
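The following is an added example, not the rule's own Splunk search, that shows the same detection logic in Python: parse Auth0-style NDJSON log lines, keep only resource cleanup events, and aggregate them by source IP the way a `stats count min(_time) max(_time)` clause would. It assumes that Auth0 records these events with the type code `resource_cleanup` (confirm against the tenant's log event type reference before deploying), and the log lines are constructed for illustration, not real tenant data.

```python
import json

# Assumption: Auth0 uses this type code for "Resource Cleanup" events in the
# tenant log. Verify against the Auth0 log event type reference.
RESOURCE_CLEANUP_TYPE = "resource_cleanup"

# Fields worth carrying into an alert for analyst triage.
ALERT_FIELDS = ("log_id", "date", "description", "client_name", "user_name", "ip", "details")

# Constructed sample log lines (NDJSON), including one malformed line to show
# that the parser degrades gracefully instead of dropping the whole batch.
SAMPLE_LOGS = """\
{"log_id": "90020250228T100000000001", "date": "2025-02-28T10:00:00.000Z", "type": "s", "description": "Success Login", "client_name": "web-app", "user_name": "alice@example.com", "ip": "198.51.100.10"}
{"log_id": "90020250228T100500000002", "date": "2025-02-28T10:05:00.000Z", "type": "resource_cleanup", "description": "Resource Cleanup", "client_name": "N/A", "user_name": "", "ip": "203.0.113.7", "details": {"resource": "users", "count": 250}}
{"log_id": "90020250228T100600000003", "date": "2025-02-28T10:06:00.000Z", "type": "scp", "description": "Success Change Password", "client_name": "web-app", "user_name": "bob@example.com", "ip": "198.51.100.11"}
{"log_id": "90020250228T100700000004", "date": "2025-02-28T10:07:00.000Z", "type": "resource_cleanup", "description": "Resource Cleanup", "client_name": "N/A", "user_name": "", "ip": "203.0.113.7", "details": {"resource": "clients", "count": 5}}
this line is not json and must not break ingestion
"""


def parse_auth0_logs(ndjson: str) -> list[dict]:
    """Parse NDJSON into event dicts, skipping blank or malformed lines."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken line is logged upstream; do not lose the batch
        if isinstance(obj, dict):
            events.append(obj)
    return events


def detect_resource_cleanup(events: list[dict]) -> list[dict]:
    """Return one alert record per resource cleanup event (the Splunk 'where' step)."""
    alerts = []
    for ev in events:
        if ev.get("type") != RESOURCE_CLEANUP_TYPE:
            continue
        alerts.append({field: ev.get(field) for field in ALERT_FIELDS})
    return alerts


def summarize_by_ip(alerts: list[dict]) -> dict:
    """Aggregate alerts per source IP: count plus first and last seen timestamps.

    Auth0 dates are ISO 8601 in UTC, so string comparison orders them correctly.
    """
    summary: dict = {}
    for alert in alerts:
        ip = alert.get("ip") or "unknown"
        entry = summary.setdefault(ip, {"count": 0, "first": None, "last": None, "resources": []})
        entry["count"] += 1
        date = alert.get("date")
        if date is not None:
            entry["first"] = date if entry["first"] is None else min(entry["first"], date)
            entry["last"] = date if entry["last"] is None else max(entry["last"], date)
        details = alert.get("details") or {}
        if "resource" in details:
            entry["resources"].append(details["resource"])
    return summary


def run_detection(ndjson: str) -> dict:
    """Full pipeline: parse, filter, aggregate."""
    return summarize_by_ip(detect_resource_cleanup(parse_auth0_logs(ndjson)))


if __name__ == "__main__":
    for ip, stats in run_detection(SAMPLE_LOGS).items():
        print(f"{ip}: {stats['count']} cleanup event(s), {stats['first']} .. {stats['last']}, "
              f"resources={stats['resources']}")
```

An analyst would compare the aggregated result against known maintenance windows and limit-increase tickets; a cleanup burst from an IP with no operational justification, or one that closely follows account or configuration changes, is what warrants investigation.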
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2025-02-28