Auth0: MFA Device Update Failure

Anvilogic Forge

Summary
The detection rule 'Auth0: MFA Device Update Failure' is designed to identify unauthorized attempts to enroll or activate a device linked to an Auth0 account that is protected by multi-factor authentication (MFA). In environments that use MFA, a threat actor who has compromised an account may try to bypass the control by enrolling a device they control so that they can keep access to the account. The rule specifically targets failed attempts to authorize or activate a device: it matches Auth0 authentication log events that carry one of the trigger strings "Device authorization request failed", "fdeaz", "Failed to activate device", or "fdeac". After filtering for these device activation errors, the rule compiles the relevant event data (timestamps, user accounts, geographic locations, and source IPs) so that security teams can spot activity that threatens account integrity. The overall goal is to strengthen the organization's security posture against account manipulation and preserve the effectiveness of MFA.
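The following is an added example of the rule's matching and enrichment logic, run over constructed Auth0 log events; it is not Anvilogic's rule code. It assumes Auth0's standard log field names (`date`, `type`, `description`, `user_name`, `ip`, `location_info`) and treats `fdeaz`/`fdeac` as the event `type` codes that correspond to the two description strings.

```python
import json

# Trigger strings from the rule: Auth0 event `type` codes and the matching
# human-readable `description` values (assumed pairing, see lead-in).
TRIGGER_TYPES = {"fdeaz", "fdeac"}
TRIGGER_DESCRIPTIONS = ("Device authorization request failed", "Failed to activate device")

# Constructed sample Auth0 log events (values are made up for this example).
SAMPLE_EVENTS = [
    {"date": "2025-02-28T09:14:02.113Z", "type": "s", "description": "Success Login",
     "user_name": "alice@example.com", "ip": "203.0.113.10",
     "location_info": {"country_name": "United States", "city_name": "Seattle"}},
    {"date": "2025-02-28T09:16:05.917Z", "type": "fdeac",
     "description": "Failed to activate device",
     "user_name": "alice@example.com", "ip": "198.51.100.7",
     "location_info": {"country_name": "Germany", "city_name": "Berlin"}},
    {"date": "2025-02-28T09:15:40.502Z", "type": "fdeaz",
     "description": "Device authorization request failed",
     "user_name": "alice@example.com", "ip": "198.51.100.7",
     "location_info": {"country_name": "Germany", "city_name": "Berlin"}},
    {"date": "2025-02-28T09:20:11.000Z", "type": "f", "description": "Wrong email or password",
     "user_name": "bob@example.com", "ip": "192.0.2.44", "location_info": {}},
]


def is_mfa_device_failure(event):
    """True when the event carries one of the rule's trigger strings."""
    if event.get("type") in TRIGGER_TYPES:
        return True
    desc = event.get("description") or ""
    return any(trigger in desc for trigger in TRIGGER_DESCRIPTIONS)


def detect(events):
    """Return one enriched record per matching event, oldest first."""
    hits = []
    for ev in events:
        if not is_mfa_device_failure(ev):
            continue
        loc = ev.get("location_info") or {}
        hits.append({
            "timestamp": ev["date"],
            "user": ev.get("user_name") or ev.get("user_id", "<unknown>"),
            "src_ip": ev.get("ip"),
            "location": f"{loc.get('city_name', '?')}, {loc.get('country_name', '?')}",
            "event_type": ev.get("type"),
            "description": ev.get("description", ""),
        })
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(hits, key=lambda h: h["timestamp"])


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Two matches from the same source IP within a minute for one account is the pattern the rule surfaces for triage; a successful login or an ordinary password failure is left alone.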
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
  • T1098.005
Created: 2025-02-28