
Summary
This rule monitors for failed WebAuthn authentication attempts in Auth0. WebAuthn is a strong authentication method in which users authenticate with cryptographic keys generated by their devices, adding a layer of security beyond traditional username and password combinations. Threat actors may attempt to bypass this multi-factor authentication (MFA) mechanism but typically fail because of incorrect credentials, the absence of the required hardware (such as a security token), or other security controls in place. The detection captures every event in which verification of the WebAuthn factor fails; such events may indicate an attacker's effort to gain unauthorized access, or may simply reflect legitimate users having trouble completing their MFA challenge. It focuses specifically on events where the system logs record a failure to verify the web authentication challenge, so that security teams can investigate further. The detection logic, implemented in Splunk, identifies event types categorized as failed WebAuthn challenges, giving security analysts insight into potential security incidents.
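As an added illustration of the detection logic described above (not the rule's own Splunk search), the following Python script filters constructed Auth0-style log records for failed WebAuthn challenges and groups them per user so that a single fumbled security key can be told apart from repeated attempts across several source IPs. The Auth0 event type code, the field names and the repeat threshold are assumptions.

```python
import json
from collections import defaultdict

# Assumed Auth0 log "type" code for a failed WebAuthn challenge. The rule page
# does not quote the exact code, so verify it against Auth0's log event types.
FAILED_WEBAUTHN_TYPE = "gd_webauthn_challenge_failed"

# Constructed sample records in the shape of Auth0 tenant logs (one JSON per line).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": FAILED_WEBAUTHN_TYPE, "date": "2025-02-28T10:00:01.000Z",
     "user_name": "alice@example.com", "ip": "203.0.113.10"},
    {"type": "s", "date": "2025-02-28T10:00:05.000Z",          # successful login
     "user_name": "alice@example.com", "ip": "203.0.113.10"},
    {"type": FAILED_WEBAUTHN_TYPE, "date": "2025-02-28T10:02:11.000Z",
     "user_name": "bob@example.com", "ip": "198.51.100.7"},
    {"type": FAILED_WEBAUTHN_TYPE, "date": "2025-02-28T10:02:40.000Z",
     "user_name": "bob@example.com", "ip": "198.51.100.8"},
    {"type": FAILED_WEBAUTHN_TYPE, "date": "2025-02-28T10:03:02.000Z",
     "user_name": "bob@example.com", "ip": "198.51.100.8"},
])


def failed_webauthn_events(log_text):
    """Parse newline-delimited JSON records and keep only WebAuthn failures."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the search
        if rec.get("type") == FAILED_WEBAUTHN_TYPE:
            hits.append(rec)
    return hits


def triage(events, repeat_threshold=3):
    """Summarise failures per user; flag repeated attempts or multiple IPs."""
    per_user = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for e in events:
        u = per_user[e.get("user_name", "<unknown>")]
        d = e.get("date", "")
        u["count"] += 1
        u["ips"].add(e.get("ip", "<unknown>"))
        u["first"] = d if u["first"] is None else min(u["first"], d)  # ISO-8601 sorts lexically
        u["last"] = d if u["last"] is None else max(u["last"], d)
    for u in per_user.values():
        u["escalate"] = u["count"] >= repeat_threshold or len(u["ips"]) > 1
    return dict(per_user)
```

In the sample, alice's single failure is left for routine review while bob's three failures from two addresses are marked for escalation.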
Categories
- Web
- Identity Management
- Cloud
- Application
Data Sources
- Web Credential
- Application Log
- Process
ATT&CK Techniques
- T1621
Created: 2025-02-28