Auth0: Potential Token Reuse

Anvilogic Forge

Summary
This detection rule is designed to identify potential token reuse attacks in an Auth0 environment. Threat actors often exploit authentication factors, including passwords, passkeys, OTPs, recovery codes, or refresh tokens, to gain unauthorized access—especially by using stolen session tokens. The rule specifically looks for successful access token use from multiple IP addresses within a single hour, which may indicate that an attacker is leveraging stolen session tokens to maintain persistent access to user accounts. The detection logic is implemented in Splunk: it retrieves authentication data from Auth0, isolates specific event types, and groups events by user across the one-hour timeframe. By analyzing the distinct count of source IPs associated with each user, the rule flags instances where more than one unique source IP is observed, highlighting potentially suspicious behavior. This approach allows for timely identification of unauthorized access attempts through token reuse mechanisms.
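The grouping logic described above, as an added Python example that is not Anvilogic's Splunk rule: it buckets Auth0-style log events per user per UTC hour and flags any bucket with more than one distinct source IP. The Auth0 log event type codes it keeps (seacft, sertft, s) are an assumption about which "specific event types" the rule isolates, and the sample log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: the rule isolates Auth0 log events that record a successful
# login or access-token issuance/exchange. These are Auth0 log type codes
# (s = success login, seacft = auth code -> access token, sertft = refresh
# token -> access token); which ones the real rule uses is not on the page.
TOKEN_EVENT_TYPES = {"s", "seacft", "sertft"}

# Constructed sample log (NDJSON), using RFC 5737 documentation addresses.
# alice: two IPs inside the 10:00 hour -> should be flagged.
# bob:   two IPs, but in different hours -> not flagged.
# carol: two IPs, but failed logins (type "f") -> filtered out.
SAMPLE_LOG = """
{"date":"2024-02-09T10:05:12.000Z","type":"seacft","user_name":"alice@example.com","ip":"203.0.113.10"}
{"date":"2024-02-09T10:41:03.000Z","type":"sertft","user_name":"alice@example.com","ip":"198.51.100.7"}
{"date":"2024-02-09T10:42:50.000Z","type":"sertft","user_name":"alice@example.com","ip":"198.51.100.7"}
{"date":"2024-02-09T10:15:00.000Z","type":"seacft","user_name":"bob@example.com","ip":"203.0.113.20"}
{"date":"2024-02-09T11:20:00.000Z","type":"sertft","user_name":"bob@example.com","ip":"203.0.113.21"}
{"date":"2024-02-09T10:30:00.000Z","type":"f","user_name":"carol@example.com","ip":"203.0.113.30"}
{"date":"2024-02-09T10:31:00.000Z","type":"f","user_name":"carol@example.com","ip":"198.51.100.31"}
"""

def parse_log(text):
    """Parse NDJSON log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hour_bucket(ts):
    """Floor an ISO-8601 timestamp (Auth0 style, trailing Z) to its UTC hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")

def find_token_reuse(events, threshold=1):
    """Return {(user, hour): sorted distinct IPs} for buckets whose distinct
    source-IP count exceeds threshold (the rule's dc(src_ip) > 1 condition)."""
    ips_by_bucket = defaultdict(set)
    for ev in events:
        if ev.get("type") not in TOKEN_EVENT_TYPES:
            continue  # isolate only successful token-related event types
        user = ev.get("user_name") or ev.get("user_id")
        if not user or not ev.get("ip") or not ev.get("date"):
            continue  # cannot group or count without user, ip and timestamp
        ips_by_bucket[(user, hour_bucket(ev["date"]))].add(ev["ip"])
    return {k: sorted(v) for k, v in ips_by_bucket.items() if len(v) > threshold}

if __name__ == "__main__":
    for (user, hour), ips in find_token_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} {hour} distinct_ips={len(ips)} {ips}")
```

Only alice's 10:00 bucket is reported; bob's two IPs fall in different hours, so an attacker rotating IPs across hour boundaries would need a sliding or longer window to catch.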
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2024-02-09