In the dynamic landscape of digital security, effective defense requires more than just identifying threats—it demands actionable intelligence. Security professionals require a comprehensive understanding of threats, their context, and clear strategies for prevention. With an ever-expanding list of emerging threats, continuously developing detection rules to safeguard systems is a relentless cycle. What if you could stop playing defense and get ahead of the threats instead?
Auth0 is excited to announce the public release of the Auth0 Security Detection Catalog on GitHub. This powerful new open-source resource is designed to help you stay ahead of real-world threats.
Read the official announcement on the Okta Security blog.
What is the Auth0 Security Detection Catalog
The Auth0 Security Detection Catalog is a powerful resource that significantly boosts your security efforts and should be an essential part of your security toolkit.
Each detection provides actionable intelligence with valuable metadata, such as threat descriptions and recommended preventions, giving security analysts the context they need for a fast and effective response. The catalog will receive proactive threat updates based on our analysis of real-world threats, which ensures you stay ahead of new attack techniques. As an open-source resource, it benefits from the collective expertise of the security community, which helps spread new detection strategies quickly and makes everyone more resilient.
The detections are written as Sigma rules, a generic, vendor-neutral signature format that Sigma CLI can convert into the query languages of many Security Information and Event Management (SIEM) and log analysis tools. This saves you from rewriting rules by hand and allows for quick deployment. Additionally, each rule carries the equivalent query in Lucene syntax, as used by the Auth0 Dashboard, and a hand-tuned query in Splunk Search Processing Language for fine-tuning.
How it works
Auth0 generates comprehensive event data covering user activity, administrative actions, and support events across a wide variety of log types. This telemetry can be reviewed, queried, or filtered directly within the Auth0 Dashboard using Lucene query syntax. Each log entry has a specific event type and is enriched with a number of attributes providing detailed information on the event and its context.
For security operations, import Auth0 logs into external tools, services, and pipelines, such as a SIEM, using Auth0 log streaming, which delivers events in near real time. Alternatively, you can pull logs yourself with the Log APIs; however, polling counts against your API rate limits. Beyond extending data retention (which varies by subscription), these integrations let security teams perform more sophisticated threat hunting and analysis, such as counting events per user over a time window, which a plain dashboard filter cannot express.
What is available today
The initial release includes 23 detections, which were shared by the Okta Identity Defense team.
Each detection is a simple YAML file containing everything you need to detect suspicious events and respond to them. The detection rules in the detections/ directory follow the Sigma rule specification v2.0.0, and each contains the standard Sigma fields plus additional Auth0-specific attribution and context fields.
Here is an example of a detection for the MFA attack known as SMS pumping or SMS bombarding.
title: MFA attack - bombarding a user with SMS for MFA
id: 74a1ddea-7172-11f0-ace0-723487b9527c
status: experimental
description: >
  A threat actor can try to bombard a user with SMS messages for MFA in order to deplete the customer's SMS quota, leading to Denial of Service.
author: Okta
date: 2025-07-11
modified: 2025-08-04
logsource:
  product: auth0
  service: mfa
detection:
  selection:
    data.type: gd_send_sms
    data.description: "Guardian - Second factor sms sent"
  condition: selection
explanation: >
  The query collects events issued when an SMS is sent.
  The Splunk detection is based on the number of SMS messages sent to a single user in a given period of time.
  If the number of SMS messages sent to a user exceeds a threshold, it is likely that the user is being bombarded with SMS messages.
  The threshold can be adjusted based on the customer's environment and the expected number of SMS messages sent to a user.
  The query prints the affected users.
splunk: >
  index=auth0 data.tenant_name="{your-tenant-name}"
  data.description="Guardian - Second factor sms sent"
  ```The period of observations - adjust```
  | bin _time span=1h
  | stats count as sms_per_user by data.user_id
  | where sms_per_user > {threshold_for_max_sms}
comments: >
  The Splunk query above should be tuned to reflect a valid tenant_name, a threshold, e.g. 10, and the span of the considered time period, set to 1 hour by default.
tenant_logs: >
  type: "gd_send_sms" AND description: "Guardian - Second factor sms sent"
prevention:
  - Limit the number of SMS messages sent to a user in a given period of time.
  - Consider using alternative MFA methods, such as push notifications or authenticator apps, to reduce the reliance on SMS for MFA.
  - Deploy a send-phone-message Action implementing throttling logic to prevent excessive SMS notifications, e.g. exceeding 10 SMS sent per hour.
falsepositives:
  - Legitimate users requesting multiple SMS messages in a short period of time, e.g. due to lost or delayed messages.
level: medium
tags:
  - attack.impact
  - attack.t1499.002
In addition to the standard Sigma fields, each detection carries the following custom fields, which provide more context and, more importantly, prevention alternatives for each detection.
| Field Name | Description |
|---|---|
| tenant_logs | Raw Auth0 log query in Lucene syntax, as used in the Auth0 Dashboard |
| prevention | Human-readable suggestions on how to prevent the attack covered by the detection rule |
| explanation | Human-readable long-form explanation of the Sigma and Splunk queries |
| splunk | Detailed example Splunk query going beyond what Sigma automatically generates |
| comments | Additional information on the rule |
Get started
The README file provides instructions on how to adopt and start using the rules.
- Each detection can be converted with Sigma CLI into the query language of any SIEM backend Sigma supports and deployed in the corresponding tool.
- Or you can parse the YAML files with your own tooling, such as a Python YAML parser, extract the custom fields, such as the Splunk Search Processing Language query, and automate the deployment.
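As an added example (not code from the catalog or from Auth0), the following Python shows what that second route looks like end to end for the SMS-bombarding rule above: the rule's Sigma selection is matched against Auth0 log-stream events, the Splunk pipeline (1-hour bins, per-user count, threshold) is reproduced in Python, and the two placeholders in the splunk field are filled in for deployment. The rule is written out as the dict a YAML parser such as yaml.safe_load would return for the fields used; the events, the tenant name and the placement of the timestamp in data.date are constructed assumptions, not real tenant logs.

```python
"""Run the SMS-bombarding detection against sample Auth0 log-stream events.

Added example, not code from the Auth0 Security Detection Catalog. The rule is
given as the dict yaml.safe_load would return for the relevant fields; the
events below are constructed and nest the Auth0 log entry under 'data'.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Relevant fields of the detection above, as a YAML parser would return them.
RULE = {
    "title": "MFA attack - bombarding a user with SMS for MFA",
    "detection": {
        "selection": {
            "data.type": "gd_send_sms",
            "data.description": "Guardian - Second factor sms sent",
        },
        "condition": "selection",
    },
    "splunk": (
        'index=auth0 data.tenant_name="{your-tenant-name}" '
        'data.description="Guardian - Second factor sms sent" '
        "| bin _time span=1h "
        "| stats count as sms_per_user by data.user_id "
        "| where sms_per_user > {threshold_for_max_sms}"
    ),
}


def get_field(event, dotted):
    """Resolve a Sigma field name such as 'data.type' against a nested event."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_selection(event, rule):
    """Key/value pairs inside one Sigma selection map are ANDed; the rule's
    condition is simply 'selection', so this is the complete match logic."""
    selection = rule["detection"]["selection"]
    return all(get_field(event, key) == value for key, value in selection.items())


def sms_bombarding_users(events, rule, threshold=10, span=timedelta(hours=1)):
    """Port of the Splunk pipeline: keep matching events, bin them into fixed
    time spans (bin _time span=1h), count per user (stats count by
    data.user_id) and return the users above the threshold (where ...)."""
    counts = defaultdict(int)
    span_seconds = int(span.total_seconds())
    for event in events:
        if not matches_selection(event, rule):
            continue
        # Assumption: the Auth0 log timestamp sits at data.date in ISO 8601.
        ts = datetime.fromisoformat(event["data"]["date"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // span_seconds  # same bucket -> same bin
        counts[(event["data"]["user_id"], bucket)] += 1
    return sorted({user for (user, _), n in counts.items() if n > threshold})


def render_splunk(rule, tenant, threshold):
    """Fill the two placeholders the catalog leaves in the splunk field."""
    return (rule["splunk"]
            .replace("{your-tenant-name}", tenant)
            .replace("{threshold_for_max_sms}", str(threshold)))


def sample_events():
    """Constructed Auth0 log-stream events (log fields nested under 'data')."""
    base = datetime(2025, 8, 4, 10, 0, tzinfo=timezone.utc)

    def sms(user, minutes):
        return {"data": {"type": "gd_send_sms",
                         "description": "Guardian - Second factor sms sent",
                         "user_id": user, "tenant_name": "example-tenant",
                         "date": (base + timedelta(minutes=minutes)).isoformat()}}

    events = [sms("auth0|victim", m) for m in range(0, 24, 2)]     # 12 in one hour
    events += [sms("auth0|normal", 0), sms("auth0|normal", 5)]     # lost-message retry
    events += [sms("auth0|spread", m) for m in range(0, 720, 60)]  # 12 across 12 hours
    # A different Guardian event type for the victim: must not be counted.
    events.append({"data": {"type": "gd_auth_failed",
                            "description": "Guardian - Multi-factor authentication failed",
                            "user_id": "auth0|victim", "tenant_name": "example-tenant",
                            "date": base.isoformat()}})
    return events


if __name__ == "__main__":
    print("flagged users:", sms_bombarding_users(sample_events(), RULE))
    print(render_splunk(RULE, "example-tenant", 10))
```

Only auth0|victim is flagged: the retrying user stays under the threshold and the user who received one SMS per hour never exceeds it in any single bin. Note that `bin _time span=1h`, like this port, uses fixed hour boundaries, so a burst of twelve messages from 10:55 to 11:05 splits into two bins of six and slips under a threshold of 10; if that matters in your environment, use a sliding window (for example Splunk's `streamstats` with a `time_window`) and tune the threshold accordingly.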
Security threats are a concern for everyone, and the good news is that we are all in this together. The Okta Identity Defense team regularly updates the catalog with new detections, and we invite the community to contribute and expand the list.