View Anomaly Detection Events
The tenant logs contain useful data that you can use to build charts to look at the profile of the traffic going through your tenant. This is helpful when evaluating anomaly detection activity.
Authentication failure events
You can use the log data event field to view the tenant traffic data. We recommend building a daily histogram of failure events of the following types:
||Failed cross-origin authentication|
||Failed silent authentication|
||Failed login (invalid email/username)|
These failure events depend on the flow you have set up with Auth0.
The following example shows a credential stuffing attack on 11/20, with a large surge of events of type fu, which is a failed username (typical of a credential stuffing attack).
Authentication failure events from distinct IPs
You can use the ip event to see the number of distinct IPs that your failure traffic is coming from; in this case, the number of distinct IPs that correspond to your fu event traffic.
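The two charts described above can be computed from an exported log file with a short script. This is an added example, not Auth0 code: it assumes one JSON record per line with `date`, `type` and `ip` keys (adjust the names to your export), the sample records are constructed, and the surge flag is an added heuristic rather than anything the tenant computes.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Failure codes to chart. Only "fu" is named on this page; add the other
# failure codes that your authentication flow produces.
FAILURE_TYPES = {"fu"}

def daily_profile(lines, types=FAILURE_TYPES):
    """Return {day: {"count": n, "distinct_ips": m}} for the chosen event types."""
    counts, ips = defaultdict(int), defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") not in types:
            continue
        # Bucket by UTC calendar day; key names here are assumptions.
        stamp = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        day = stamp.date().isoformat()
        counts[day] += 1
        if rec.get("ip"):
            ips[day].add(rec["ip"])
    return {d: {"count": counts[d], "distinct_ips": len(ips[d])}
            for d in sorted(counts)}

def surge_days(profile, factor=3.0):
    """Days whose failure count exceeds factor x the median daily count."""
    if not profile:
        return []
    base = median(v["count"] for v in profile.values())
    return [d for d, v in profile.items() if v["count"] > factor * base]

def build_sample():
    """Constructed records: a quiet baseline, then a surge on 11/20."""
    rows = []
    for day, n in (("18", 2), ("19", 3), ("20", 12)):
        for i in range(n):
            rows.append(json.dumps({"date": f"2023-11-{day}T10:{i:02d}:00Z",
                                    "type": "fu", "ip": f"198.51.100.{i % 8}"}))
    # A successful login, which must not be counted as a failure.
    rows.append(json.dumps({"date": "2023-11-20T11:00:00Z",
                            "type": "s", "ip": "192.0.2.1"}))
    return rows

if __name__ == "__main__":
    profile = daily_profile(build_sample())
    for day, row in profile.items():
        print(day, row["count"], row["distinct_ips"])
    print("surge:", surge_days(profile))
```

A surge in failures that comes with a matching rise in distinct IPs points to distributed traffic, while a surge from a handful of IPs is the case that per-IP blocking handles.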
Anomaly detection events
You can perform the same type of analysis on the log events that correspond to anomaly detection to see how many times each one is triggered. Use the following log events, which correspond to brute force detection with many accounts, brute force detection with one account, and breached password detection:
||Blocked IP address|
Here's an example of what that data might look like.