Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: Auth0
Product: Auth0
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 22 | 9 | 7 | 9 | 13 |
| Event Type | Rules | Models |
|---|---|---|
| account-deleted | T1531 - Account Access Removal ↳ AM-UA-AD-F: First account deletion activity for user | • AE-UA: All activity for users |
| account-password-change | T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user | |
| app-activity | T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions • APP-AT-PRIV: Privileged application activities |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application | |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-12: Logon attempt on a disabled account | • AE-UA: All activity for users |
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| remote-logon | T1078 - Valid Accounts ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account | • AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |