Rules by Product and UseCase

April 15, 2026 · View on GitHub

Vendor: Auth0

Product: Auth0

Use-Case: Privileged Activity

RulesModelsMITRE ATT&CK® TTPsActivity TypesParsers
2187814
Event TypeRulesModels
app-activityT1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-AT-PRIV: Non-privileged user performing privileged application activity		APP-AT-PRIV: Privileged application activities
app-loginT1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
failed-app-loginT1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
failed-logonT1078 - Valid Accounts
SEQ-UH-12: Logon attempt on a disabled account

T1068 - Exploitation for Privilege Escalation
ALERT-EXEC: Security violation by Executive
file-readT1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account
remote-logonT1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-UH-CS-NC: Logon to a critical system for a user with no information
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset

T1021 - Remote Services
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization

T1078.002 - T1078.002
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization

T1068 - Exploitation for Privilege Escalation
ALERT-EXEC: Security violation by Executive		AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
RL-OZ-DC: Source zones in the organization during domain controller access
RL-UZ-DC: Source zones per user logging into domain controller
RA-UH: Assets accessed by this user remotely
AL-UH-DC: Logons to Domain Controllers
AL-OU-CS: Logon to critical servers
security-alertT1068 - Exploitation for Privilege Escalation
ALERT-EXEC: Security violation by Executive
web-activity-allowedT1071 - Application Layer Protocol
WEB-ALERT-EXEC: Security violation by Executive in web activity
A-WEB-DC: Web activity event on a Domain Controller

T1071.001 - Application Layer Protocol: Web Protocols
WEB-ALERT-EXEC: Security violation by Executive in web activity
A-WEB-DC: Web activity event on a Domain Controller

T1102 - Web Service
A-WEB-DC: Web activity event on a Domain Controller

T1078 - Valid Accounts
WEB-ALERT-EXEC: Security violation by Executive in web activity