Vendor: Auth0

May 13, 2026 · View on GitHub

Product: Auth0

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
276	107	51	12	19

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-deleted ↳auth0-a-json-user-delete-success-userdeletion account-password-change ↳auth0-a-json-user-password-modify-success-changepassword app-activity ↳auth0-a-json-http-session-success-sapi ↳auth0-a-json-app-activity-success-catchall app-login ↳auth0-a-json-app-login-success-s ↳auth0-a-json-app-login-success-seacft ↳auth0-a-json-app-login-success-ss ↳auth0-a-json-app-login-success-ssa ↳auth0-a-json-app-login-success-seccft ↳auth0-a-json-app-login-success-changeemail authentication-failed ↳silverfort-s-kv-endpoint-login-fail-request ↳auth0-a-json-app-authentication-fail-warning ↳auth0-a-json-app-authentication-fail-gd_auth_failed authentication-successful ↳auth0-a-json-app-authentication-success-startauth ↳auth0-a-json-app-authentication-success-gd_auth_succeed ↳auth0-a-json-endpoint-login-success-verification ↳auth0-a-json-endpoint-login-success-exchange failed-app-login ↳auth0-a-json-app-login-fail-fcpr ↳auth0-a-json-app-login-fail-limitwc ↳auth0-a-json-app-login-fail-apilimit ↳auth0-a-json-app-login-fail-fu ↳auth0-a-json-app-login-fail-fsa failed-logon ↳auth0-a-json-endpoint-login-fail-invalidrequest-1 ↳auth0-a-json-endpoint-login-fail-invalidrequest ↳eset-ep-leef-endpoint-login-fail-auditevent remote-logon ↳ca-pamsc-kv-rdp-traffic-success-connection web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1021 - Remote Services T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services	46 Rules 22 Models
Account Manipulation	account-deleted ↳auth0-a-json-user-delete-success-userdeletion account-password-change ↳auth0-a-json-user-password-modify-success-changepassword app-activity ↳auth0-a-json-http-session-success-sapi ↳auth0-a-json-app-activity-success-catchall	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1531 - Account Access Removal	6 Rules 2 Models
Brute Force Attack	failed-logon ↳auth0-a-json-endpoint-login-fail-invalidrequest-1 ↳auth0-a-json-endpoint-login-fail-invalidrequest ↳eset-ep-leef-endpoint-login-fail-auditevent	T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules
Cryptomining	web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	1 Rules
Data Exfiltration	web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	7 Rules 2 Models
Data Leak	app-activity ↳auth0-a-json-http-session-success-sapi ↳auth0-a-json-app-activity-success-catchall web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1114 - Email Collection T1114.003 - Email Collection: Email Forwarding Rule T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	8 Rules 2 Models
Phishing	web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1189 - Drive-by Compromise T1204 - User Execution T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1598 - T1598 T1598.003 - T1598.003	3 Rules
Workforce Protection	web-activity-allowed ↳auth0-a-json-http-session-success-mgmt_api_read ↳forcepoint-wsg-cef-http-session-success-httpurllogged	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing	User Execution	Create Account External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts Exploitation for Privilege Escalation	Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash Use Alternate Authentication Material: Pass the Ticket Obfuscated Files or Information Valid Accounts: Local Accounts	OS Credential Dumping Brute Force Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting	File and Directory Discovery Remote System Discovery	Exploitation of Remote Services Remote Services Use Alternate Authentication Material Remote Services: Remote Desktop Protocol Internal Spearphishing	Email Collection Email Collection: Email Forwarding Rule	Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Account Access Removal Resource Hijacking