Use this file to discover all available pages before exploring further.
Your tenant logs contain useful data that you can use to build charts to look at the profile of the traffic going through your tenant. This is helpful when evaluating activity. For example, you can look for the following events to determine if you’re under attack:
Abnormal bursts in traffic to the login flow that result in errors (such as wrong username or password errors).
Abnormal bursts in traffic coming from IP locales that are not expected.
These events tend to happen without much change to the rate of successful logins.You can use your tenant log data event field to view tenant traffic data. We recommend building a daily histogram of failure events of the following types:
Event Code
Event
f
Failed login
fcoa
Failed cross-origin authentication
feccft
Failed exchange
fepft
Failed exchange
fsa
Failed silent authentication
fu
Failed login (invalid email/username)
pla
Pre-login assessment
sepft
Success exchange
These failure events depend on the flow you have set up with Auth0.The following example shows a credential stuffing attack on 02/13, with a large surge of events of type fu which is a failed username (typical of a credential stuffing attack).
Number of IPs producing errors and their locations
Look for a high number of IPs from locales that do not make sense. For example: Do you expect traffic from 10,000 IPs from Russia every day? Observe ip address data in conjunction with fu event traffic to determine where the failure traffic is coming from.IP geolocation data isn’t available in the tenant logs unless you’re able to enrich it from another location.Here’s an example of what the data might look like:
