- Abnormal bursts in traffic to the login flow that result in errors (such as wrong username or password errors).
- Abnormal bursts in traffic coming from IP locales that are not expected.
event field to view tenant traffic data. We recommend building a daily histogram of failure events of the following types:
These failure events depend on the flow you have set up with Auth0.
The following example shows a credential stuffing attack on 02/13, with a large surge of events of type
fu which is a failed username (typical of a credential stuffing attack).

Rate of errors in login flow
Look for a surge or an abnormal number of errors for incorrect username or password. For example: Do you expect >30,000 errors per hour?
Here’s an example of what the data might look like.

Rate of attack protection events
Look for abnormally high traffic for attack protection events such as or brute-force attacks for multiple accounts.
Here’s an example of what the data might look like.

Number of IPs producing errors and their locations
Look for a high number of IPs from locales that do not make sense. For example: Do you expect traffic from 10,000 IPs from Russia every day? Observeip address data in conjunction with fu event traffic to determine where the failure traffic is coming from.
IP geolocation data isn’t available in the tenant logs unless you’re able to enrich it from another location.
Here’s an example of what the data might look like:
