Feature: Request for the ability to suppress security alerts triggered by individual end-users/IPs.
Description: The current security-alert flow notifies tenant administrators every hour while suspicious activity or traffic is being detected. This gives a near-immediate response time for any potential threat, but it does not differentiate between severe, coordinated, active threats and minor, situational events that are either negligible or have already been addressed.
At present, Auth0 users have no way to alter or customize the behavior of these alerts. This leads to situations where administrators receive constant alerts reporting the most recent malicious activity, even when that activity comes from the same repeat offender, using the same account or the same IP address, and even after that account or address has already been manually blocked. Because such an offender cannot be isolated from the alert stream, monitoring the overall situation becomes a poor experience, and the noise can distract from other incoming attacks.
This post is meant to address this gap and to request an option to suppress upcoming security alerts triggered by individual compromised accounts or IP addresses. A repeat offender would then no longer cause distraction or ambiguity, and administrators could focus on monitoring potential new attacks. The security measures themselves would still be triggered; only the notifications would stop generating internal spam.
Use-case: An incident in which a single user account had been compromised. The attacker repeatedly attempted to log in with incorrect credentials, which caused Auth0 to initiate its Brute Force Protection routine. The user was flagged and the IP was blocked, followed by a 30-day restriction. This did not stop the attacker from attempting further invalid authentications, which caused Brute Force Protection to trigger again and another alert to be sent. The pattern continued even after the user was manually blocked by the tenant administrators, resulting in alerts being sent every hour for several days.
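As an added illustration of the requested behavior (example code written for this post, not Auth0's own implementation), the following hourly digest filter mutes repeat alerts from a user or IP that an administrator has already blocked, while still counting them and letting them resurface once the block expires. The alert fields, event label, user identifier and addresses are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example (not Auth0 code): an hourly alert digest that mutes repeat
# alerts from users or IPs an administrator has already blocked. The
# underlying protection and the block itself stay in force; only the
# notification is suppressed.

@dataclass(frozen=True)
class Alert:
    ts: datetime
    kind: str      # constructed label, e.g. "brute_force"
    user: str      # user identifier (constructed)
    ip: str        # source address (constructed, documentation range)

class Suppressions:
    """Mutes keyed by user or IP, each with an expiry (e.g. a 30-day block)."""
    def __init__(self) -> None:
        self.users: Dict[str, datetime] = {}
        self.ips: Dict[str, datetime] = {}

    def mute_user(self, user: str, until: datetime) -> None:
        self.users[user] = until

    def mute_ip(self, ip: str, until: datetime) -> None:
        self.ips[ip] = until

    def covers(self, a: Alert) -> bool:
        # A mute applies only while it has not expired at the alert's time.
        u = self.users.get(a.user)
        i = self.ips.get(a.ip)
        return (u is not None and a.ts < u) or (i is not None and a.ts < i)

def digest(alerts: List[Alert], mutes: Suppressions) -> Tuple[List[Alert], Dict[Tuple[str, str], int]]:
    """Split alerts into those to notify on and a per-(user, ip) count of muted ones."""
    send: List[Alert] = []
    muted: Dict[Tuple[str, str], int] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if mutes.covers(a):
            muted[(a.user, a.ip)] = muted.get((a.user, a.ip), 0) + 1
        else:
            send.append(a)
    return send, muted

def sample_run() -> Tuple[List[Alert], Dict[Tuple[str, str], int]]:
    """Constructed scenario: one blocked user keeps tripping brute-force protection hourly."""
    t0 = datetime(2024, 1, 1, 0, 0)
    m = Suppressions()
    m.mute_user("usr_constructed", t0 + timedelta(days=30))   # admin blocked the account
    sample = [Alert(t0 + timedelta(hours=h), "brute_force", "usr_constructed", "203.0.113.7") for h in (1, 2, 3)]
    sample.append(Alert(t0 + timedelta(hours=2), "brute_force", "usr_other", "198.51.100.9"))  # new offender
    sample.append(Alert(t0 + timedelta(days=31), "brute_force", "usr_constructed", "203.0.113.7"))  # after expiry
    return digest(sample, m)
```

Running `sample_run()` yields two alerts to send (the unrelated offender and the post-expiry repeat) and three muted entries for the blocked account.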