Tenant Log Event Not Generated or Notification Email Not Received after an Attack Protection Feature is Triggered

Problem statement

The user or an IP address is blocked by the Attack Protection features – Brute Force Protection, Suspicious IP Throttling, or Breached Password Detection – but the user did not receive the notification email, or there was no tenant log event (limit_wc, limit_mu, and pwd_leak) generated every time.

For example, the email was sent for the first time, but no email was sent afterward if there were more failed login attempts.
Is there a time window for when the email will be sent again?

Solution

When the Auth0 Attack Protection features, depending on the configurations in the tenant, a certain set of actions, e.g., blocking the user, throttling the IP addresses, notifying the user/admin, etc, will be taken.

Some of the actions are taken only once in a certain time window, which is the designed behavior in order to protect the user and Auth0 from the attacking traffic.

The table below gives the details:

Block Further Login Attempts, User Account, or Offending IP Email the Affected User Email the Tenant Admin Tenant Log
Brute Force Protection Always Throttled N/A Throttled
Suspicious IP Throttling Always N/A Throttled Throttled
Breached Password Detection Always Throttled Throttled Throttled

Always - If the action is enabled, it is always actioned.
Throttled - If the action is enabled, the action is throttled to happen only once in a certain time window.

NOTE: Actions listed in the above table can be customized to be enabled/disabled in the tenant. The “Always” or “Throttled” described in the above table only applies when that action is enabled.