The "content" Property from the limit_mu Event Code Mismatches the Suspicious IP Throttling Configuration when Using Datadog for Log Streaming

Overview

When using Datadog as the log streaming service, the “content” property for the limit_mu log entries will show:

An IP address is blocked with 100 failed login attempts using different usernames, all with incorrect passwords in 24 hours, or 50 sign-up attempts per minute from the same IP address.

The figure of 100 failed login attempts matches neither the thresholds configured in the tenant’s Suspicious IP Throttling attack protection nor the failed login attempts recorded in the tenant logs.

Applies To

  • Datadog log stream

Cause

The “content” property comes from a Datadog enrichment that adds the event filter description from this documentation.

Solution

Use the “data.description” property in Datadog, which reflects what is obtained from the tenant logs for event code limit_mu.