# Auth0 Logs (Beta)

## Overview

{% hint style="info" %}
Auth0 log ingestion is in open beta starting with Panther version 1.73. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther ingests Auth0 tenant logs by configuring [Auth0's log streaming service](https://auth0.com/docs/customize/log-streams) to post events to a Panther [HTTP source](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/http).

## How to onboard Auth0 logs to Panther

### Step 1: Create a new Auth0 source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Auth0,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![The Auth0 log source setup page is shown, in the Panther Console. In the upper-right corner, the Transport Mechanism dropdown has a value of "HTTP," and to its right is a Start Setup button. Both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FDkBaA7Iv4mO1TNhCd4Ni%2FScreenshot%202023-06-07%20at%204.35.28%20PM.png?alt=media\&token=c71231c6-1b29-4aee-8e0a-891f237cc780)
5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/data-transports/http).
   * You will be required to use [bearer authentication](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-transports/http#bearer). This is the only method of authentication Auth0 supports.

### Step 2: Create a new Log Stream in Auth0

1. Log in to your Auth0 tenant.
2. From the dashboard, navigate to **Monitoring** > **Streams**.
3. Click **Create Stream**.
4. Select **Custom Webhook**.
5. Give your Event Stream a descriptive name, e.g., `Panther Log Stream`.
6. In the **Payload URL** field, paste the URL of the Auth0 HTTP source that you generated in Panther in the previous step of this process.
7. In the **Authorization Token** field, enter the bearer token you used when setting up the Auth0 source in Panther in the previous step of this process.
   * Enter this value in the form `Bearer <token value>`.
8. Click **Save**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Auth0 in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/auth0_rules).

## Supported log types

{% hint style="info" %}
Required fields in the schema are listed as **"required: true"**.
{% endhint %}

### Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see [Auth0's documentation on tenant log events](https://auth0.com/docs/deploy-monitor/logs).

```yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
    - name: log_id
      required: true
      description: The ID of the log.
      type: string
    - name: data
      required: true
      description: The data object containing information about the log.
      type: object
      fields:
        - name: date
          description: Date/Time when the event occurred.
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: type
          description: Type of event.
          type: string
        - name: description
          description: Description of this event.
          type: string
        - name: connection
          description: Name of the connection the event relates to.
          type: string
        - name: connection_id
          description: ID of the connection the event relates to.
          type: string
        - name: client_id
          description: ID of the client (application).
          type: string
        - name: client_name
          description: Name of the client (application).
          type: string
        - name: ip
          description: IP address of the log event source.
          type: string
          indicators:
            - ip
        - name: hostname
          description: Hostname the event applies to.
          type: string
        - name: user_id
          description: ID of the user involved in the event.
          type: string
          indicators:
            - username
        - name: user_name
          description: Name of the user involved in the event.
          type: string
          indicators:
            - username
        - name: audience
          description: API audience the event applies to.
          type: string
        - name: scope
          description: Scope permissions applied to the event.
          type: string
        - name: strategy
          description: Name of the strategy involved in the event.
          type: string
        - name: strategy_type
          description: Type of strategy involved in the event.
          type: string
        - name: details
          description: Additional useful details about this event (structure is dependent upon event type).
          type: json
        - name: log_id
          description: Unique ID of the event.
          type: string
        - name: is_mobile
          description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
          type: boolean
        - name: user_agent
          description: User agent string from the client device that caused the event.
          type: string
        - name: location_info
          description: Information about the location that triggered this event based on the IP.
          type: object
          fields:
            - name: country_code
              description: Two-letter Alpha-2 ISO 3166-1 country code.
              type: string
            - name: country_code3
              description: Three-letter Alpha-3 ISO 3166-1 country code.
              type: string
            - name: country_name
              description: Full country name in English.
              type: string
            - name: city_name
              description: Full city name in English.
              type: string
            - name: latitude
              description: Global latitude position.
              type: float
            - name: longitude
              description: Global longitude position.
              type: float
            - name: time_zone
              description: Time zone name as found in the tz database.
              type: string
            - name: continent_code
              description: Two-letter continent code.
              type: string
```
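
A pre-flight check against the schema above, added here as an example (it is not Panther's code): it tests one log-stream event for the two required fields, parses `data.date` as RFC 3339, and collects the values the schema tags as `ip` and `username` indicators. The names `check_event` and `parse_rfc3339` are hypothetical, and the sample event is constructed.

```python
from datetime import datetime

REQUIRED = ("log_id", "data")  # the fields marked "required: true" in the schema
INDICATORS = {"ip": ("ip",), "username": ("user_id", "user_name")}

SAMPLE_EVENT = {  # constructed sample, not a captured Auth0 event
    "log_id": "constructed-log-id-0001",
    "data": {
        "date": "2023-06-07T20:35:28.123Z",
        "ip": "203.0.113.7",
        "user_id": "auth0|constructed-user",
        "user_name": "user@example.com",
    },
}


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp string; reject values without an offset."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("RFC 3339 requires a UTC offset")
    return parsed


def check_event(event):
    """Return (problems, event_time, indicators) for one log-stream event."""
    problems = [f"missing required field: {n}" for n in REQUIRED if n not in event]
    data = event.get("data")
    if not isinstance(data, dict):
        if "data" in event:
            problems.append("data is not an object")
        return problems, None, {}
    event_time = None
    try:
        event_time = parse_rfc3339(data["date"])
    except KeyError:
        problems.append("data.date absent (schema marks it isEventTime)")
    except (AttributeError, TypeError, ValueError):
        problems.append("data.date is not RFC 3339")
    indicators = {}
    for kind, fields in INDICATORS.items():
        values = sorted({data[f] for f in fields if isinstance(data.get(f), str)})
        if values:
            indicators[kind] = values
    return problems, event_time, indicators


if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
```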
