Auth0 Logs

Panther supports receiving Auth0 logs directly via webhook.

Overview

Panther ingests Auth0 tenant logs by configuring Auth0's log streaming service to post events to a Panther HTTP source.

How to onboard Auth0 logs to Panther

Step 1: Create a new Auth0 source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Auth0,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.

Step 2: Create a new Log Stream in Auth0

  1. Log in to your Auth0 tenant.

  2. From the dashboard, navigate to Monitoring > Streams.

  3. Click Create Stream.

  4. Select Custom Webhook.

  5. Give your Event Stream a descriptive name, e.g., Panther Log Stream.

  6. In the Payload URL field, paste the URL of the Auth0 HTTP source you created in Panther in the previous step.

  7. In the Authorization Token field, enter the bearer token you used when setting up the Auth0 source in Panther, in the previous step of this process.

    • Enter this value in the form Bearer <token value>.

  8. Click Save.
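The two steps above set up one contract: Auth0 posts a JSON array of events to the HTTP source and proves its identity with an Authorization header of the form Bearer <token value>. The following receiver-side sketch is an added example, not Panther's code, showing what the receiving end has to verify before it trusts a batch: the scheme must be exactly Bearer, the token must match in constant time, and every event must carry the two required schema fields (log_id and data) with data.date parsed as the RFC 3339 event time. The token value, log IDs, IP addresses and user names are constructed for the example.

```python
"""Receiver-side checks for an Auth0 log stream webhook (added example, not Panther's code)."""
import hmac
import json
from datetime import datetime, timezone

# Constructed: the token value configured on the Panther HTTP source and pasted into
# Auth0's Authorization Token field as "Bearer <token value>".
EXPECTED_TOKEN = "example-bearer-token-value"

# Required top-level fields of the Auth0.Events schema.
REQUIRED_TOP_LEVEL = ("log_id", "data")


def check_authorization(header_value, expected_token=EXPECTED_TOKEN):
    """True only if the header is exactly 'Bearer <token>' and the token matches.

    hmac.compare_digest keeps the comparison constant-time, so a wrong token
    cannot be narrowed down byte by byte through response timing.
    """
    if not header_value:
        return False
    parts = header_value.split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer" or not parts[1]:
        return False
    return hmac.compare_digest(parts[1].encode(), expected_token.encode())


def parse_stream_payload(body):
    """Parse one log-stream batch into normalized records.

    Each record carries log_id, the UTC event time taken from data.date (the
    schema's isEventTime field) and a few commonly used data fields.
    Raises ValueError on a malformed batch so the caller can reject it whole.
    """
    events = json.loads(body)
    if not isinstance(events, list):
        raise ValueError("expected a JSON array of events")
    records = []
    for i, ev in enumerate(events):
        missing = [f for f in REQUIRED_TOP_LEVEL if f not in ev]
        if missing:
            raise ValueError(f"event {i} is missing required field(s): {missing}")
        data = ev["data"] or {}
        event_time = None
        if data.get("date"):
            # RFC 3339 writes UTC as "Z"; fromisoformat on older Pythons needs "+00:00".
            event_time = datetime.fromisoformat(
                data["date"].replace("Z", "+00:00")
            ).astimezone(timezone.utc)
        records.append({
            "log_id": ev["log_id"],
            "event_time": event_time,
            "type": data.get("type"),
            "user_name": data.get("user_name"),
            "ip": data.get("ip"),
        })
    return records


def handle_request(headers, body):
    """Full receive path: (HTTP status, parsed records or None)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not check_authorization(auth):
        return 401, None  # reject before touching the body
    try:
        return 200, parse_stream_payload(body)
    except ValueError:
        return 400, None


# Constructed sample batch in the shape the schema describes (log_id + data per event).
SAMPLE_BATCH = json.dumps([
    {"log_id": "LOGID-constructed-0001",
     "data": {"date": "2023-09-15T12:00:00.123Z", "type": "s",
              "description": "Successful login", "ip": "203.0.113.10",
              "user_id": "auth0|constructed1", "user_name": "alice@example.com",
              "client_name": "Example App", "is_mobile": False}},
    {"log_id": "LOGID-constructed-0002",
     "data": {"date": "2023-09-15T12:00:05Z", "type": "fp",
              "description": "Wrong password", "ip": "198.51.100.7",
              "user_id": "auth0|constructed2", "user_name": "bob@example.com",
              "client_name": "Example App", "is_mobile": True}},
])

if __name__ == "__main__":
    status, recs = handle_request({"Authorization": f"Bearer {EXPECTED_TOKEN}"}, SAMPLE_BATCH)
    print(status, [(r["log_id"], r["type"], r["event_time"]) for r in recs])
```

Note that a header of `bearer …` (lower-case scheme) or a bare token without the scheme is rejected, which is why Step 7 insists on the exact `Bearer <token value>` form.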

Panther-managed detections

See Panther-managed rules for Auth0 in the panther-analysis GitHub repository.

Supported log types

Required fields in the schema are listed as "required: true".

Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see Auth0's documentation on tenant log events.

schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
    - name: log_id
      required: true
      description: The ID of the log.
      type: string
    - name: data
      required: true
      description: The data object containing information about the log.
      type: object
      fields:
        - name: date
          description: Date/Time when the event occurred.
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: type
          description: Type of event.
          type: string
        - name: description
          description: Description of this event.
          type: string
        - name: connection
          description: Name of the connection the event relates to.
          type: string
        - name: connection_id
          description: ID of the connection the event relates to.
          type: string
        - name: client_id
          description: ID of the client (application).
          type: json
        - name: client_name
          description: Name of the client (application).
          type: string
        - name: ip
          description: IP address of the log event source.
          type: string
          indicators:
            - ip
        - name: hostname
          description: Hostname the event applies to.
          type: string
        - name: user_id
          description: ID of the user involved in the event.
          type: string
          indicators:
            - username
        - name: user_name
          description: Name of the user involved in the event.
          type: string
          indicators:
            - username
        - name: audience
          description: API audience the event applies to.
          type: string
        - name: scope
          description: Scope permissions applied to the event.
          type: string
        - name: strategy
          description: Name of the strategy involved in the event.
          type: string
        - name: strategy_type
          description: Type of strategy involved in the event.
          type: string
        - name: details
          description: Additional useful details about this event (structure is dependent upon event type).
          type: json
        - name: log_id
          description: Unique ID of the event.
          type: string
        - name: is_mobile
          description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
          type: boolean
        - name: user_agent
          description: User agent string from the client device that caused the event.
          type: string
        - name: location_info
          description: Information about the location that triggered this event based on the IP.
          type: object
          fields:
            - name: country_code
              description: Two-letter Alpha-2 ISO 3166-1 country code.
              type: string
            - name: country_code3
              description: Three-letter Alpha-3 ISO 3166-1 country code.
              type: string
            - name: country_name
              description: Full country name in English.
              type: string
            - name: city_name
              description: Full city name in English.
              type: string
            - name: latitude
              description: Global latitude position.
              type: float
            - name: longitude
              description: Global longitude position.
              type: float
            - name: time_zone
              description: Time zone name as found in the tz database.
              type: string
            - name: continent_code
              description: Two-letter continent code.
              type: string

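To show how the schema fields above are consumed by a detection, here is an illustrative Panther Python rule. It is an added example, not one of the Panther-managed rules in panther-analysis. It reads data.type, data.user_name, data.ip, data.client_name, data.user_agent, data.is_mobile and data.location_info.country_code as documented in the schema and flags failed logins. The event type codes "f", "fp" and "fu" are Auth0's tenant log codes for failed-login events and are taken from Auth0's documentation, not from this page; the sample event is constructed. Plain dict access is used instead of Panther's deep_get helper so the rule also runs locally on an ordinary dict.

```python
"""Illustrative Panther rule over Auth0.Events (added example, not a Panther-managed rule)."""

# Auth0 tenant log type codes for failed logins (from Auth0's docs, assumed here):
#   f  = failed login, fp = wrong password, fu = invalid email/username
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}


def _data(event):
    """The 'data' object of an Auth0.Events record (empty dict if absent)."""
    return event.get("data") or {}


def rule(event):
    """Fire on any failed-login event."""
    return _data(event).get("type") in FAILED_LOGIN_TYPES


def title(event):
    d = _data(event)
    return (f"Auth0 failed login for [{d.get('user_name', '<unknown>')}] "
            f"from [{d.get('ip', '<unknown>')}]")


def dedup(event):
    """Group alerts by target account, so repeated failures against one user form one alert thread."""
    return _data(event).get("user_name") or _data(event).get("user_id") or "<unknown>"


def alert_context(event):
    """Fields an analyst wants next to the alert without opening the raw event."""
    d = _data(event)
    loc = d.get("location_info") or {}
    return {
        "type": d.get("type"),
        "description": d.get("description"),
        "client_name": d.get("client_name"),
        "ip": d.get("ip"),
        "country_code": loc.get("country_code"),
        "is_mobile": d.get("is_mobile"),
        "user_agent": d.get("user_agent"),
    }


# Constructed sample event in the Auth0.Events shape, for local testing.
SAMPLE_FAILED_LOGIN = {
    "log_id": "LOGID-constructed-0002",
    "data": {
        "date": "2023-09-15T12:00:05Z",
        "type": "fp",
        "description": "Wrong password",
        "ip": "198.51.100.7",
        "user_id": "auth0|constructed2",
        "user_name": "bob@example.com",
        "client_name": "Example App",
        "is_mobile": True,
        "user_agent": "Mozilla/5.0 (constructed)",
        "location_info": {"country_code": "US", "city_name": "Example City"},
    },
}

if __name__ == "__main__":
    if rule(SAMPLE_FAILED_LOGIN):
        print(title(SAMPLE_FAILED_LOGIN), alert_context(SAMPLE_FAILED_LOGIN))
```

A single-event rule like this alerts on every failure; in practice you would pair it with Panther's threshold and deduplication settings so only a burst of failures against one account (the dedup key) becomes an alert.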