Auth0 Logs
Panther supports receiving Auth0 logs directly via webhook
Last updated
Panther supports receiving Auth0 logs directly via webhook
Last updated
Panther ingests Auth0 tenant logs by configuring Auth0's log streaming service to post events to a Panther HTTP source.
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Auth0,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.
Log in to your Auth0 tenant.
From the dashboard, navigate to Monitoring > Streams.
Click Create Stream.
Select Custom Webhook.
Give your Event Stream a descriptive name, e.g., Panther Log Stream
.
In the Payload URL field, paste the URL for the Auth0 HTTP source in Panther you generated in the previous step of this process.
In the Authorization Token field, enter the bearer token you used when setting up the Auth0 source in Panther, in the previous step of this process.
Enter this value in the form Bearer <token value>
.
Click Save.
See Panther-managed rules for Auth0 in the panther-analysis GitHub repository.
Required fields in the schema are listed as "required: true"
Auth0.Events are event logs from the Auth0 log stream. For more information, see Auth0's documentation on tenant log events.