Skip to content

Auth0

Auth0

About

Auth0’s identity and management platform provides greater control, superior security, and ease of use.

Product Details

Vendor URL: Auth0: Secure access for everyone. But not just anyone.

Product Type: Authentication

Product Tier: Tier II

Integration Method: Cloud Syslog

Integration URL: Auth0 - Cyderes Documentation

Log Guide: Logs - Auth0

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: AUTH_ZERO

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
data.client_id principal.asset.product_object_id
data.client_name principal.hostname
data.connection security_result.rule_type
data.connection_id security_result.rule_id
data.details.request.auth.user.email metadata.description
SSO extensions.auth.type
data.ip principal.ip
data.ip principal.asset.ip
data.client_ip principal.ip
data.client_ip principal.asset.ip
data.details.request.ip principal.ip
data.details.request.ip principal.asset.ip
data.log_id metadata.product_log_id
Statically Defined metadata.description
Statically Defined metadata.event_type
Statically Defined metadata.product_name
Statically Defined metadata.vendor_name
data.details.request.userAgent network.http.user_agent
data.details.request.auth.user.email principal.user.email_addresses
data.details.request.auth.user.name principal.user.user_display_name
data.details.prompts.0.identity principal.user.product_object_id
data.details.prompts.0.name security_result.rule_name
ALLOWED/BLOCKED/FAIL security_result.action
AUTH_VIOLATION security_result.category
Authentication Failure/Successful Login. security_result.description
UNKNOWN_SEVERITY security_result.severity
data.description security_result.summary
data.details.stats.loginsCount additional.logins_count
data.hostname target.asset.hostname
data.hostname target.hostname
data.user_name target.user.user_display_name
data.user_name target.user.userid
data.type metadata.description
data.user_agent network.http.user_agent

Product Event Types

type,subtype severity UDM Event Classification alerting enabled
s,se,f USER_LOGIN
DEFAULT GENERIC_EVENT

Log Sample

{"log_id":"00000000000000000000000000000000001","data":{"user_name":"john.doe@company.com","connection_id":"con_23302020jfkldfaksjfksdajl","ip":"10.10.10.1","details":{"prompts":[{"name":"lock-password-authenticate","connection":"lpc-users","connection_id":"con_23302020jfkldfaksjfksdajl","strategy":"auth0","stats":{"loginsCount":98},"elapsedTime":349,"initiatedAt":1657216755096,"completedAt":1657216755445,"identity":"00001"},{"timers":{"rules":105},"elapsedTime":4006,"name":"login","flow":"login","initiatedAt":1657216751444,"completedAt":1657216755450,"user_id":"auth0|00001","user_name":"john.doe@company.com"},{"performed_acr":["http://cyderes.com"],"performed_amr":["mfa"],"provider":"guardian","elapsedTime":29090,"name":"mfa","flow":"universal-mfa","initiatedAt":1657216756005,"completedAt":1657216785095}],"initiatedAt":1657216751433,"completedAt":1657216785595,"elapsedTime":34162,"session_id":"ljfadslfjsakfjkekjfakjfklewjJKDAFJLFJA","stats":{"loginsCount":98}},"log_id":"00000000000000000000000000000000001","connection":"lpc-users","client_id":"lgT9393939002929899H","user_id":"auth0|00001","strategy_type":"database","date":"2022-07-07T17:59:45.597Z","client_name":"computer-sideend","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","type":"s","hostname":"computer1.company.com","strategy":"auth0"}}

Sample Parsing

metadata.product_log_id = "00000000000000000000000000000000001"
metadata.event_timestamp = "2022-07-07T17:59:45.597Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Auth0"
metadata.product_name = "Auth0 Event"
metadata.product_event_type = "s"
metadata.description = "Success Login"
additional.logins_count = "98"
principal.hostname = "computer-sideend"
principal.user.product_object_id = "00001"
principal.ip = "10.10.10.1"
principal.asset.product_object_id = "lgT9393939002929899H"
principal.asset.hostname = "computer-sideend"
principal.asset.ip = "10.10.10.1"
target.hostname = "computer1.company.com"
target.user.userid = "john.doe@company.com"
target.user.user_display_name = "john.doe@company.com"
target.asset.hostname = "computer1.company.com"
security_result.rule_name = "lock-password-authenticate"
security_result.description = "Successful Login."
security_result.action = "ALLOW"
security_result.rule_id = "con_23302020jfkldfaksjfksdajl"
security_result.rule_type = "lpc-users"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
extensions.auth.type = "SSO"

Parser Alerting

This product currently does not have any Parser-based Alerting