Auth0

About
Auth0’s identity and management platform provides greater control, superior security, and ease of use.
Product Details
Vendor URL: Auth0: Secure access for everyone. But not just anyone.
Product Type: Authentication
Product Tier: Tier II
Integration Method: Cloud Syslog
Integration URL: Auth0 - Cyderes Documentation
Log Guide: Logs - Auth0
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: AUTH_ZERO
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| data.client_id | principal.asset.product_object_id |
| data.client_name | principal.hostname |
| data.connection | security_result.rule_type |
| data.connection_id | security_result.rule_id |
| data.details.request.auth.user.email | metadata.description |
| SSO | extensions.auth.type |
| data.ip | principal.ip |
| data.ip | principal.asset.ip |
| data.client_ip | principal.ip |
| data.client_ip | principal.asset.ip |
| data.details.request.ip | principal.ip |
| data.details.request.ip | principal.asset.ip |
| data.log_id | metadata.product_log_id |
| Statically Defined | metadata.description |
| Statically Defined | metadata.event_type |
| Statically Defined | metadata.product_name |
| Statically Defined | metadata.vendor_name |
| data.details.request.userAgent | network.http.user_agent |
| data.details.request.auth.user.email | principal.user.email_addresses |
| data.details.request.auth.user.name | principal.user.user_display_name |
| data.details.prompts.0.identity | principal.user.product_object_id |
| data.details.prompts.0.name | security_result.rule_name |
| ALLOWED/BLOCKED/FAIL | security_result.action |
| AUTH_VIOLATION | security_result.category |
| Authentication Failure/Successful Login. | security_result.description |
| UNKNOWN_SEVERITY | security_result.severity |
| data.description | security_result.summary |
| data.details.stats.loginsCount | additional.logins_count |
| data.hostname | target.asset.hostname |
| data.hostname | target.hostname |
| data.user_name | target.user.user_display_name |
| data.user_name | target.user.userid |
| data.type | metadata.description |
| data.user_agent | network.http.user_agent |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| s,se,f | | USER_LOGIN | |
| DEFAULT | | GENERIC_EVENT | |
Log Sample
{"log_id":"00000000000000000000000000000000001","data":{"user_name":"john.doe@company.com","connection_id":"con_23302020jfkldfaksjfksdajl","ip":"10.10.10.1","details":{"prompts":[{"name":"lock-password-authenticate","connection":"lpc-users","connection_id":"con_23302020jfkldfaksjfksdajl","strategy":"auth0","stats":{"loginsCount":98},"elapsedTime":349,"initiatedAt":1657216755096,"completedAt":1657216755445,"identity":"00001"},{"timers":{"rules":105},"elapsedTime":4006,"name":"login","flow":"login","initiatedAt":1657216751444,"completedAt":1657216755450,"user_id":"auth0|00001","user_name":"john.doe@company.com"},{"performed_acr":["http://cyderes.com"],"performed_amr":["mfa"],"provider":"guardian","elapsedTime":29090,"name":"mfa","flow":"universal-mfa","initiatedAt":1657216756005,"completedAt":1657216785095}],"initiatedAt":1657216751433,"completedAt":1657216785595,"elapsedTime":34162,"session_id":"ljfadslfjsakfjkekjfakjfklewjJKDAFJLFJA","stats":{"loginsCount":98}},"log_id":"00000000000000000000000000000000001","connection":"lpc-users","client_id":"lgT9393939002929899H","user_id":"auth0|00001","strategy_type":"database","date":"2022-07-07T17:59:45.597Z","client_name":"computer-sideend","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","type":"s","hostname":"computer1.company.com","strategy":"auth0"}}
Sample Parsing
metadata.product_log_id = "00000000000000000000000000000000001"
metadata.event_timestamp = "2022-07-07T17:59:45.597Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Auth0"
metadata.product_name = "Auth0 Event"
metadata.product_event_type = "s"
metadata.description = "Success Login"
additional.logins_count = "98"
principal.hostname = "computer-sideend"
principal.user.product_object_id = "00001"
principal.ip = "10.10.10.1"
principal.asset.product_object_id = "lgT9393939002929899H"
principal.asset.hostname = "computer-sideend"
principal.asset.ip = "10.10.10.1"
target.hostname = "computer1.company.com"
target.user.userid = "john.doe@company.com"
target.user.user_display_name = "john.doe@company.com"
target.asset.hostname = "computer1.company.com"
security_result.rule_name = "lock-password-authenticate"
security_result.description = "Successful Login."
security_result.action = "ALLOW"
security_result.rule_id = "con_23302020jfkldfaksjfksdajl"
security_result.rule_type = "lpc-users"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
extensions.auth.type = "SSO"
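The field mapping and event classification above, applied to a trimmed copy of the log sample, as an added Python example (not the Cyderes parser itself). The first-non-empty precedence among alternative source fields and the flat dotted output keys are assumptions.

```python
import json

# Constructed input: the page's log sample trimmed to fields the mapping table uses.
SAMPLE = json.loads("""{"data": {"log_id": "00000000000000000000000000000000001",
  "type": "s", "user_name": "john.doe@company.com", "ip": "10.10.10.1",
  "connection": "lpc-users", "connection_id": "con_23302020jfkldfaksjfksdajl",
  "client_name": "computer-sideend", "hostname": "computer1.company.com",
  "details": {"stats": {"loginsCount": 98},
  "prompts": [{"name": "lock-password-authenticate", "identity": "00001"}]}}}""")

LOGIN_TYPES = ("s", "se", "f")  # Product Event Types table; all else is GENERIC_EVENT

# UDM field -> candidate paths under "data". Taking the first non-empty candidate,
# in table order, is an assumption; the page does not state a precedence.
MAPPING = {
    "metadata.product_log_id": ["log_id"],
    "principal.ip": ["ip", "client_ip", "details.request.ip"],
    "principal.hostname": ["client_name"],
    "principal.user.product_object_id": ["details.prompts.0.identity"],
    "target.hostname": ["hostname"],
    "target.user.userid": ["user_name"],
    "security_result.rule_name": ["details.prompts.0.name"],
    "security_result.rule_id": ["connection_id"],
    "security_result.rule_type": ["connection"],
    "network.http.user_agent": ["details.request.userAgent", "user_agent"],
    "additional.logins_count": ["details.stats.loginsCount"],
}

def dig(obj, path):
    """Follow a dotted path (numeric hops index lists); None if a hop is missing."""
    for key in path.split("."):
        if isinstance(obj, dict):
            obj = obj.get(key)
        elif isinstance(obj, list) and key.isdigit() and int(key) < len(obj):
            obj = obj[int(key)]
        else:
            return None
    return obj

def to_udm(event):
    """Map one Auth0 record to a flat dict of UDM fields, skipping absent sources."""
    data = event.get("data") or {}
    login = data.get("type") in LOGIN_TYPES
    udm = {"metadata.event_type": "USER_LOGIN" if login else "GENERIC_EVENT"}
    for field, paths in MAPPING.items():
        value = next((v for p in paths if (v := dig(data, p)) not in (None, "")), None)
        if value is not None:
            udm[field] = str(value)
    return udm
```

Fields whose source is absent are omitted rather than emitted empty, so a record with an empty `prompts` array yields no `security_result.rule_name`.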
Parser Alerting
This product currently does not have any Parser-based Alerting.