Auth0

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Auth0 Log Events

✅

✅

auth_zero_log_events

NDJSON

API


Overview

For businesses that use Auth0 for identity management and authentication, it is a vital part of securing user access to various applications. Because the platform is accessible from the internet, it is an appealing target for attackers seeking unauthorized access to a multitude of organizational resources.

Auth0 logs can be retrieved using their Management API, providing various types of logs and data to enhance the detection capabilities for different attack vectors.

Supported data types

Auth0 Log Events

Table name: auth_zero_log_events

These include the logs related to user activities, sign-ins, sign-outs, and other relevant events within Auth0. These logs are essential for monitoring suspicious and potentially harmful behaviors associated with the Auth0 platform or integrated services.

Send data to Hunters

Hunters can gather logs from Auth0 using its Management API.

To connect Auth0 logs:

  1. Log into Auth0.

  2. Navigate to the Auth0 APIs page and authorize.

  3. From the sidebar, navigate to Applications > APIs.

  4. Click on the Auth0 Management API.

  5. Navigate to the Machine to Machine Applications tab and make sure the application is granted the needed scopes to read the logs.

  6. Navigate to the Auth0 Applications Page and supply the Management API Credentials field.

  7. From the sidebar, navigate to the Applications section.

  8. Click on the API Explorer Application.

  9. Gather the required values: Domain (i.e. host), Client ID and Client Secret.

  10. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in NDJSON format.

{"date":"2023-08-21T13:40:31.176Z","type":"s","connection_id":"","client_id":"Jjjjjjjjjjjjj","client_name":"Hunters","ip":"3.1.10.19","user_agent":"Chrome 115.0.0 / Windows 10.0.0","details":{"prompts":[],"completedAt":1692625231172,"elapsedTime":null,"actions":{"executions":["mg7foQP9SPmC7wx-vjeVVTIwMjMwODIx"]},"session_id":"6CqDoBU6CqDoBU6CqDoBU6CqDoBU"},"hostname":"TEST.eu.auth0.com","user_id":"waad|xxxxxxxxxxx","user_name":"john@doe.com","log_id":"90020230821134033979015000000000000001223372052246339897","_id":"90020230821134033979015000000000000001223372052246339897","isMobile":false}
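
The following is an added example, not part of the Hunters or Auth0 documentation: it parses an NDJSON stream with the fields shown in the record above (date, type, ip, user_name, log_id), reports malformed lines by number, and flags a successful login that follows repeated failed logins from the same IP. It assumes "f", "fp" and "fu" are the Auth0 failed-login type codes; the threshold, the time window and all sample lines are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = {"f", "fp", "fu"}   # assumed Auth0 failed-login event type codes
SUCCESS = "s"                # successful login, as in the sample record above

def parse_ndjson(text):
    """Parse one JSON object per line; return (events, bad_line_numbers)."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
            ev["type"], ev["ip"]  # both fields are required by the check below
        except (ValueError, KeyError, TypeError, AttributeError):
            bad.append(n)  # truncated or malformed record: report it, never drop silently
            continue
        events.append(ev)
    return events, bad

def success_after_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= threshold failures from the same IP."""
    recent, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["_ts"]):
        ip, ts = ev["ip"], ev["_ts"]
        if ev["type"] in FAILED:
            recent[ip].append(ts)
        elif ev["type"] == SUCCESS:
            fails = [t for t in recent[ip] if ts - t <= window]
            if len(fails) >= threshold:
                alerts.append({"ip": ip, "user_name": ev.get("user_name"),
                               "failures": len(fails), "log_id": ev.get("log_id")})
            recent[ip].clear()  # a success resets the failure streak for this IP
    return alerts

def _rec(ts, typ, ip, log_id):  # hypothetical helper: builds one constructed sample line
    return json.dumps({"date": f"2023-08-21T13:{ts}Z", "type": typ, "ip": ip,
                       "user_name": "john@doe.com", "log_id": log_id})

SAMPLE = "\n".join([  # constructed data using documentation-range IP addresses
    _rec("40:01.000", "fp", "203.0.113.7", "c1"),
    _rec("40:05.000", "fp", "203.0.113.7", "c2"),
    _rec("40:09.000", "fp", "203.0.113.7", "c3"),
    _rec("40:31.176", "s", "203.0.113.7", "c4"),
    _rec("40:40.000", "s", "198.51.100.20", "c5"),
    '{"date":"2023-08-21T13:41:00.000Z","type":"s"',  # truncated record
])
```

Calling parse_ndjson(SAMPLE) and passing the resulting events to success_after_failures yields one alert for 203.0.113.7 and reports line 6 as malformed.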