Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Auth0 Log Events | ✅ | ✅ | auth_zero_log_events | NDJSON | API |
Overview
For businesses that use Auth0 for identity management and authentication, the platform is a vital part of securing user access to various applications. Because it is reachable from the internet, it is an appealing target for attackers seeking unauthorized access to a multitude of organizational resources.
Auth0 logs can be retrieved through the Auth0 Management API, which provides various types of logs and data to enhance detection capabilities for different attack vectors.
Supported data types
Auth0 Log Events
Table name: auth_zero_log_events
This data type covers logs of user activities, sign-ins, sign-outs, and other relevant events within Auth0. These logs are essential for monitoring suspicious and potentially harmful behaviors associated with the Auth0 platform or integrated services.
Send data to Hunters
Hunters can gather logs from Auth0 using its Management API.
To connect Auth0 logs:
1. Log into Auth0.
2. Navigate to the Auth0 APIs page and authorize.
   1. From the sidebar, navigate to Applications > APIs.
   2. Click on the Auth0 Management API.
   3. Navigate to the Machine to Machine Applications tab and make sure the application is granted the scopes needed to read the logs.
3. Navigate to the Auth0 Applications Page and supply the Management API Credentials field.
   1. From the sidebar, navigate to the Applications section.
   2. Click on the API Explorer Application.
   3. Gather the required values: Domain (i.e. host), Client ID and Client Secret.
4. Complete the process on the Hunters platform, following this guide.
Expected format
Logs are expected in NDJSON format.
{"date":"2023-08-21T13:40:31.176Z","type":"s","connection_id":"","client_id":"Jjjjjjjjjjjjj","client_name":"Hunters","ip":"3.1.10.19","user_agent":"Chrome 115.0.0 / Windows 10.0.0","details":{"prompts":[],"completedAt":1692625231172,"elapsedTime":null,"actions":{"executions":["mg7foQP9SPmC7wx-vjeVVTIwMjMwODIx"]},"session_id":"6CqDoBU6CqDoBU6CqDoBU6CqDoBU"},"hostname":"TEST.eu.auth0.com","user_id":"waad|xxxxxxxxxxx","user_name":"john@doe.com","log_id":"90020230821134033979015000000000000001223372052246339897","_id":"90020230821134033979015000000000000001223372052246339897","isMobile":false}
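The following added example (not Hunters or Auth0 code) parses NDJSON in the format shown above, sets aside malformed lines instead of aborting, and flags a successful login that follows repeated failed logins from the same IP. The sample lines, function names, threshold and time window are assumptions made for illustration; `s`, `f`, `fp` and `fu` are Auth0 log event type codes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Auth0 type codes: "s" = successful login; "f", "fp", "fu" = failed login variants.
FAILED = {"f", "fp", "fu"}
REQUIRED = ("date", "type", "ip", "log_id")

# Constructed sample input (not real logs); the last line is truncated on purpose.
SAMPLE = """\
{"date":"2023-08-21T13:40:01.000Z","type":"fp","ip":"203.0.113.7","user_name":"john@doe.com","log_id":"c1"}
{"date":"2023-08-21T13:40:09.000Z","type":"fp","ip":"203.0.113.7","user_name":"john@doe.com","log_id":"c2"}
{"date":"2023-08-21T13:40:20.000Z","type":"fu","ip":"203.0.113.7","user_name":"jane@doe.com","log_id":"c3"}
{"date":"2023-08-21T13:40:31.176Z","type":"s","ip":"203.0.113.7","user_name":"john@doe.com","log_id":"c4"}
{"date":"2023-08-21T13:41:00.000Z","type":"s","ip":"198.51.100.4","user_name":"amy@doe.com","log_id":"c5"}
{"date":"2023-08-21T13:41:05.000Z","type":"s","ip":
"""

def parse_ndjson(text):
    """Return (events, rejected_line_numbers); each non-blank line must be one JSON object."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if not (isinstance(ev, dict) and all(isinstance(ev.get(k), str) for k in REQUIRED)):
                raise ValueError("missing or non-string required field")
            ev["_ts"] = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        except ValueError:  # also covers json.JSONDecodeError and bad timestamps
            rejected.append(n)  # keep the line number for triage
            continue
        events.append(ev)
    return events, rejected

def success_after_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= threshold failures from the same IP within window."""
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["_ts"]):
        if ev["type"] in FAILED:
            failures[ev["ip"]].append(ev["_ts"])
        elif ev["type"] == "s":
            recent = [t for t in failures[ev["ip"]] if ev["_ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": ev["ip"], "user_name": ev.get("user_name"),
                               "failures": len(recent), "log_id": ev["log_id"]})
            failures[ev["ip"]].clear()  # reset the counter after any success
    return alerts

print(success_after_failures(parse_ndjson(SAMPLE)[0]))
```

Rejected line numbers are worth alerting on in their own right, since a run of truncated or malformed lines usually means a collection gap rather than a quiet tenant.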