- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
Auth0 Log Streams Integration
editAuth0 Log Streams Integration
editVersion |
1.19.0 (View all) |
Compatible Kibana version(s) |
8.13.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
Auth0 offers integrations that push log events via log streams to Elasticsearch or allows an Elastic Agent to make API requests for log events. The Auth0 Log Streams integration package creates a HTTP listener that accepts incoming log events or runs periodic API requests to collect events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
Compatibility
editThe package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.
Enabling the integration in Elastic
edit- In Kibana go to Management > Integrations
- In "Search for integrations" search bar type Auth0
- Click on "Auth0" integration from the search results.
- Click on Add Auth0 button to add Auth0 integration.
Configuration for Webhook input
editThe agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
For more information, see Auth0’s webpage on integration to Elastic Security.
Configure the Auth0 integration
edit- Click on Collect Auth0 log streams events via Webhooks to enable it.
-
Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the Endpoint URL
https://{AGENT_ADDRESS}:8383/auth0/logs
. - Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
- Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
Creating the stream in Auth0
edit- From the Auth0 management console, navigate to Logs > Streams and click + Create Stream.
- Choose Custom Webhook.
- Name the new Event Stream appropriately (e.g. Elastic) and click Create.
- In Payload URL, paste the Endpoint URL collected during Step 1 of Configure the Auth0 integration section.
- In Authorization Token, paste the Authorization Token. This must match the value entered in Step 2 of Configure the Auth0 integration section.
- In Content Type, choose application/json.
- In Content Format, choose JSON Lines.
- Click Save.
Configuration for API request input
editCreating an application in Auth0
edit- From the Auth0 management console, navigate to Applications > Applications and click + Create Application.
- Choose Machine to Machine Application.
- Name the new Application appropriately (e.g. Elastic) and click Create.
- Select the Auth0 Management API option and click Authorize.
-
Select the
read:logs
andread:logs_users
permissions and then click Authorize. - Navigate to the Settings tab. Take note of the "Domain", "Client ID" and "Client Secret" values in the Basic Information section.
- Click Save Changes.
Configure the Auth0 integration
edit- In the Elastic Auth0 integration user interface click on Collect Auth0 log events via API requests to enable it.
- Enter value for "URL". This must be an https URL using the Domain value obtained from Auth cloud above.
- Enter value for "Client ID". This must match the "Client ID" value obtained from Auth0 cloud above.
- Enter value for "Client Secret". This must match the "Client Secret" value obtained from Auth0 cloud above.
Log Events
editEnable to collect Auth0 log events for all the applications configured for the chosen log stream.
Logs
editLog Stream Events
editThe Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the auth0.logs
field group.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Event timestamp. |
date |
auth0.logs.data.audience |
API audience the event applies to. |
keyword |
auth0.logs.data.classification |
Log stream filters |
keyword |
auth0.logs.data.client_id |
ID of the client (application). |
keyword |
auth0.logs.data.client_name |
Name of the client (application). |
keyword |
auth0.logs.data.connection |
Name of the connection the event relates to. |
keyword |
auth0.logs.data.connection_id |
ID of the connection the event relates to. |
keyword |
auth0.logs.data.date |
Date when the event occurred in ISO 8601 format. |
date |
auth0.logs.data.description |
Description of this event. |
text |
auth0.logs.data.details |
Additional useful details about this event (values here depend upon event type). |
flattened |
auth0.logs.data.hostname |
Hostname the event applies to. |
keyword |
auth0.logs.data.ip |
IP address of the log event source. |
ip |
auth0.logs.data.is_mobile |
Whether the client was a mobile device (true) or desktop/laptop/server (false). |
boolean |
auth0.logs.data.location_info.city_name |
Full city name in English. |
keyword |
auth0.logs.data.location_info.continent_code |
Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). |
keyword |
auth0.logs.data.location_info.country_code |
Two-letter Alpha-2 ISO 3166-1 country code |
keyword |
auth0.logs.data.location_info.country_code3 |
Three-letter Alpha-3 ISO 3166-1 country code |
keyword |
auth0.logs.data.location_info.country_name |
Full country name in English. |
keyword |
auth0.logs.data.location_info.latitude |
Global latitude (horizontal) position. |
keyword |
auth0.logs.data.location_info.longitude |
Global longitude (vertical) position. |
keyword |
auth0.logs.data.location_info.time_zone |
Time zone name as found in the tz database. |
keyword |
auth0.logs.data.log_id |
Unique log event identifier |
keyword |
auth0.logs.data.login.completedAt |
Time at which the operation was completed |
date |
auth0.logs.data.login.elapsedTime |
The total amount of time in milliseconds the operation took to complete. |
long |
auth0.logs.data.login.initiatedAt |
Time at which the operation was initiated |
date |
auth0.logs.data.login.stats.loginsCount |
Total number of logins performed by the user |
long |
auth0.logs.data.scope |
Scope permissions applied to the event. |
keyword |
auth0.logs.data.strategy |
Name of the strategy involved in the event. |
keyword |
auth0.logs.data.strategy_type |
Type of strategy involved in the event. |
keyword |
auth0.logs.data.tenant_name |
The name of the auth0 tenant. |
keyword |
auth0.logs.data.type |
Type of event. |
keyword |
auth0.logs.data.user_agent |
User agent string from the client device that caused the event. |
text |
auth0.logs.data.user_id |
ID of the user involved in the event. |
keyword |
auth0.logs.data.user_name |
Name of the user involved in the event. |
keyword |
auth0.logs.log_id |
Unique log event identifier |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event timestamp. |
constant_keyword |
event.module |
Event timestamp. |
constant_keyword |
input.type |
Input type. |
keyword |
Example
An example event for logs
looks as following:
{ "@timestamp": "2021-11-03T03:06:05.696Z", "agent": { "ephemeral_id": "ca08f8bd-d4b8-4ea2-aefa-eb285a0b32c6", "id": "212c7c0c-b1d6-427f-b567-7cc8887732b9", "name": "elastic-agent-75377", "type": "filebeat", "version": "8.13.0" }, "auth0": { "logs": { "data": { "classification": "Login - Failure", "date": "2021-11-03T03:06:05.696Z", "description": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs", "details": { "error": { "message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs", "oauthError": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.", "payload": { "attempt": "http://localhost:3000/callback", "client": { "clientID": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB" }, "code": "unauthorized_client", "message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs", "name": "CallbackMismatchError", "status": 403 }, "type": "callback-url-mismatch" }, "qs": { "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB", "redirect_uri": "http://localhost:3000/callback", "response_type": "code", "scope": "openid profile", "state": "Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4=" } }, "hostname": "dev-yoj8axza.au.auth0.com", "type": "Failed login" } } }, "data_stream": { "dataset": "auth0.logs", "namespace": "12089", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "212c7c0c-b1d6-427f-b567-7cc8887732b9", "snapshot": false, "version": "8.13.0" }, "event": { "action": "failed-login", "agent_id_status": "verified", "category": [ "authentication" ], "dataset": "auth0.logs", "id": "90020211103030609732115389415260839021644201259064885298", "ingested": "2024-11-11T15:35:02Z", "kind": "event", "original": "{\"data\":{\"connection_id\":\"\",\"date\":\"2021-11-03T03:06:05.696Z\",\"description\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"details\":{\"body\":{},\"error\":{\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"oauthError\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.\",\"payload\":{\"attempt\":\"http://localhost:3000/callback\",\"authorized\":[],\"client\":{\"clientID\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\"},\"code\":\"unauthorized_client\",\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"name\":\"CallbackMismatchError\",\"status\":403},\"type\":\"callback-url-mismatch\"},\"qs\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"redirect_uri\":\"http://localhost:3000/callback\",\"response_type\":\"code\",\"scope\":\"openid profile\",\"state\":\"Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4=\"}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103030609732115389415260839021644201259064885298\",\"type\":\"f\",\"user_agent\":\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\"},\"log_id\":\"90020211103030609732115389415260839021644201259064885298\"}", "outcome": "failure", "type": [ "info" ] }, "input": { "type": "http_endpoint" }, "log": { "level": "error" }, "network": { "type": "ipv4" }, "source": { "geo": { "city_name": "London", "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { "lat": 51.5142, "lon": -0.0931 }, "region_iso_code": "GB-ENG", "region_name": "England" }, "ip": "81.2.69.143" }, "tags": [ "preserve_original_event", "forwarded", "auth0-logstream" ], "user_agent": { "device": { "name": "Other" }, "name": "Firefox", "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0", "os": { "name": "Ubuntu" }, "version": "93.0." } }
Changelog
editChangelog
Version | Details | Kibana version(s) |
---|---|---|
1.19.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.18.1 |
Bug fix (View pull request) |
8.13.0 or higher |
1.18.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.17.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.16.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.15.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.14.2 |
Enhancement (View pull request) |
8.7.1 or higher |
1.14.1 |
Enhancement (View pull request) |
8.7.1 or higher |
1.14.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.13.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.12.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.11.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.10.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.9.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.8.0 |
Enhancement (View pull request) |
8.1.0 or higher |
1.7.0 |
Enhancement (View pull request) |
8.1.0 or higher |
1.6.0 |
Enhancement (View pull request) |
8.1.0 or higher |
1.5.0 |
Enhancement (View pull request) |
8.1.0 or higher |
1.4.1 |
Enhancement (View pull request) |
8.1.0 or higher |
1.4.0 |
Enhancement (View pull request) |
8.1.0 or higher |
1.3.1 |
Enhancement (View pull request) |
8.1.0 or higher |
1.3.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.2.2 |
Bug fix (View pull request) |
7.16.0 or higher |
1.2.1 |
Enhancement (View pull request) |
7.16.0 or higher |
1.2.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.1.1 |
Enhancement (View pull request) |
7.16.0 or higher |
1.1.0 |
Enhancement (View pull request) |
7.16.0 or higher |
1.0.0 |
Enhancement (View pull request) |
7.16.0 or higher |
0.1.4 |
Enhancement (View pull request) |
— |
0.1.3 |
Enhancement (View pull request) |
— |
0.1.2 |
Bug fix (View pull request) |
— |
0.1.1 |
Bug fix (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now