Auth0

Collect logs from Auth0 with Elastic Agent.

Version
1.18.1 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

Auth0 offers integrations that push log events via log streams to Elasticsearch or allows an Elastic Agent to make API requests for log events. The Auth0 Log Streams integration package creates a HTTP listener that accepts incoming log events or runs periodic API requests to collect events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.

Compatibility

The package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.

Enabling the integration in Elastic

  1. In Kibana go to Management > Integrations
  2. In "Search for integrations" search bar type Auth0
  3. Click on "Auth0" integration from the search results.
  4. Click on Add Auth0 button to add Auth0 integration.

Configuration for Webhook input

The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.

For more information, see Auth0's webpage on integration to Elastic Security.

Configure the Auth0 integration

  1. Click on Collect Auth0 log streams events via Webhooks to enable it.
  2. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the Endpoint URL https://{AGENT_ADDRESS}:8383/auth0/logs.
  3. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
  4. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.

Creating the stream in Auth0

  1. From the Auth0 management console, navigate to Logs > Streams and click + Create Stream.
  2. Choose Custom Webhook.
  3. Name the new Event Stream appropriately (e.g. Elastic) and click Create.
  4. In Payload URL, paste the Endpoint URL collected during Step 1 of Configure the Auth0 integration section.
  5. In Authorization Token, paste the Authorization Token. This must match the value entered in Step 2 of Configure the Auth0 integration section.
  6. In Content Type, choose application/json.
  7. In Content Format, choose JSON Lines.
  8. Click Save.

Configuration for API request input

Creating an application in Auth0

  1. From the Auth0 management console, navigate to Applications > Applications and click + Create Application.
  2. Choose Machine to Machine Application.
  3. Name the new Application appropriately (e.g. Elastic) and click Create.
  4. Select the Auth0 Management API option and click Authorize.
  5. Select the read:logs and read:logs_users permissions and then click Authorize.
  6. Navigate to the Settings tab. Take note of the "Domain", "Client ID" and "Client Secret" values in the Basic Information section.
  7. Click Save Changes.

Configure the Auth0 integration

  1. In the Elastic Auth0 integration user interface click on Collect Auth0 log events via API requests to enable it.
  2. Enter value for "URL". This must be an https URL using the Domain value obtained from Auth cloud above.
  3. Enter value for "Client ID". This must match the "Client ID" value obtained from Auth0 cloud above.
  4. Enter value for "Client Secret". This must match the "Client Secret" value obtained from Auth0 cloud above.

Log Events

Enable to collect Auth0 log events for all the applications configured for the chosen log stream.

Logs

Log Stream Events

The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the auth0.logs field group.

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
auth0.logs.data.audience
API audience the event applies to.
keyword
auth0.logs.data.classification
Log stream filters
keyword
auth0.logs.data.client_id
ID of the client (application).
keyword
auth0.logs.data.client_name
Name of the client (application).
keyword
auth0.logs.data.connection
Name of the connection the event relates to.
keyword
auth0.logs.data.connection_id
ID of the connection the event relates to.
keyword
auth0.logs.data.date
Date when the event occurred in ISO 8601 format.
date
auth0.logs.data.description
Description of this event.
text
auth0.logs.data.details
Additional useful details about this event (values here depend upon event type).
flattened
auth0.logs.data.hostname
Hostname the event applies to.
keyword
auth0.logs.data.ip
IP address of the log event source.
ip
auth0.logs.data.is_mobile
Whether the client was a mobile device (true) or desktop/laptop/server (false).
boolean
auth0.logs.data.location_info.city_name
Full city name in English.
keyword
auth0.logs.data.location_info.continent_code
Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America).
keyword
auth0.logs.data.location_info.country_code
Two-letter Alpha-2 ISO 3166-1 country code
keyword
auth0.logs.data.location_info.country_code3
Three-letter Alpha-3 ISO 3166-1 country code
keyword
auth0.logs.data.location_info.country_name
Full country name in English.
keyword
auth0.logs.data.location_info.latitude
Global latitude (horizontal) position.
keyword
auth0.logs.data.location_info.longitude
Global longitude (vertical) position.
keyword
auth0.logs.data.location_info.time_zone
Time zone name as found in the tz database.
keyword
auth0.logs.data.log_id
Unique log event identifier
keyword
auth0.logs.data.login.completedAt
Time at which the operation was completed
date
auth0.logs.data.login.elapsedTime
The total amount of time in milliseconds the operation took to complete.
long
auth0.logs.data.login.initiatedAt
Time at which the operation was initiated
date
auth0.logs.data.login.stats.loginsCount
Total number of logins performed by the user
long
auth0.logs.data.scope
Scope permissions applied to the event.
keyword
auth0.logs.data.strategy
Name of the strategy involved in the event.
keyword
auth0.logs.data.strategy_type
Type of strategy involved in the event.
keyword
auth0.logs.data.tenant_name
The name of the auth0 tenant.
keyword
auth0.logs.data.type
Type of event.
keyword
auth0.logs.data.user_agent
User agent string from the client device that caused the event.
text
auth0.logs.data.user_id
ID of the user involved in the event.
keyword
auth0.logs.data.user_name
Name of the user involved in the event.
keyword
auth0.logs.log_id
Unique log event identifier
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event timestamp.
constant_keyword
event.module
Event timestamp.
constant_keyword
input.type
Input type.
keyword

An example event for logs looks as following:

{
    "@timestamp": "2021-11-03T03:06:05.696Z",
    "agent": {
        "ephemeral_id": "ca08f8bd-d4b8-4ea2-aefa-eb285a0b32c6",
        "id": "212c7c0c-b1d6-427f-b567-7cc8887732b9",
        "name": "elastic-agent-75377",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "auth0": {
        "logs": {
            "data": {
                "classification": "Login - Failure",
                "date": "2021-11-03T03:06:05.696Z",
                "description": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
                "details": {
                    "error": {
                        "message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
                        "oauthError": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.",
                        "payload": {
                            "attempt": "http://localhost:3000/callback",
                            "client": {
                                "clientID": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB"
                            },
                            "code": "unauthorized_client",
                            "message": "Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs",
                            "name": "CallbackMismatchError",
                            "status": 403
                        },
                        "type": "callback-url-mismatch"
                    },
                    "qs": {
                        "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
                        "redirect_uri": "http://localhost:3000/callback",
                        "response_type": "code",
                        "scope": "openid profile",
                        "state": "Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4="
                    }
                },
                "hostname": "dev-yoj8axza.au.auth0.com",
                "type": "Failed login"
            }
        }
    },
    "data_stream": {
        "dataset": "auth0.logs",
        "namespace": "12089",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "212c7c0c-b1d6-427f-b567-7cc8887732b9",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "failed-login",
        "agent_id_status": "verified",
        "category": [
            "authentication"
        ],
        "dataset": "auth0.logs",
        "id": "90020211103030609732115389415260839021644201259064885298",
        "ingested": "2024-11-11T15:35:02Z",
        "kind": "event",
        "original": "{\"data\":{\"connection_id\":\"\",\"date\":\"2021-11-03T03:06:05.696Z\",\"description\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"details\":{\"body\":{},\"error\":{\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"oauthError\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs. Please go to 'https://manage.auth0.com/#/applications/aI61p8I8aFjmYRliLWgvM9ev97kCCNDB/settings' and make sure you are sending the same callback url from your application.\",\"payload\":{\"attempt\":\"http://localhost:3000/callback\",\"authorized\":[],\"client\":{\"clientID\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\"},\"code\":\"unauthorized_client\",\"message\":\"Callback URL mismatch. http://localhost:3000/callback is not in the list of allowed callback URLs\",\"name\":\"CallbackMismatchError\",\"status\":403},\"type\":\"callback-url-mismatch\"},\"qs\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"redirect_uri\":\"http://localhost:3000/callback\",\"response_type\":\"code\",\"scope\":\"openid profile\",\"state\":\"Vz6G2zZf95/FCOQALrpvd4bS6jx5xvRos2pVldFAiw4=\"}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103030609732115389415260839021644201259064885298\",\"type\":\"f\",\"user_agent\":\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\"},\"log_id\":\"90020211103030609732115389415260839021644201259064885298\"}",
        "outcome": "failure",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "http_endpoint"
    },
    "log": {
        "level": "error"
    },
    "network": {
        "type": "ipv4"
    },
    "source": {
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "ip": "81.2.69.143"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "auth0-logstream"
    ],
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Firefox",
        "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
        "os": {
            "name": "Ubuntu"
        },
        "version": "93.0."
    }
}

Changelog

VersionDetailsKibana version(s)

1.18.1

Bug fix View pull request
Fix dashboard visualisations containing empty data.

8.13.0 or higher

1.18.0

Enhancement View pull request
Allow @custom pipeline access to event.original without setting preserve_original_event.

8.13.0 or higher

1.17.0

Enhancement View pull request
Add pull v2/logs API input.

8.13.0 or higher

1.16.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.15.0

Enhancement View pull request
Set sensitive values as secret.

8.12.0 or higher

1.14.2

Enhancement View pull request
Changed owners

8.7.1 or higher

1.14.1

Enhancement View pull request
Improve wording on elapsed time in milliseconds.

8.7.1 or higher

1.14.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.7.1 or higher

1.13.0

Enhancement View pull request
ECS version updated to 8.10.0.

8.7.1 or higher

1.12.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

8.7.1 or higher

1.11.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.7.1 or higher

1.10.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.7.1 or higher

1.9.0

Enhancement View pull request
Convert visualizations to lens.

8.7.1 or higher

1.8.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.1.0 or higher

1.7.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.1.0 or higher

1.6.0

Enhancement View pull request
Update package-spec version to 2.7.0.

8.1.0 or higher

1.5.0

Enhancement View pull request
Update package to ECS 8.7.0.

8.1.0 or higher

1.4.1

Enhancement View pull request
Added categories and/or subcategories.

8.1.0 or higher

1.4.0

Enhancement View pull request
Update package to ECS 8.6.0.

8.1.0 or higher

1.3.1

Enhancement View pull request
Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load

8.1.0 or higher

1.3.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.16.0 or higher
8.0.0 or higher

1.2.2

Bug fix View pull request
Remove duplicate field.

7.16.0 or higher
8.0.0 or higher

1.2.1

Enhancement View pull request
Use ECS geo.location definition.

7.16.0 or higher
8.0.0 or higher

1.2.0

Enhancement View pull request
Update package to ECS 8.4.0

7.16.0 or higher
8.0.0 or higher

1.1.1

Enhancement View pull request
Update package name and description to align with standard wording

7.16.0 or higher
8.0.0 or higher

1.1.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.16.0 or higher
8.0.0 or higher

1.0.0

Enhancement View pull request
Make GA

7.16.0 or higher
8.0.0 or higher

0.1.4

Enhancement View pull request
Update Readme

0.1.3

Enhancement View pull request
Add documentation for multi-fields

0.1.2

Bug fix View pull request
Fix documentation bug

0.1.1

Bug fix View pull request
Update Auth0 logo image

0.1.0

Enhancement View pull request
Initial commit