Auth0
Auth0 is an identity provider and an API-based data source. Its logs can produce CloudService documents.
To set up Auth0, you’ll need to:
- Configure Auth0 to send data to your Collector.
- Set up the Auth0 event source in InsightIDR.
- Verify the configuration works.
Configure Auth0 to send data to your Collector
To configure Auth0 for InsightIDR, sign in to Auth0 and take the following actions from the dashboard:
- Set up a machine-to-machine application: This will provide the credentials needed to access the Management API. For instructions, see "Create and Authorize Machine-to-Machine Applications for Management API" in the Auth0 documentation: https://auth0.com/docs/tokens/management-api-access-tokens/create-and-authorize-a-machine-to-machine-application
- Define token settings for the JSON Web Token: To authenticate to an API endpoint, you'll need a JSON Web Token with the required scopes. The default timeout for the token is around ten hours (36000 seconds). Since the data source fetches a new token on each run, you can safely reduce the timeout down to one hour or less. You can follow the steps listed in this documentation by Auth0 to manage API Access Tokens: https://auth0.com/docs/tokens/management-api-access-tokens
- Authorize a Machine-to-Machine application: Select these roles: read:logs, read:logs_users, read:users, read:user_idp_tokens. You can follow the steps listed in this documentation by Auth0: https://auth0.com/docs/tokens/management-api-access-tokens/get-management-api-access-tokens-for-production
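To confirm that the machine-to-machine application issues tokens matching the settings above, you can inspect the claims of a token it returns. The following is an added example, not part of the Auth0 or InsightIDR documentation; it assumes the token carries its permissions as a space-separated `scope` claim alongside `iat` and `exp`, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Scopes and lifetime taken from the steps above; everything else is illustrative.
REQUIRED_SCOPES = {"read:logs", "read:logs_users", "read:users", "read:user_idp_tokens"}
MAX_LIFETIME_SECONDS = 3600  # "one hour or less"

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def audit_token(token):
    """Return a list of findings; an empty list means the token matches the guidance."""
    claims = decode_claims(token)
    findings = []
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = sorted(REQUIRED_SCOPES - granted)
    extra = sorted(granted - REQUIRED_SCOPES)
    if missing:
        findings.append("missing: " + " ".join(missing))
    if extra:
        findings.append("not needed by the event source: " + " ".join(extra))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        findings.append("no numeric iat/exp claims")
    elif exp - iat > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {exp - iat}s exceeds {MAX_LIFETIME_SECONDS}s")
    return findings

def make_sample_token(scope, lifetime, iat=1700000000):
    """Build a constructed sample token (placeholder signature) for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"scope": scope, "iat": iat, "exp": iat + lifetime}),
                     "constructed-signature"])

if __name__ == "__main__":
    print(audit_token(make_sample_token(" ".join(sorted(REQUIRED_SCOPES)), 3600)))
    print(audit_token(make_sample_token("read:logs read:users delete:users", 36000)))
```

An empty list means the token carries exactly the four permissions and lives for an hour or less; any finding points at the Auth0 setting to revisit.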
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Auth0 in the event sources search bar.
  - In the Product Type filter, select Cloud Service.
- Select the Auth0 event source tile.
- Select your collector and Auth0 from the event source dropdown.
- Name your event source.
- Optionally choose to send unparsed data.
- Select your Account Attribution preference:
  - Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
  - Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
- Specify the user domain that will use the access tokens you set up in the Before You Begin step.
- Select a credential you set up in the Before You Begin step.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector:
- Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Click Log Search in the left menu of InsightIDR.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source. Auth0 logs flow into the Cloud Service Activity log set.
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but still see none in Log Search after waiting a few minutes, then your logs do not match the recommended format and type for this event source.