Auth0 is an identity provider and an API-based data source. Its logs can produce CloudService documents.
To set up Auth0, you’ll need to:
- Configure Auth0 to send data to your Collector.
- Set up the Auth0 event source in InsightIDR.
- Verify the configuration works.
Configure Auth0 to send data to your Collector
To configure Auth0 for InsightIDR, sign in to Auth0 and take the following actions from the dashboard:
Set up a machine-to-machine application: This will provide the credentials needed to access the Management API. For instructions, see "Create and Authorize Machine-to-Machine Applications for Management API" in the Auth0 documentation: https://auth0.com/docs/tokens/management-api-access-tokens/create-and-authorize-a-machine-to-machine-application
Define token settings for the JSON Web Token: To authenticate to an API endpoint, you'll need a scoped JSON Web Token. The default timeout for the token is around ten hours (36000 seconds). Since the data source fetches a new token on each run, you can safely reduce the timeout down to one hour or less. You can follow the steps listed in this documentation by Auth0 to manage API Access Tokens: https://auth0.com/docs/tokens/management-api-access-tokens
Authorize a Machine-to-Machine application: Select these roles: read:logs_users. You can follow the steps listed in this documentation by Auth0: https://auth0.com/docs/tokens/management-api-access-tokens/get-management-api-access-tokens-for-production
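Before handing the credentials to the Collector, you can check that a token issued to the machine-to-machine application carries only the scope listed above and the shortened lifetime. The following is an added example, not Rapid7 or Auth0 code: the helper names are hypothetical, the sample tokens are constructed and unsigned, and it assumes the access token exposes `scope` as a space-separated string alongside `iat` and `exp`.

```python
import base64, json, urllib.request

REQUIRED_SCOPES = {"read:logs_users"}   # scope named on this page
MAX_LIFETIME = 3600                     # one hour, per the guidance above

def fetch_token(domain, client_id, client_secret):
    """Client-credentials grant against the tenant's /oauth/token endpoint."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",   # Management API audience
    }).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def claims(token):
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(token):
    """Return a list of findings; an empty list means the token matches."""
    c = claims(token)
    granted = set(c.get("scope", "").split())
    lifetime = c["exp"] - c["iat"]
    findings = []
    if missing := REQUIRED_SCOPES - granted:
        findings.append(f"missing scopes: {sorted(missing)}")
    if extra := granted - REQUIRED_SCOPES:
        findings.append(f"scopes beyond those listed here: {sorted(extra)}")
    if lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime}s exceeds {MAX_LIFETIME}s")
    return findings

def make_sample(scope, lifetime):
    """Constructed, unsigned sample token so the check runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    body = {"iat": 1700000000, "exp": 1700000000 + lifetime, "scope": scope}
    return ".".join([enc({"alg": "none"}), enc(body), "sig"])

if __name__ == "__main__":
    print(audit(make_sample("read:logs_users read:users", 36000)))  # default-like
    print(audit(make_sample("read:logs_users", 3600)))              # tightened
```

To audit a live token, pass the result of `fetch_token()` for your tenant domain and application credentials to `audit()`.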
Set up Auth0 in InsightIDR
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
- Select your collector and Auth0 from the event source dropdown.
- Name your event source.
- Optionally choose to send unparsed data.
- Select your LDAP account attribution preference.
- Specify the user domain that will use the access tokens you set up in the Before You Begin step.
- Select a credential you set up in the Before You Begin step.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector:
- Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Click Log Search in the left menu of InsightIDR.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source. Auth0 logs flow into the Cloud Service Activity log set.
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.