Auth0 Pack

This is a pack that allows for processing of Auth0 Logs. The pack includes parsing, looking up sentiment, creating patterns and metrics.

Edge Delta Pipeline Pack for CloudTrail

Overview

The Auth0 pack ensures ingestion and appropriate processing of Auth0 Logs. It first parses the JSON, then uses each log's type to look up the sentiment of the log. Based on that sentiment, the log is converted to either a pattern or a metric, which can then be used downstream.

Pack Description

1. Parse JSON

Parse the JSON from the body and put it into the attributes.

  - name: parse_json_attributes_76ed
    type: parse_json_attributes
    user_description: Parse JSON Attributes
    field_path: item["attributes"]["event"]

2. Lookup

We use the type field from the parsed object as the key to look up the sentiment in the provided lookup artifact.

  - name: lookup_b8f6
    type: lookup
    user_description: Lookup Processor
    location_path: ed://Auth0
    reload_period: 5m0s
    match_mode: exact
    regex_option: first
    key_fields:
      - event_field: item["attributes"]["event"]["type"]
        lookup_field: LogType
    out_fields:
      - event_field: item["attributes"]["event"]["sentiment"]
        lookup_field: Sentiment
        default_value: Unknown

3. Route

Based on the sentiment retrieved from the lookup table, we route the log.

  - name: route_4718
    type: route
    user_description: Route
    expression_type: ottl
    paths:
      - path: Positive Sentiment
        condition: attributes["event"]["sentiment"] == "Positive"
        exit_if_matched: true
      - path: Negative Sentiment
        condition: attributes["event"]["sentiment"] == "Negative"
        exit_if_matched: true

4. Pattern and Metrics

Positive logs are patternized and negative logs are converted to metrics for alerting. The negative logs are also sent downstream for continued processing.
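
The parse, lookup and route steps above, simulated in Python as an added example (not the pack's own code or Edge Delta's implementation). The lookup rows, the shortened log bodies and the "unparsed" and "unmatched" labels are assumptions. The example shows that a type missing from the lookup table receives the default sentiment Unknown and matches neither route path.

```python
import csv, io, json
from collections import Counter

# Constructed stand-in for the ed://Auth0 lookup artifact. Column names come
# from the pack config; the rows are assumptions for illustration.
LOOKUP_CSV = """LogType,Sentiment
s,Positive
ss,Positive
f,Negative
fp,Negative
"""

# Constructed log bodies, shortened from the shape of the pack's sample input.
SAMPLE_LOGS = [
    '{"type":"s","user_name":"john.doe@example.com","ip":"192.168.1.100"}',
    '{"type":"fp","user_name":"john.doe@example.com","ip":"192.168.1.100"}',
    '{"type":"police","user_name":"john.doe@example.com","ip":"192.168.1.100"}',
    'not json',
]

def load_lookup(text):
    """Build the exact-match LogType -> Sentiment table."""
    return {r["LogType"]: r["Sentiment"] for r in csv.DictReader(io.StringIO(text))}

def process(body, table):
    """Parse, look up and route one log body; returns (path, item)."""
    item = {"body": body, "attributes": {}}
    try:
        event = json.loads(body)                  # step 1: parse JSON
    except json.JSONDecodeError:
        return "unparsed", item                   # label is an assumption
    if not isinstance(event, dict):
        return "unparsed", item
    item["attributes"]["event"] = event
    # step 2: exact match on type, falling back to default_value "Unknown"
    log_type = event.get("type")
    event["sentiment"] = table.get(log_type, "Unknown") if isinstance(log_type, str) else "Unknown"
    # step 3: first matching path wins (exit_if_matched: true)
    for wanted in ("Positive", "Negative"):
        if event["sentiment"] == wanted:
            return f"{wanted} Sentiment", item
    return "unmatched", item                      # label is an assumption

def route_all(bodies, table):
    """Count how many items take each path."""
    return dict(Counter(process(b, table)[0] for b in bodies))

if __name__ == "__main__":
    print(route_all(SAMPLE_LOGS, load_lookup(LOOKUP_CSV)))
```

Tracking the count of unmatched items over time shows when the lookup table has fallen behind the log types actually being received.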

Sample Input

{"date":"2025-06-30T13:02:48.038Z","type":"police","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"appeal","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.038Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.038Z","type":"earn","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"serve","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.038Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.038Z","type":"background","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"live","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.038Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.039Z","type":"prepare","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"become","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.039Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.039Z","type":"convince","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"pound","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.039Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.039Z","type":"pleasure","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"climb","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.039Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}
{"date":"2025-06-30T13:02:48.039Z","type":"philosophy","connection":"Username-Password-Authentication","connection_id":"conn_123456789","client_id":"command","client_name":"My Application","ip":"192.168.1.100","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","details":{"completedAt":"2025-06-30T13:02:48.039Z","elapsedTime":234,"session_id":"sess_789012345"},"user_id":"auth0|507f1f77bcf86cd799439011","user_name":"john.doe@example.com","description":"Successful login","auth0_client":{"name":"Auth0.js","version":"9.20.1"},"location_info":{"country_code":"US","country_name":"United States","city_name":"San Francisco","latitude":37.7749,"longitude":-122.4194}}