diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json new file mode 100644 index 00000000000..ddaa2fdd51c --- /dev/null +++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json 
@@ -0,0 +1,121 @@ +{ + "name": "Auth0LogsDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "kind": null, + "properties": { + "streamDeclarations": { + "Custom-Auth0Logs": { + "columns": [ + { + "name": "date", + "type": "datetime" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "connection", + "type": "string" + }, + { + "name": "connection_id", + "type": "string" + }, + { + "name": "client_id", + "type": "string" + }, + { + "name": "client_name", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "user_agent", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "user_name", + "type": "string" + }, + { + "name": "audience", + "type": "string" + }, + { + "name": "scope", + "type": "string" + }, + { + "name": "strategy", + "type": "string" + }, + { + "name": "strategy_type", + "type": "string" + }, + { + "name": "location_info", + "type": "dynamic" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "log_id", + "type": "string" + }, + { + "name": "tenant_name", + "type": "string" + }, + { + "name": "isMobile", + "type": "boolean" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Auth0Logs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source| extend TimeGenerated = ['date'] , EventType = type | project-rename Description = description, Connection = connection, ConnectionId = connection_id, ClientId = client_id, ClientName = client_name, SrcIpAddr = ip, HttpUserAgent = user_agent, SrcHostname = hostname, ActorUserId = user_id, ActorUsername = user_name, Audience = audience, Scope = scope, Strategy = strategy, StrategyType = strategy_type, 
LocationInfo = location_info, Details = details, LogId = log_id, TenantName = tenant_name, IsMobile = isMobile | project-away ['date'], type", + "outputStream": "Custom-Auth0Logs_CL" + } + + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } +} \ No newline at end of file diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json new file mode 100644 index 00000000000..25d12da3894 --- /dev/null +++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json 
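Review bot: The transform ends with `project-away ['date'], type`, but the companion table.json in this diff declares an `event_date` datetime column that nothing in this dataflow ever writes, so it will be null in every row; either drop the column from the table schema or carry the original timestamp through, e.g. `source | extend TimeGenerated = ['date'], event_date = ['date'], EventType = type | project-rename … | project-away ['date'], type`. Separately, `dataCollectionEndpointId` is composed from `parameters('subscription')`, `parameters('resourceGroupName')` and `parameters('workspace')`, which assumes a data collection endpoint named exactly like the workspace already exists in that resource group; nothing in this change appears to create it, so that prerequisite should be stated in the solution README or the connector instructions to avoid a failed DCR deployment. The `details` object is ingested verbatim as `dynamic`; it is worth confirming against the Auth0 log reference which event types populate it with request payloads before relying on it in workspaces with strict data-handling rules.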
@@ -0,0 +1,116 @@ +{ + "name": "Auth0ConnectorCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Auth0ConnectorCCPDefinition", + "title": "Auth0 Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total logs received", + "legend": "Auth0 Logs", + "baseQuery": "Auth0Logs_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Auth0 logs", + "query": "Auth0Logs_CL | take 10" + } + ], + "dataTypes": [ + { + "name": "Auth0Logs_CL", + "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "tenant": null, + "licenses": null, + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + 
"content": "#### STEP 1 - Configuration steps for the Auth0 Management API" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. Copy [**Domain, ClientID, Client Secret**]" + } + }, + { + "parameters": { + "label": "Base API URL", + "placeholder": "https://example.auth0.com", + "type": "text", + "name": "Domain" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "Client ID", + "placeholder": "Client ID", + "type": "text", + "name": "ClientId" + }, + "type": "Textbox" + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "API Token", + "type": "password", + "name": "ClientSecret" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } +} \ No newline at end of file diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json new file mode 100644 index 00000000000..ebfa3dc582e --- /dev/null +++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json 
@@ -0,0 +1,49 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "Auth0Logs",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "Auth0ConnectorCCPDefinition",
+ "dataType": "Auth0Logs_CL",
+ "auth": {
+ "type": "OAuth2",
+ "ClientId": "{{ClientId}}",
+ "ClientSecret": "{{ClientSecret}}",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat(parameters('Domain'),'/oauth/token')]",
+ "TokenEndpointQueryParameters": {
+ "audience": "[[concat(parameters('Domain'),'/api/v2/')]"
+ }
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('Domain'),'/api/v2/logs')]",
+ "headers": {
+ "Accept": "application/json"
+ },
+ "httpMethod": "Get",
+ "QueryParameters": {
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ],
+ "format": "json"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-Auth0Logs",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "Paging": {
+ "pagingType" : "PersistentToken",
+ "nextPageParaName" : "from",
+ "nextPageTokenJsonPath" : "$.[-1:].log_id",
+ "PageSizeParameterName": "take",
+ "PageSize": 100
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
new file mode 100644
index 00000000000..0f5dcb885db
--- /dev/null
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
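Review bot: `TokenEndpoint` and `apiEndpoint` are built by plain `concat(parameters('Domain'), …)` with no check that `Domain` is an `https://` URL without a trailing slash, and the connections template later in this diff constrains `Domain` only with `minLength: 1`, so a malformed value breaks polling and an `http://` value would post `ClientSecret` to the token endpoint over plaintext — add a pattern/format constraint on the `Domain` input or, at minimum, document the exact expected form. The initial request has an empty `QueryParameters`, so the first call to `/api/v2/logs` carries neither `from` nor `sort`; with `PersistentToken` paging keyed on `$.[-1:].log_id`, the checkpoint is taken from the last element of whatever order Auth0 returns by default, which can re-ingest or skip events around the first page, so verify this against the API's documented checkpoint semantics and add `"sort": "date:1"` if that is what the API expects (the docs also indicate `take` is honoured only together with `from`, which is worth confirming). `audience` is sent via `TokenEndpointQueryParameters`, whereas Auth0's client-credentials grant documents `audience` as a POST-body field; confirm how CCP serialises this property before shipping, since a token minted for the wrong audience will fail only at the first `/api/v2/logs` call.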
@@ -0,0 +1,102 @@ +{ + "name": "Auth0Logs_CL", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "{{location}}", + "kind": null, + "properties": { + "schema": { + "name": "Auth0Logs_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "event_date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "Connection", + "type": "string" + }, + { + "name": "ConnectionId", + "type": "string" + }, + { + "name": "ClientId", + "type": "string" + }, + { + "name": "ClientName", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "string" + }, + { + "name": "HttpUserAgent", + "type": "string" + }, + { + "name": "SrcHostname", + "type": "string" + }, + { + "name": "ActorUserId", + "type": "string" + }, + { + "name": "ActorUsername", + "type": "string" + }, + { + "name": "Audience", + "type": "string" + }, + { + "name": "Scope", + "type": "string" + }, + { + "name": "Strategy", + "type": "string" + }, + { + "name": "StrategyType", + "type": "string" + }, + { + "name": "LocationInfo", + "type": "dynamic" + }, + { + "name": "Details", + "type": "dynamic" + }, + { + "name": "LogId", + "type": "string" + }, + { + "name": "TenantName", + "type": "string" + }, + { + "name": "IsMobile", + "type": "boolean" + } + ] + } + } +} \ No newline at end of file diff --git a/Solutions/Auth0/Data/Solution_Auth0.json b/Solutions/Auth0/Data/Solution_Auth0.json index 36a16f4e62e..699023aeeb4 100644 --- a/Solutions/Auth0/Data/Solution_Auth0.json +++ b/Solutions/Auth0/Data/Solution_Auth0.json 
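Review bot: `apiVersion` is `2021-03-01-privatepreview`, a private-preview version of the tables API, while the packaged mainTemplate in this same diff emits `2022-10-01` for the identical resource; keeping the source file on the GA version (`"apiVersion": "2022-10-01"`) avoids source/package drift and a deployment that only works where the packager rewrites it. Also note that `event_date` is declared here but the accompanying DCR transform does not emit it, so it should be populated or removed.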
@@ -4,15 +4,16 @@
 "Logo": "",
 "Description": "The [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n",
 "Data Connectors": [
- "Data Connectors/Auth0_FunctionApp.json"
+ "Data Connectors/Auth0_FunctionApp.json",
+ "Data Connectors/Auth0_CCP/DataConnectorDefinition.json"
 ],
 "Parsers": [
- "Parsers/Auth0.yaml",
- "Parsers/Auth0AM.yaml"
+ "Parsers/Auth0AM.yaml",
+ "Parsers/Auth0.yaml"
 ],
 "Metadata": "SolutionMetadata.json",
- "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Auth0",
- "Version": "3.0.0",
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Auth0",
+ "Version": "3.1.0",
 "TemplateSpec": true,
 "Is1PConnector": false,
 "createPackage": false
diff --git a/Solutions/Auth0/Package/3.1.0.zip b/Solutions/Auth0/Package/3.1.0.zip
new file mode 100644
index 00000000000..d605b9004cd
Binary files /dev/null and b/Solutions/Auth0/Package/3.1.0.zip differ
diff --git a/Solutions/Auth0/Package/createUiDefinition.json b/Solutions/Auth0/Package/createUiDefinition.json
index 0f9a38e6d70..62617e2288a
--- a/Solutions/Auth0/Package/createUiDefinition.json
+++ b/Solutions/Auth0/Package/createUiDefinition.json
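Review bot: The `Description` still names only the HTTP Data Collector API and Azure Functions as underlying technologies, but the newly listed `Auth0_CCP/DataConnectorDefinition.json` connector ingests through a data collection endpoint and rule on the Codeless Connector Platform, so the dependency list readers use to judge preview status and ingestion cost is now incomplete. Add a third item naming the Azure Monitor Logs Ingestion API / data collection rules (with its docs link) and mention that the second connector is CCP-based. The `BasePath` change (`GitHub` → `Github`) is a local machine path leaking into the repo; it is harmless but could be left as it was to keep the diff focused.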
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Auth0/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Auth0/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 2, **Parsers:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
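Review bot: The basics description now reads `**Data Connectors:** 2`, but the "Underlying Microsoft Technologies used" list a few lines earlier is unchanged and still names only the HTTP Data Collector API and Azure Functions; the second connector relies on a data collection endpoint and rule, so the counts and the dependency list now disagree. Since this file is generated from `Solution_Auth0.json`, correct the `Description` there (adding the Logs Ingestion API / DCR dependency) and regenerate rather than editing the packaged copy by hand.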
@@ -63,13 +63,6 @@
 "text": "This Solution installs the data connector for Auth0. You can get Auth0 custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
 {
 "name": "dataconnectors-link2",
 "type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/Auth0/Package/mainTemplate.json b/Solutions/Auth0/Package/mainTemplate.json
index cce343752b2..f376d0cfb4f
--- a/Solutions/Auth0/Package/mainTemplate.json
+++ b/Solutions/Auth0/Package/mainTemplate.json
@@ -27,13 +27,27 @@
 "metadata": {
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
 }
 },
 "variables": {
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Auth0",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.1.0",
 "solutionId": "azuresentinel.azure-sentinel-solution-auth0",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "Auth0",
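Review bot: The new `resourceGroupName` and `subscription` parameters are described as "where Microsoft Sentinel is setup", but from the DCR definition elsewhere in this diff they appear to be used only to compose `dataCollectionEndpointId`, where they must identify the subscription and resource group of a data collection endpoint named after the workspace — which need not be where Sentinel itself lives. Make the descriptions say that, e.g. `"description": "Resource group containing the data collection endpoint used by the CCP connector (defaults to this deployment's resource group)"` and the equivalent for `subscription`, so operators deploying across resource groups know what to override and why a missing DCE fails the deployment.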
@@ -45,19 +59,26 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition2": "Auth0ConnectorCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "Auth0ConnectorCCPDefinitionConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", + "blanks": "[replace('b', 'b', '')]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Auth0')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0-Parser')))]", + "_parserName1": "[concat(parameters('workspace'),'/','Auth0AM')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0AM-Parser')))]", "parserVersion1": "1.0.0", - "parserContentId1": "Auth0-Parser" + "parserContentId1": "Auth0AM-Parser" 
}, "parserObject2": { - "_parserName2": "[concat(parameters('workspace'),'/','Auth0AM')]", - "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0AM-Parser')))]", + "_parserName2": "[concat(parameters('workspace'),'/','Auth0')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0-Parser')))]", "parserVersion2": "1.0.0", - "parserContentId2": "Auth0AM-Parser" + "parserContentId2": "Auth0-Parser" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, @@ -71,7 +92,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Auth0 data connector with template version 3.0.0", + "description": "Auth0 data connector with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -87,7 +108,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Auth0 Access Management(using Azure Function)", + "title": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "publisher": "Auth0", "descriptionMarkdown": "The [Auth0 Access Management](https://auth0.com/access-management) data connector provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into Microsoft Sentinel", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", @@ -258,7 +279,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Auth0 Access Management(using Azure Function)", + "displayName": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" @@ -302,7 +323,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Auth0 Access Management(using Azure Function)", + "title": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "publisher": "Auth0", "descriptionMarkdown": "The [Auth0 Access Management](https://auth0.com/access-management) data connector provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into Microsoft Sentinel", "graphQueries": [ 
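Review bot: All three hunks on this line change the Function App connector's `title`/`displayName` to `Auth0 Access Management(using Azure Function) (using Azure Functions)`, which shows a doubled suffix in the connector gallery. The packager appears to append ` (using Azure Functions)` itself, so the source connector JSON's title should lose its own `(using Azure Function)` and read simply `Auth0 Access Management`, after which the package should be regenerated rather than patched by hand.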
@@ -423,6 +444,689 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Auth0 Logs", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Auth0ConnectorCCPDefinition", + "title": "Auth0 Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total logs received", + "legend": "Auth0 Logs", + "baseQuery": "Auth0Logs_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Auth0 logs", + "query": "Auth0Logs_CL | take 10" + } + ], + "dataTypes": [ + { + "name": "Auth0Logs_CL", + "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### STEP 1 - Configuration steps for the Auth0 Management API" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. 
Copy [**Domain, ClientID, Client Secret**]" + } + }, + { + "parameters": { + "label": "Base API URL", + "placeholder": "https://example.auth0.com", + "type": "text", + "name": "Domain" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "Client ID", + "placeholder": "Client ID", + "type": "text", + "name": "ClientId" + }, + "type": "Textbox" + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "API Token", + "type": "password", + "name": "ClientSecret" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "Auth0LogsDCR", + 
"apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-Auth0Logs": { + "columns": [ + { + "name": "date", + "type": "datetime" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "connection", + "type": "string" + }, + { + "name": "connection_id", + "type": "string" + }, + { + "name": "client_id", + "type": "string" + }, + { + "name": "client_name", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "user_agent", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "user_name", + "type": "string" + }, + { + "name": "audience", + "type": "string" + }, + { + "name": "scope", + "type": "string" + }, + { + "name": "strategy", + "type": "string" + }, + { + "name": "strategy_type", + "type": "string" + }, + { + "name": "location_info", + "type": "dynamic" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "log_id", + "type": "string" + }, + { + "name": "tenant_name", + "type": "string" + }, + { + "name": "isMobile", + "type": "boolean" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Auth0Logs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source| extend TimeGenerated = ['date'] , EventType = type | project-rename Description = description, Connection = connection, ConnectionId = connection_id, ClientId = client_id, ClientName = client_name, SrcIpAddr = ip, HttpUserAgent = user_agent, SrcHostname = hostname, ActorUserId = user_id, ActorUsername = user_name, Audience = audience, Scope = scope, Strategy = strategy, StrategyType = strategy_type, 
LocationInfo = location_info, Details = details, LogId = log_id, TenantName = tenant_name, IsMobile = isMobile | project-away ['date'], type", + "outputStream": "Custom-Auth0Logs_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } + }, + { + "name": "Auth0Logs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "Auth0Logs_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "event_date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "Connection", + "type": "string" + }, + { + "name": "ConnectionId", + "type": "string" + }, + { + "name": "ClientId", + "type": "string" + }, + { + "name": "ClientName", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "string" + }, + { + "name": "HttpUserAgent", + "type": "string" + }, + { + "name": "SrcHostname", + "type": "string" + }, + { + "name": "ActorUserId", + "type": "string" + }, + { + "name": "ActorUsername", + "type": "string" + }, + { + "name": "Audience", + "type": "string" + }, + { + "name": "Scope", + "type": "string" + }, + { + "name": "Strategy", + "type": "string" + }, + { + "name": "StrategyType", + "type": "string" + }, + { + "name": "LocationInfo", + "type": "dynamic" + }, + { + "name": "Details", + "type": "dynamic" + }, + { + "name": "LogId", + "type": "string" + }, + { + "name": "TenantName", + "type": "string" + }, + { + "name": "IsMobile", + "type": "boolean" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + 
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Auth0ConnectorCCPDefinition", + "title": "Auth0 Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total logs received", + "legend": "Auth0 Logs", + "baseQuery": "Auth0Logs_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Auth0 logs", + "query": "Auth0Logs_CL | take 10" + } + ], + "dataTypes": [ + { + "name": "Auth0Logs_CL", + "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### STEP 1 - Configuration steps for the Auth0 Management API" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. 
Copy [**Domain, ClientID, Client Secret**]"
+ }
+ },
+ {
+ "parameters": {
+ "label": "Base API URL",
+ "placeholder": "https://example.auth0.com",
+ "type": "text",
+ "name": "Domain"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "label": "Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "ClientId"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Client Secret",
+ "placeholder": "API Token",
+ "type": "password",
+ "name": "ClientSecret"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "displayName": "Auth0 Logs",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "Auth0 Logs",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "Domain": {
+ "defaultValue": "Domain",
+ "type": "string",
+ "minLength": 1
+ },
+ "ClientId": {
+ "defaultValue": "ClientId",
+ "type": "string",
+ "minLength": 1
+ },
+ "ClientSecret": {
+ "defaultValue": "ClientSecret",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'Auth0Logs')]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "Auth0ConnectorCCPDefinition",
+ "dataType": "Auth0Logs_CL",
+ "auth": {
+ "type": "OAuth2",
+ "ClientId": "[[parameters('ClientId')]",
+ "ClientSecret": "[[parameters('ClientSecret')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat(parameters('Domain'),'/oauth/token')]",
+ "TokenEndpointQueryParameters": {
+ "audience": "[[concat(parameters('Domain'),'/api/v2/')]"
+ }
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('Domain'),'/api/v2/logs')]",
+ "headers": {
+ "Accept": "application/json"
+ },
+ "httpMethod": "Get",
+ "QueryParameters": {}
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ],
+ "format": "json"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-Auth0Logs",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "Paging": {
+ "pagingType": 
"PersistentToken",
+ "nextPageParaName": "from",
+ "nextPageTokenJsonPath": "$.[-1:].log_id",
+ "PageSizeParameterName": "take",
+ "PageSize": 100
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -432,7 +1136,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Auth0 Data Parser with template version 3.0.0",
+ "description": "Auth0AM Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -446,10 +1150,10 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Auth0",
+ "displayName": "Parser for Auth0 Auth0AM_CL",
 "category": "Microsoft Sentinel Parser",
- "functionAlias": "Auth0",
- "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
+ "functionAlias": "Auth0AM",
+ "query": "let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', \"\"))\n, Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n, Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n, Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n, Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n, Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n, ClientId = tostring(column_ifexists('client_id_s', \"\"))\n, ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n, ClientName = tostring(column_ifexists('client_name_s', \"\"))\n, ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n, Connection = tostring(column_ifexists('connection_s', \"\"))\n, Date = todatetime(column_ifexists('date_t', \"\"))\n, Description = tostring(column_ifexists('description_s', \"\"))\n, DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n, DetailsActionsExecutions = 
todynamic(column_ifexists('details_actions_executions_s', \"\"))\n, DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n, DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n, DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n, DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n, DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n, DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', \"\"))\n, DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n, DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n, DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n, DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n, DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n, DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n, DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n, DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n, DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n, DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n, DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n, DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n, DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n, DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n, DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n, DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n, DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n, 
DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n, RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n, RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n, RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n, RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n, RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n, RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n, RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n, RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n, RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n, RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n, RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n, RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n, RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n, RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n, RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n, RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n, RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n, ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n, ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n, ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', 
\"\"))\n, ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n, ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n, ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n, ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n, ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n, ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n, ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n, ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n, ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n, ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n, ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n, ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n, ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n, ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n, ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n, ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n, ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n, ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n, ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n, SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n, StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n, XHR = tobool(column_ifexists('details_xhr_b', 
\"\"))\n, Hostname = tostring(column_ifexists('hostname_s', \"\"))\n, IPAddress = tostring(column_ifexists('ip_s', \"\"))\n, IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n, LogId = tostring(column_ifexists('log_id_s', \"\"))\n, Scope = tostring(column_ifexists('scope_s', \"\"))\n, Strategy = tostring(column_ifexists('strategy_s', \"\"))\n, StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n, Type = tostring(column_ifexists('Type', \"\"))\n, EventCode = tostring(column_ifexists('type_s', \"\"))\n, UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n, UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n, UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))) | extend EventDescritpion = case(EventCode == \"api_limit\",\"Rate Limit on the Authentication or Management APIs\",EventCode == \"appi\",\"Notice for API Peak Performance initiated\",EventCode == \"ciba_exchange_failed\",\"Failed CIBA Exchange\",EventCode == \"ciba_exchange_succeeded\",\"Successful CIBA Exchange\",EventCode == \"ciba_start_failed\",\"Failed CIBA Start\",EventCode == \"ciba_start_succeeded\",\"Successful CIBA Start\",EventCode == \"cls\",\"Code/Link Sent\",EventCode == \"cs\",\"Code Sent\",EventCode == \"depnote\",\"Deprecation Notice\",EventCode == \"f\",\"Failed Login\",EventCode == \"fc\",\"Failed by Connector\",EventCode == \"fce\",\"Failed Change Email\",EventCode == \"fco\",\"Failed by CORS\",EventCode == \"fcoa\",\"Failed cross-origin authentication\",EventCode == \"fcp\",\"Failed Change Password\",EventCode == \"fcph\",\"Failed Post Change Password Hook\",EventCode == \"fcpn\",\"Failed Change Phone Number\",EventCode == \"fcpr\",\"Failed Change Password Request\",EventCode == \"fcpro\",\"Failed Connector Provisioning\",EventCode == \"fcu\",\"Failed Change Username\",EventCode == \"fd\",\"Failed Delegation\",EventCode == \"fdeac\",\"Failed Device Activation\",EventCode == \"fdeaz\",\"Failed Device Authorization 
Request\",EventCode == \"fdecc\",\"User Canceled Device Confirmation\",EventCode == \"fdu\",\"Failed User Deletion\",EventCode == \"feacft\",\"Failed Exchange\",EventCode == \"feccft\",\"Failed Exchange\",EventCode == \"fede\",\"Failed Exchange\",EventCode == \"fens\",\"Failed Exchange\",EventCode == \"feoobft\",\"Failed Exchange\",EventCode == \"feotpft\",\"Failed Exchange\",EventCode == \"fepft\",\"Failed Exchange\",EventCode == \"fepotpft\",\"Failed Exchange\",EventCode == \"fercft\",\"Failed Exchange\",EventCode == \"ferrt\",\"Failed Exchange\",EventCode == \"fertft\",\"Failed Exchange\",EventCode == \"fi\",\"Failed invite accept\",EventCode == \"flo\",\"Failed Logout\",EventCode == \"fn\",\"Failed Sending Notification\",EventCode == \"fp\",\"Failed Login (Incorrect Password)\",EventCode == \"fpar\",\"Failed Pushed Authorization Request\",EventCode == \"fs\",\"Failed Signup\",EventCode == \"fsa\",\"Failed Silent Auth\",EventCode == \"fu\",\"Failed Login (Invalid Email/Username)\",EventCode == \"fui\",\"Failed users import\",EventCode == \"fv\",\"Failed Verification Email\",EventCode == \"fvr\",\"Failed Verification Email Request\",EventCode == \"gd_auth_email_verification\",\"Email Verification Confirmed\",EventCode == \"gd_auth_fail_email_verification\",\"Email Verification Failed\",EventCode == \"gd_auth_failed\",\"MFA Auth failed\",EventCode == \"gd_auth_rejected\",\"MFA Auth rejected\",EventCode == \"gd_auth_succeed\",\"MFA Auth success\",EventCode == \"gd_enrollment_complete\",\"MFA enrollment complete\",EventCode == \"gd_otp_rate_limit_exceed\",\"Too many MFA failures\",EventCode == \"gd_recovery_failed\",\"Recovery failed\",EventCode == \"gd_recovery_rate_limit_exceed\",\"Multi-factor recovery code has failed too many times\",EventCode == \"gd_recovery_succeed\",\"MFA recovery success\",EventCode == \"gd_send_email\",\"MFA Email Sent\",EventCode == \"gd_send_email_verification\",\"Email Verification Sent\",EventCode == 
\"gd_send_email_verification_failure\",\"Email Verification Failed\",EventCode == \"gd_send_pn\",\"Push notification sent\",EventCode == \"gd_send_pn_failure\",\"Error Sending MFA Push Notification\",EventCode == \"gd_send_sms\",\"MFA SMS Sent\",EventCode == \"gd_send_sms_failure\",\"Error Sending MFA SMS\",EventCode == \"gd_send_voice\",\"MFA voice call success\",EventCode == \"gd_send_voice_failure\",\"MFA voice call failed\",EventCode == \"gd_start_auth\",\"Second factor started\",EventCode == \"gd_start_enroll\",\"MFA Enroll started\",EventCode == \"gd_start_enroll_failed\",\"MFA Enrollment Failed\",EventCode == \"gd_tenant_update\",\"Guardian tenant update\",EventCode == \"gd_unenroll\",\"Unenroll device account\",EventCode == \"gd_update_device_account\",\"Update device account\",EventCode == \"gd_webauthn_challenge_failed\",\"WebAuthn browser error\",EventCode == \"gd_webauthn_enrollment_failed\",\"WebAuthn browser error\",EventCode == \"kms_key_management_failure\",\"Failed KMS API Operation\",EventCode == \"kms_key_management_success\",\"Success KMS API Operation\",EventCode == \"kms_key_state_changed\",\"KMS Key State Change\",EventCode == \"limit_delegation\",\"Too Many Calls to /delegation\",EventCode == \"limit_mu\",\"Blocked IP Address\",EventCode == \"limit_sul\",\"Blocked Account\",EventCode == \"limit_wc\",\"Blocked Account\",EventCode == \"mfar\",\"MFA Required\",EventCode == \"mgmt_api_read\",\"Management API read Operation\",EventCode == \"oidc_backchannel_logout_failed\",\"Failed OIDC Back-Channel Logout request\",EventCode == \"oidc_backchannel_logout_succeeded\",\"Successful OIDC Back-Channel Logout request\",EventCode == \"organization_member_added\",\"Organization Member Added\",EventCode == \"pla\",\"Pre-login assessment\",EventCode == \"pwd_leak\",\"Breached password\",EventCode == \"resource_cleanup\",\"Success Resource Cleanup\",EventCode == \"rich_consents_access_error\",\"Rich Consents Access Error\",EventCode == \"s\",\"Success 
Login\",EventCode == \"sapi\",\"Success API Operation\",EventCode == \"sce\",\"Success Change Email\",EventCode == \"scoa\",\"Success cross-origin authentication\",EventCode == \"scp\",\"Success Change Password\",EventCode == \"scpn\",\"Success Change Phone Number\",EventCode == \"scpr\",\"Success Change Password Request\",EventCode == \"scu\",\"Success Change Username\",EventCode == \"scv\",\"Success Credential Validation\",EventCode == \"sd\",\"Success Delegation\",EventCode == \"sdu\",\"Success User Deletion\",EventCode == \"seacft\",\"Success Exchange\",EventCode == \"seccft\",\"Success Exchange\",EventCode == \"sede\",\"Success Exchange\",EventCode == \"sens\",\"Success Exchange\",EventCode == \"seoobft\",\"Success Exchange\",EventCode == \"seotpft\",\"Success Exchange\",EventCode == \"sepft\",\"Success Exchange\",EventCode == \"sepkoobft\",\"Success Exchange\",EventCode == \"sepkotpft\",\"Success Exchange\",EventCode == \"sepkrcft\",\"Success Exchange\",EventCode == \"sercft\",\"Success Exchange\",EventCode == \"sertft\",\"Success Exchange\",EventCode == \"si\",\"Successfully accepted a user invite\",EventCode == \"signup_pwd_leak\",\"Breached Password on Signup\",EventCode == \"slo\",\"Success Logout\",EventCode == \"srrt\",\"Success Revocation\",EventCode == \"ss\",\"Success Signup\",EventCode == \"ss_sso_failure\",\"Failed SS-SSO Operation\",EventCode == \"ss_sso_info\",\"Information from an SS-SSO Operation\",EventCode == \"ss_sso_success\",\"Success SS-SSO Operation\",EventCode == \"ssa\",\"Success Silent Auth\",EventCode == \"sui\",\"Successfully imported users\",EventCode == \"sv\",\"Success Verification Email\",EventCode == \"svr\",\"Success Verification Email Request\",EventCode == \"ublkdu\",\"User login block released\",EventCode == \"w\",\"Warning During Login\",EventCode == \"wum\",\"Warning User Management\",\"\")};\n AutoLogsview()\n", "functionParameters": "", "version": 2, "tags": [ 
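Review bot: The new `query` value on the `+ "functionAlias": "Auth0AM"` / `+ "query"` lines defines an output column named `EventDescritpion` in the `extend ... case(EventCode == ...)` block; since that misspelling becomes the public column name of the `Auth0AM` function, it should read `EventDescription` before rules or workbooks are written against it. The two union branches also disagree on `UserId`: the `Auth0AM_CL` branch derives it as `tostring(split(column_ifexists('user_id_s', ""), '|')[1])`, dropping whatever precedes the `|`, while the `Auth0Logs_CL` branch passes `ActorUserId` through unchanged, so the same column will carry differently shaped identifiers depending on the source table and equality matches or joins across the two sources will presumably miss. Both branches drop `TimeGenerated` from the output (`Date = TimeGenerated` in the `project-rename`, and the `Auth0AM_CL` `project` list has no `TimeGenerated`); content that filters on `TimeGenerated` will then not find it in the function result, so keep `TimeGenerated` alongside `Date`. The parser further surfaces `RequestBodyPassword` from `details_request_body_password_s`; unless that field is known to arrive already redacted, it would be safer to omit it from the normalized view. The identical query is repeated in the hunk at `@@ -511,10 +1215,10 @@`, which continues past the end of this excerpt.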
@@ -468,7 +1172,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -498,7 +1202,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
- "displayName": "Auth0",
+ "displayName": "Parser for Auth0 Auth0AM_CL",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
@@ -511,10 +1215,10 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Auth0",
+ "displayName": "Parser for Auth0 Auth0AM_CL",
 "category": "Microsoft Sentinel Parser",
- "functionAlias": "Auth0",
- "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
+ "functionAlias": "Auth0AM",
+ "query": "let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', \"\"))\n, Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n, Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n, Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n, Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n, Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n, ClientId = tostring(column_ifexists('client_id_s', \"\"))\n, ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n, ClientName = tostring(column_ifexists('client_name_s', \"\"))\n, ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n, Connection = tostring(column_ifexists('connection_s', \"\"))\n, Date = todatetime(column_ifexists('date_t', \"\"))\n, Description = tostring(column_ifexists('description_s', \"\"))\n, DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n, DetailsActionsExecutions = 
todynamic(column_ifexists('details_actions_executions_s', \"\"))\n, DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n, DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n, DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n, DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n, DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n, DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', \"\"))\n, DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n, DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n, DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n, DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n, DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n, DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n, DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n, DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n, DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n, DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n, DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n, DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n, DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n, DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n, DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n, DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n, DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n, 
DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n, RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n, RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n, RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n, RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n, RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n, RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n, RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n, RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n, RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n, RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n, RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n, RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n, RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n, RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n, RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n, RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n, RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n, ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n, ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n, ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', 
\"\"))\n, ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n, ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n, ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n, ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n, ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n, ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n, ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n, ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n, ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n, ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n, ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n, ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n, ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n, ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n, ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n, ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n, ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n, ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n, ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n, SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n, StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n, XHR = tobool(column_ifexists('details_xhr_b', 
\"\"))\n, Hostname = tostring(column_ifexists('hostname_s', \"\"))\n, IPAddress = tostring(column_ifexists('ip_s', \"\"))\n, IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n, LogId = tostring(column_ifexists('log_id_s', \"\"))\n, Scope = tostring(column_ifexists('scope_s', \"\"))\n, Strategy = tostring(column_ifexists('strategy_s', \"\"))\n, StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n, Type = tostring(column_ifexists('Type', \"\"))\n, EventCode = tostring(column_ifexists('type_s', \"\"))\n, UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n, UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n, UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))) | extend EventDescritpion = case(EventCode == \"api_limit\",\"Rate Limit on the Authentication or Management APIs\",EventCode == \"appi\",\"Notice for API Peak Performance initiated\",EventCode == \"ciba_exchange_failed\",\"Failed CIBA Exchange\",EventCode == \"ciba_exchange_succeeded\",\"Successful CIBA Exchange\",EventCode == \"ciba_start_failed\",\"Failed CIBA Start\",EventCode == \"ciba_start_succeeded\",\"Successful CIBA Start\",EventCode == \"cls\",\"Code/Link Sent\",EventCode == \"cs\",\"Code Sent\",EventCode == \"depnote\",\"Deprecation Notice\",EventCode == \"f\",\"Failed Login\",EventCode == \"fc\",\"Failed by Connector\",EventCode == \"fce\",\"Failed Change Email\",EventCode == \"fco\",\"Failed by CORS\",EventCode == \"fcoa\",\"Failed cross-origin authentication\",EventCode == \"fcp\",\"Failed Change Password\",EventCode == \"fcph\",\"Failed Post Change Password Hook\",EventCode == \"fcpn\",\"Failed Change Phone Number\",EventCode == \"fcpr\",\"Failed Change Password Request\",EventCode == \"fcpro\",\"Failed Connector Provisioning\",EventCode == \"fcu\",\"Failed Change Username\",EventCode == \"fd\",\"Failed Delegation\",EventCode == \"fdeac\",\"Failed Device Activation\",EventCode == \"fdeaz\",\"Failed Device Authorization 
Request\",EventCode == \"fdecc\",\"User Canceled Device Confirmation\",EventCode == \"fdu\",\"Failed User Deletion\",EventCode == \"feacft\",\"Failed Exchange\",EventCode == \"feccft\",\"Failed Exchange\",EventCode == \"fede\",\"Failed Exchange\",EventCode == \"fens\",\"Failed Exchange\",EventCode == \"feoobft\",\"Failed Exchange\",EventCode == \"feotpft\",\"Failed Exchange\",EventCode == \"fepft\",\"Failed Exchange\",EventCode == \"fepotpft\",\"Failed Exchange\",EventCode == \"fercft\",\"Failed Exchange\",EventCode == \"ferrt\",\"Failed Exchange\",EventCode == \"fertft\",\"Failed Exchange\",EventCode == \"fi\",\"Failed invite accept\",EventCode == \"flo\",\"Failed Logout\",EventCode == \"fn\",\"Failed Sending Notification\",EventCode == \"fp\",\"Failed Login (Incorrect Password)\",EventCode == \"fpar\",\"Failed Pushed Authorization Request\",EventCode == \"fs\",\"Failed Signup\",EventCode == \"fsa\",\"Failed Silent Auth\",EventCode == \"fu\",\"Failed Login (Invalid Email/Username)\",EventCode == \"fui\",\"Failed users import\",EventCode == \"fv\",\"Failed Verification Email\",EventCode == \"fvr\",\"Failed Verification Email Request\",EventCode == \"gd_auth_email_verification\",\"Email Verification Confirmed\",EventCode == \"gd_auth_fail_email_verification\",\"Email Verification Failed\",EventCode == \"gd_auth_failed\",\"MFA Auth failed\",EventCode == \"gd_auth_rejected\",\"MFA Auth rejected\",EventCode == \"gd_auth_succeed\",\"MFA Auth success\",EventCode == \"gd_enrollment_complete\",\"MFA enrollment complete\",EventCode == \"gd_otp_rate_limit_exceed\",\"Too many MFA failures\",EventCode == \"gd_recovery_failed\",\"Recovery failed\",EventCode == \"gd_recovery_rate_limit_exceed\",\"Multi-factor recovery code has failed too many times\",EventCode == \"gd_recovery_succeed\",\"MFA recovery success\",EventCode == \"gd_send_email\",\"MFA Email Sent\",EventCode == \"gd_send_email_verification\",\"Email Verification Sent\",EventCode == 
\"gd_send_email_verification_failure\",\"Email Verification Failed\",EventCode == \"gd_send_pn\",\"Push notification sent\",EventCode == \"gd_send_pn_failure\",\"Error Sending MFA Push Notification\",EventCode == \"gd_send_sms\",\"MFA SMS Sent\",EventCode == \"gd_send_sms_failure\",\"Error Sending MFA SMS\",EventCode == \"gd_send_voice\",\"MFA voice call success\",EventCode == \"gd_send_voice_failure\",\"MFA voice call failed\",EventCode == \"gd_start_auth\",\"Second factor started\",EventCode == \"gd_start_enroll\",\"MFA Enroll started\",EventCode == \"gd_start_enroll_failed\",\"MFA Enrollment Failed\",EventCode == \"gd_tenant_update\",\"Guardian tenant update\",EventCode == \"gd_unenroll\",\"Unenroll device account\",EventCode == \"gd_update_device_account\",\"Update device account\",EventCode == \"gd_webauthn_challenge_failed\",\"WebAuthn browser error\",EventCode == \"gd_webauthn_enrollment_failed\",\"WebAuthn browser error\",EventCode == \"kms_key_management_failure\",\"Failed KMS API Operation\",EventCode == \"kms_key_management_success\",\"Success KMS API Operation\",EventCode == \"kms_key_state_changed\",\"KMS Key State Change\",EventCode == \"limit_delegation\",\"Too Many Calls to /delegation\",EventCode == \"limit_mu\",\"Blocked IP Address\",EventCode == \"limit_sul\",\"Blocked Account\",EventCode == \"limit_wc\",\"Blocked Account\",EventCode == \"mfar\",\"MFA Required\",EventCode == \"mgmt_api_read\",\"Management API read Operation\",EventCode == \"oidc_backchannel_logout_failed\",\"Failed OIDC Back-Channel Logout request\",EventCode == \"oidc_backchannel_logout_succeeded\",\"Successful OIDC Back-Channel Logout request\",EventCode == \"organization_member_added\",\"Organization Member Added\",EventCode == \"pla\",\"Pre-login assessment\",EventCode == \"pwd_leak\",\"Breached password\",EventCode == \"resource_cleanup\",\"Success Resource Cleanup\",EventCode == \"rich_consents_access_error\",\"Rich Consents Access Error\",EventCode == \"s\",\"Success 
Login\",EventCode == \"sapi\",\"Success API Operation\",EventCode == \"sce\",\"Success Change Email\",EventCode == \"scoa\",\"Success cross-origin authentication\",EventCode == \"scp\",\"Success Change Password\",EventCode == \"scpn\",\"Success Change Phone Number\",EventCode == \"scpr\",\"Success Change Password Request\",EventCode == \"scu\",\"Success Change Username\",EventCode == \"scv\",\"Success Credential Validation\",EventCode == \"sd\",\"Success Delegation\",EventCode == \"sdu\",\"Success User Deletion\",EventCode == \"seacft\",\"Success Exchange\",EventCode == \"seccft\",\"Success Exchange\",EventCode == \"sede\",\"Success Exchange\",EventCode == \"sens\",\"Success Exchange\",EventCode == \"seoobft\",\"Success Exchange\",EventCode == \"seotpft\",\"Success Exchange\",EventCode == \"sepft\",\"Success Exchange\",EventCode == \"sepkoobft\",\"Success Exchange\",EventCode == \"sepkotpft\",\"Success Exchange\",EventCode == \"sepkrcft\",\"Success Exchange\",EventCode == \"sercft\",\"Success Exchange\",EventCode == \"sertft\",\"Success Exchange\",EventCode == \"si\",\"Successfully accepted a user invite\",EventCode == \"signup_pwd_leak\",\"Breached Password on Signup\",EventCode == \"slo\",\"Success Logout\",EventCode == \"srrt\",\"Success Revocation\",EventCode == \"ss\",\"Success Signup\",EventCode == \"ss_sso_failure\",\"Failed SS-SSO Operation\",EventCode == \"ss_sso_info\",\"Information from an SS-SSO Operation\",EventCode == \"ss_sso_success\",\"Success SS-SSO Operation\",EventCode == \"ssa\",\"Success Silent Auth\",EventCode == \"sui\",\"Successfully imported users\",EventCode == \"sv\",\"Success Verification Email\",EventCode == \"svr\",\"Success Verification Email Request\",EventCode == \"ublkdu\",\"User login block released\",EventCode == \"w\",\"Warning During Login\",EventCode == \"wum\",\"Warning User Management\",\"\")};\n AutoLogsview()\n", "functionParameters": "", "version": 2, "tags": [ 
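Review bot: `UserId` and `UserPrincipalName` carry different values depending on which branch of the union a row came from: the `Auth0AM_CL` branch strips the connection prefix with `UserId = tostring(split(column_ifexists('user_id_s', ""), '|')[1])` and lower-cases the name, while the `Auth0Logs_CL` branch passes `ActorUserId`/`ActorUsername` through unchanged, so a join or summarize on either column splits the same principal into two keys. Apply one normalization on both branches, and consider keeping the full `user_id` since dropping the prefix also collapses identities from different connections (e.g. `auth0|x` and `google-oauth2|x`) into one id. The `EventDescritpion` column name on the `extend` is misspelled and becomes part of the function's output schema that downstream content will bind to, so it is cheapest to fix before release; the `case()` default of `""` also hides any code not in the list, where defaulting to `EventCode` would keep unknown events visible. `RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', ""))` surfaces a password field under an obvious name — confirm the value is always redacted upstream, otherwise mask it in the parser rather than exposing it in query results.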
@@ -534,7 +1238,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -564,7 +1268,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Auth0AM Data Parser with template version 3.0.0",
+ "description": "Auth0 Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -578,10 +1282,10 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Parser for Auth0 Auth0AM_CL",
+ "displayName": "Auth0",
 "category": "Microsoft Sentinel Parser",
- "functionAlias": "Auth0AM",
- "query": "let logData = () \n {\n // Parse Auth0 Log data from custom table\n Auth0AM_CL\n | where isnotempty(type_s)\n | project TimeGenerated\n , Audience = tostring(column_ifexists('audience_s', \"\"))\n , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n , ClientId = tostring(column_ifexists('client_id_s', \"\"))\n , ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n , ClientName = tostring(column_ifexists('client_name_s', \"\"))\n , ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n , Connection = tostring(column_ifexists('connection_s', \"\"))\n , Date = todatetime(column_ifexists('date_t', \"\"))\n , Description = tostring(column_ifexists('description_s', \"\"))\n , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', \"\"))\n , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n , DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n , DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', 
\"\"))\n , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n , DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n , DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n , DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n , DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n , DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n , RequestUserPrincipalName = 
tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n , RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n , RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n , RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n , RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n , RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', \"\"))\n , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n , 
ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n , ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n , SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n , XHR = tobool(column_ifexists('details_xhr_b', \"\"))\n , Hostname = tostring(column_ifexists('hostname_s', \"\"))\n , IPAddress = tostring(column_ifexists('ip_s', \"\"))\n , IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n , LogId = tostring(column_ifexists('log_id_s', \"\"))\n , Scope = tostring(column_ifexists('scope_s', \"\"))\n , Strategy = tostring(column_ifexists('strategy_s', \"\"))\n , StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n , Type = 
tostring(column_ifexists('Type', \"\"))\n , EventCode = tostring(column_ifexists('type_s', \"\"))\n , UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n , UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))\n | extend TimeGenerated = Date\n | extend IPGeoLocation = geo_info_from_ip_address\n ;\n };\n let FailedByCORS = ()\n // fco =Origin is not in the Allowed Origins list for the specified application\n {\n logData\n | where EventCode == \"fco\"\n | extend LogType = \"Failed By CORS\"\n | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin\n , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl\n , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let FailedExchange = ()\n // feccft = Failed exchange of Access Token for a Client Credentials Grant\n // fepft = Failed exchange of Password for Access Token\n {\n logData\n | where EventCode == \"feccft\"\n or EventCode == \"fepft\"\n | extend EventDescritpion = iff(EventCode == \"feccft\", \"Failed exchange of Access Token for a Client Credentials Grant\", \"Failed exchange of Password for Access Token\")\n | extend LogType = \"Failed Exchange\"\n | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId\n ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope\n , UserAgent, UserPrincipalName, EventDescritpion, LogType\n };\n let FailedLogin = () \n // fp =\tFailed Login (Incorrect Password)\t\n {\n logData\n | where EventCode == \"fp\"\n | extend LogType = \"Failed Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description\n , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent\n , UserId, UserPrincipalName, LogType\n };\n let BlockedIpAddress = ()\n // limit_mu = An IP 
address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, \n // see Attack Protection - https://auth0.com/docs/configure/attack-protection\n {\n logData\n | where EventCode == \"limit_mu\"\n | extend LogType = \"Blocked IP Address\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile\n , LogId, UserAgent\n , UserPrincipalName, LogType\n };\n let ManagementAPIReadOperation = ()\n // mgmt_api_read = API GET operation returning secrets completed successfully\n {\n logData\n | where EventCode == \"mgmt_api_read\"\n | extend LogType = \"Management API Read Operation\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode\n , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType\n };\n let BreachedPassword = () \n // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password.\n {\n logData\n | where EventCode == \"pwd_leak\"\n | extend LogType = \"Breached Password\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress\n , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType\n };\n let SuccessLogin = ()\n // s = Successful login event.\n {\n logData\n | where EventCode == \"s\"\n | extend LogType = \"Success Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions\n , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount\n , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessAPIOperation = ()\n // sapi = Successful management API write event.\n {\n logData\n | where EventCode == \"sapi\"\n | 
extend LogType = \"Success API Operation\"\n | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified\n , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale\n , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified\n , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset\n , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator\n , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let SuccessChangeEmail = ()\n // sce = Success Change Email\n {\n logData\n | where EventCode == \"sce\"\n | extend LogType = \"Success Change Email\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale\n , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities\n , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified\n , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy\n , StrategyType, 
UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessChangePassword = () \n // scp = Success Change Password\n {\n logData\n | where EventCode == \"scp\"\n | extend LogType = \"Success Change Password\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress\n , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessExchange = ()\n // seacft = Successful exchange of authorization code for Access Token\n // seccft = Successful exchange of Access Token for a Client Credentials Grant\n // sepft = Successful exchange of Password for Access Token\n // sertft = Successful exchange of Refresh Token for Access Token\n {\n logData\n | where EventCode == \"seacft\"\n or EventCode == \"seccft\"\n or EventCode == \"sepft\"\n or EventCode == \"sertft\"\n | extend EventDescritpion = case (\n EventCode == \"seacft\", \"Successful exchange of authorization code for Access Token\"\n , EventCode == \"seccft\", \"Successful exchange of Access Token for a Client Credentials Grant\"\n , EventCode == \"sepft\", \"Successful exchange of Password for Access Token\"\n , EventCode == \"sertft\", \"Successful exchange of Refresh Token for Access Token\"\n , \"\"\n )\n | extend LogType = \"Success Exchange\"\n | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId\n , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname\n , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType\n };\nunion FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword\n , SuccessLogin, SuccessAPIOperation, SuccessChangeEmail, 
SuccessChangePassword, SuccessExchange\n",
+ "functionAlias": "Auth0",
+ "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -600,7 +1304,7 @@
 "[variables('parserObject2')._parserId2]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "kind": "Parser",
 "version": "[variables('parserObject2').parserVersion2]",
@@ -630,7 +1334,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "contentKind": "Parser",
- "displayName": "Parser for Auth0 Auth0AM_CL",
+ "displayName": "Auth0",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
 "version": "[variables('parserObject2').parserVersion2]"
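Review bot: `ActorUserId = client_id_s` in the new `Auth0` query maps the Auth0 application client id into the actor-user field, while the actual subject column `user_id_s` is not surfaced at all; the sibling `Auth0AM` parser in this same commit maps `client_id_s` to `ClientId` and `user_id_s` to `UserId`, so the two aliases disagree on what a user id is. Changing it to `ActorUserId = user_id_s` (and adding a separate `ClientId = client_id_s`) would let detections keyed on ActorUserId attribute activity to the user rather than the app. This query also unions only `Auth0AM_CL` and `Auth0_CL`, not the `Auth0Logs_CL` table the sibling parser reads; if `Auth0` is meant to remain the entry point for existing content, rows arriving through the new connector will presumably not be visible to it. A bare `project-rename` on columns such as `_id_s` or `details_request_body_audience_s` will likely error with a column-not-found when the only table present in a workspace lacks them, which the `column_ifexists` pattern used in the sibling parser avoids. The enclosing resource object continues beyond this hunk.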
@@ -643,10 +1347,10 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Parser for Auth0 Auth0AM_CL",
+ "displayName": "Auth0",
 "category": "Microsoft Sentinel Parser",
- "functionAlias": "Auth0AM",
- "query": "let logData = () \n {\n // Parse Auth0 Log data from custom table\n Auth0AM_CL\n | where isnotempty(type_s)\n | project TimeGenerated\n , Audience = tostring(column_ifexists('audience_s', \"\"))\n , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n , ClientId = tostring(column_ifexists('client_id_s', \"\"))\n , ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n , ClientName = tostring(column_ifexists('client_name_s', \"\"))\n , ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n , Connection = tostring(column_ifexists('connection_s', \"\"))\n , Date = todatetime(column_ifexists('date_t', \"\"))\n , Description = tostring(column_ifexists('description_s', \"\"))\n , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', \"\"))\n , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n , DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n , DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', 
\"\"))\n , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n , DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n , DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n , DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n , DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n , DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n , RequestUserPrincipalName = 
tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n , RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n , RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n , RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n , RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n , RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', \"\"))\n , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n , 
ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n , ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n , SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n , XHR = tobool(column_ifexists('details_xhr_b', \"\"))\n , Hostname = tostring(column_ifexists('hostname_s', \"\"))\n , IPAddress = tostring(column_ifexists('ip_s', \"\"))\n , IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n , LogId = tostring(column_ifexists('log_id_s', \"\"))\n , Scope = tostring(column_ifexists('scope_s', \"\"))\n , Strategy = tostring(column_ifexists('strategy_s', \"\"))\n , StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n , Type = 
tostring(column_ifexists('Type', \"\"))\n , EventCode = tostring(column_ifexists('type_s', \"\"))\n , UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n , UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))\n | extend TimeGenerated = Date\n | extend IPGeoLocation = geo_info_from_ip_address\n ;\n };\n let FailedByCORS = ()\n // fco =Origin is not in the Allowed Origins list for the specified application\n {\n logData\n | where EventCode == \"fco\"\n | extend LogType = \"Failed By CORS\"\n | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin\n , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl\n , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let FailedExchange = ()\n // feccft = Failed exchange of Access Token for a Client Credentials Grant\n // fepft = Failed exchange of Password for Access Token\n {\n logData\n | where EventCode == \"feccft\"\n or EventCode == \"fepft\"\n | extend EventDescritpion = iff(EventCode == \"feccft\", \"Failed exchange of Access Token for a Client Credentials Grant\", \"Failed exchange of Password for Access Token\")\n | extend LogType = \"Failed Exchange\"\n | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId\n ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope\n , UserAgent, UserPrincipalName, EventDescritpion, LogType\n };\n let FailedLogin = () \n // fp =\tFailed Login (Incorrect Password)\t\n {\n logData\n | where EventCode == \"fp\"\n | extend LogType = \"Failed Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description\n , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent\n , UserId, UserPrincipalName, LogType\n };\n let BlockedIpAddress = ()\n // limit_mu = An IP 
address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, \n // see Attack Protection - https://auth0.com/docs/configure/attack-protection\n {\n logData\n | where EventCode == \"limit_mu\"\n | extend LogType = \"Blocked IP Address\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile\n , LogId, UserAgent\n , UserPrincipalName, LogType\n };\n let ManagementAPIReadOperation = ()\n // mgmt_api_read = API GET operation returning secrets completed successfully\n {\n logData\n | where EventCode == \"mgmt_api_read\"\n | extend LogType = \"Management API Read Operation\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode\n , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType\n };\n let BreachedPassword = () \n // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password.\n {\n logData\n | where EventCode == \"pwd_leak\"\n | extend LogType = \"Breached Password\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress\n , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType\n };\n let SuccessLogin = ()\n // s = Successful login event.\n {\n logData\n | where EventCode == \"s\"\n | extend LogType = \"Success Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions\n , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount\n , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessAPIOperation = ()\n // sapi = Successful management API write event.\n {\n logData\n | where EventCode == \"sapi\"\n | 
extend LogType = \"Success API Operation\"\n | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified\n , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale\n , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified\n , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset\n , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator\n , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let SuccessChangeEmail = ()\n // sce = Success Change Email\n {\n logData\n | where EventCode == \"sce\"\n | extend LogType = \"Success Change Email\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale\n , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities\n , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified\n , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy\n , StrategyType, 
UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessChangePassword = () \n // scp = Success Change Password\n {\n logData\n | where EventCode == \"scp\"\n | extend LogType = \"Success Change Password\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress\n , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessExchange = ()\n // seacft = Successful exchange of authorization code for Access Token\n // seccft = Successful exchange of Access Token for a Client Credentials Grant\n // sepft = Successful exchange of Password for Access Token\n // sertft = Successful exchange of Refresh Token for Access Token\n {\n logData\n | where EventCode == \"seacft\"\n or EventCode == \"seccft\"\n or EventCode == \"sepft\"\n or EventCode == \"sertft\"\n | extend EventDescritpion = case (\n EventCode == \"seacft\", \"Successful exchange of authorization code for Access Token\"\n , EventCode == \"seccft\", \"Successful exchange of Access Token for a Client Credentials Grant\"\n , EventCode == \"sepft\", \"Successful exchange of Password for Access Token\"\n , EventCode == \"sertft\", \"Successful exchange of Refresh Token for Access Token\"\n , \"\"\n )\n | extend LogType = \"Success Exchange\"\n | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId\n , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname\n , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType\n };\nunion FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword\n , SuccessLogin, SuccessAPIOperation, SuccessChangeEmail, 
SuccessChangePassword, SuccessExchange\n",
+ "functionAlias": "Auth0",
+ "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -666,7 +1370,7 @@
 "[variables('parserObject2')._parserId2]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "kind": "Parser",
 "version": "[variables('parserObject2').parserVersion2]",
@@ -692,12 +1396,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.1.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Auth0",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
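Review bot: In the new `query` of this saved search the actor is bound to the application identifier — `ActorUserId = client_id_s` — while `user_id_s`, which the removed query surfaced as `UserId` for the login and password-change event types, is not mapped at all, so rules keyed on ActorUserId would attribute those events to the Auth0 client rather than the user. Suggest `ActorUserId = user_id_s,` and carrying `client_id_s` under its own application-scoped name. The removed query also wrapped every source column in `column_ifexists`, whereas `project-rename` fails when a named column is absent; with `union isfuzzy=true` a workspace holding only one of the two tables may therefore get a query error instead of an empty result, and whether `Auth0_CL` exposes the same `_s`/`_t`/`_d` column names as `Auth0AM_CL` is not visible here, so this is worth verifying against both tables. The same query text is also introduced in the earlier parser hunk at the top of this chunk, whose start lies outside the view, and the Auth0AM.yaml hunk below still carries `FunctionAlias: Auth0AM` in its context lines while this resource now sets `"functionAlias": "Auth0"`.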

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Auth0 Access Management solution for Microsoft Sentinel provides the capability to ingest Auth0 log events into your Microsoft Sentinel workspace.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Auth0 Access Management solution for Microsoft Sentinel provides the capability to ingest Auth0 log events into your Microsoft Sentinel workspace.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -727,6 +1431,11 @@
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
 },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Auth0/Package/testParameters.json b/Solutions/Auth0/Package/testParameters.json
index e55ec41a9ac..554801e41b7 100644
--- a/Solutions/Auth0/Package/testParameters.json
+++ b/Solutions/Auth0/Package/testParameters.json
@@ -20,5 +20,19 @@
 "metadata": {
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
 }
 }
diff --git a/Solutions/Auth0/Parsers/Auth0AM.yaml b/Solutions/Auth0/Parsers/Auth0AM.yaml
index 6851b06a24a..4992d476049 100644
--- a/Solutions/Auth0/Parsers/Auth0AM.yaml
+++ b/Solutions/Auth0/Parsers/Auth0AM.yaml
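Review bot: The "Underlying Microsoft Technologies used" list in the new `descriptionHtml` still names only Azure Monitor HTTP Data Collector API and Azure Functions, although the same string now reads "Data Connectors: 2" and the following hunk registers the second connector through `variables('dataConnectorCCPVersion')`. Whatever that connector depends on should be added as a further list item, since this list is where installers are told about preview-state dependencies and extra ingestion cost; otherwise the description understates what version 3.1.0 deploys.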
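Review bot: The added dependency entry references `variables('_dataConnectorContentIdConnections2')` and `variables('dataConnectorCCPVersion')`, which do not follow the naming of the sibling entry's `_dataConnectorContentId1` / `dataConnectorVersion1`. The variables section is outside this view, so confirm both names are declared there; a numeric suffix matching the existing scheme would also make the pair read as the solution's first and second connector.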
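Review bot: The two new `description` strings start in lowercase ("resource group name …", "subscription id …") while the existing one reads "Workspace name for Log Analytics …"; suggest `"description": "Resource group name where Microsoft Sentinel is setup"` and `"description": "Subscription ID where Microsoft Sentinel is setup"`. Naming the second parameter `subscription` is legal in ARM JSON, since `parameters('subscription')` does not collide with the `subscription()` function used in its default, but a name such as `subscriptionId` would state what the default expression actually yields.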
@@ -7,243 +7,97 @@ Category: Microsoft Sentinel Parser FunctionName: Auth0AM FunctionAlias: Auth0AM FunctionQuery: | - let logData = () - { - // Parse Auth0 Log data from custom table - Auth0AM_CL - | where isnotempty(type_s) - | project TimeGenerated - , Audience = tostring(column_ifexists('audience_s', "")) - , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', "")) - , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', "")) - , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', "")) - , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', "")) - , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', "")) - , ClientId = tostring(column_ifexists('client_id_s', "")) - , ClientIp = tostring(column_ifexists('client_ip_s', "")) - , ClientName = tostring(column_ifexists('client_name_s', "")) - , ConnectionId = tostring(column_ifexists('connection_id_s', "")) - , Connection = tostring(column_ifexists('connection_s', "")) - , Date = todatetime(column_ifexists('date_t', "")) - , Description = tostring(column_ifexists('description_s', "")) - , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', "")) - , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', "")) - , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', "")) - , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', "")) - , DetailsConnection = tostring(column_ifexists('details_body_connection_s', "")) - , DetailsEmail = tostring(column_ifexists('details_body_email_s', "")) - , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', "")) - , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', "")) - , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', "")) - , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', "")) - , 
DetailsTenant = tostring(column_ifexists('details_body_tenant_s', "")) - , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', "")) - , DetailsVerify = tobool(column_ifexists('details_body_verify_b', "")) - , DetailsCode = tostring(column_ifexists('details_code_s', "")) - , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', ""))) - , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', "")) - , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', "")) - , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', "")) - , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', "")) - , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', "")) - , DetailsHost = tostring(column_ifexists('details_host_s', "")) - , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', "")))) - , DetailsMethod = tostring(column_ifexists('details_method_s', "")) - , DetailsOrigin = tostring(column_ifexists('details_origin_s', "")) - , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', "")) - , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', "")) - , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', "")) - , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', "")) - , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', "")) - , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', "")) - , RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', "")) - , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', "")) - , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', 
"")) - , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', "")) - , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', "")) - , RequestEmail = tostring(column_ifexists('details_request_body_email_s', "")) - , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', "")) - , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', "")) - , RequestChannel = tostring(column_ifexists('details_request_channel_s', "")) - , RequestIP = tostring(column_ifexists('details_request_ip_s', "")) - , RequestMethod = tostring(column_ifexists('details_request_method_s', "")) - , RequestPath = tostring(column_ifexists('details_request_path_s', "")) - , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', "")) - , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', "")) - , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', "")) - , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', "")) - , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', "")) - , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', "")) - , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', "")) - , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', "")) - , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', "")) - , ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', "")) - , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', "")) - , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', "")) - , ResponseLastLogin = 
todatetime(column_ifexists('details_response_body_last_login_t', "")) - , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', "")) - , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', "")) - , ResponseName = tostring(column_ifexists('details_response_body_name_s', "")) - , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', "")) - , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', "")) - , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', "")) - , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', "")) - , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', "")) - , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', ""), "|")[1]) - , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', "")) - , SessionId = tostring(column_ifexists('details_session_id_s', "")) - , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', "")) - , XHR = tobool(column_ifexists('details_xhr_b', "")) - , Hostname = tostring(column_ifexists('hostname_s', "")) - , IPAddress = tostring(column_ifexists('ip_s', "")) - , IsMobile = tobool(column_ifexists('isMobile_b', "")) - , LogId = tostring(column_ifexists('log_id_s', "")) - , Scope = tostring(column_ifexists('scope_s', "")) - , Strategy = tostring(column_ifexists('strategy_s', "")) - , StrategyType = tostring(column_ifexists('strategy_type_s', "")) - , Type = tostring(column_ifexists('Type', "")) - , EventCode = tostring(column_ifexists('type_s', "")) - , UserAgent = tostring(column_ifexists('user_agent_s', "")) - , UserId = tostring(split(column_ifexists('user_id_s', ""), '|')[1]) - , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', ""))) - | extend TimeGenerated = Date - | extend IPGeoLocation 
= geo_info_from_ip_address - ; - }; - let FailedByCORS = () - // fco =Origin is not in the Allowed Origins list for the specified application - { - logData - | where EventCode == "fco" - | extend LogType = "Failed By CORS" - | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin - , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl - , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType - }; - let FailedExchange = () - // feccft = Failed exchange of Access Token for a Client Credentials Grant - // fepft = Failed exchange of Password for Access Token - { - logData - | where EventCode == "feccft" - or EventCode == "fepft" - | extend EventDescritpion = iff(EventCode == "feccft", "Failed exchange of Access Token for a Client Credentials Grant", "Failed exchange of Password for Access Token") - | extend LogType = "Failed Exchange" - | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId - ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope - , UserAgent, UserPrincipalName, EventDescritpion, LogType - }; - let FailedLogin = () - // fp = Failed Login (Incorrect Password) - { - logData - | where EventCode == "fp" - | extend LogType = "Failed Login" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description - , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent - , UserId, UserPrincipalName, LogType - }; - let BlockedIpAddress = () - // limit_mu = An IP address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. 
For more information, - // see Attack Protection - https://auth0.com/docs/configure/attack-protection - { - logData - | where EventCode == "limit_mu" - | extend LogType = "Blocked IP Address" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile - , LogId, UserAgent - , UserPrincipalName, LogType - }; - let ManagementAPIReadOperation = () - // mgmt_api_read = API GET operation returning secrets completed successfully - { - logData - | where EventCode == "mgmt_api_read" - | extend LogType = "Management API Read Operation" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy - , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode - , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType - }; - let BreachedPassword = () - // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password. - { - logData - | where EventCode == "pwd_leak" - | extend LogType = "Breached Password" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress - , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType - }; - let SuccessLogin = () - // s = Successful login event. - { - logData - | where EventCode == "s" - | extend LogType = "Success Login" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions - , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount - , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessAPIOperation = () - // sapi = Successful management API write event. 
- { - logData - | where EventCode == "sapi" - | extend LogType = "Success API Operation" - | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy - , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified - , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale - , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified - , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset - , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator - , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType - }; - let SuccessChangeEmail = () - // sce = Success Change Email - { - logData - | where EventCode == "sce" - | extend LogType = "Success Change Email" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection - , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy - , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword - , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale - , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities - , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified - , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, 
IsMobile, LogId, Strategy - , StrategyType, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessChangePassword = () - // scp = Success Change Password - { - logData - | where EventCode == "scp" - | extend LogType = "Success Change Password" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection - , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress - , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessExchange = () - // seacft = Successful exchange of authorization code for Access Token - // seccft = Successful exchange of Access Token for a Client Credentials Grant - // sepft = Successful exchange of Password for Access Token - // sertft = Successful exchange of Refresh Token for Access Token - { - logData - | where EventCode == "seacft" - or EventCode == "seccft" - or EventCode == "sepft" - or EventCode == "sertft" - | extend EventDescritpion = case ( - EventCode == "seacft", "Successful exchange of authorization code for Access Token" - , EventCode == "seccft", "Successful exchange of Access Token for a Client Credentials Grant" - , EventCode == "sepft", "Successful exchange of Password for Access Token" - , EventCode == "sertft", "Successful exchange of Refresh Token for Access Token" - , "" - ) - | extend LogType = "Success Exchange" - | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId - , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname - , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType - }; - union FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword - , SuccessLogin, SuccessAPIOperation, 
SuccessChangeEmail, SuccessChangePassword, SuccessExchange \ No newline at end of file + let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', "")) + , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', "")) + , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', "")) + , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', "")) + , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', "")) + , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', "")) + , ClientId = tostring(column_ifexists('client_id_s', "")) + , ClientIp = tostring(column_ifexists('client_ip_s', "")) + , ClientName = tostring(column_ifexists('client_name_s', "")) + , ConnectionId = tostring(column_ifexists('connection_id_s', "")) + , Connection = tostring(column_ifexists('connection_s', "")) + , Date = todatetime(column_ifexists('date_t', "")) + , Description = tostring(column_ifexists('description_s', "")) + , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', "")) + , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', "")) + , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', "")) + , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', "")) + , DetailsConnection = tostring(column_ifexists('details_body_connection_s', "")) + , DetailsEmail = tostring(column_ifexists('details_body_email_s', "")) + , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', "")) + , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', "")) + , DetailsIdentifierValue = 
tostring(column_ifexists('details_body_identifier_value_s', "")) + , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', "")) + , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', "")) + , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', "")) + , DetailsVerify = tobool(column_ifexists('details_body_verify_b', "")) + , DetailsCode = tostring(column_ifexists('details_code_s', "")) + , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', ""))) + , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', "")) + , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', "")) + , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', "")) + , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', "")) + , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', "")) + , DetailsHost = tostring(column_ifexists('details_host_s', "")) + , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', "")))) + , DetailsMethod = tostring(column_ifexists('details_method_s', "")) + , DetailsOrigin = tostring(column_ifexists('details_origin_s', "")) + , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', "")) + , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', "")) + , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', "")) + , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', "")) + , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', "")) + , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', "")) + , RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', "")) + , RequestAuthUserId = 
tostring(column_ifexists('details_request_auth_user_user_id_s', "")) + , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', "")) + , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', "")) + , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', "")) + , RequestEmail = tostring(column_ifexists('details_request_body_email_s', "")) + , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', "")) + , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', "")) + , RequestChannel = tostring(column_ifexists('details_request_channel_s', "")) + , RequestIP = tostring(column_ifexists('details_request_ip_s', "")) + , RequestMethod = tostring(column_ifexists('details_request_method_s', "")) + , RequestPath = tostring(column_ifexists('details_request_path_s', "")) + , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', "")) + , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', "")) + , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', "")) + , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', "")) + , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', "")) + , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', "")) + , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', "")) + , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', "")) + , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', "")) + , ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', "")) + , ResponseIdentities = 
todynamic(column_ifexists('details_response_body_identities_s', "")) + , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', "")) + , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', "")) + , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', "")) + , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', "")) + , ResponseName = tostring(column_ifexists('details_response_body_name_s', "")) + , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', "")) + , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', "")) + , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', "")) + , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', "")) + , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', "")) + , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', ""), "|")[1]) + , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', "")) + , SessionId = tostring(column_ifexists('details_session_id_s', "")) + , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', "")) + , XHR = tobool(column_ifexists('details_xhr_b', "")) + , Hostname = tostring(column_ifexists('hostname_s', "")) + , IPAddress = tostring(column_ifexists('ip_s', "")) + , IsMobile = tobool(column_ifexists('isMobile_b', "")) + , LogId = tostring(column_ifexists('log_id_s', "")) + , Scope = tostring(column_ifexists('scope_s', "")) + , Strategy = tostring(column_ifexists('strategy_s', "")) + , StrategyType = tostring(column_ifexists('strategy_type_s', "")) + , Type = tostring(column_ifexists('Type', "")) + , EventCode = tostring(column_ifexists('type_s', "")) + , UserAgent = tostring(column_ifexists('user_agent_s', "")) + , UserId = 
tostring(split(column_ifexists('user_id_s', ""), '|')[1]) + , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', "")))) | extend EventDescritpion = case(EventCode == "api_limit","Rate Limit on the Authentication or Management APIs",EventCode == "appi","Notice for API Peak Performance initiated",EventCode == "ciba_exchange_failed","Failed CIBA Exchange",EventCode == "ciba_exchange_succeeded","Successful CIBA Exchange",EventCode == "ciba_start_failed","Failed CIBA Start",EventCode == "ciba_start_succeeded","Successful CIBA Start",EventCode == "cls","Code/Link Sent",EventCode == "cs","Code Sent",EventCode == "depnote","Deprecation Notice",EventCode == "f","Failed Login",EventCode == "fc","Failed by Connector",EventCode == "fce","Failed Change Email",EventCode == "fco","Failed by CORS",EventCode == "fcoa","Failed cross-origin authentication",EventCode == "fcp","Failed Change Password",EventCode == "fcph","Failed Post Change Password Hook",EventCode == "fcpn","Failed Change Phone Number",EventCode == "fcpr","Failed Change Password Request",EventCode == "fcpro","Failed Connector Provisioning",EventCode == "fcu","Failed Change Username",EventCode == "fd","Failed Delegation",EventCode == "fdeac","Failed Device Activation",EventCode == "fdeaz","Failed Device Authorization Request",EventCode == "fdecc","User Canceled Device Confirmation",EventCode == "fdu","Failed User Deletion",EventCode == "feacft","Failed Exchange",EventCode == "feccft","Failed Exchange",EventCode == "fede","Failed Exchange",EventCode == "fens","Failed Exchange",EventCode == "feoobft","Failed Exchange",EventCode == "feotpft","Failed Exchange",EventCode == "fepft","Failed Exchange",EventCode == "fepotpft","Failed Exchange",EventCode == "fercft","Failed Exchange",EventCode == "ferrt","Failed Exchange",EventCode == "fertft","Failed Exchange",EventCode == "fi","Failed invite accept",EventCode == "flo","Failed Logout",EventCode == "fn","Failed Sending Notification",EventCode == "fp","Failed 
Login (Incorrect Password)",EventCode == "fpar","Failed Pushed Authorization Request",EventCode == "fs","Failed Signup",EventCode == "fsa","Failed Silent Auth",EventCode == "fu","Failed Login (Invalid Email/Username)",EventCode == "fui","Failed users import",EventCode == "fv","Failed Verification Email",EventCode == "fvr","Failed Verification Email Request",EventCode == "gd_auth_email_verification","Email Verification Confirmed",EventCode == "gd_auth_fail_email_verification","Email Verification Failed",EventCode == "gd_auth_failed","MFA Auth failed",EventCode == "gd_auth_rejected","MFA Auth rejected",EventCode == "gd_auth_succeed","MFA Auth success",EventCode == "gd_enrollment_complete","MFA enrollment complete",EventCode == "gd_otp_rate_limit_exceed","Too many MFA failures",EventCode == "gd_recovery_failed","Recovery failed",EventCode == "gd_recovery_rate_limit_exceed","Multi-factor recovery code has failed too many times",EventCode == "gd_recovery_succeed","MFA recovery success",EventCode == "gd_send_email","MFA Email Sent",EventCode == "gd_send_email_verification","Email Verification Sent",EventCode == "gd_send_email_verification_failure","Email Verification Failed",EventCode == "gd_send_pn","Push notification sent",EventCode == "gd_send_pn_failure","Error Sending MFA Push Notification",EventCode == "gd_send_sms","MFA SMS Sent",EventCode == "gd_send_sms_failure","Error Sending MFA SMS",EventCode == "gd_send_voice","MFA voice call success",EventCode == "gd_send_voice_failure","MFA voice call failed",EventCode == "gd_start_auth","Second factor started",EventCode == "gd_start_enroll","MFA Enroll started",EventCode == "gd_start_enroll_failed","MFA Enrollment Failed",EventCode == "gd_tenant_update","Guardian tenant update",EventCode == "gd_unenroll","Unenroll device account",EventCode == "gd_update_device_account","Update device account",EventCode == "gd_webauthn_challenge_failed","WebAuthn browser error",EventCode == "gd_webauthn_enrollment_failed","WebAuthn browser 
error",EventCode == "kms_key_management_failure","Failed KMS API Operation",EventCode == "kms_key_management_success","Success KMS API Operation",EventCode == "kms_key_state_changed","KMS Key State Change",EventCode == "limit_delegation","Too Many Calls to /delegation",EventCode == "limit_mu","Blocked IP Address",EventCode == "limit_sul","Blocked Account",EventCode == "limit_wc","Blocked Account",EventCode == "mfar","MFA Required",EventCode == "mgmt_api_read","Management API read Operation",EventCode == "oidc_backchannel_logout_failed","Failed OIDC Back-Channel Logout request",EventCode == "oidc_backchannel_logout_succeeded","Successful OIDC Back-Channel Logout request",EventCode == "organization_member_added","Organization Member Added",EventCode == "pla","Pre-login assessment",EventCode == "pwd_leak","Breached password",EventCode == "resource_cleanup","Success Resource Cleanup",EventCode == "rich_consents_access_error","Rich Consents Access Error",EventCode == "s","Success Login",EventCode == "sapi","Success API Operation",EventCode == "sce","Success Change Email",EventCode == "scoa","Success cross-origin authentication",EventCode == "scp","Success Change Password",EventCode == "scpn","Success Change Phone Number",EventCode == "scpr","Success Change Password Request",EventCode == "scu","Success Change Username",EventCode == "scv","Success Credential Validation",EventCode == "sd","Success Delegation",EventCode == "sdu","Success User Deletion",EventCode == "seacft","Success Exchange",EventCode == "seccft","Success Exchange",EventCode == "sede","Success Exchange",EventCode == "sens","Success Exchange",EventCode == "seoobft","Success Exchange",EventCode == "seotpft","Success Exchange",EventCode == "sepft","Success Exchange",EventCode == "sepkoobft","Success Exchange",EventCode == "sepkotpft","Success Exchange",EventCode == "sepkrcft","Success Exchange",EventCode == "sercft","Success Exchange",EventCode == "sertft","Success Exchange",EventCode == "si","Successfully 
accepted a user invite",EventCode == "signup_pwd_leak","Breached Password on Signup",EventCode == "slo","Success Logout",EventCode == "srrt","Success Revocation",EventCode == "ss","Success Signup",EventCode == "ss_sso_failure","Failed SS-SSO Operation",EventCode == "ss_sso_info","Information from an SS-SSO Operation",EventCode == "ss_sso_success","Success SS-SSO Operation",EventCode == "ssa","Success Silent Auth",EventCode == "sui","Successfully imported users",EventCode == "sv","Success Verification Email",EventCode == "svr","Success Verification Email Request",EventCode == "ublkdu","User login block released",EventCode == "w","Warning During Login",EventCode == "wum","Warning User Management","")}; + AutoLogsview() \ No newline at end of file diff --git a/Solutions/Auth0/ReleaseNotes.md b/Solutions/Auth0/ReleaseNotes.md index 57a5750bf45..fcf5af95a86 100644 --- a/Solutions/Auth0/ReleaseNotes.md +++ b/Solutions/Auth0/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------| -| 3.0.0 | 24-08-2024 | Updated the python runtime version to 3.11 | +| 3.0.1 | 13-12-2024 | Added new CCP **Data Connector** to the Solution | +| 3.0.0 | 24-08-2024 | Updated the **Data Connector** Function app python runtime version to 3.11 | | 3.0.0 | 11-12-2023 | Added new **Parser** (Auth0AM) |
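Review bot: Neither branch of the new `AutoLogsview` union carries a `TimeGenerated` column — the `Auth0Logs_CL` branch renames it away (`Date = TimeGenerated`) and the `Auth0AM_CL` branch's `project` list only emits `Date` — whereas the removed parser ended with `| extend TimeGenerated = Date`, so any analytics rule or workbook that filters this function on `TimeGenerated` will error or return nothing; add `| extend TimeGenerated = Date` right after the union's closing parenthesis, before `extend EventDescritpion`. The removed `| where isnotempty(type_s)` guard is also gone from the legacy branch, so any rows without a type now surface with an empty `EventCode` and an empty `EventDescritpion`; `| where isnotempty(EventCode)` after the union restores the filter for both tables. The `RequestBodyPassword` column (`details_request_body_password_s`) is carried forward into the new view; unless that field is known to be redacted at the source, exposing it through a shared function lets every workspace reader see credential material, so projecting it away, or keeping only a boolean `isnotempty(...)` indicator, is the safer default. The misspelled `EventDescritpion` column name is also inherited from the old parser; renaming it would break existing consumers, so a comment such as `// EventDescritpion: name kept for backward compatibility with existing queries` is preferable to a silent rename. The YAML header lines (Category, FunctionName, FunctionAlias) are context at the top of the hunk and the function body ends with the hunk.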