From 772a3e4582cd60208a75436321a0aaf13bb680b5 Mon Sep 17 00:00:00 2001
From: cherryleaf-ginny <103435263+ellis-elastic@users.noreply.github.com>
Date: Mon, 11 Apr 2022 16:54:42 +0100
Subject: [PATCH 1/4] Update Readme

Added link to Auth0 documentation
---
 packages/auth0/_dev/build/docs/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/auth0/_dev/build/docs/README.md b/packages/auth0/_dev/build/docs/README.md
index 54a6a679e55..770d019c68d 100644
--- a/packages/auth0/_dev/build/docs/README.md
+++ b/packages/auth0/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
 # Auth0 Log Streams Integration
 
-Auth0 offers integrations that push log events via log streams to Elasticsearch. The Auth0 Log Streams integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
+Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
 
 The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
 

From 5c88f4d5cf74dadda06afaa26642452f1a7d5af9 Mon Sep 17 00:00:00 2001
From: cherryleaf-ginny <103435263+ellis-elastic@users.noreply.github.com>
Date: Mon, 11 Apr 2022 16:56:37 +0100
Subject: [PATCH 2/4] Update changelog and run build

---
 packages/auth0/changelog.yml | 5 +++++
 packages/auth0/docs/README.md | 14 +-------------
 packages/auth0/manifest.yml | 2 +-
 3 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/packages/auth0/changelog.yml b/packages/auth0/changelog.yml
index 3278132a2cc..ca8bbeb8d5e 100644
--- a/packages/auth0/changelog.yml
+++ b/packages/auth0/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.4"
+  changes:
+    - description: Update Readme
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3065
 - version: "0.1.3"
   changes:
     - description: Add documentation for multi-fields
diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index 518297b224c..5a405d5e2e7 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -1,6 +1,6 @@
 # Auth0 Log Streams Integration
 
-Auth0 offers integrations that push log events via log streams to Elasticsearch. The Auth0 Log Streams integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
+Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
 
 The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
 
@@ -88,7 +88,6 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | destination.user.id | Unique identifier of the user. | keyword |
 | destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
@@ -108,7 +107,6 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | file.name | Name of the file including the extension, without the directory. | keyword |
 | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | input.type | Input type. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
@@ -116,22 +114,17 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
 | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
 | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
 | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
 | process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.pid | Process id. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
@@ -144,22 +137,17 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | source.user.id | Unique identifier of the user. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
 | tags | List of keywords used to tag each event. | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.device.name | Name of the device. | keyword |
 | user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 | user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
 | user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
 | user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
 | user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | user_agent.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/auth0/manifest.yml b/packages/auth0/manifest.yml
index 56297e9dd26..eaa580219cb 100644
--- a/packages/auth0/manifest.yml
+++ b/packages/auth0/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: auth0
 title: "Auth0 Log Streams Integration"
-version: 0.1.3
+version: 0.1.4
 license: basic
 description: Collect logs from Auth0 with Elastic Agent.
 type: integration

From 3415402ff4f5dd1da7a59101e3db2ac8d01be6cc Mon Sep 17 00:00:00 2001
From: cherryleaf-ginny <103435263+ellis-elastic@users.noreply.github.com>
Date: Tue, 12 Apr 2022 10:49:20 +0100
Subject: [PATCH 3/4] Update Readme

Added link to Auth0's integration to Elastic Security - https://marketplace.auth0.com/integrations/elastic-security
---
 packages/auth0/_dev/build/docs/README.md | 2 ++
 packages/auth0/docs/README.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/packages/auth0/_dev/build/docs/README.md b/packages/auth0/_dev/build/docs/README.md
index 770d019c68d..e7771cc7ea4 100644
--- a/packages/auth0/_dev/build/docs/README.md
+++ b/packages/auth0/_dev/build/docs/README.md
@@ -4,6 +4,8 @@ Auth0 offers integrations that push log events via log streams to Elasticsearch.
 
 The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
 
+For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
+
 ## Compatability
 
 The package collects log events sent via log stream webhooks.
diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index 5a405d5e2e7..1214c936dc7 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -4,6 +4,8 @@ Auth0 offers integrations that push log events via log streams to Elasticsearch.
 
 The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
 
+For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
+
 ## Compatability
 
 The package collects log events sent via log stream webhooks.

From 9311ef7ccb2a45a53372025b3df8ac8e851639d3 Mon Sep 17 00:00:00 2001
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com>
Date: Wed, 13 Apr 2022 11:00:51 +1000
Subject: [PATCH 4/4] commit generated readme

---
 packages/auth0/docs/README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index 1214c936dc7..a40c20f6acb 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -90,6 +90,7 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | destination.user.id | Unique identifier of the user. | keyword |
 | destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
@@ -109,6 +110,7 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | file.name | Name of the file including the extension, without the directory. | keyword |
 | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | input.type | Input type. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
@@ -116,17 +118,22 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
 | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
 | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
 | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
 | process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.pid | Process id. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
@@ -139,17 +146,22 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | source.user.id | Unique identifier of the user. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
 | tags | List of keywords used to tag each event. | keyword |
 | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
 | user_agent.device.name | Name of the device. | keyword |
 | user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
 | user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
 | user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
 | user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
 | user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | user_agent.os.version | Operating system version as a raw string. | keyword |