To help us (and our customers) visualize these logs, we spent some time creating a couple of dashboards. Sumo Logic makes it easy to see the latest failed logins, find and alert on error messages, create charts to visualize trends, or even do complex statistical analysis on your data. We have been using the Auth0 to Sumo Logic extension ourselves since it was first released, and it's proven to be very useful for staying on top of what's happening with our own Auth0 accounts and our internal users (employees).

The resulting chart will look something like this:

| transpose row _timeslice column client_name

Want to create a chart showing the popularity of a particular client based on the number of logins per hour over a few days? Sure, you can do that in Sumo Logic with just a few commands:

_sourceCategory=auth0_logs salesforce | json auto | timeslice 1h | count user_name | top 10 user_name by _count

Getting the top 10 users for a given time period is as easy as this query:

_sourceCategory=auth0_logs | json auto

A simple search like _sourceCategory=auth0_logs will show you the most recent log events. We recommend naming the source category auth0_logs.

Data should begin appearing in Sumo Logic a few minutes after you enable the extension. If you don't already have one, follow the Sumo Logic instructions for creating an HTTP source and paste the URL it generates into the Auth0 extension configuration settings. One piece of information you will need to supply is the URL of your Sumo Logic HTTP collector endpoint. You'll need to decide on a few simple settings, but the defaults are all reasonable. Once enabled, the extension configuration screen will be displayed. Simply log in, click on Extensions, then find and click on the Sumo Logic icon to configure and enable the extension.

If you want to get started with Sumo Logic, reach out to us.

It's super easy to install the "Auth0 Logs to Sumo Logic" extension right from your Auth0 account Dashboard.
If you are a Sumo Logic customer, reach out to us now for help.

Sumo Logic Global Operations Center, Threat Labs and Engineering teams are working on releasing additional content to help you to stay ahead of such compromises. You will be able to use all relevant Okta (or other) logs to help you determine if you are compromised.

Once you sign up, our onboarding team will help you navigate the steps to be taken to get you going.

Don't worry, you can get started in minutes! Sign up for your free trial today.

_source="Okta" (_via_mfa or OKTA_VERIFY_PUSH)
| json field=_raw "outcome.result" as result
| json field=_raw "actor.alternateId" as user
| count as total_pushes,sum(success) as success, sum(failure) as failure by user,_timeslice
| failure/total_pushes as push_fail_ratio
| if(failure=total_pushes AND total_pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) as finding
| if(total_pushes=0,"Multiple pushes sent and ignored",finding) as finding
| if(success>0 AND total_pushes>3,"Multiple pushes sent, eventual successful authentication!",finding) as finding
| if(push_fail_ratio>.1,"High push fail Ratio with successful login detected",finding) as finding
| where finding = "High push fail Ratio with successful login detected" and total_pushes > 1

Okta_User_Attempted_to_Access_Unauthorized_App

Alternatively, from the Sumo Logic platform you can search Okta logs for signs of an attacker attempting to flood the target victim with Multi-Factor Authentication (MFA) push notifications until the victim accepts an MFA request.

If you are a Sumo Logic Cloud SIEM customer you have more fine-grained capabilities!
Cloud SIEM includes targeted searches that you can use now, such as:

Identify top 10 user account lockouts in the last 24 hours
Correlate user account lockout with a successful login
Example: User Event Analysis using Okta App

You can use the Okta App for Sumo Logic to get started with securing your environment by using the Okta logs to determine this potential compromise and much more, including:

If you are a Sumo Logic customer or if you are trialing Sumo Logic services, we can help you determine if you are at risk.