
Auth0 integration overview

You can integrate Auth0 with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Auth0 product overview

Auth0 is an authentication and authorization platform that provides secure access to applications and systems through a cloud-native solution. It offers developers flexible, easy-to-implement authentication and authorization capabilities, such as single sign-on (SSO), multi-factor authentication, and social login. It manages and secures user identities across applications, which helps organizations strengthen their cybersecurity infrastructure while keeping access convenient for users.

Sophos documents

Integrate Auth0 (API)

What we ingest

Sample alerts seen by Sophos:

  • security.authenticator.lifecycle.activate
  • security.authenticator.lifecycle.create
  • security.authenticator.lifecycle.deactivate
  • security.authenticator.lifecycle.update
  • security.device.add_request_blacklist_policy
  • security.device.remove_request_blacklist_policy
  • security.device.temporarily_disable_blacklisting
  • security.request.blocked
  • security.session.detect_client_roaming

Filtering

We filter messages as follows:

  • We ALLOW only messages that are in the correct format.
  • We DROP messages that aren't in the correct format.

Sample threat mappings

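We define the alert type by looking up the event's type field in the list of log event type codes published by Auth0. If no translation is found, the raw type value is used as the alert type.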

"value": "=> getNestedValue(_.referenceValues.code_translation, 'log_event_type_code', fields.type) ? getNestedValue(_.referenceValues.code_translation, 'log_event_type_code', fields.type) :  getNestedValue(_.globalReferenceValues.code_translation, 'log_event_type_code', fields.type) ? getNestedValue(_.globalReferenceValues.code_translation, 'log_event_type_code', fields.type) : fields.type",

Samples:

{"alertType": "Success Change Password", "threatId": "T1098", "threatName": "Account Manipulation"}
{"alertType": "Rate Limit on the Authentication API", "threatId": "T1110", "threatName": "Brute Force"}
{"alertType": "Auth0 Update Started", "threatId": "TA0005", "threatName": "Defense Evasion"}
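The lookup order in the mapping expression above, as an added example that is not Sophos code: getNestedValue is a hypothetical stand-in for the helper named in the expression, and the translation tables are constructed sample data.

```javascript
// Added example; not Sophos code. getNestedValue is a hypothetical stand-in
// and the translation tables below are constructed sample data.
function getNestedValue(root, ...keys) {
  let node = root;
  for (const key of keys) {
    // Own-property check: a type such as "constructor" must not resolve
    // to something inherited from Object.prototype.
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined;
    }
    node = node[key];
  }
  return node;
}

// Same precedence as the expression: integration table, then global table,
// then the raw code. `a ? a : b ? b : c` is equivalent to `a || b || c`.
function resolveAlertType(ctx, fields) {
  const path = ["code_translation", "log_event_type_code", fields.type];
  return (
    getNestedValue(ctx.referenceValues, ...path) ||
    getNestedValue(ctx.globalReferenceValues, ...path) ||
    fields.type
  );
}

// Constructed sample context: the integration table overrides one label.
const sampleCtx = {
  referenceValues: {
    code_translation: { log_event_type_code: { scp: "Success Change Password" } },
  },
  globalReferenceValues: {
    code_translation: {
      log_event_type_code: {
        scp: "Password Changed (constructed global label)",
        api_limit: "Rate Limit on the Authentication API",
        sys_update_start: "Auth0 Update Started",
      },
    },
  },
};

for (const type of ["scp", "api_limit", "zz_unmapped", "constructor"]) {
  console.log(type, "->", resolveAlertType(sampleCtx, { type }));
}
```

Codes missing from both tables reach the alert as raw values, so rules keyed on alertType should expect untranslated codes as well as the translated names.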

Vendor documentation

Get Management API Access Tokens for Production