Query’s integration with Auth0’s cloud identity management solution allows analysts to do the following:

  • Retrieve details about users identity information (username, email address).
  • Search both failed or successful authentication attempts.

For example, the analyst could obtain the following context:

  • Searching by the user’s email, i.e. Email equals abc@xyz.com, the response would contain the user’s directory information and authentication details about when their logins were, and if they were success or failure.
  • Searching by a device’s IP, i.e. IP equals x.x.x.x , the response would provide the authentication success & failure for that ip address and any user information associated with the device.

To integrate Auth0, see integration documentation here.

The integration will normalize data pulled from Auth0 into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins, compounding the analyst’s ability to investigate. Query normalizes Auth0 data into QDM User and Device objects, and Authentication events. Analysts can see key identity attributes like name, email, credential UID, and account UID in the QDM user object. Additional authentication information from Auth0, like last login time, and last IP logged in from, is extracted into the QDM Device object. It also captures the device type, such as whether it was detected by Auth0 as a mobile device.

Query derives QDM Authentication event’s status from the authentication type, and session UUID from the session ID information coming from Auth0. The IP and hostname from the authentication logs are extracted as the observables in the QDM authentication event. Additional information like the UserAgent is provided as well.

With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with.

Based upon additional integrations in your environment, Query will show you:

  • The user’s devices.
  • Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
  • Relevant follow up searches to get vulnerability, malware, and threat intelligence information associated with related entities like files, processes, and applications on that device.