Reviewing logs to assess the impact of an attack is a crucial step in your incident response plan. On this page you’ll see how to access logs in the Auth0 Dashboard, along with example log search queries for finding indicators of an attack and reviewing account activity.

Check Auth0 logs

  1. Log in to the Auth0 Dashboard.
  2. The Logs page is located under Monitoring in the menu on the left.
  3. On the Logs page, you’ll see a search bar along with a filter selection and date picker.
Select a log event from the list to see a Summary of the event along with further Details including the raw JSON.

Log structure

Each log event has the following fields:
Field            Description
date             Timestamp when this event occurred.
log_id           The id of the log event.
type             The log event type.
description      The description of the event.
connection       The connection name related to the event.
connection_id    The connection id related to the event.
client_id        The client id related to the event.
client_name      The name of the client related to the event.
ip               The IP address from where the request that caused the log event originated.
user_agent       The user agent that is related to the event.
details          An object containing further information for this log event.
user_id          The user id related to the event.
user_name        The user name related to the event.
strategy         The connection strategy related to the event.
strategy_type    The connection strategy type related to the event.

Example of failed login log event

Here is an example log event for a failed login due to an incorrect password:
{
  "date": "2020-10-27T19:39:54.699Z",
  "type": "fp",
  "description": "Wrong email or password.",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_ABC123",
  "client_id": "ABCDEFG123456789",
  "client_name": "All Applications",
  "ip": "99.xxx.xxx.xxx",
  "user_agent": "Chrome 86.0.4240 / Mac OS X 10.15.6",
  "details": {
    "error": {
      "message": "Wrong email or password."
    }
  },
  "user_id": "auth0|ABC123",
  "user_name": "test@test.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "123456789",
  "_id": "123456789",
  "isMobile": false
}

Indicators of an attack

Identifying an attack early on may be difficult, but here are some things to look for in your logs along with example search queries:
  • High numbers of failed logins with invalid usernames or login attempts for non-existent users.
    • type:"fu"
    • description:"missing username parameter"
    • description:"Wrong email or password"
  • Large number of accounts reaching the failed login attempts limit.
    • type:"limit_wc"
  • A high number of login attempts using a leaked password.
    • type:"pwd_leak"
During your investigation take note of IP addresses, applications being targeted, and connections or used.
The Log Search Query Syntax page provides details on Auth0’s log query syntax and includes more example queries.

Identify compromised user accounts

To identify user accounts that may have been compromised you can search for:
  • Successful login events from a suspicious IP address:
    • type:"s" AND ip:"99.xxx.xxx.xxx"
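
The searches above can be combined offline once log events have been exported. The following is an added example, not Auth0 code: it groups events by ip, flags addresses with many failed logins, and lists the user_id values that logged in successfully from those same addresses. The triage function, the threshold of 3 and the sample events are assumptions made for illustration; only the field names and type codes come from this page.

```python
import json
from collections import Counter, defaultdict

# Event type codes as used in the search queries on this page.
FAILED = {"fp", "fu"}               # wrong password / invalid username
SIGNALS = {"limit_wc", "pwd_leak"}  # attempt limit reached / leaked password

def triage(events, fail_threshold=3):
    """Report IPs with >= fail_threshold failed logins and the accounts that
    logged in successfully (type "s") from them. Threshold is an assumption."""
    fails, names = Counter(), defaultdict(set)
    signals, logins = defaultdict(Counter), defaultdict(set)
    for e in events:
        ip, etype = e.get("ip"), e.get("type")
        if not ip:
            continue
        if etype in FAILED:
            fails[ip] += 1
            if e.get("user_name"):
                names[ip].add(e["user_name"])
        elif etype in SIGNALS:
            signals[ip][etype] += 1
        elif etype == "s" and e.get("user_id"):
            logins[ip].add(e["user_id"])
    return {
        ip: {
            "failed_logins": n,
            "distinct_usernames": len(names[ip]),
            "signals": dict(signals[ip]),
            "review_user_ids": sorted(logins[ip]),
        }
        for ip, n in fails.items() if n >= fail_threshold
    }

def _ev(ip, etype, user_name=None, user_id=None):
    return {"ip": ip, "type": etype, "user_name": user_name, "user_id": user_id}

# Constructed sample events (documentation-range IPs, made-up users).
SAMPLE = [
    _ev("203.0.113.7", "fu", "a@example.com"),
    _ev("203.0.113.7", "fp", "b@example.com"),
    _ev("203.0.113.7", "fp", "c@example.com"),
    _ev("203.0.113.7", "pwd_leak", "c@example.com"),
    _ev("203.0.113.7", "s", "c@example.com", "auth0|CONSTRUCTED1"),
    _ev("198.51.100.20", "fp", "d@example.com"),
    _ev("198.51.100.20", "s", "d@example.com", "auth0|CONSTRUCTED2"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Each user_id under review_user_ids is a candidate for the account activity checks in the next section; a single mistyped password followed by a successful login, as with the second sample address, stays below the threshold and is not reported.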

Check compromised user account activity

After identifying a compromised user account you’ll want to check the account’s activity:
  • Search for other log events with the same user_id: user_id:"auth0|ABC123"
  • Check the client_name or client_id log event fields to see which applications were accessed. Make a note of when access occurred.
  • Check for administration access or Auth0 configuration changes
  • Search for recent Management API calls: type:"sapi"

Delete or block users from the dashboard

  1. Go to Dashboard > User Management > Users.
  2. Search for the user to delete or block.
  3. Click the ”” button on the far right of the user.
  4. Select Block or Delete and confirm.