elastic
diff --git a/‎.buildkite/pull-requests.json‎
Lines changed: 1 addition & 1 deletion b/‎.buildkite/pull-requests.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/auth0/_dev/build/docs/README.md‎
Lines changed: 35 additions & 15 deletions b/‎packages/auth0/_dev/build/docs/README.md‎
Lines changed: 35 additions & 15 deletions
diff --git a/‎packages/auth0/_dev/deploy/docker/docker-compose.yml‎
Lines changed: 13 additions & 0 deletions b/‎packages/auth0/_dev/deploy/docker/docker-compose.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎packages/auth0/_dev/deploy/docker/files/config-logs.yml‎
Lines changed: 171 additions & 0 deletions b/‎packages/auth0/_dev/deploy/docker/files/config-logs.yml‎
Lines changed: 171 additions & 0 deletions
diff --git a/‎packages/auth0/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/auth0/changelog.yml‎
Lines changed: 5 additions & 0 deletions
@@ -5,7 +5,7 @@
       "pipelineSlug": "integrations",
       "allow_org_users": true,
       "allowed_repo_permissions": ["admin", "write"],
-      "allowed_list": ["dependabot[bot]", "mergify[bot]", "elastic-vault-github-plugin-prod[bot]"],
+      "allowed_list": ["dependabot[bot]", "mergify[bot]", "elastic-vault-github-plugin-prod[bot]", "github-actions[bot]"],
       "set_commit_status": true,
       "build_on_commit": true,
       "build_on_comment": true,
 
@@ -158,6 +158,7 @@
 /packages/darktrace @elastic/security-service-integrations
 /packages/ded @elastic/ml-ui @elastic/sec-applied-ml
 /packages/dga @elastic/ml-ui @elastic/sec-applied-ml
+/packages/digital_guardian @elastic/security-service-integrations
 /packages/docker @elastic/obs-cloudnative-monitoring
 /packages/elastic_agent @elastic/elastic-agent
 /packages/elastic_package_registry @elastic/ecosystem
 
@@ -1,29 +1,30 @@
 # Auth0 Log Streams Integration
 
-Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
+Auth0 offers integrations that push log events via log streams to Elasticsearch or allows an Elastic Agent to make API requests for log events. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events or runs periodic API requests to collect events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
 
-The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
-
-## Compatability
+## Compatibility
 
-The package collects log events sent via log stream webhooks.
+The package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.
 
-## Configuration
-
-### Enabling the integration in Elastic
+## Enabling the integration in Elastic
 
 1. In Kibana go to **Management > Integrations**
 2. In "Search for integrations" search bar type **Auth0**
 3. Click on "Auth0" integration from the search results.
 4. Click on **Add Auth0** button to add Auth0 integration.
 
+## Configuration for Webhook input
+
+The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
+
+For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
+
 ### Configure the Auth0 integration
 
-1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`.
-2. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
-3. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
+1. Click on **Collect Auth0 log streams events via Webhooks** to enable it.
+2. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`.
+3. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
+4. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
 
 ### Creating the stream in Auth0
 
@@ -33,8 +34,27 @@ The package collects log events sent via log stream webhooks.
 4. In **Payload URL**, paste the **Endpoint URL** collected during Step 1 of **Configure the Auth0 integration** section.
 5. In **Authorization Token**, paste the **Authorization Token**. This must match the value entered in Step 2 of **Configure the Auth0 integration** section.
 6. In **Content Type**, choose  **application/json**.
-7. In **Content Format**, choose  **JSON Lines**.
-8. **Click Save**.
+7. In **Content Format**, choose **JSON Lines**.
+8. Click **Save**.
+
+## Configuration for API request input
+
+### Creating an application in Auth0
+
+1. From the Auth0 management console, navigate to **Applications > Applications** and click **+ Create Application**.
+2. Choose **Machine to Machine Application**.
+3. Name the new **Application** appropriately (e.g. Elastic) and click **Create**.
+4. Select the **Auth0 Management API** option and click **Authorize**.
+5. Select the `read:logs` and `read:logs_users` permissions and then click **Authorize**.
+6. Navigate to the **Settings** tab. Take note of the "Domain", "Client ID" and "Client Secret" values in the **Basic Information** section.
+7. Click **Save Changes**.
+
+### Configure the Auth0 integration
+
+1. In the Elastic Auth0 integration user interface click on **Collect Auth0 log events via API requests** to enable it.
+2. Enter value for "URL". This must be an https URL using the **Domain** value obtained from Auth cloud above.
+3. Enter value for "Client ID". This must match the "Client ID" value obtained from Auth0 cloud above.
+4. Enter value for "Client Secret". This must match the "Client Secret" value obtained from Auth0 cloud above.
 
 ## Log Events
 
 
@@ -19,3 +19,16 @@ services:
       - STREAM_WEBHOOK_HEADER=Authorization=abc123
       - STREAM_INSECURE=true
     command: log --start-signal=SIGHUP --delay=5s /sample_logs/auth0-ndjson.log
+  auth0-http-server:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    hostname: auth0
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config-logs.yml
@@ -0,0 +1,171 @@
+rules:
+  - path: /oauth/token
+    methods: ['POST']
+    request_body: '{"audience":"http://svc-auth0-http-server:8090/api/v2/","client_id":"wwwwwwww","client_secret":"xxxxxxxx","grant_type":"client_credentials"}'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |
+          {"access_token":"yyyyyyyy","scope":"read:logs read:logs_users","expires_in":86400,"token_type":"Bearer"}
+  - path: /api/v2/logs
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer yyyyyyyy"
+    query_params:
+      from: "{from:900[0-9]{20}0{33}}"
+      take: 1
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+          Link:
+            - <http://svc-auth0-http-server:8090/api/v2/logs?from=90020240308035905601176000000000000001223372052035100532&take=1>; rel="next"
+        body: |-
+          {{ minify_json `
+          [
+              {
+                  "date": "2024-03-08T03:59:05.520Z",
+                  "type": "sapi",
+                  "description": "Create client grant",
+                  "client_id": "xZjM1MjUxOGVhYzYxNTAxZmE3NmI1MGIgIC",
+                  "client_name": "",
+                  "ip": "81.2.69.144",
+                  "user_agent": "Firefox 125.0.0 / Arch 0.0.0",
+                  "details": {
+                      "request": {
+                          "method": "post",
+                          "path": "/api/v2/client-grants",
+                          "query": {},
+                          "userAgent": "Mozilla/5.0 (X11; Arch; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
+                          "body": {
+                              "client_id": "MWNhMmRiOGY5MGIxNjE0ZTVmMjc0NDhl",
+                              "audience": "https://dev-fulaoenaspapatoulp.us.auth0.com/api/v2/",
+                              "scope": [
+                                  "read:logs",
+                                  "read:logs_users"
+                              ]
+                          },
+                          "channel": "https://manage.auth0.com/",
+                          "ip": "81.2.69.144",
+                          "auth": {
+                              "user": {
+                                  "user_id": "github|32487232",
+                                  "name": "User McUserface",
+                                  "email": "user.mcuserface@company.com"
+                              },
+                              "strategy": "jwt",
+                              "credentials": {
+                                  "jti": "e01983470586edb819c8c5d9967a63d3"
+                              }
+                          }
+                      },
+                      "response": {
+                          "statusCode": 201,
+                          "body": {
+                              "client_id": "MWNhMmRiOGY5MGIxNjE0ZTVmMjc0NDhl",
+                              "audience": "https://dev-fulaoenaspapatoulp.us.auth0.com/api/v2/",
+                              "scope": [
+                                  "read:logs",
+                                  "read:logs_users"
+                              ]
+                          }
+                      }
+                  },
+                  "user_id": "github|32487232",
+                  "$event_schema": {
+                      "version": "1.0.0"
+                  },
+                  "log_id": "90020240308035905601176000000000000001223372052035100532",
+                  "tenant_name": "dev-fulaoenaspapatoulp",
+                  "_id": "90020240308035905601176000000000000001223372052035100532",
+                  "isMobile": false
+              }
+          ]
+          ` }}
+  - path: /api/v2/logs
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer yyyyyyyy"
+    query_params:
+      from: "90020240308035905601176000000000000001223372052035100532"
+      take: 1
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+          Link:
+            - <http://svc-auth0-http-server:8090/api/v2/logs?from=90020240308035906742643000000000000001223372052035101088&take=1>; rel="next"
+        body: |-
+          {{ minify_json `
+          [
+              {
+                  "date": "2024-03-08T03:59:06.700Z",
+                  "type": "mgmt_api_read",
+                  "description": "Get client by ID",
+                  "client_id": "xZjM1MjUxOGVhYzYxNTAxZmE3NmI1MGIgIC",
+                  "client_name": "",
+                  "ip": "81.2.69.144",
+                  "user_agent": "Firefox 125.0.0 / Arch 0.0.0",
+                  "details": {
+                      "accessedSecrets": [
+                          "client_secret"
+                      ],
+                      "request": {
+                          "method": "get",
+                          "path": "/api/v2/clients/MWNhMmRiOGY5MGIxNjE0ZTVmMjc0NDhl",
+                          "query": {},
+                          "userAgent": "Mozilla/5.0 (X11; Arch; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
+                          "channel": "https://manage.auth0.com/",
+                          "ip": "81.2.69.144",
+                          "auth": {
+                              "user": {
+                                  "user_id": "github|32487232",
+                                  "name": "User McUserface",
+                                  "email": "user.mcuserface@company.com"
+                              },
+                              "strategy": "jwt",
+                              "credentials": {
+                                  "jti": "e01983470586edb819c8c5d9967a63d3"
+                              }
+                          }
+                      },
+                      "response": {
+                          "statusCode": 200,
+                          "body": {
+                              "client_id": "MWNhMmRiOGY5MGIxNjE0ZTVmMjc0NDhl"
+                          }
+                      }
+                  },
+                  "user_id": "github|32487232",
+                  "$event_schema": {
+                      "version": "1.0.0"
+                  },
+                  "log_id": "90020240308035906742643000000000000001223372052035101088",
+                  "tenant_name": "dev-fulaoenaspapatoulp",
+                  "_id": "90020240308035906742643000000000000001223372052035101088",
+                  "isMobile": false
+              }
+          ]
+          ` }}
+  - path: /api/v2/logs
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer yyyyyyyy"
+    query_params:
+      from: "90020240308035906742643000000000000001223372052035101088"
+      take: 1
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+          Link:
+            - <http://svc-auth0-http-server:8090/api/v2/logs?from=90020240308035906742643000000000000001223372052035101088&take=1>; rel="next"
+        body: '[]'
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.0"
+  changes:
+    - description: Add pull v2/logs API input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10656
 - version: "1.16.0"
   changes:
     - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.