pC_auth0ajsonhttpsessionsuccesssapi.md
May 13, 2026 ยท View on GitHub
Parser Content
{
Name = auth0-a-json-http-session-success-sapi
ExtractionType = json
Conditions = [
""""type":"sapi""""
""""client_name""""
""""client_id"""
]
Fields = ${Auth0AAParsersTemplates.auth0-authentication-template.Fields}[
"""exa_regex=({operation_type}sapi)"""
"""exa_json_path=$.data.details.request.method,exa_field_name=method"""
"""exa_json_path=$.data.details.request.path,exa_field_name=uri_path"""
"""exa_json_path=$.data.client_id,exa_field_name=object"""
"""exa_json_path=$.data.ip,exa_regex=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?"""
"""exa_json_path=$.data.user_agent,exa_field_name=user_agent"""
"""exa_json_path=$.data.response.statusCode,exa_field_name=http_response_code"""
"""exa_json_path=$.data.details.request.method,exa_field_name=operation"""
"""exa_json_path=$.data.description,exa_field_name=description"""
]
ParserVersion = "v1.0.0"
auth0-authentication-template = {
Vendor = Auth0
Product = Auth0
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
ExtractionType = json
Fields = [
"""date"+:"+({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\dZ)""",
"""hostname"+:"+({host}[^"]+)""",
"""description"+:"+({additional_info}[^"]+)\s*"+""",
""""+ip"+:"+({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""",
""""user_id":"({user_id}[^"]+)"""",
""""user_id"+:"+((({auth_type}[^|"]+)\|({domain}[^|"]+)\|([\w\.\-]{1,40}\$?))|(({=auth_type}[^|"]+)\|))""",
"""(user_name|userEmail)\\?"+:\\?"+({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)""",
"""client_name"+:"+({app}[^"]+)""",
"""user_agent"+:"+({user_agent}[^"]+)""",
"""severity"+:"+({alert_severity}[^"]+)""",
""""type":"({operation_type}[^",]+)"""",
""""riskAssessment":[^\}]+?"confidence":"({confidence_level}[^"]+)"""",
"""exa_json_path=$..date,exa_field_name=time"""
"""exa_json_path=$..hostname,exa_field_name=host"""
"""exa_json_path=$.message.description,exa_field_name=additional_info"""
"""exa_json_path=$..ip,exa_regex=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?"""
"""exa_regex="user_id":"({user_id}[^"]+)"""",
"""exa_regex=(user_name|userEmail)\\?"+:\\?"+({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)"""
"""exa_regex="user_id":"((({auth_type}[^|"]+)\|({domain}[^|"]+)\|([\w\.\-]{1,40}\$?))|(({=auth_type}[^|"]+)\|))""",
"""exa_json_path=$..client_name,exa_field_name=app"""
"""exa_json_path=$..user_agent,exa_field_name=user_agent"""
"""exa_json_path=$..severity,exa_field_name=alert_severity"""
"""exa_json_path=$.message.type,exa_regex=({operation_type}[^",]+)"""
"""exa_json_path=$.data..user.email,exa_regex=({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)"""
"""exa_json_path=$..user_name,exa_regex=({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)"""
"""exa_json_path=$.data..request.userAgent,exa_field_name=user_agent"""
"""exa_json_path=$.data..request.path,exa_field_name=uri_path"""
"""exa_json_path=$.data..request.method,exa_field_name=method"""
"""exa_json_path=$.data..response.statusCode,exa_field_name=http_response_code"""
"""exa_json_path=$.data.type,exa_field_name=operation_type"""
"""exa_json_path=$.data.description,exa_field_name=additional_info"""
"""exa_json_path=$..request.ip,exa_field_name=src_ip"""
"""exa_json_path=$..riskAssessment.confidence,exa_field_name=confidence_level"""
}