# Investigation: Auth0 Action, Rule, or Hook Modified

This notebook assists in investigating alerts related to modifications of Auth0 Actions, Rules, or Hooks.

In [None]:
from scanner_client import ScannerClient
import pandas as pd
import plotly.express as px

# Initialize Scanner Client
client = ScannerClient(api_url="https://api.kast-apse1.scanner.dev", api_key="YOUR_API_KEY")

## 1. Retrieve Recent Modifications
Fetch the recent events related to Action, Rule, or Hook modifications.

In [None]:
query = """
%ingest.source_type:auth0
data.type:sapi
(
  (data.description:"Create an action") or
  (data.description:"Update an action") or
  (data.description:"Delete an action") or
  (data.description:"Create a rule") or
  (data.description:"Update a rule") or
  (data.description:"Delete a rule") or
  (data.description:"Create a hook") or
  (data.description:"Update a hook") or
  (data.description:"Delete a hook")
)
"""

results = client.query(query, time_range_s=86400) # Last 24 hours
df = pd.DataFrame(results)
df.head()

## 2. Analyze User Activity
Group by user to see who is making the most changes.

In [None]:
if not df.empty:
    user_counts = df['data.user_id'].value_counts().reset_index()
    user_counts.columns = ['User ID', 'Count']
    fig = px.bar(user_counts, x='User ID', y='Count', title='Modifications by User')
    fig.show()