Auth0

This guide walks through how to set up Auth0 logs in Scanner Collect, using Auth0 log streams with custom webhooks to send logs directly to Scanner’s HTTP receiver.

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • Click Create New Source.

  • Click Select a Source Type.

  • Choose Auth0.

  • For Ingest Method, select HTTP Push.

  • For Destination, select Scanner.

If you only want logs stored in your S3 data lake (without indexing or detection), choose AWS S3 Only. This guide assumes you’re using Scanner as the destination.

Click Next.

Step 2: Configure the Source

  • Set a Display Name such as my-org-auth0-logs.

  • Leave the Payload Format as the default: JSON: Lines.

Click Next.

Step 3: Configure Authentication

  • Keep the default Authentication Type: Bearer Token.

  • Generate a Bearer Token and enter it here (this guide refers to it as BEARER_TOKEN).

Click Next.

Step 4: Configure Destination

  • Select the S3 bucket where you want raw logs delivered.

  • (Optional) Enter a bucket prefix. The default is fine for most setups.

  • Choose the Scanner index where searchable logs should go.

  • Leave the Source Label as the default: auth0.

Click Next.

Step 5: Transform and Enrich

  • Keep the default transformation step: Normalize to ECS - Auth0

    • This maps Auth0 log fields to the Elastic Common Schema (ECS) to support cross-source queries and detections.

  • Keep Parse JSON Columns enabled to automatically extract data from any stringified JSON fields.

  • (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

Step 6: Timestamp Extraction

Leave the default settings to extract timestamps from the timestamp fields.

Click Next.

Step 7: Review and Create

  • Review your configuration.

  • Click Create Source.

After creation, Scanner will display a unique Endpoint URL like:

https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>

Step 8: Configure in Auth0

  • Log in at auth0.com.

  • Navigate to Monitoring > Log Streams.

  • Click + Create Log Stream.

  • Click Custom Webhook.

  • Set a name such as Send logs to Scanner.

  • Click Create.

  • Set the Payload URL to the Endpoint URL that Scanner displayed after you created the source in Step 7.

  • Set Authorization Token to Bearer ${BEARER_TOKEN}

    • Note: Auth0 requires the Bearer prefix. If you set your generated token to foo in Scanner, it should be set to Bearer foo in Auth0.

  • Content Type should be application/json (the default)

  • Content Format should be JSON Lines (the default)

  • Set all other fields per your desired configuration.

    • For example, you can filter logs, obscure logs, or start streaming logs at a specific time in the future or past.

  • Click Save.

After creation, you can check the Health of your Auth0 Stream for any errors as reported by Auth0.
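
To rule out a wrong token or URL before relying on the Auth0 health view, you can push a test payload to the receiver yourself. The script below is an added example, not part of Scanner's or Auth0's tooling; the environment variable names SCANNER_ENDPOINT_URL and BEARER_TOKEN, the function names, and the sample event fields are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: smoke-test the Scanner HTTP receiver before configuring Auth0.
# Assumed (hypothetical) env vars: SCANNER_ENDPOINT_URL, BEARER_TOKEN.

# Print the value for Auth0's "Authorization Token" field: exactly one
# "Bearer " prefix. Fails on an empty token or on characters outside the
# RFC 6750 b64token set (stray spaces, quotes, newlines from copy/paste).
auth_token_value() {
  tok=$1
  case $tok in "Bearer "*) tok=${tok#"Bearer "} ;; esac
  case $tok in
    ""|*[!A-Za-z0-9._~+/=-]*) echo "invalid bearer token" >&2; return 1 ;;
  esac
  printf 'Bearer %s' "$tok"
}

# Two constructed events in JSON Lines (one JSON object per line).
# Field names are illustrative, not a complete Auth0 log schema.
sample_jsonl() {
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  for id in smoke-test-1 smoke-test-2; do
    printf '{"log_id":"%s","data":{"date":"%s","description":"constructed smoke-test event"}}\n' "$id" "$ts"
  done
}

# POST the sample and print only the HTTP status code. The header is fed to
# curl on stdin (-H @-, curl >= 7.55.0) so the token never appears in argv.
send_smoke_test() {
  value=$(auth_token_value "$BEARER_TOKEN") || return 1
  printf 'Authorization: %s\n' "$value" |
    curl -sS -o /dev/null -w '%{http_code}' -X POST \
      -H @- -H 'Content-Type: application/json' \
      --data-binary "$(sample_jsonl)" "$SCANNER_ENDPOINT_URL"
}

# Runs only when both variables are set, so sourcing the file is harmless.
if [ -n "${SCANNER_ENDPOINT_URL:-}" ] && [ -n "${BEARER_TOKEN:-}" ]; then
  code=$(send_smoke_test) || exit 1
  echo "receiver returned HTTP $code"
fi
```

A 2xx status means the URL and token were accepted. Expect the two constructed events to be ingested like any other log line, so point the test at a source you are comfortable writing to.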

That’s It

Once routing is complete, logs will flow from Auth0 → Scanner HTTP Receiver → S3 → Scanner index.
