# Auth0

This guide walks through how to set up Auth0 logs in Scanner Collect, using Auth0 log streams with custom webhooks to send logs directly to Scanner’s HTTP receiver.

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select the option to create a new **Collect Rule**.
* Click **Select a Source Type**.
* Choose **Auth0**.
* For Ingest Method, select **HTTP Push**.
* For Destination, select **Scanner**.

If you only want logs stored in your S3 data lake (without indexing or detection), choose AWS S3 Only. This guide assumes you’re using Scanner as the destination.

Click Next.

### Step 2: Configure the Source

* Set a Display Name such as `my-org-auth0-logs`.
* Leave the Payload Format as the default: **JSON: Generic**.

Click Next.

### Step 3: Configure Authentication

* Keep the default Authentication Type: **Bearer Token**.
* Generate a **Bearer Token** and enter it here (this guide refers to it as `BEARER_TOKEN`).

Click Next.

### Step 4: Configure Destination

* Select the S3 bucket where you want raw logs delivered.
* (Optional) Enter a bucket prefix. The default is fine for most setups.
* Choose the Scanner index where searchable logs should go.
* Leave the Source Label as the default: `auth0`.

Click Next.

### Step 5: Transform and Enrich

* Keep the default transformation step: **Normalize to ECS - Auth0**
  * This maps Auth0 log fields to the Elastic Common Schema (ECS) to support cross-source queries and detections.
* Keep **Parse JSON Columns** enabled to automatically extract data from any stringified JSON fields.
* (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

### Step 6: Timestamp Extraction

Leave the default settings to extract timestamps from the timestamp fields.

Click Next.

### Step 7: Review and Create

* Review your configuration.
* Click Create Source.

After creation, Scanner will display a unique Endpoint URL like:

`https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>`

### Step 8: Configure in Auth0

* Log in at `auth0.com`.
* Navigate to **Monitoring** → **Log Streams**.
* Click **+ Create Log Stream**.
* Click **Custom Webhook**.
* Set a name such as `Send logs to Scanner`.
* Click **Create**.
* Set the Payload URL to the Endpoint URL provided by Scanner.
* Set Authorization Token to `Bearer ${BEARER_TOKEN}`.
  * **Note:** Auth0 requires the `Bearer` prefix. If you set your generated token to `foo` in Scanner, set it to `Bearer foo` in Auth0.
* Content Type should be `application/json` (the default).
* Content Format should be `JSON Lines` (the default).
* Set all other fields per your desired configuration.
  * For example, you can filter logs, obscure logs, or start streaming logs at a specific time in the future or past.
* Click **Save**.

After creation, you can check the Health of your Auth0 Stream for any errors as reported by Auth0.
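
To check the endpoint and token before relying on the stream, the following added example (not taken from Scanner's or Auth0's documentation) builds a request shaped like the one configured in Step 8 and sends it to the receiver. The environment variable names and the sample events are assumptions, as is the receiver handling this request the same way it handles Auth0's deliveries.

```python
import json
import os
import secrets
import urllib.request


def new_bearer_token() -> str:
    """Random value to enter as the Bearer Token in Scanner (Step 3)."""
    return secrets.token_urlsafe(32)


def auth0_authorization_value(token: str) -> str:
    """Value for Auth0's Authorization Token field: exactly one 'Bearer ' prefix."""
    parts = token.split()
    if parts and parts[0].lower() == "bearer":
        parts = parts[1:]  # token was pasted with the prefix already attached
    if len(parts) != 1:
        raise ValueError("expected a single token with no embedded whitespace")
    return f"Bearer {parts[0]}"


def to_json_lines(events: list) -> bytes:
    """JSON Lines body: one compact JSON object per line, newline-terminated."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def build_test_request(endpoint_url: str, token: str, events: list) -> urllib.request.Request:
    """POST shaped like the log stream's delivery: bearer header, JSON content type."""
    if not endpoint_url.startswith("https://"):
        raise ValueError("endpoint must use https:// so the token is encrypted in transit")
    return urllib.request.Request(
        endpoint_url,
        data=to_json_lines(events),
        method="POST",
        headers={"Authorization": auth0_authorization_value(token),
                 "Content-Type": "application/json"},
    )


# Constructed sample events, not real Auth0 output; field names are illustrative.
SAMPLE_EVENTS = [
    {"log_id": "constructed-0001", "data": {"type": "s", "description": "preflight 1"}},
    {"log_id": "constructed-0002", "data": {"type": "f", "description": "preflight 2"}},
]

if __name__ == "__main__":
    # SCANNER_ENDPOINT_URL and BEARER_TOKEN are assumed environment variable names.
    req = build_test_request(os.environ["SCANNER_ENDPOINT_URL"],
                             os.environ["BEARER_TOKEN"], SAMPLE_EVENTS)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("receiver responded with HTTP", resp.status)
```

If the receiver rejects the request, `urlopen` raises `urllib.error.HTTPError` carrying the status code.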

### That’s It

Once routing is complete, logs will flow from Auth0 → Scanner HTTP Receiver → S3 → Scanner index.
