Configure Auth0 for Arctic Wolf monitoring

You can configure Auth0® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An Auth0 account with administrator permissions
  • An Auth0 Essentials or higher pricing plan
    Tip: For more information about pricing, see https://auth0.com/pricing.

Get the webhook token and URL

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Auth0.
  5. In the Name field, enter a unique and descriptive name for the account.
  6. Click Generate Token.
  7. Copy the webhook token and webhook URL to a safe, encrypted location to provide to Auth0 in Create a log stream with a custom webhook.
    Note: If you lose the webhook token, you must generate a new one. For more information, see Generate a new webhook token.

Create a log stream with a custom webhook

  1. Sign in to Auth0 with administrator permissions.
  2. On the Tenants page, click on your tenant name to view the dashboard.
  3. Navigate to Monitoring > Log Streams.
  4. On the Log Streams page, click Create Log Stream.
  5. On the New Log Stream page, click Custom Webhook.
  6. In the Create Log Stream window, enter a name for the stream, and then click Create.
  7. On the Settings tab, configure these settings:
    • Name — Enter a unique and descriptive name.
    • Payload URL — Enter the webhook URL from Get the webhook token and URL.
    • Authorization Token — Enter the webhook token from Get the webhook token and URL with the format Bearer token_value.
    • Content Type — Select application/json.
    • Content Format — Select JSON Lines.
    • Filter by Log Event Category — Click the list, click Select All for each category, and then click Apply.
    • Starting Cursor — Clear the checkbox.
  8. Click Save.
    A message displays Stream successfully saved! Auth0 logs are now being streamed to your webhook.

Test the configuration

  1. Perform an action that creates a tenant log event. For example, a sign in, token exchange, or Auth0 management API call.
  2. In a new browser window, sign in to Auth0 with administrator permissions.
  3. On the Tenants page, click on your tenant name to view the dashboard.
  4. Navigate to Monitoring > Log Streams.
  5. On the Log Streams page, for the log stream that you want to check, click > Health.
  6. Confirm that no errors are listed.
  7. Navigate to Monitoring > Logs.
  8. Confirm that the action that you performed is listed.
  9. If there are any errors or discrepancies that you cannot resolve, reach out to your Concierge Security® Team (CST) for support.