Configure Security Monitoring Alerts

Security monitoring alerts allow users to configure security metric thresholds in their Security Center. Numeric values for alert, warning, and recovery can be specified for each threshold, and alert notifications can be configured so that users are notified when a threat metric exceeds a set threshold.

Option | Description
Alert | A required numeric value that generates an alert notice when the evaluated metric breaches the provided value.
Warn | An optional numeric value that creates a warning notice when the evaluated metric breaches the value, if provided.
Recovery | An optional numeric value that creates a recovery notice when the evaluated metric has returned to a non-breached value, if provided.

Configure and update alert thresholds

Thresholds are calculated on a weighted moving average for a given metric and are customizable in your Auth0 Dashboard. Each defined threshold is viewable on your threat monitor metric charts and aggregated on an hourly basis.

  1. Go to Security > Security Center > Threat Monitoring and choose a metric chart.

  2. Select the View Details icon in the top right corner.

  3. Navigate to the Thresholds panel displayed underneath the detailed chart view and choose Create.

  4. Name the threshold and configure the following settings:

    • When the threshold should trigger a warning and when it should trigger an alert

    • When the threshold should recover

  5. If notification destinations have been configured, the following choices are available:

    • Select a destination to receive the metric alert, warning, and recovery notices.

    • Create a new destination by selecting the +.

    • Mute the notification temporarily or indefinitely to all threshold destinations in the Mute Notifications dropdown.

  6. Select Save.

Thresholds can also be updated or removed in the expanded view screen, and the different thresholds on the same chart are listed behind the Threshold label caret at the top right.

Manage notification destinations

Notification destinations are endpoints to which alert, warning, and recovery notices are delivered. Each tenant is limited to two destination endpoints, and a third-party webhook editor is recommended to personalize the notification's message.

  1. Navigate to the Manage Destinations page on your dashboard from the Thresholds configuration panel or by going to Security > Security Center > Manage Destinations.

  2. Select the New Destination button and provide the following details:

    1. Name

    2. Destination URL

    3. Authorization token

  3. Choose Save. To delete a destination endpoint, go to More Actions > Delete.

Notification payload data

Below is the data included in the notification payload:

  • id: ID of security center alert

  • tenant: tenant where security center notification originated

  • evaluated_metric: threat metric the threshold applies to

  • state: state of the notification (ALERT/WARN/RECOVERED)

  • metric_value: value of the evaluated metric over the previous 60 minutes

  • alert_threshold: value of the threshold configured on the threat metric

  • triggered_at: UTC date and time of the threshold breach.
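
A receiving endpoint should authenticate and validate each notice before acting on it. The following Python handler is an added example, not Auth0's code: it assumes the body is JSON with the fields listed above and that the destination's authorization token arrives verbatim in the Authorization header (the page does not say how it is sent). The function handle_notice, its parameters, and all sample values are constructed for illustration.

```python
import hmac
import json

# Field names and state values are taken from the payload list above.
REQUIRED = ("id", "tenant", "evaluated_metric", "state",
            "metric_value", "alert_threshold", "triggered_at")
STATES = ("ALERT", "WARN", "RECOVERED")


def handle_notice(headers, body, expected_token, expected_tenant, seen):
    """Return (http_status, notice_or_None) for one delivered notice."""
    # Assumption: the token is sent verbatim in the Authorization header.
    presented = headers.get("Authorization", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, None
    try:
        notice = json.loads(body)  # assumption: the payload is a JSON object
    except ValueError:
        return 400, None
    if not isinstance(notice, dict) or any(k not in notice for k in REQUIRED):
        return 400, None
    if not isinstance(notice["id"], (str, int)) or notice["state"] not in STATES:
        return 400, None
    if any(isinstance(notice[k], bool) or not isinstance(notice[k], (int, float))
           for k in ("metric_value", "alert_threshold")):
        return 400, None
    # Reject notices that name a tenant this receiver does not serve.
    if notice["tenant"] != expected_tenant:
        return 403, None
    # Acknowledge but ignore redeliveries or replays of a processed notice.
    dedupe_key = (notice["id"], notice["state"])
    if dedupe_key in seen:
        return 200, None
    seen.add(dedupe_key)
    return 200, {k: notice[k] for k in REQUIRED}


# Constructed sample delivery; every value is illustrative, not from Auth0.
SAMPLE_TOKEN = "example-token-not-real"
SAMPLE_BODY = json.dumps({
    "id": "alert-0001", "tenant": "example-tenant",
    "evaluated_metric": "example_metric", "state": "ALERT",
    "metric_value": 120, "alert_threshold": 100,
    "triggered_at": "2024-01-01T00:00:00Z",
}).encode()
```

In a real receiver, seen would be a persistent store with expiry rather than an in-memory set, and the expected token would be loaded from a secrets store.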

View alert history

Alert, warning, and recovery notices that have occurred can be viewed at Security > Security Center > Alert History. All notices are also sent to your configured notification destinations.
