Security monitoring alerts allow users to configure security metric thresholds in their Security Center. Numeric values for alert, warning, and recovery for each threshold can be specified, and user alert notifications can be configured to monitor when threat metric exceeds a set threshold.
OptionDescription
AlertA required numeric value that generates an alert notice when the evaluated metric breaches the provided value.
WarnAn optional numeric value that creates a warning notice when the evaluated metric breaches the value, if provided.
RecoveryAn optional numeric value that creates a recovery notice when the evaluated metric has returned to a non-breached value, if provided.

Configure and update alert thresholds

Thresholds are calculated on a weighted moving average for a given metric and are customizable in your . Each defined threshold is viewable on your threat monitor metric charts and aggregated on an hourly basis; if no recovery threshold is configured, the recovery default to just below the set warning or alert threshold.
A second screenshot of our Security Center Thresholds product
  1. Go to Security > Security Center > Threat Monitoring and choose a metric chart.
  2. Select the View Details icon in the top right corner.
  3. Navigate to the Thresholds panel displayed underneath the detailed chart view and choose Create.
  4. Name the threshold and configure the following settings:
    • When the threshold should trigger a warning
    • When the threshold should trigger an alert
    • When the threshold should recover
  5. If notification destinations have been configured, the following choices are available:
    • Select a destination to receive the metric alert, warning, and recovery notices,
    • Create a new destination by selecting the +
    • Mute the notification temporarily or indefinitely to all threshold destinations in the Mute Notifications dropdown.
  6. Select Save.
Thresholds can also be updated or removed in the expand view screen. Different thresholds on the same chart are behind the Threshold label carrot at the top right.
A third screenshot of our Thresholds product

Manage notification destinations

Notification destinations are endpoints to which alert, warning, and recovery notices are delivered. Each tenant is limited to two destination endpoints, and a third-party webhook editor is recommended to personalize the notification’s message.
  1. Navigate to the Manage Destinations page on your dashboard with the Thresholds configuration panel or by going to Security > Security Center > Manage Destinations
  2. Select the New Destination button and provide the following details:
    1. Name
    2. Destination URL
    3. Authorization token
  3. Choose Save. To delete a destination endpoint, go to More Actions > Delete.

Notification payload data

The root fields included in the notification payload are:
  • id: ID of security center alert
  • time: UTC date and time of the threshold breach
  • source: URL to the Auth0 Security Center Alert History dashboard
  • data: data object containing relevant information about the alert notification
Below is the data object included in the notification payload:
  • id: ID of security center alert
  • tenant: tenant where security center notification originated
  • evaluated_metric: threat metric the threshold applies to
  • state: state of the notification (ALERT/WARN/RECOVERED)
  • metric_value: value of the evaluated metric over the previous 60 minutes
  • alert_threshold: value of the alert threshold configured on the threat metric
  • warn_threshold: value of the warn threshold configured on the threat metric
  • recovery_threshold: value of the recovery threshold configured on the threat metric
  • triggered_at: UTC date and time of the threshold breach.

View alert history

Alert, warning, and recovery notices that have occurred are viewed at Security > Security Center > Alert History. All notices are also sent to your configured notification destinations.
Example of how the Alert History tab looks like