Custom Notifications for Suspicious Activity

Overview

Auth0’s default behavior sends email alerts for suspicious logins only to tenant administrators. However, this approach has the following limitation:

  • Only tenant admins receive these alerts, which might not be sufficient for comprehensive monitoring.

Solution

Use the Log Streams feature in Auth0 to forward tenant logs directly to external systems. This allows setting up custom notifications based on specific log events, such as limit_mu, which corresponds to our Suspicious IP throttling functionality.

Here’s an example of how to set it up:

  1. Navigate to the Log Streams section in the Auth0 dashboard.
  2. Create a new stream and select the preferred service to send the logs (e.g., Amazon EventBridge, Azure Event Grid, or a custom webhook).
  3. Configure the external system to monitor the limit_mu log event.
  4. Set up notifications within the system to alert when this event occurs.

This method gives greater flexibility to control how alerts are received and allows integrating them seamlessly into the existing incident response framework.
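
As an added illustration of steps 3 and 4 (not code from Auth0), the sketch below shows the receiving side of a custom webhook stream: it checks the Authorization header, keeps only limit_mu entries, and groups them into one alert per source IP. It assumes the stream delivers a JSON array or JSON Lines, that each entry wraps the event in a "data" object with "type", "ip" and "date" fields, and that the configured token arrives verbatim in the Authorization header; the function names and sample events are constructed for the example.

```python
import hmac
import json
from collections import defaultdict

WATCHED_TYPES = {"limit_mu"}  # event code named in the article

# Constructed sample delivery in JSON Lines form (entry shape is an assumption).
SAMPLE_BODY = "\n".join(json.dumps(e) for e in [
    {"log_id": "id-1", "data": {"type": "limit_mu", "ip": "203.0.113.7", "date": "2024-05-01T10:00:00Z"}},
    {"log_id": "id-2", "data": {"type": "s", "ip": "198.51.100.20", "date": "2024-05-01T10:00:05Z"}},
    {"log_id": "id-3", "data": {"type": "limit_mu", "ip": "203.0.113.7", "date": "2024-05-01T10:02:00Z"}},
])

def authorized(header_value, expected_token):
    """Constant-time comparison of the received header with the shared token."""
    return hmac.compare_digest((header_value or "").encode(), expected_token.encode())

def parse_batch(body):
    """Accept either a JSON array or JSON Lines (one entry per line)."""
    text = body.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_alerts(body):
    """Group watched events by source IP and return one alert per IP."""
    by_ip = defaultdict(list)
    for entry in parse_batch(body):
        event = entry.get("data", entry)  # assumed wrapper: {"log_id": ..., "data": {...}}
        if event.get("type") in WATCHED_TYPES:
            by_ip[event.get("ip", "unknown")].append(event)
    return [{
        "ip": ip,
        "count": len(events),
        "first_seen": min(e.get("date", "") for e in events),
        "last_seen": max(e.get("date", "") for e in events),
    } for ip, events in sorted(by_ip.items())]

def handle_delivery(auth_header, body, expected_token):
    """Return (HTTP status, alerts) for one webhook delivery."""
    if not authorized(auth_header, expected_token):
        return 401, []  # reject deliveries that lack the shared token
    try:
        return 200, build_alerts(body)
    except (ValueError, AttributeError):
        return 400, []  # malformed JSON or unexpected entry shape
```

The returned alerts can be handed to whatever paging, chat or ticketing integration the incident response process already uses.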