# AQUILA - Setup Integration from Auth0

## **Auth0 Integration Guide**

Integrate **Auth0** to ingest identity-related logs such as login attempts, user authentications, MFA usage, and blocked requests to support identity threat detection and correlation.

### **Credentials & API Access Setup (Auth0)**

Before setting up the integration, create a Machine-to-Machine application in Auth0 to collect logs via API.

#### **Steps**:

1. **Log in** to the Auth0 Dashboard.
2. Go to **Applications → APIs**.
3. Create or select your **Management API** (typically named `Auth0 Management API`).
4. Under **Machine-to-Machine Applications**, authorize your log collector app.
5. Take note of the following credentials:
    
    
    - **Auth0 Domain** (e.g., `your-tenant.us.auth0.com`)
    - **Client ID**
    - **Client Secret**
    - **Audience**: usually `https://your-tenant.us.auth0.com/api/v2/`

<div class="_tableContainer_80l1q_1" id="bkmrk-required-detail-valu"><div class="_tableWrapper_80l1q_14 group flex w-fit flex-col-reverse" tabindex="-1"><table border="1" class="w-fit min-w-(--thread-content-width)" data-end="4571" data-start="4111" style="border-collapse: collapse; border-style: solid; width: 112.857%; height: 179.719px;"><thead data-end="4175" data-start="4111"><tr data-end="4175" data-start="4111" style="height: 29.7969px;"><th data-col-size="sm" data-end="4133" data-start="4111" style="width: 48.7533%; height: 29.7969px;">Required Detail</th><th data-col-size="md" data-end="4175" data-start="4133" style="width: 51.2467%; height: 29.7969px;">Value</th></tr></thead><tbody data-end="4571" data-start="4241"><tr data-end="4305" data-start="4241" style="height: 30.1094px;"><td data-col-size="sm" data-end="4263" data-start="4241" style="width: 48.7533%; height: 30.1094px;">Auth0 Domain</td><td data-col-size="md" data-end="4305" data-start="4263" style="width: 51.2467%; height: 30.1094px;">`your-tenant.auth0.com`</td></tr><tr data-end="4370" data-start="4306" style="height: 29.7969px;"><td data-col-size="sm" data-end="4328" data-start="4306" style="width: 48.7533%; height: 29.7969px;">Client ID</td><td data-col-size="md" data-end="4370" data-start="4328" style="width: 51.2467%; height: 29.7969px;">From your M2M Application</td></tr><tr data-end="4435" data-start="4371" style="height: 29.7969px;"><td data-col-size="sm" data-end="4393" data-start="4371" style="width: 48.7533%; height: 29.7969px;">Client Secret</td><td data-col-size="md" data-end="4435" data-start="4393" style="width: 51.2467%; height: 29.7969px;">From your M2M Application</td></tr><tr data-end="4501" data-start="4436" style="height: 30.1094px;"><td data-col-size="sm" data-end="4458" data-start="4436" style="width: 48.7533%; height: 30.1094px;">Audience</td><td data-col-size="md" data-end="4501" data-start="4458" style="width: 51.2467%; height: 30.1094px;">`https://your-tenant.auth0.com/api/v2/`</td></tr><tr data-end="4571" data-start="4502" style="height: 30.1094px;"><td data-col-size="sm" data-end="4524" data-start="4502" style="width: 48.7533%; height: 30.1094px;">Token URL</td><td data-col-size="md" data-end="4571" data-start="4524" style="width: 51.2467%; height: 30.1094px;">`https://your-tenant.auth0.com/oauth/token`</td></tr></tbody></table>

</div></div>### **Permissions Reference (Auth0 M2M App)**

Ensure the app is granted the following scopes from the **Auth0 Management API**:

<div class="_tableContainer_80l1q_1" id="bkmrk-data-stream-scope-re"><div class="_tableWrapper_80l1q_14 group flex w-fit flex-col-reverse" tabindex="-1"><table border="1" class="w-fit min-w-(--thread-content-width)" data-end="5130" data-start="4813" style="border-collapse: collapse; border-style: solid; width: 100.476%;"><thead data-end="4865" data-start="4813"><tr data-end="4865" data-start="4813"><th data-col-size="sm" data-end="4833" data-start="4813" style="width: 47.9064%;">Data Stream</th><th data-col-size="sm" data-end="4865" data-start="4833" style="width: 52.0936%;">Scope Required</th></tr></thead><tbody data-end="5130" data-start="4919"><tr data-end="4971" data-start="4919"><td data-col-size="sm" data-end="4939" data-start="4919" style="width: 47.9064%;">Login Activity</td><td data-col-size="sm" data-end="4971" data-start="4939" style="width: 52.0936%;">`read:logs`, `read:users`</td></tr><tr data-end="5024" data-start="4972"><td data-col-size="sm" data-end="4992" data-start="4972" style="width: 47.9064%;">MFA Logs</td><td data-col-size="sm" data-end="5024" data-start="4992" style="width: 52.0936%;">`read:logs`</td></tr><tr data-end="5077" data-start="5025"><td data-col-size="sm" data-end="5045" data-start="5025" style="width: 47.9064%;">Failed Logins</td><td data-col-size="sm" data-end="5077" data-start="5045" style="width: 52.0936%;">`read:logs`</td></tr><tr data-end="5130" data-start="5078"><td data-col-size="sm" data-end="5098" data-start="5078" style="width: 47.9064%;">User Access Logs</td><td data-col-size="sm" data-end="5130" data-start="5098" style="width: 52.0936%;">`read:users, `read:logs``</td></tr></tbody></table>

</div></div>> 🔐 You can test token access using Postman or curl before ingesting.

### **Aquila Integration Configuration**

#### **AQUILA – Microsoft 365 Integration**

**1.** Log in to AQUILA click here - **[CyTech - AQUILA](https://cytechint.io/)**. Choose **Cyber Monitoring** and click the **small arrow icon** to redirect you to the Cyber Monitoring Dashboard.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/pvtVUycKNLpiyZFP-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/pvtVUycKNLpiyZFP-image.png)

2\. In the dashboard, choose **Cyber Incident Management (SIEM and XDR)**.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/scaled-1680-/i68EMO7YfIStKeyl-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/i68EMO7YfIStKeyl-image.png)

3\. Navigate through the leftmost top and click **Cyber Incident Monitoring**.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/llqjBgJ5b1dlLdh8-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/llqjBgJ5b1dlLdh8-image.png)

4\. Navigate the "Cyber Monitoring" then hover the "Cyber Incident Management" till you see the settings.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/z4rUEJDEBmsHf9kd-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/z4rUEJDEBmsHf9kd-image.png)

5\. Click the "Settings, and Navigate through **Settings&gt;Log Source&gt;Search Bar&gt;Add to Agent**.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/qMBu98h6WaqojM41-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/qMBu98h6WaqojM41-image.png)

6\. Choose your **Log Collector**. *(If you not yet installed your **Log Collector** please refer to this link -* [**Log Collector** **Installation.**](https://docs.cytechint.io/books/log-collector-installations))

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/scaled-1680-/1VIERSAN80moG8fG-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/1VIERSAN80moG8fG-image.png)

Step 7 and below is just a reference, this is still incomplete. Thorough investigation and research in progress to understand the flow and credentials required.

7\. In the integration settings follow the instructions given below.

- Click the **drop arrow** to display the contents needed for the integration setup.
- In the **Office 365 logs section** &gt; **Disable** &gt; **Collect Office 365 audit logs**

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/ykuDBJDprHeuotlo-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/ykuDBJDprHeuotlo-image.png)

- Scroll down and go to **Microsoft Office 365 audit logs section**.
- Input the credentials for **Directory(tenant) ID, Application(client) ID and the Client Secret Value**.
- Finally, click **Next** to install the log source integration.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/scaled-1680-/S6gIFsvuBjT6DxvM-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-07/S6gIFsvuBjT6DxvM-image.png)

8\. Wait for the **Successfull** window to display, this will confirm the successfull integration.

[![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/scaled-1680-/CNFzJRIuFuvZIEdI-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2025-05/CNFzJRIuFuvZIEdI-image.png)

*If you need further assistance, kindly contact our support at* ***support@cytechint.com*** *for prompt assistance and guidance.*