OneLogin Logs

Panther supports pulling logs directly from OneLogin

Overview

Panther supports ingesting OneLogin logs via OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable, reliable, and low latency manner.

In order for Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in your Panther Amazon Web Services (AWS) account.

How to onboard OneLogin logs to Panther

Configure OneLogin to send data to Panther

Note: Keep track of the AWS Account ID and AWS Region where your instance of Panther is deployed. You can find this information in your Panther Console under Settings > General in the footer of the page.

  1. In your OneLogin administrative console, go to Developers > Webhooks.

  2. Go to New Webhook > Event Webhook for Amazon EventBridge.

  3. Add a descriptive name. For example: Panther Integration

  4. Fill out the AWS Account ID and Region that you noted earlier and click Save.

  5. Click on the new integration that was just created. Keep note of the Event Source field, as it is used in the next step.

    • It should be formatted like aws.partner/onelogin.com/US-123456/ffffffffff.

Create a new OneLogin source in Panther

  1. In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “OneLogin,” then click its tile.

  4. Click Start Setup.

  5. On the Configure Source page, fill in the following fields:

    • Name: A descriptive name for the source. For example: My OneLogin events

    • Log Types: Select OneLogin.Events

    • Bus Name: The Event Source value you noted in the previous section (formatted like aws.partner/onelogin.com/US-123456/ffffffffff)

  6. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-managed detections

See Panther-managed rules for OneLogin in the panther-analysis GitHub repository.

Supported log types

OneLogin.Events

OneLogin provides single sign-on and identity management for organizations.

For more information, see the OneLogin Documentation on Event and Resource Types.

schema: OneLogin.Events
description: OneLogin provides single sign-on and identity management for organizations
referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource
fields:
  - name: uuid
    required: true
    description: The Universal Unique Identifier for this message generated by OneLogin.
    type: string
  - name: account_id
    required: true
    description: Account that triggered the event.
    type: string
  - name: event_timestamp
    required: true
    description: Time and date at which the event was created. This value is autogenerated by OneLogin.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %Z'
    isEventTime: true
  - name: error_description
    description: Provisioning error details, if applicable.
    type: string
  - name: login_name
    description: The name of the login user.
    type: string
  - name: app_name
    description: Name of the app involved in the event, if applicable.
    type: string
  - name: authentication_factor_description
    description: More details about the authentication factor used.
    type: string
  - name: certificate_name
    description: The name of the certificate that was included in the request.
    type: string
  - name: certificate_id
    description: The ID of the certificate that was included in the request.
    type: string
  - name: assumed_by_superadmin_or_reseller
    description: Indicates that the operation was performed by superadmin or reseller.
    type: bigint
  - name: directory_name
    description: The directory name.
    type: string
  - name: actor_user_id
    description: ID of the user whose action triggered the event.
    type: string
    indicators:
      - actor_id
  - name: user_name
    description: Name of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - username
  - name: mapping_id
    description: The ID of the mapping included in the operation.
    type: string
  - name: radius_config_id
    description: The ID of the Radius configuration included in the operation.
    type: string
  - name: risk_score
    description: The higher this number, the higher the risk.
    type: float
  - name: otp_device_id
    description: ID of a device involved in the event.
    type: string
  - name: imported_user_id
    description: The ID of the imported user.
    type: string
    indicators:
      - actor_id
  - name: resolution
    description: The resolution.
    type: string
  - name: directory_id
    description: The directory ID.
    type: string
  - name: authentication_factor_id
    description: The ID of the authentication factor used.
    type: string
  - name: risk_cookie_id
    description: The ID of the risk cookie.
    type: string
  - name: app_id
    description: ID of the app involved in the event, if applicable.
    type: string
  - name: custom_message
    description: More details about the event.
    type: string
  - name: browser_fingerprint
    description: The fingerprint of the browser.
    type: string
  - name: otp_device_name
    description: Name of a device involved in the event.
    type: string
  - name: actor_user_name
    description: First and last name of the user whose action triggered the event.
    type: string
    indicators:
      - username
  - name: actor_system
    description: Acting system that triggered the event when the actor is not a user.
    type: string
  - name: user_field_name
    description: The name of the custom user field.
    type: string
  - name: user_field_id
    description: The ID of the custom user field.
    type: string
  - name: assuming_acting_user_id
    description: ID of the user who assumed the role of the acting user to trigger the event, if applicable.
    type: string
  - name: api_credential_name
    description: The name of the API credential used.
    type: string
  - name: imported_user_name
    description: The name of the imported user.
    type: string
    indicators:
      - username
  - name: note_title
    description: The title of the note.
    type: string
  - name: trusted_idp_name
    description: The name of the trusted IDP.
    type: string
  - name: policy_id
    description: ID of the policy involved in the event.
    type: string
  - name: role_name
    description: Name of a role involved in the event.
    type: string
  - name: resolved_by_user_id
    description: The ID of the user that resolved the issue.
    type: string
  - name: group_id
    description: ID of a group involved in the event.
    type: string
  - name: client_id
    description: Client ID used to generate the access token that made the API call that generated the event.
    type: string
  - name: ipaddr
    description: IP address of the machine used to trigger the event.
    type: string
    indicators:
      - ip
  - name: notes
    description: More details about the event.
    type: string
  - name: event_type_id
    required: true
    description: Type of event triggered.
    type: string
  - name: user_id
    description: ID of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - actor_id
  - name: risk_reasons
    description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide.
    type: string
  - name: proxy_agent_name
    description: The name of the proxy agent.
    type: string
  - name: policy_type
    description: The type of the policy.
    type: string
  - name: role_id
    description: ID of a role involved in the event.
    type: string
  - name: user_agent
    description: The user agent from which the request was invoked.
    type: string
  - name: privilege_name
    description: The name of the privilege.
    type: string
  - name: group_name
    description: Name of a group involved in the event.
    type: string
  - name: entity
    description: The entity involved in this request.
    type: string
  - name: resource_type_id
    description: ID of the resource (user, role, group, and so forth) associated with the event.
    type: string
  - name: mapping_name
    description: The name of the mapping.
    type: string
  - name: task_name
    description: The name of the task.
    type: string
  - name: authentication_factor_type
    description: The type of the authentication factor.
    type: string
  - name: radius_config_name
    description: The name of the Radius configuration used.
    type: string
  - name: policy_name
    description: Name of the policy involved in the event.
    type: string
  - name: privilege_id
    description: The id of the privilege.
    type: string
  - name: directory_sync_run_id
    description: Directory sync run ID.
    type: string
  - name: operation_name
    description: The name of the operation.
    type: string
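The following is an added example of how a Python rule consumes the OneLogin.Events fields listed above. It is not one of the Panther-managed rules from panther-analysis and is not code from this page; the risk-score cutoff, the sample events and their event_type_id values are constructed for illustration. The rule flags an event when its risk_score crosses the cutoff, or when the action was performed on behalf of another identity (assuming_acting_user_id is set, or assumed_by_superadmin_or_reseller is non-zero), and the helper functions build the title, dedup key and alert context from the same schema fields.

```python
from typing import Any, Dict

# Constructed cutoff (assumption): the schema documents risk_score only as
# "the higher this number, the higher the risk", so tune this to your baseline.
HIGH_RISK_SCORE = 70.0


def _assumed_session(event: Dict[str, Any]) -> bool:
    """True when the action was taken on behalf of another identity: a user
    assumed another user's session, or a superadmin/reseller acted in the account."""
    if event.get("assuming_acting_user_id"):
        return True
    # assumed_by_superadmin_or_reseller is a bigint flag (0/1) in the schema.
    return bool(event.get("assumed_by_superadmin_or_reseller"))


def _risk(event: Dict[str, Any]) -> float:
    """risk_score is optional; treat a missing score as zero."""
    score = event.get("risk_score")
    return float(score) if score is not None else 0.0


def rule(event: Dict[str, Any]) -> bool:
    """Panther calls rule() once per event; True means the event matches."""
    return _risk(event) >= HIGH_RISK_SCORE or _assumed_session(event)


def severity(event: Dict[str, Any]) -> str:
    # Both signals together outrank either one alone.
    if _risk(event) >= HIGH_RISK_SCORE and _assumed_session(event):
        return "HIGH"
    return "MEDIUM"


def title(event: Dict[str, Any]) -> str:
    actor = event.get("actor_user_name") or event.get("actor_system") or "unknown actor"
    target = event.get("user_name") or "unknown user"
    ip = event.get("ipaddr") or "unknown IP"
    if _assumed_session(event):
        return f"OneLogin: [{actor}] acted as [{target}] (assumed session) from {ip}"
    return f"OneLogin: high-risk event (score {_risk(event):.0f}) for [{target}] from {ip}"


def dedup(event: Dict[str, Any]) -> str:
    # Group repeated hits per affected user, falling back to the source IP.
    return event.get("user_id") or event.get("ipaddr") or "onelogin-events"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Carry the fields an analyst needs into the alert, skipping absent ones."""
    keys = ("event_type_id", "user_id", "user_name", "actor_user_id", "actor_user_name",
            "assuming_acting_user_id", "ipaddr", "risk_score", "risk_reasons",
            "app_name", "user_agent")
    return {k: event.get(k) for k in keys if event.get(k) is not None}


# Constructed sample events shaped like the OneLogin.Events schema above.
# IPs are from the RFC 5737 documentation range; event_type_id values are placeholders.
SAMPLE_EVENTS = [
    {   # high risk score, user acting as themselves
        "uuid": "00000000-0000-4000-8000-000000000001", "account_id": "123456",
        "event_timestamp": "2024-01-15 10:23:45 UTC", "event_type_id": "5",
        "user_id": "1001", "user_name": "Alice Example",
        "actor_user_id": "1001", "actor_user_name": "Alice Example",
        "ipaddr": "203.0.113.10", "risk_score": 85.0,
        "risk_reasons": "new browser fingerprint", "app_name": "Example App",
        "assumed_by_superadmin_or_reseller": 0,
    },
    {   # routine event, low risk score
        "uuid": "00000000-0000-4000-8000-000000000002", "account_id": "123456",
        "event_timestamp": "2024-01-15 10:25:00 UTC", "event_type_id": "5",
        "user_id": "1002", "user_name": "Carol Example",
        "actor_user_id": "1002", "actor_user_name": "Carol Example",
        "ipaddr": "203.0.113.11", "risk_score": 12.5,
        "assumed_by_superadmin_or_reseller": 0,
    },
    {   # an admin assumed another user's session; low score but still notable
        "uuid": "00000000-0000-4000-8000-000000000003", "account_id": "123456",
        "event_timestamp": "2024-01-15 10:30:12 UTC", "event_type_id": "5",
        "user_id": "1003", "user_name": "Bob Example",
        "actor_user_id": "9001", "actor_user_name": "Admin Example",
        "assuming_acting_user_id": "9001", "ipaddr": "203.0.113.22",
        "risk_score": 5.0, "assumed_by_superadmin_or_reseller": 0,
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(severity(ev), title(ev), alert_context(ev))
```

In a real deployment the `event` argument is Panther's event object rather than a plain dict, but `.get()` behaves the same, so the functions above can be dropped into a rule file as-is. The cutoff is deliberately a module-level constant so it can be adjusted without touching the logic.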
