OneLogin Logs

Panther supports pulling logs directly from OneLogin
Overview
Panther is able to process OneLogin events through OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable and reliable, low latency manner.
In order for Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in Panther AWS account.
How to onboard OneLogin logs to Panther
Configure OneLogin to send data to Panther
Note: Keep track of the AWS Account and AWS region where your instance of Panther is deployed. You can find this information in your Panther Console under Settings > General in the footer of the page.
1.Log in to your OneLogin administrative console.
2.Go to Developers > Webhooks.
3.Go to New Webhook > Event Webhook for Amazon EventBridge.
4.Add a friendly name e.g. Panther Integration.
5.Fill out the AWS Account Id and Region that you noted earlier and click Save.
6.Click on the new integration that got just created. Keep note of the Event Source field, as it is used the next step.
It should be in the form aws.partner/onelogin.com/US-123456/ffffffffff.
Create a new OneLogin source in Panther
1.Log in to your Panther Console.
2.In the left sidebar menu, click Configure > Log Sources.
3.Click Create New.
4.Select OneLogin from the list of available log sources.
5.Select Amazon EventBridge from the list of available Data Transports.
6.On the Configure Source page, fill in the following fields:
Name: A memorable name for the source e.g., My OneLogin events
Log Types: Select OneLogin.Events
Bus Name: The field you noted in the previous text (in the form aws.partner/onelogin.com/US-123456/ffffffffff)
7.Click Continue Setup.
You will be directed to a success screen:
​
8.To finish the source setup:
1.Optionally configure a log drop-off alarm.
Before you finish the setup, we recommend that you create a log drop-off alarm to alert you if data stops flowing from the log source. Be sure to set an appropriate time interval for when you would like Panther to alert you that the log source is not sending data.
​
2.Optionally enable a Detection Pack.
3.Click Finish Setup. 
Panther-Built Detections
See Panther's built in rules for OneLogin in panther-analysis in Github.
Supported log types
Required fields in the schema are listed as "required: true" just below the "name" field.
OneLogin.Events
OneLogin provides single sign-on and identity management for organizations.
Reference: OneLogin Documentation on Event and Resource Types.​
schema: OneLogin.Events
parser:
    native:
        name: OneLogin.Events
description: OneLogin provides single sign-on and identity management for organizations
referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource
fields:
    - name: uuid
      required: true
      description: The Universal Unique Identifier for this message generated by OneLogin.
      type: string
    - name: account_id
      required: true
      description: Account that triggered the event.
      type: bigint
    - name: event_timestamp
      required: true
      description: Time and date at which the event was created. This value is autogenerated by OneLogin.
      type: timestamp
      timeFormat: layout=2006-01-02 15:04:05 MST
      isEventTime: true
    - name: error_description
      description: Provisioning error details, if applicable.
      type: string
    - name: login_name
      description: The name of the login user
      type: string
    - name: app_name
      description: Name of the app involved in the event, if applicable.
      type: string
    - name: authentication_factor_description
      description: More details about the authentication factor used.
      type: string
    - name: certificate_name
      description: The name of the certificate that was included in the request.
      type: string
    - name: certificate_id
      description: The ID of the certificate that was included in the request.
      type: string
    - name: assumed_by_superadmin_or_reseller
      description: Indicates that the operation was performed by superadmin or reseller.
      type: boolean
    - name: directory_name
      description: The directory name.
      type: string
    - name: actor_user_id
      description: ID of the user whose action triggered the event.
      type: bigint
    - name: user_name
      description: Name of the user that was acted upon to trigger the event.
      type: string
      indicators:
        - username
    - name: mapping_id
      description: The ID of the mapping included in the operation.
      type: bigint
    - name: radius_config_id
      description: The ID of the Radius configuration included in the operation.
      type: bigint
    - name: risk_score
      description: The higher this number, the higher the risk.
      type: float
    - name: otp_device_id
      description: ID of a device involved in the event.
      type: bigint
    - name: imported_user_id
      description: The ID of the imported user.
      type: bigint
    - name: resolution
      description: The resolution.
      type: bigint
    - name: directory_id
      description: The directory ID.
      type: bigint
    - name: authentication_factor_id
      description: The ID of the authentication factor used.
      type: bigint
    - name: risk_cookie_id
      description: The ID of the risk cookie.
      type: string
    - name: app_id
      description: ID of the app involved in the event, if applicable.
      type: bigint
    - name: custom_message
      description: More details about the event.
      type: string
    - name: browser_fingerprint
      description: The fingerprint of the browser.
      type: string
    - name: otp_device_name
      description: Name of a device involved in the event.
      type: string
    - name: actor_user_name
      description: First and last name of the user whose action triggered the event.
      type: string
      indicators:
        - username
    - name: actor_system
      description: Acting system that triggered the event when the actor is not a user.
      type: string
    - name: user_field_name
      description: The name of the custom user field.
      type: string
    - name: user_field_id
      description: The ID of the custom user field.
      type: string
    - name: assuming_acting_user_id
      description: ID of the user who assumed the role of the acting user to trigger the event, if applicable.
      type: bigint
    - name: api_credential_name
      description: The name of the API credential used.
      type: string
    - name: imported_user_name
      description: The name of the imported user.
      type: string
      indicators:
        - username
    - name: note_title
      description: The title of the note.
      type: string
    - name: trusted_idp_name
      description: The name of the trusted IDP.
      type: string
    - name: policy_id
      description: ID of the policy involved in the event.
      type: bigint
    - name: role_name
      description: Name of a role involved in the event.
      type: string
    - name: resolved_by_user_id
      description: The ID of the user that resolved the issue.
      type: bigint
    - name: group_id
      description: ID of a group involved in the event.
      type: bigint
    - name: client_id
      description: Client ID used to generate the access token that made the API call that generated the event.
      type: string
    - name: ipaddr
      description: IP address of the machine used to trigger the event.
      type: string
      indicators:
        - ip
    - name: notes
      description: More details about the event.
      type: string
    - name: event_type_id
      required: true
      description: Type of event triggered.
      type: bigint
    - name: user_id
      description: ID of the user that was acted upon to trigger the event.
      type: bigint
    - name: risk_reasons
      description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide
      type: string
    - name: proxy_agent_name
      description: The name of the proxy agent.
      type: string
    - name: policy_type
      description: The type of the policy.
      type: string
    - name: role_id
      description: ID of a role involved in the event.
      type: bigint
    - name: user_agent
      description: The user agent from which the request was invoke
      type: string
    - name: privilege_name
      description: The name of the privilege.
      type: string
    - name: group_name
      description: Name of a group involved in the event.
      type: string
    - name: entity
      description: The entity involved in this request.
      type: string
    - name: resource_type_id
      description: ID of the resource (user, role, group, and so forth) associated with the event.
      type: bigint
    - name: mapping_name
      description: The name of the mapping.
      type: string
    - name: task_name
      description: The name of the task.
      type: string
    - name: authentication_factor_type
      description: The type of the authentication type.
      type: bigint
    - name: radius_config_name
      description: The name of the Radius configuration used.
      type: string
    - name: policy_name
      description: Name of the policy involved in the event.
      type: string
    - name: privilege_id
      description: The id of the privilege.
      type: bigint
    - name: directory_sync_run_id
      description: Directory sync run ID.
      type: bigint
    - name: operation_name
      description: The name of the operation
      type: string
Okta Logs
Osquery Logs
Last modified 1mo ago