OneLogin Logs
Panther supports pulling logs directly from OneLogin

Overview

Panther is able to process OneLogin events through OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable, reliable, low-latency manner.
In order for Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in Panther's AWS account.

How to onboard OneLogin logs to Panther

Configure OneLogin to send data to Panther

Note: Keep track of the AWS Account and AWS region where your instance of Panther is deployed. You can find this information in your Panther Console under Settings > General in the footer of the page.
  1. Log in to your OneLogin administrative console.
  2. Go to Developers > Webhooks.
  3. Go to New Webhook > Event Webhook for Amazon EventBridge.
  4. Add a friendly name, e.g. Panther Integration.
  5. Fill out the AWS Account Id and Region that you noted earlier and click Save.
  6. Click the integration that was just created and keep note of its Event Source field, as it is used in the next step.
     • It should be in the form aws.partner/onelogin.com/US-123456/ffffffffff.

Create a new OneLogin source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select OneLogin from the list of available log sources.
  5. Select Amazon EventBridge from the list of available Data Transports.
  6. On the Configure Source page, fill in the following fields:
     • Name: A memorable name for the source, e.g. My OneLogin events
     • Log Types: Select OneLogin.Events
     • Bus Name: The Event Source value you noted in the previous section (in the form aws.partner/onelogin.com/US-123456/ffffffffff)
  7. Click Continue Setup.
  8. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  9. Click Finish Setup.

Panther-Built Detections

The following detections are available for use immediately:
  • Active Login Activity
  • Admin Role Assigned
  • Brute Force By IP
  • Brute Force By Username
  • High Risk Failed Login
  • High Risk Login
  • Password Accessed
  • Password Changed
  • Remove Authentication Factor
  • Threshold Accounts Deleted
  • Threshold Accounts Modified
  • Unauthorized Access
  • Unusual Login
  • User Account Locked
  • User Assumed
Review the files in the onelogin_rules repository to see how these are built.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

OneLogin.Events

OneLogin provides single sign-on and identity management for organizations.
schema: OneLogin.Events
parser:
  native:
    name: OneLogin.Events
description: OneLogin provides single sign-on and identity management for organizations
referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource
version: 0
fields:
  - name: uuid
    required: true
    description: The Universal Unique Identifier for this message generated by OneLogin.
    type: string
  - name: account_id
    required: true
    description: Account that triggered the event.
    type: bigint
  - name: event_timestamp
    required: true
    description: Time and date at which the event was created. This value is autogenerated by OneLogin.
    type: timestamp
    timeFormat: layout=2006-01-02 15:04:05 MST
    isEventTime: true
  - name: error_description
    description: Provisioning error details, if applicable.
    type: string
  - name: login_name
    description: The name of the login user.
    type: string
  - name: app_name
    description: Name of the app involved in the event, if applicable.
    type: string
  - name: authentication_factor_description
    description: More details about the authentication factor used.
    type: string
  - name: certificate_name
    description: The name of the certificate that was included in the request.
    type: string
  - name: certificate_id
    description: The ID of the certificate that was included in the request.
    type: string
  - name: assumed_by_superadmin_or_reseller
    description: Indicates that the operation was performed by a superadmin or reseller.
    type: boolean
  - name: directory_name
    description: The directory name.
    type: string
  - name: actor_user_id
    description: ID of the user whose action triggered the event.
    type: bigint
  - name: user_name
    description: Name of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - username
  - name: mapping_id
    description: The ID of the mapping included in the operation.
    type: bigint
  - name: radius_config_id
    description: The ID of the Radius configuration included in the operation.
    type: bigint
  - name: risk_score
    description: The higher this number, the higher the risk.
    type: bigint
  - name: otp_device_id
    description: ID of a device involved in the event.
    type: bigint
  - name: imported_user_id
    description: The ID of the imported user.
    type: bigint
  - name: resolution
    description: The resolution.
    type: bigint
  - name: directory_id
    description: The directory ID.
    type: bigint
  - name: authentication_factor_id
    description: The ID of the authentication factor used.
    type: bigint
  - name: risk_cookie_id
    description: The ID of the risk cookie.
    type: string
  - name: app_id
    description: ID of the app involved in the event, if applicable.
    type: bigint
  - name: custom_message
    description: More details about the event.
    type: string
  - name: browser_fingerprint
    description: The fingerprint of the browser.
    type: string
  - name: otp_device_name
    description: Name of a device involved in the event.
    type: string
  - name: actor_user_name
    description: First and last name of the user whose action triggered the event.
    type: string
    indicators:
      - username
  - name: actor_system
    description: Acting system that triggered the event when the actor is not a user.
    type: string
  - name: user_field_name
    description: The name of the custom user field.
    type: string
  - name: user_field_id
    description: The ID of the custom user field.
    type: string
  - name: assuming_acting_user_id
    description: ID of the user who assumed the role of the acting user to trigger the event, if applicable.
    type: bigint
  - name: api_credential_name
    description: The name of the API credential used.
    type: string
  - name: imported_user_name
    description: The name of the imported user.
    type: string
    indicators:
      - username
  - name: note_title
    description: The title of the note.
    type: string
  - name: trusted_idp_name
    description: The name of the trusted IDP.
    type: string
  - name: policy_id
    description: ID of the policy involved in the event.
    type: bigint
  - name: role_name
    description: Name of a role involved in the event.
    type: string
  - name: resolved_by_user_id
    description: The ID of the user that resolved the issue.
    type: bigint
  - name: group_id
    description: ID of a group involved in the event.
    type: bigint
  - name: client_id
    description: Client ID used to generate the access token that made the API call that generated the event.
    type: string
  - name: ipaddr
    description: IP address of the machine used to trigger the event.
    type: string
    indicators:
      - ip
  - name: notes
    description: More details about the event.
    type: string
  - name: event_type_id
    required: true
    description: Type of event triggered.
    type: bigint
  - name: user_id
    description: ID of the user that was acted upon to trigger the event.
    type: bigint
  - name: risk_reasons
    description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide.
    type: string
  - name: proxy_agent_name
    description: The name of the proxy agent.
    type: string
  - name: policy_type
    description: The type of the policy.
    type: string
  - name: role_id
    description: ID of a role involved in the event.
    type: bigint
  - name: user_agent
    description: The user agent from which the request was invoked.
    type: string
  - name: privilege_name
    description: The name of the privilege.
    type: string
  - name: group_name
    description: Name of a group involved in the event.
    type: string
  - name: entity
    description: The entity involved in this request.
    type: string
  - name: resource_type_id
    description: ID of the resource (user, role, group, and so forth) associated with the event.
    type: bigint
  - name: mapping_name
    description: The name of the mapping.
    type: string
  - name: task_name
    description: The name of the task.
    type: string
  - name: authentication_factor_type
    description: The type of the authentication factor.
    type: bigint
  - name: radius_config_name
    description: The name of the Radius configuration used.
    type: string
  - name: policy_name
    description: Name of the policy involved in the event.
    type: string
  - name: privilege_id
    description: The ID of the privilege.
    type: bigint
  - name: directory_sync_run_id
    description: Directory sync run ID.
    type: bigint
  - name: operation_name
    description: The name of the operation.
    type: string
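As an added example (not Panther's own code), the script below checks a constructed OneLogin.Events record against the schema above: it enforces the four fields marked required: true, parses event_timestamp using the layout 2006-01-02 15:04:05 MST, and collects the values the schema tags as username and ip indicators. The sample record, its event_type_id value and the zone handling (only UTC/GMT accepted) are assumptions.

```python
import json
from datetime import datetime, timezone

# Fields the OneLogin.Events schema marks "required: true", with their types
REQUIRED = {"uuid": str, "account_id": int, "event_timestamp": str, "event_type_id": int}

# Schema fields that carry an "indicators" entry, mapped to the indicator kind
INDICATORS = {
    "user_name": "username",
    "actor_user_name": "username",
    "imported_user_name": "username",
    "ipaddr": "ip",
}


def parse_event_timestamp(value):
    """Parse the schema layout '2006-01-02 15:04:05 MST' (date, time, zone abbreviation).

    Assumption: only UTC/GMT abbreviations are mapped; anything else is rejected
    rather than guessed, so a mis-zoned event fails loudly instead of shifting time.
    """
    stamp, _, zone = value.rpartition(" ")
    if zone not in ("UTC", "GMT"):
        raise ValueError(f"unsupported zone abbreviation: {zone!r}")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalize_event(raw):
    """Return (event_time, indicators) for a JSON record, or raise ValueError."""
    event = json.loads(raw)
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    for field, typ in REQUIRED.items():
        # bool is a subclass of int in Python, so exclude it explicitly for bigint fields
        if not isinstance(event[field], typ) or isinstance(event[field], bool):
            raise ValueError(f"{field} must be of type {typ.__name__}")
    event_time = parse_event_timestamp(event["event_timestamp"])
    indicators = {}
    for field, kind in INDICATORS.items():
        if event.get(field):
            indicators.setdefault(kind, set()).add(event[field])
    return event_time, indicators


# Constructed sample record (not a real OneLogin event); event_type_id is a placeholder
SAMPLE = json.dumps({
    "uuid": "00000000-0000-4000-8000-000000000001",
    "account_id": 123456,
    "event_timestamp": "2024-01-15 08:30:00 UTC",
    "event_type_id": 1,
    "user_name": "jane.doe",
    "actor_user_name": "jane.doe",
    "ipaddr": "203.0.113.7",
    "risk_score": 82,
})
```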