Panther supports ingesting OneLogin logs via OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable, reliable, and low latency manner.
In order for Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in your Panther Amazon Web Services (AWS) account.
How to onboard OneLogin logs to Panther
Configure OneLogin to send data to Panther
Note: Keep track of the AWS Account ID and AWS Region where your instance of Panther is deployed. You can find this information in your Panther Console under Settings > General in the footer of the page.
In your OneLogin administrative console, go to Developers > Webhooks.
Go to New Webhook > Event Webhook for Amazon EventBridge.
Add a descriptive name. For example: Panther Integration
Fill out the AWS Account ID and Region that you noted earlier and click Save.
Click on the new integration that was just created. Keep note of the Event Source field, as it is used in the next step.
It should be formatted like aws.partner/onelogin.com/US-123456/ffffffffff.
Create a new OneLogin source in Panther
In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for “OneLogin,” then click its tile.
Click Start Setup.
On the Configure Source page, fill in the following fields:
Name: A descriptive name for the source. For example: My OneLogin events
Log Types: Select OneLogin.Events
Bus Name: The Event Source value you noted in the previous step (formatted aws.partner/onelogin.com/US-123456/ffffffffff)
Click Setup. You will be directed to a success screen.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
OneLogin.Events schema

schema: OneLogin.Events
description: OneLogin provides single sign-on and identity management for organizations
referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource
fields:
  - name: uuid
    required: true
    description: The Universal Unique Identifier for this message generated by OneLogin.
    type: string
  - name: account_id
    required: true
    description: Account that triggered the event.
    type: string
  - name: event_timestamp
    required: true
    description: Time and date at which the event was created. This value is autogenerated by OneLogin.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %Z'
    isEventTime: true
  - name: error_description
    description: Provisioning error details, if applicable.
    type: string
  - name: login_name
    description: The name of the login user
    type: string
  - name: app_name
    description: Name of the app involved in the event, if applicable.
    type: string
  - name: authentication_factor_description
    description: More details about the authentication factor used.
    type: string
  - name: certificate_name
    description: The name of the certificate that was included in the request.
    type: string
  - name: certificate_id
    description: The ID of the certificate that was included in the request.
    type: string
  - name: assumed_by_superadmin_or_reseller
    description: Indicates that the operation was performed by superadmin or reseller.
    type: bigint
  - name: directory_name
    description: The directory name.
    type: string
  - name: actor_user_id
    description: ID of the user whose action triggered the event.
    type: string
    indicators:
      - actor_id
  - name: user_name
    description: Name of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - username
  - name: mapping_id
    description: The ID of the mapping included in the operation.
    type: string
  - name: radius_config_id
    description: The ID of the Radius configuration included in the operation.
    type: string
  - name: risk_score
    description: The higher this number, the higher the risk.
    type: float
  - name: otp_device_id
    description: ID of a device involved in the event.
    type: string
  - name: imported_user_id
    description: The ID of the imported user.
    type: string
    indicators:
      - actor_id
  - name: resolution
    description: The resolution.
    type: string
  - name: directory_id
    description: The directory ID.
    type: string
  - name: authentication_factor_id
    description: The ID of the authentication factor used.
    type: string
  - name: risk_cookie_id
    description: The ID of the risk cookie.
    type: string
  - name: app_id
    description: ID of the app involved in the event, if applicable.
    type: string
  - name: custom_message
    description: More details about the event.
    type: string
  - name: browser_fingerprint
    description: The fingerprint of the browser.
    type: string
  - name: otp_device_name
    description: Name of a device involved in the event.
    type: string
  - name: actor_user_name
    description: First and last name of the user whose action triggered the event.
    type: string
    indicators:
      - username
  - name: actor_system
    description: Acting system that triggered the event when the actor is not a user.
    type: string
  - name: user_field_name
    description: The name of the custom user field.
    type: string
  - name: user_field_id
    description: The ID of the custom user field.
    type: string
  - name: assuming_acting_user_id
    description: ID of the user who assumed the role of the acting user to trigger the event, if applicable.
    type: string
  - name: api_credential_name
    description: The name of the API credential used.
    type: string
  - name: imported_user_name
    description: The name of the imported user.
    type: string
    indicators:
      - username
  - name: note_title
    description: The title of the note.
    type: string
  - name: trusted_idp_name
    description: The name of the trusted IDP.
    type: string
  - name: policy_id
    description: ID of the policy involved in the event.
    type: string
  - name: role_name
    description: Name of a role involved in the event.
    type: string
  - name: resolved_by_user_id
    description: The ID of the user that resolved the issue.
    type: string
  - name: group_id
    description: ID of a group involved in the event.
    type: string
  - name: client_id
    description: Client ID used to generate the access token that made the API call that generated the event.
    type: string
  - name: ipaddr
    description: IP address of the machine used to trigger the event.
    type: string
    indicators:
      - ip
  - name: notes
    description: More details about the event.
    type: string
  - name: event_type_id
    required: true
    description: Type of event triggered.
    type: string
  - name: user_id
    description: ID of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - actor_id
  - name: risk_reasons
    description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide
    type: string
  - name: proxy_agent_name
    description: The name of the proxy agent.
    type: string
  - name: policy_type
    description: The type of the policy.
    type: string
  - name: role_id
    description: ID of a role involved in the event.
    type: string
  - name: user_agent
    description: The user agent from which the request was invoked
    type: string
  - name: privilege_name
    description: The name of the privilege.
    type: string
  - name: group_name
    description: Name of a group involved in the event.
    type: string
  - name: entity
    description: The entity involved in this request.
    type: string
  - name: resource_type_id
    description: ID of the resource (user, role, group, and so forth) associated with the event.
    type: string
  - name: mapping_name
    description: The name of the mapping.
    type: string
  - name: task_name
    description: The name of the task.
    type: string
  - name: authentication_factor_type
    description: The type of the authentication factor.
    type: string
  - name: radius_config_name
    description: The name of the Radius configuration used.
    type: string
  - name: policy_name
    description: Name of the policy involved in the event.
    type: string
  - name: privilege_id
    description: The ID of the privilege.
    type: string
  - name: directory_sync_run_id
    description: Directory sync run ID.
    type: string
  - name: operation_name
    description: The name of the operation
    type: string
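As an added illustration (not Panther's own parser or any code from the project), the following Python applies the constraints the schema above declares to one event: the four required fields, the '%Y-%m-%d %H:%M:%S %Z' timestamp format, the float and bigint types, and the actor_id, username and ip indicator tags that tell Panther which columns to treat as searchable indicators. The field names and constraints come from the schema; the sample event, the function name and the output layout are constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constraints taken from the OneLogin.Events schema on this page.
REQUIRED = ("uuid", "account_id", "event_timestamp", "event_type_id")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"          # the schema's timeFormats entry
INDICATORS = {                                 # indicator -> fields tagged with it
    "actor_id": ("actor_user_id", "imported_user_id", "user_id"),
    "username": ("user_name", "actor_user_name", "imported_user_name"),
    "ip": ("ipaddr",),
}
NUMERIC = {"risk_score": float, "assumed_by_superadmin_or_reseller": int}


def normalize_event(raw: str) -> dict:
    """Parse one raw JSON event; raise ValueError if it violates the schema."""
    event = json.loads(raw)
    missing = [f for f in REQUIRED if not event.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    # strptime's %Z matches the zone name but attaches no tzinfo; OneLogin
    # stamps are UTC, so mark the parsed value explicitly.
    event_time = datetime.strptime(event["event_timestamp"], TIME_FORMAT)
    event_time = event_time.replace(tzinfo=timezone.utc)
    for field, caster in NUMERIC.items():
        if field in event:
            event[field] = caster(event[field])   # ValueError on non-numeric input
    # Collect every value tagged with each indicator, deduplicated and sorted.
    indicators = {
        name: sorted({str(event[f]) for f in fields if event.get(f)})
        for name, fields in INDICATORS.items()
    }
    return {"event": event, "event_time": event_time, "indicators": indicators}


# Constructed sample event (not real OneLogin data): an admin acting on a user.
SAMPLE = json.dumps({
    "uuid": "00000000-0000-4000-8000-000000000001",
    "account_id": "123456",
    "event_timestamp": "2024-05-01 12:34:56 UTC",
    "event_type_id": "3",
    "actor_user_id": "1001",
    "actor_user_name": "alice admin",
    "user_id": "2002",
    "user_name": "bob user",
    "ipaddr": "198.51.100.7",
    "risk_score": "42.5",
    "assumed_by_superadmin_or_reseller": "1",
})

if __name__ == "__main__":
    print(json.dumps(normalize_event(SAMPLE), default=str, indent=2))
```

Panther derives its own indicator columns from the tags in the schema; the indicator dictionary here only shows which fields each tag gathers, so a search for one IP or actor ID matches whichever field carried it.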