OneLogin Logs

Panther supports pulling logs directly from OneLogin

Overview

Panther supports ingesting OneLogin logs via OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable, reliable, and low latency manner.
In order for Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in your Panther Amazon Web Services (AWS) account.

How to onboard OneLogin logs to Panther

Configure OneLogin to send data to Panther

Note: Keep track of the AWS Account ID and AWS Region where your instance of Panther is deployed. You can find this information in your Panther Console under Settings > General in the footer of the page.
  1. In your OneLogin administrative console, go to Developers > Webhooks.
  2. Go to New Webhook > Event Webhook for Amazon EventBridge.
  3. Add a descriptive name. For example: Panther Integration
  4. Fill out the AWS Account ID and Region that you noted earlier and click Save.
  5. Click on the new integration that was just created. Keep note of the Event Source field, as it is used in the next step.
     • It should be formatted aws.partner/onelogin.com/US-123456/ffffffffff.

Create a new OneLogin source in Panther

  1. In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.
  2. Click Create New.
  3. Search for “OneLogin,” then click its tile.
  4. Click Start Setup.
  5. On the Configure Source page, fill in the following fields:
     • Name: A descriptive name for the source. For example: My OneLogin events
     • Log Types: Select OneLogin.Events
     • Bus Name: The Event Source value you noted in the previous section (formatted aws.partner/onelogin.com/US-123456/ffffffffff)
  6. Click Setup. You will be directed to a success screen:
     (Screenshot: the success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account")
     • You can optionally enable one or more Detection Packs.
     • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
       (Screenshot: the "Trigger an alert when no events are processed" toggle is set to YES, and the "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day)

Panther-managed detections

Supported log types

OneLogin.Events

OneLogin provides single sign-on and identity management for organizations.
```yaml
schema: OneLogin.Events
description: OneLogin provides single sign-on and identity management for organizations
referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource
fields:
  - name: uuid
    required: true
    description: The Universal Unique Identifier for this message generated by OneLogin.
    type: string
  - name: account_id
    required: true
    description: Account that triggered the event.
    type: string
  - name: event_timestamp
    required: true
    description: Time and date at which the event was created. This value is autogenerated by OneLogin.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %Z'
    isEventTime: true
  - name: error_description
    description: Provisioning error details, if applicable.
    type: string
  - name: login_name
    description: The name of the login user.
    type: string
  - name: app_name
    description: Name of the app involved in the event, if applicable.
    type: string
  - name: authentication_factor_description
    description: More details about the authentication factor used.
    type: string
  - name: certificate_name
    description: The name of the certificate that was included in the request.
    type: string
  - name: certificate_id
    description: The ID of the certificate that was included in the request.
    type: string
  - name: assumed_by_superadmin_or_reseller
    description: Indicates that the operation was performed by superadmin or reseller.
    type: boolean
  - name: directory_name
    description: The directory name.
    type: string
  - name: actor_user_id
    description: ID of the user whose action triggered the event.
    type: string
    indicators:
      - actor_id
  - name: user_name
    description: Name of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - username
  - name: mapping_id
    description: The ID of the mapping included in the operation.
    type: string
  - name: radius_config_id
    description: The ID of the Radius configuration included in the operation.
    type: string
  - name: risk_score
    description: The higher this number, the higher the risk.
    type: float
  - name: otp_device_id
    description: ID of a device involved in the event.
    type: string
  - name: imported_user_id
    description: The ID of the imported user.
    type: string
    indicators:
      - actor_id
  - name: resolution
    description: The resolution.
    type: string
  - name: directory_id
    description: The directory ID.
    type: string
  - name: authentication_factor_id
    description: The ID of the authentication factor used.
    type: string
  - name: risk_cookie_id
    description: The ID of the risk cookie.
    type: string
  - name: app_id
    description: ID of the app involved in the event, if applicable.
    type: string
  - name: custom_message
    description: More details about the event.
    type: string
  - name: browser_fingerprint
    description: The fingerprint of the browser.
    type: string
  - name: otp_device_name
    description: Name of a device involved in the event.
    type: string
  - name: actor_user_name
    description: First and last name of the user whose action triggered the event.
    type: string
    indicators:
      - username
  - name: actor_system
    description: Acting system that triggered the event when the actor is not a user.
    type: string
  - name: user_field_name
    description: The name of the custom user field.
    type: string
  - name: user_field_id
    description: The ID of the custom user field.
    type: string
  - name: assuming_acting_user_id
    description: ID of the user who assumed the role of the acting user to trigger the event, if applicable.
    type: string
  - name: api_credential_name
    description: The name of the API credential used.
    type: string
  - name: imported_user_name
    description: The name of the imported user.
    type: string
    indicators:
      - username
  - name: note_title
    description: The title of the note.
    type: string
  - name: trusted_idp_name
    description: The name of the trusted IDP.
    type: string
  - name: policy_id
    description: ID of the policy involved in the event.
    type: string
  - name: role_name
    description: Name of a role involved in the event.
    type: string
  - name: resolved_by_user_id
    description: The ID of the user that resolved the issue.
    type: string
  - name: group_id
    description: ID of a group involved in the event.
    type: string
  - name: client_id
    description: Client ID used to generate the access token that made the API call that generated the event.
    type: string
  - name: ipaddr
    description: IP address of the machine used to trigger the event.
    type: string
    indicators:
      - ip
  - name: notes
    description: More details about the event.
    type: string
  - name: event_type_id
    required: true
    description: Type of event triggered.
    type: string
  - name: user_id
    description: ID of the user that was acted upon to trigger the event.
    type: string
    indicators:
      - actor_id
  - name: risk_reasons
    description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide.
    type: string
  - name: proxy_agent_name
    description: The name of the proxy agent.
    type: string
  - name: policy_type
    description: The type of the policy.
    type: string
  - name: role_id
    description: ID of a role involved in the event.
    type: string
  - name: user_agent
    description: The user agent from which the request was invoked.
    type: string
  - name: privilege_name
    description: The name of the privilege.
    type: string
  - name: group_name
    description: Name of a group involved in the event.
    type: string
  - name: entity
    description: The entity involved in this request.
    type: string
  - name: resource_type_id
    description: ID of the resource (user, role, group, and so forth) associated with the event.
    type: string
  - name: mapping_name
    description: The name of the mapping.
    type: string
  - name: task_name
    description: The name of the task.
    type: string
  - name: authentication_factor_type
    description: The type of the authentication factor.
    type: string
  - name: radius_config_name
    description: The name of the Radius configuration used.
    type: string
  - name: policy_name
    description: Name of the policy involved in the event.
    type: string
  - name: privilege_id
    description: The ID of the privilege.
    type: string
  - name: directory_sync_run_id
    description: Directory sync run ID.
    type: string
  - name: operation_name
    description: The name of the operation.
    type: string
```
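The following is an added example, not Panther's or OneLogin's own code, showing how a detection written against the OneLogin.Events fields above fits together. It follows the shape of a Panther Python rule (a `rule(event)` function that returns True to alert, plus `title()` and `alert_context()`), but plain dicts stand in for Panther's event object so it runs offline. The risk-score threshold, the `evaluate()` helper and the sample records are constructed for this example; the timestamp format comes from the schema's `timeFormats` entry, and `risk_reasons` is surfaced only as triage context because the schema says it is a guide, not an exhaustive list.

```python
"""Panther-style rule over OneLogin.Events records (added example, not vendor code)."""
from datetime import datetime, timezone

# Format declared in the OneLogin.Events schema's timeFormats entry.
EVENT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"

# Assumed threshold for this example; tune it against your own baseline.
RISK_SCORE_THRESHOLD = 70.0


def parse_event_time(event):
    """Parse event_timestamp (e.g. '2024-05-01 13:45:10 UTC') into an aware datetime.

    Returns None for a missing or malformed value rather than raising, so one
    bad record cannot abort evaluation of the rest of the batch.
    """
    raw = event.get("event_timestamp")
    if not raw:
        return None
    try:
        parsed = datetime.strptime(raw, EVENT_TIME_FORMAT)
    except ValueError:
        return None
    # %Z with 'UTC' yields a naive datetime in CPython; pin it to UTC explicitly.
    return parsed.replace(tzinfo=timezone.utc)


def risk_score(event):
    """Return risk_score as a float, or None when it is absent or not numeric."""
    value = event.get("risk_score")
    if value is None:
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def actor(event):
    """Best-effort actor label: user name, then user id, then the acting system."""
    return (
        event.get("actor_user_name")
        or event.get("actor_user_id")
        or event.get("actor_system")
        or "unknown"
    )


def rule(event):
    """Fire when OneLogin's risk engine scores the event at or above the threshold."""
    score = risk_score(event)
    return score is not None and score >= RISK_SCORE_THRESHOLD


def title(event):
    target = event.get("user_name") or event.get("user_id") or "unknown user"
    return (
        f"OneLogin high-risk event (score {risk_score(event):g}) for [{target}] "
        f"from {event.get('ipaddr') or 'unknown ip'}"
    )


def alert_context(event):
    """Fields an analyst wants at triage time, with the timestamp normalised."""
    when = parse_event_time(event)
    return {
        "uuid": event.get("uuid"),
        "event_type_id": event.get("event_type_id"),
        "event_time": when.isoformat() if when else None,
        "actor": actor(event),
        "target_user": event.get("user_name"),
        "ipaddr": event.get("ipaddr"),
        "risk_score": risk_score(event),
        "risk_reasons": event.get("risk_reasons"),  # guide only, per the schema
        "app_name": event.get("app_name"),
    }


def evaluate(events):
    """Run the rule over a batch; returns (title, context) for every event that fires."""
    return [(title(e), alert_context(e)) for e in events if rule(e)]


# Constructed sample rows shaped like OneLogin.Events records (not real data).
SAMPLE_EVENTS = [
    {
        "uuid": "00000000-0000-0000-0000-000000000001",
        "account_id": "123456",
        "event_timestamp": "2024-05-01 13:45:10 UTC",
        "event_type_id": "5",
        "user_name": "alice",
        "user_id": "1001",
        "ipaddr": "203.0.113.10",
        "risk_score": 85.5,
        "risk_reasons": "new device; unusual location",
    },
    {
        "uuid": "00000000-0000-0000-0000-000000000002",
        "account_id": "123456",
        "event_timestamp": "2024-05-01 13:46:00 UTC",
        "event_type_id": "5",
        "user_name": "bob",
        "user_id": "1002",
        "ipaddr": "198.51.100.7",
        "risk_score": "12",  # delivered as a string: still parsed, still below threshold
    },
    {
        "uuid": "00000000-0000-0000-0000-000000000003",
        "account_id": "123456",
        "event_timestamp": "not a timestamp",
        "event_type_id": "6",
        "actor_system": "Directory sync",
        # no risk_score at all: the rule must neither fire nor raise
    },
]

if __name__ == "__main__":
    for alert_title, context in evaluate(SAMPLE_EVENTS):
        print(alert_title)
        print(context)
```

The helpers deliberately tolerate the two shapes that break naive rules in practice: a `risk_score` delivered as a string or missing entirely, and an `event_timestamp` that does not match the declared format. Only the first sample record fires; the second is below the threshold and the third has no score.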