OneLogin is an identity provider delivered as a cloud service (identity as a service, IDaaS). It manages the organization's identities and centralizes authentication securely across multiple applications through single sign-on (SSO). OneLogin helps organizations move faster, with infinite scalability and lower cost for their identity management and provider needs. At the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit of activities in the OneLogin account
  - Retrieve the OneLogin account activities, such as users' access, permission changes, 2FA events, OneLogin application changes and more.
  - Make the granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in the OneLogin account
What is it
SkyFormation Cloud Connector for OneLogin is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the OneLogin account, unifies the events into a common application event format, enriches them with the context needed for detection, and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for OneLogin retrieves the events from the OneLogin service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
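
The steps above, sketched as an added Python example (not SkyFormation's code or its event format): a constructed raw event is unified, enriched from a hypothetical identity table and encoded as one CEF line, using CEF escaping so that a delimiter or line break inside a field value cannot split or reshape the record in the SIEM. The input field names, the `ExampleVendor` header values and the `cs1`/`cs2` assignments are assumptions; the syslog send is left out.

```python
import json
from datetime import datetime, timezone

# Hypothetical lookup standing in for the AD identity enrichment step.
AD_IDENTITIES = {"j.doe@example.com": {"department": "Finance"}}

def esc_header(value):
    """CEF header fields: escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension values: escape backslash and '=', flatten line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def to_cef(raw):
    """Unify, enrich and encode one raw audit event (a dict) as one CEF line."""
    ts = datetime.strptime(raw["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    user = raw.get("user_name", "")
    failed = raw.get("outcome") == "failure"
    ext = {
        "rt": int(ts.replace(tzinfo=timezone.utc).timestamp() * 1000),
        "src": raw.get("ipaddr", ""),
        "suser": user,
        "outcome": raw.get("outcome", ""),
        "msg": raw.get("notes", ""),
        # Enrichment: identity context the raw event does not carry.
        "cs1Label": "department",
        "cs1": AD_IDENTITIES.get(user.lower(), {}).get("department", "unknown"),
        # Origin event embedded as compact JSON for later forensics.
        "cs2Label": "originEvent",
        "cs2": json.dumps(raw, sort_keys=True, separators=(",", ":")),
    }
    header = ["ExampleVendor", "OneLogin Connector", "1.0",
              raw["event_type"], raw["event_name"], 6 if failed else 3]
    head = "|".join(["CEF:0"] + [esc_header(h) for h in header])
    body = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v != "")
    return f"{head}|{body}"

# Constructed sample event; the field names are assumptions, not the OneLogin schema.
SAMPLE = {
    "created_at": "2024-03-01T12:00:00Z", "event_type": "login_failed",
    "event_name": "Login to OneLogin failed", "outcome": "failure",
    "user_name": "J.Doe@example.com", "ipaddr": "203.0.113.7",
    "notes": "bad password | attempt=3\nsecond line",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE))
```
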
OneLogin Audit Sources & Events Supported
|Audit Source (API)||Service/Module Covered||Event Types||Events included|
|Events||Authentication||login to OneLogin failed/succeeded, user authentication via API failed/succeeded, user failed remote authentication, Mac login success/failed, user logged out from OneLogin, user logged out from app, user authenticated by RADIUS, social sign-in, user failed login via assertion proxy etc.||Represents authentication-related events for the OneLogin app or its protected apps|
|Events||Active Directory||AD connector started, stopped, configuration reloaded etc.||Represents events related to the Active Directory connector|
|Events||Directory Connector & VLDAP||directory connector enabled/disabled, directory export started/finished, VLDAP bind failed, VLDAP enabled/disabled/updated etc.||Represents events related to the directory connector|
|Events||Directory Management||directory added/deleted/modified, directory group updated etc.||Represents events related to directory management|
|Events||Integrated Application||integrated app added/removed/updated etc.||Represents events related to the integrated applications|
|Events||Directory Users Management||user deleted/created in directory, user invited, user locked, user suspended/reactivated in directory, user field added/removed, self-registration requested for user, user unlocked in directory etc.||Represents events related to user management in OneLogin directories|
|Events||App Users Management||user deleted/created in app, user suspended/reactivated in app, user linked in app, user updated in app etc.||Represents events related to user management in OneLogin apps|
|Events||Roles Management||added role to user, role management granted/revoked, role removed from a user etc.||Represents events related to security settings changes|
|Events||Security Settings||trusted idp removed, certification expiration notice, certification created, RADIUS config updated, desktop SSO enabled/disabled, VPN enabled/disabled,|| |
|Events||SAML||SAML assertion consumer service failed|| |
|Events||Passwords||set password with salt, set password with clear text, failed to set password with salt etc.||Represents events related to password changes and management|