OneLogin

OneLogin is an application that manages authentication for your users on your network. You can connect OneLogin to InsightIDR in order to better track successful and failed login attempts on your assets.

To get started using OneLogin and InsightIDR:

  1. Configure a OneLogin API Credential
  2. Configure OneLogin as an Event Source

Configure a OneLogin API Credential

In your OneLogin application, you must create an API credential that allows InsightIDR read-only access to OneLogin authentication events. You can read more about OneLogin API credentials here: https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials

To configure this API credential:

  1. Log in to your OneLogin application.
  2. Select Developers > API Credentials.
  3. Click the Create New Credential button.
  4. Name your credential and choose the Read All radio button.
  5. Click the Save button.

OneLogin will then produce a Client ID and Client Secret. Copy both of these for later use in InsightIDR.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for OneLogin in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the OneLogin event source tile.
  4. Select your collector and OneLogin from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  8. Select your OneLogin credentials, or optionally create a new credential. For a new credential, enter the “Client ID” as the username and the “Client Secret” as the password.
  9. Select your subdomain (region).
  10. Enter the refresh rate in minutes.
  11. Click Save.
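
The Account Attribution choice in step 7 depends on whether short names collide in your environment. The following is an added example, not part of InsightIDR or OneLogin: it checks a list of user email addresses for short-name collisions before you pick an option. It assumes the short name is the part of the address before the @ (as in jsmith@myorg.example.com and jsmith) and that names are compared case-insensitively; the sample addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample directory export (not real accounts).
SAMPLE_EMAILS = [
    "jsmith@myorg.example.com",
    "JSmith@emea.example.com",      # same short name, different domain
    "adoe@myorg.example.com",
    " bnguyen@myorg.example.com ",  # stray whitespace from an export
    "not-an-email",                 # malformed entry, reported separately
]

def short_name(email):
    """Return the lowercased local part of an address, or None if malformed."""
    addr = email.strip().lower()
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return local

def find_collisions(emails):
    """Map each short name shared by 2+ distinct addresses to those addresses."""
    by_short = defaultdict(set)
    malformed = []
    for raw in emails:
        name = short_name(raw)
        if name is None:
            malformed.append(raw)
        else:
            by_short[name].add(raw.strip().lower())
    collisions = {n: sorted(a) for n, a in by_short.items() if len(a) > 1}
    return collisions, malformed

def recommend_attribution(emails):
    """Suggest the step 7 option (assumption: short name is fine if no collisions)."""
    collisions, _ = find_collisions(emails)
    if collisions:
        return "Use fully qualified domain name attribution"
    return "Use short name attribution"

if __name__ == "__main__":
    collisions, malformed = find_collisions(SAMPLE_EMAILS)
    for name, addrs in sorted(collisions.items()):
        print(f"collision on {name!r}: {', '.join(addrs)}")
    for entry in malformed:
        print(f"skipped malformed entry: {entry!r}")
    print("suggested setting:", recommend_attribution(SAMPLE_EMAILS))
```

Run it against an export of the email addresses for the accounts that authenticate through OneLogin; any reported collision means two different users would share one short name.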