Idaptive SSO
Idaptive SSO is a cloud service that allows you to track ingress authentication events and produce documents for those events in order to protect against privileged access abuse.
At this time, InsightIDR only tracks password authentications through your Idaptive data. After you complete the configuration, this event source refreshes every two hours.
Before You Begin
Use an Admin account to connect to InsightIDR with API permissions to query the redrock/query and /security endpoints. Read more about the Idaptive API here: https://developer.idaptive.com/reference#post_acl-checkrowright
You must also gather the following information from your Idaptive application:
- TenantID
- User
- Password
Configure Idaptive SSO
Complete these tasks to configure Idaptive SSO for this event source.
Task 1: Create an authentication profile
Create an authentication profile that uses a password for the first challenge and no secondary challenge (InsightIDR only supports password authentication). The profile must also bypass multi-factor authentication.
Task 2: (Optional) Create a policy
Users who have multi-factor authentication (MFA) enabled may need to create a unique policy that allows the InsightIDR account to bypass MFA and other controls (InsightIDR does not support MFA). To create a policy:
- Log in to the admin portal using the same account as the event source.
- Click Core Services > Policies > Add Policy Set.
- Define the policy related information.
- Enter a name for the policy set.
- Enter the description you want to appear on the Admin Portal Policy page.
- Configure the Set Policy to active option if necessary (this option is enabled by default).
- Specify policy assignment.
- Click the Save button.
Task 3: Verify that you can access the Redrock Query
To test access to the Redrock Query:
- Log in to the admin portal using the same account as the event source.
- Navigate to Core Services > Reports.
- Click on New Report.
- Click on Edit Script and paste:
```sql
select ID,InternalSessionId,WhenOccurred,EventType,EventMessage,NormalizedUser,FromIPAddress,DirectoryServiceName from event where whenoccurred >= datefunc('now','-23:59') order by whenoccurred asc
```
- Click Preview.
If the preview returns records, there is access to the Redrock Query endpoint.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Idaptive in the event sources search bar.
- In the Product Type filter, select Cloud Service.
- Select the Idaptive event source tile.
- Select your collector and Idaptive from the event source dropdown.
- Name your event source.
- Optionally choose to send unparsed logs.
- Select your Account Attribution preference:
- Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user's first and last name, for example, John Smith.
- Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user's first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
- Select your Idaptive credentials, or optionally create a new credential.
- In the "Tenant ID" field, enter the tenant ID for your Idaptive appliance. For example, if your Idaptive URL is tenantID.my.idaptive.app, your tenant ID is tenantID.
- Click Save.
Verify the Configuration
- From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or Idaptive SSO if you did not name the event source. Idaptive SSO logs flow into the log set:
- Ingress Authentication
- Perform a Log Search to make sure Idaptive SSO events are coming through.
The following is a sample of input logs that Idaptive SSO sends to InsightIDR.
```json
{
  "FromIPAddress": "149.14.220.2",
  "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
  "EventType": "Cloud.Core.LoginFail",
  "EventMessage": "Failed login attempt as bob from 149.14.220.2",
  "NormalizedUser": "bob",
  "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
  "WhenOccurred": "/Date(1547554501673)/",
  "DirectoryServiceName": "UNKNOWN"
}
```
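As an added example (not Rapid7's or Idaptive's code) of working with events in the shape shown above once they are collected: it parses the `/Date(<epoch milliseconds>)/` timestamp format and flags repeated `Cloud.Core.LoginFail` events per (user, source IP) and source IPs whose failures hit several accounts. The sample lines are constructed, and the `Cloud.Core.LoginSuccess` event type is an assumption; the page only shows `Cloud.Core.LoginFail`.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

_DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")  # matches the page's "/Date(1547554501673)/" form


def parse_when_occurred(value: str) -> datetime:
    """Turn Idaptive's '/Date(<epoch milliseconds>)/' string into an aware UTC datetime."""
    match = _DATE_RE.match(value)
    if not match:  # anything else (e.g. an offset suffix) is rejected rather than misparsed
        raise ValueError(f"unexpected WhenOccurred format: {value!r}")
    millis = int(match.group(1))
    stamp = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
    return stamp.replace(microsecond=(millis % 1000) * 1000)


def parse_event(line: str) -> dict:
    """Parse one JSON event line and replace WhenOccurred with a datetime."""
    event = json.loads(line)
    event["WhenOccurred"] = parse_when_occurred(event["WhenOccurred"])
    return event


def failed_login_alerts(lines, fail_threshold=3, spray_users=2):
    """Flag (user, IP) pairs with >= fail_threshold Cloud.Core.LoginFail events (brute force)
    and source IPs whose failures hit >= spray_users distinct accounts (password spray)."""
    per_pair, per_ip = Counter(), defaultdict(set)
    for event in map(parse_event, lines):
        if event["EventType"] != "Cloud.Core.LoginFail":
            continue
        per_pair[(event["NormalizedUser"], event["FromIPAddress"])] += 1
        per_ip[event["FromIPAddress"]].add(event["NormalizedUser"])
    brute = {pair: n for pair, n in per_pair.items() if n >= fail_threshold}
    spray = {ip: sorted(u) for ip, u in per_ip.items() if len(u) >= spray_users}
    return brute, spray


def _sample(user, ip, event_type, millis):
    # Constructed event line in the shape of the page's sample log; not real data.
    return json.dumps({"FromIPAddress": ip, "ID": f"constructed-{millis}", "EventType": event_type,
                       "EventMessage": f"{event_type} as {user} from {ip}", "NormalizedUser": user,
                       "InternalSessionId": "00000000-0000-0000-0000-000000000000",
                       "WhenOccurred": f"/Date({millis})/", "DirectoryServiceName": "UNKNOWN"})


# Constructed input: bob fails three times and alice once from one IP, then bob succeeds.
# "Cloud.Core.LoginSuccess" is an assumed type; the page only shows Cloud.Core.LoginFail.
SAMPLE_LINES = [_sample("bob", "203.0.113.7", "Cloud.Core.LoginFail", 1547554501673),
                _sample("bob", "203.0.113.7", "Cloud.Core.LoginFail", 1547554511673),
                _sample("bob", "203.0.113.7", "Cloud.Core.LoginFail", 1547554521673),
                _sample("alice", "203.0.113.7", "Cloud.Core.LoginFail", 1547554531673),
                _sample("bob", "203.0.113.7", "Cloud.Core.LoginSuccess", 1547554551673)]
```

Calling `failed_login_alerts(SAMPLE_LINES)` returns bob's three failures from 203.0.113.7 as the brute-force candidate and that IP, with both accounts, as the spray candidate.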