Idaptive SSO

Idaptive SSO is a cloud service that records ingress authentication events and makes them available as documents, so that you can detect and protect against privileged access abuse.

At this time, InsightIDR only tracks password authentications through your Idaptive data. After you complete the configuration, this event source refreshes every two hours.

Before You Begin

Connect InsightIDR using an Admin account that has API permissions to query the redrock/query and /security endpoints. Read more about the Idaptive API here:

You must also gather the following information from your Idaptive application:

  • TenantID
  • User
  • Password

Configure Idaptive SSO

Complete these tasks to configure Idaptive SSO for this event source.

Task 1: Create an authentication profile

Create an authentication profile that uses a password for the first challenge and no secondary challenge (InsightIDR only supports password authentication). The profile must also bypass multi-factor authentication.

Task 2: (Optional) Create a policy

Users who have multi-factor authentication (MFA) enabled may need to create a unique policy that allows the InsightIDR account to bypass MFA and other controls (InsightIDR does not support MFA). To create a policy:

  1. Log in to the admin portal using the same account as the event source.
  2. Click Core Services > Policies > Add Policy Set.
  3. Define the policy-related information.
  4. Enter a name for the policy set.
  5. Enter the description you want to appear on the Admin Portal Policy page.
  6. Enable the Set Policy to active option if necessary (this option is enabled by default).
  7. Specify policy assignment.
  8. Click the Save button.

Task 3: Verify that you can access the Redrock Query

To test access to the Redrock Query:

  1. Log in to the admin portal using the same account as the event source.
  2. Navigate to Core Services > Reports.
  3. Click on New Report.
  4. Click on Edit Script and paste:
select ID,InternalSessionId,WhenOccurred,EventType,EventMessage,NormalizedUser,FromIPAddress,DirectoryServiceName from event where whenoccurred >= datefunc('now','-23:59') order by whenoccurred asc
  1. Click Preview.

If the preview returns records, there is access to the Redrock Query endpoint.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
  4. Select your collector and Idaptive from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your LDAP account attribution preference.
  8. Select your Idaptive credentials, or optionally create a new credential.
  9. In the “Tenant ID” field, enter the tenant ID for your Idaptive appliance. For example, if your Idaptive URL is, your tenant ID is tenantID.
  10. Click Save.

Verify the Configuration

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Idaptive SSO” if you did not name the event source.

     Idaptive SSO logs flow into the log set:

       • Ingress Authentication

  2. Perform a Log Search to make sure Idaptive SSO events are coming through.

The following is a sample of input logs that Idaptive SSO sends to InsightIDR.

{
  "FromIPAddress": "",
  "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
  "EventType": "Cloud.Core.LoginFail",
  "EventMessage": "Failed login attempt as bob from",
  "NormalizedUser": "bob",
  "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
  "WhenOccurred": "/Date(1547554501673)/",
  "DirectoryServiceName": "UNKNOWN"
}
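The records returned by the Redrock query in Task 3 have the same shape as the sample above, so a defender can sanity-check what InsightIDR will ingest before the two-hourly refresh runs. The following Python script is an added example, not part of the Rapid7 or Idaptive documentation: it parses the `/Date(<milliseconds>)/` timestamp format, tallies `Cloud.Core.LoginFail` events per `NormalizedUser`, and lists users whose failure count reaches a threshold. The extra records besides the page's own sample are constructed, and the `Example.Other` event type is a placeholder standing in for any non-failure event, not a real Idaptive event name.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's own record plus extra records in the same
# shape, as the Redrock query in Task 3 would return them. "Example.Other"
# is a placeholder event type, not a real Idaptive identifier.
SAMPLE_EVENTS = [
    {
        "FromIPAddress": "",
        "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
        "EventType": "Cloud.Core.LoginFail",
        "EventMessage": "Failed login attempt as bob from",
        "NormalizedUser": "bob",
        "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
        "WhenOccurred": "/Date(1547554501673)/",
        "DirectoryServiceName": "UNKNOWN",
    },
    {"EventType": "Cloud.Core.LoginFail", "NormalizedUser": "bob",
     "WhenOccurred": "/Date(1547554561673)/", "FromIPAddress": ""},
    {"EventType": "Cloud.Core.LoginFail", "NormalizedUser": "bob",
     "WhenOccurred": "/Date(1547554621673)/", "FromIPAddress": ""},
    {"EventType": "Cloud.Core.LoginFail", "NormalizedUser": "alice",
     "WhenOccurred": "/Date(1547554681673)/", "FromIPAddress": ""},
    {"EventType": "Example.Other", "NormalizedUser": "alice",
     "WhenOccurred": "/Date(1547554741673)/", "FromIPAddress": ""},
]

# Idaptive serialises timestamps as "/Date(<ms since Unix epoch>)/".
DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_when_occurred(value):
    """Convert a "/Date(ms)/" string to an aware UTC datetime (exact, no float rounding)."""
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unexpected WhenOccurred format: {value!r}")
    return EPOCH + timedelta(milliseconds=int(m.group(1)))


def failed_logins_per_user(events):
    """Count Cloud.Core.LoginFail events keyed by NormalizedUser."""
    counts = Counter()
    for event in events:
        if event.get("EventType") == "Cloud.Core.LoginFail":
            counts[event.get("NormalizedUser") or "<unknown>"] += 1
    return dict(counts)


def flag_users(events, threshold=3):
    """Return users whose failed-login count reaches the threshold, sorted by name."""
    counts = failed_logins_per_user(events)
    return sorted(user for user, n in counts.items() if n >= threshold)


def time_span(events):
    """Return (earliest, latest) WhenOccurred across the events, as UTC datetimes."""
    stamps = [parse_when_occurred(e["WhenOccurred"]) for e in events]
    return min(stamps), max(stamps)


if __name__ == "__main__":
    first, last = time_span(SAMPLE_EVENTS)
    print(f"events from {first.isoformat()} to {last.isoformat()}")
    for user, n in sorted(failed_logins_per_user(SAMPLE_EVENTS).items()):
        print(f"{user}: {n} failed login(s)")
    print("flagged:", flag_users(SAMPLE_EVENTS))
```

Note that `FromIPAddress` is empty in the page's sample and the `EventMessage` is truncated after "from", so a threshold on failures per user is the signal available here; once source addresses are present in your tenant's data, the same tally can be keyed by address as well.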