Idaptive SSO

Idaptive SSO is a cloud service that lets you track ingress authentication events and produce records of those events in order to protect against privileged access abuse.

At this time, InsightIDR only tracks password authentications through your Idaptive data. After you complete the configuration, this event source refreshes every two hours.

Before You Begin

Connect to InsightIDR using an Admin account that has API permissions to query the redrock/query and /security endpoints. Read more about the Idaptive API here: https://developer.idaptive.com/reference#post_acl-checkrowright

You must also gather the following information from your Idaptive application:

  • TenantID
  • User
  • Password

Configure Idaptive SSO

Complete these tasks to configure Idaptive SSO for this event source.

Task 1: Create an authentication profile

Create an authentication profile that uses a password for the first challenge and no secondary challenge (InsightIDR only supports password authentication). The profile must also bypass multi-factor authentication.

Task 2: (Optional) Create a policy

Users who have multi-factor authentication (MFA) enabled may need to create a unique policy that allows the InsightIDR account to bypass MFA and other controls (InsightIDR does not support MFA). To create a policy:

  1. Log in to the admin portal using the same account as the event source.
  2. Click Core Services > Policies > Add Policy Set.
  3. Define the policy-related information.
  4. Enter a name for the policy set.
  5. Enter the description you want to appear on the Admin Portal Policy page.
  6. Configure the Set Policy to active option if necessary (this option is enabled by default).
  7. Specify policy assignment.
  8. Click the Save button.

Task 3: Verify that you can access the Redrock Query

To test access to the Redrock Query:

  1. Log in to the admin portal using the same account as the event source.
  2. Navigate to Core Services > Reports.
  3. Click on New Report.
  4. Click on Edit Script and paste:

```sql
select ID,InternalSessionId,WhenOccurred,EventType,EventMessage,NormalizedUser,FromIPAddress,DirectoryServiceName from event where whenoccurred >= datefunc('now','-23:59') order by whenoccurred asc
```

  5. Click Preview.

If the preview returns records, there is access to the Redrock Query endpoint.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Create and name a new credential for the Admin account used for the Idaptive API.
  8. In the “Username” field, enter your Admin account username.
  9. In the “Password” field, enter the password for the admin account.
  10. In the “Tenant ID” field, enter the tenant ID for your Idaptive appliance. For example, if your Idaptive URL is tenantID.my.idaptive.app, your tenant ID is tenantID.
  11. Configure your default domain.
  12. Click the Save button.

Verify the Configuration

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Idaptive SSO” if you did not name the event source.

Idaptive SSO logs flow into the log set:

  • Ingress Authentication

  2. Perform a Log Search to make sure Idaptive SSO events are coming through.

The following is a sample of input logs that Idaptive SSO sends to InsightIDR.

```json
{
  "FromIPAddress": "149.14.220.2",
  "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
  "EventType": "Cloud.Core.LoginFail",
  "EventMessage": "Failed login attempt as bob from 149.14.220.2",
  "NormalizedUser": "bob",
  "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
  "WhenOccurred": "/Date(1547554501673)/",
  "DirectoryServiceName": "UNKNOWN"
}
```
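As an added example (not part of the Rapid7 or Idaptive documentation), the following Python parses a record in the format shown above into the fields an ingress-authentication log needs, including the `/Date(<epoch ms>)/` timestamp encoding Idaptive uses for `WhenOccurred`. The sample record is constructed from the one above; treating the `LoginFail` / `LoginSuccess` suffix of `EventType` as the login outcome is an assumption of this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample record, modelled on the Idaptive SSO event shown above.
SAMPLE_EVENT = json.dumps({
    "FromIPAddress": "149.14.220.2",
    "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
    "EventType": "Cloud.Core.LoginFail",
    "EventMessage": "Failed login attempt as bob from 149.14.220.2",
    "NormalizedUser": "bob",
    "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
    "WhenOccurred": "/Date(1547554501673)/",
    "DirectoryServiceName": "UNKNOWN",
})

# Idaptive encodes timestamps as "/Date(<milliseconds since epoch>)/".
_DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")


def parse_when_occurred(value: str) -> datetime:
    """Convert the '/Date(<epoch ms>)/' string into an aware UTC datetime."""
    m = _DATE_RE.match(value)
    if not m:
        raise ValueError(f"unexpected WhenOccurred format: {value!r}")
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)


def normalize_event(raw: str) -> dict:
    """Map one Idaptive event into the fields an ingress-authentication log needs."""
    ev = json.loads(raw)
    event_type = ev.get("EventType", "")
    # Assumption: the EventType suffix encodes the outcome (LoginFail / LoginSuccess).
    if event_type.endswith("LoginFail"):
        result = "FAILURE"
    elif event_type.endswith("LoginSuccess"):
        result = "SUCCESS"
    else:
        result = "UNKNOWN"
    return {
        "event_id": ev["ID"],
        "timestamp": parse_when_occurred(ev["WhenOccurred"]).isoformat(),
        "user": ev.get("NormalizedUser", "").lower(),
        "source_ip": ev.get("FromIPAddress"),
        "result": result,
        "directory": ev.get("DirectoryServiceName"),
        "session_id": ev.get("InternalSessionId"),
    }
```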