OneLogin

OneLogin is an application that manages authentication for your users on your network. You can connect OneLogin to InsightIDR in order to better track successful and failed login attempts on your assets.

To get started using OneLogin and InsightIDR:

  1. Configure a OneLogin API Credential
  2. Configure OneLogin as an Event Source

Configure a OneLogin API Credential

In your OneLogin application, you must create an API credential that allows InsightIDR read-only access to OneLogin authentication events. You can read more about OneLogin API credentials here: https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials

To configure this API credential:

  1. Log in to your OneLogin application.
  2. Select Developers > API Credentials.
  1. Click the Create New Credential button.
  2. Name your credential and choose the Read All radio button.
  1. Click the Save button.

OneLogin will then produce a Client ID and Client Secret. Copy both of these for later use in InsightIDR.

Configure the OneLogin Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
  4. Select your collector and OneLogin from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your LDAP account attribution preference.
  8. Select your OneLogin credentials, or optionally create a new credential. For the new credential enter the “ClientID” as your username and the “Client Secret” as the password.
  9. Select your subdomain (region).
  10. Enter the refresh rate in minutes.
  11. Click Save.