OneLogin

OneLogin is an application that manages authentication for your users on your network. You can connect OneLogin to InsightIDR in order to better track successful and failed login attempts on your assets.

To get started using OneLogin and InsightIDR:

  1. Configure a OneLogin API Credential
  2. Configure OneLogin as an Event Source

Configure a OneLogin API Credential

In your OneLogin application, you must create an API credential that allows InsightIDR read-only access to OneLogin authentication events. You can read more about OneLogin API credentials here: https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials

To configure this API credential:

  1. Log in to your OneLogin application.
  2. Select Developers > API Credentials.
  1. Click the Create New Credential button.
  2. Name your credential and choose the Read All radio button.
  1. Click the Save button.

OneLogin will then produce a Client ID and Client Secret. Copy both of these for later use in InsightIDR.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for OneLogin in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the OneLogin event source tile.
  4. Select your collector and OneLogin from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your LDAP account attribution preference.
  8. Select your OneLogin credentials, or optionally create a new credential. For the new credential enter the “ClientID” as your username and the “Client Secret” as the password.
  9. Select your subdomain (region).
  10. Enter the refresh rate in minutes.
  11. Click Save.