Ingest Logs and Data from OneLogin - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Learn how to ingest different types of logs and data from OneLogin.

Note

Ingesting logs and data from OneLogin requires a Cortex XDR Pro per GB license.

Cortex XDR can ingest different types of data from OneLogin accounts using the OneLogin data collector.

To receive logs and data from OneLogin via the OneLogin REST APIs, you must configure the Collection Integrations settings in Cortex XDR based on your OneLogin credentials. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.

When Cortex XDR begins receiving logs, the app creates a new dataset for the different types of data collected and normalizes the ingested data into authentication stories, where specific relevant events are collected in the authentication_story preset for the xdr_data dataset. You can search these datasets using XQL Search queries. For all logs, Cortex XDR can raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC), when relevant from OneLogin logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

The following table provides a description of the different types of data you can collect, the collection method and fetch interval for the data collected, and the name of the dataset to use in Cortex Query Language (XQL) queries.

Data Type

Description

Collection Method

Fetch Interval

Dataset name

Log Collection

Events

User logins, administrative operations, provisioning, and a list of all OneLogin event types

Appends data

30 seconds

onelogin_events_raw

Directory

Users

Lists of users

Overwrites data

10 minutes

onelogin_users_raw

Groups

Lists of groups

Overwrites data

10 minutes

onelogin_groups_raw

Apps

Lists of apps

Overwrites data

10 minutes

onelogin_apps_raw

Before you configure Cortex XDR data collection from OneLogin, make sure you have the following.

  • An Advanced OneLogin account.

  • Owner or administrator permissions in your OneLogin account which enable Cortex XDR to access the OneLogin account and generate the OAuth 2.0 access token.

  • A Cortex XDR user account with permissions to Read Log Collections, for example an Instance Administrator.

Configure Cortex XDR to receive logs and data from OneLogin.

  1. Log in to OneLogin as an account owner or administrator.

  2. Under AdministrationDevelopersAPI Credentials, Create a New Credential with scope Read All.

  3. In the credential details page, copy the Client ID and the Client Secret, and save them somewhere safe. You will need to provide these keys when you configure the OneLogin data collector in Cortex XDR .

  4. Select Settings ConfigurationsData CollectionCollection Integrations.

  5. In the OneLogin configuration, click Add Instance to generate a new configuration.

  6. Configure the following parameters.

    • Domain—Specify the domain of the OneLogin instance. The domain name must be in the format https://<subdomain-name>.onelogin.com.

    • Name—Specify a descriptive and unique name for the configuration.

    • Client ID—Specify the Client ID for the OneLogin API credential pair.

    • Secret—Specify the Client Secret for the OneLogin API credential pair.

    • Collect—Select the types of data to collect. By default, all the options are selected.

      • Log Collection

        • Events—Retrieves user logins, administrative operations, provisioning, and OneLogin event types. After normalization, the event types are enriched with the event name and description.

        Note

        Event data is collected every 30 seconds.

      • Directory

        • Users—Retrieves lists of users.

        • Groups—Retrieves lists of groups.

        • Apps—Retrieves lists of apps.

        Note

        Inventory data snapshots are collected every 10 minutes.

  7. Test the connection settings. If successful, Enable the OneLogin log collection.

    When events start to come in, a green check mark appears underneath the OneLogin configuration.