Ingesting logs and data from OneLogin requires a Cortex XDR Pro per TB license.
Cortex XDR can ingest different types of data from OneLogin accounts using the OneLogin data collector.
To receive logs and data from OneLogin via the OneLogin REST APIs, you must configure the Collection Integrations settings in Cortex XDR based on your OneLogin credentials. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset for each type of data collected and normalizes the ingested data into authentication stories, where the relevant events are collected in the authentication_story preset for the xdr_data dataset. You can search these datasets using XQL Search queries. For all logs, Cortex XDR can raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC) from OneLogin logs when relevant. Correlation Rules alerts are raised on both non-normalized and normalized logs, while Analytics, IOC, and BIOC alerts are raised only on normalized logs.
The following table provides a description of the different types of data you can collect, the collection method and fetch interval for the data collected, and the name of the dataset to use in Cortex Query Language (XQL) queries.
Events: user logins, administrative operations, provisioning, and a list of all OneLogin event types
Users: lists of users
Groups: lists of groups
Apps: lists of apps
Before you configure Cortex XDR data collection from OneLogin, make sure you have the following.
An Advanced OneLogin account.
Owner or administrator permissions in your OneLogin account, which enable Cortex XDR to access the OneLogin account and generate the OAuth 2.0 access token.
A Cortex XDR user account with permissions to Read Log Collections, for example an Instance Administrator.
Configure Cortex XDR to receive logs and data from OneLogin.
Log in to OneLogin as an account owner or administrator.
Under → → , create a new credential with the scope Read All.
In the credential details page, copy the Client ID and the Client Secret, and save them somewhere safe. You will need to provide these keys when you configure the OneLogin data collector in Cortex XDR.
In Cortex XDR, select → → → .
In the OneLogin configuration, click Add Instance to generate a new configuration.
Configure the following parameters.
Domain—Specify the domain of the OneLogin instance. The domain name must be in the format https://<subdomain-name>.onelogin.com.
Name—Specify a descriptive and unique name for the configuration.
Client ID—Specify the Client ID for the OneLogin API credential pair.
Secret—Specify the Client Secret for the OneLogin API credential pair.
Collect—Select the types of data to collect. By default, all the options are selected.
Events—Retrieves user logins, administrative operations, provisioning, and OneLogin event types. After normalization, the event types are enriched with the event name and description.
Event data is collected every 30 seconds.
Users—Retrieves lists of users.
Groups—Retrieves lists of groups.
Apps—Retrieves lists of apps.
Inventory data snapshots are collected every 10 minutes.
Test the connection settings. If successful, Enable the OneLogin log collection.
When events start to come in, a green check mark appears underneath the OneLogin configuration.
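As an added example (not Palo Alto Networks' or OneLogin's code), the following Python models the checks implied by the configuration above: validation of the Domain format, the OAuth 2.0 client-credentials request built from the Client ID and Client Secret, and the enrichment of polled events with an event name and description plus de-duplication across overlapping 30-second polls. The token endpoint path and the event-type table are assumptions, and the sample events are constructed.

```python
import base64
import json
import re
from urllib import request

# Domain format the collector configuration requires: https://<subdomain-name>.onelogin.com
DOMAIN_RE = re.compile(r"^https://[a-z0-9-]+\.onelogin\.com$")

# Constructed event-type table for illustration only; the real list is served by the
# OneLogin API, and Cortex XDR performs this enrichment itself after normalization.
EVENT_TYPES = {5: ("User logged into OneLogin", "Interactive login succeeded"),
               6: ("User failed to log in", "Interactive login was rejected")}


def validate_domain(domain: str) -> str:
    """Reject anything that is not https://<subdomain>.onelogin.com before using it as a base URL."""
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"domain must be https://<subdomain-name>.onelogin.com, got {domain!r}")
    return domain


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client credentials: the ID/secret pair is sent once, over TLS, in exchange for a token."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def token_request(domain: str, client_id: str, client_secret: str) -> request.Request:
    """Build (but do not send) the token request. The path /auth/oauth2/v2/token is an assumption."""
    return request.Request(
        f"{validate_domain(domain)}/auth/oauth2/v2/token", method="POST",
        data=json.dumps({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/json"})


def normalize_events(raw_events: list, seen_ids: set) -> list:
    """Enrich event_type_id with name and description and drop events already seen,
    because consecutive 30-second polls overlap at the time boundary."""
    normalized = []
    for event in raw_events:
        if event["id"] in seen_ids:
            continue
        seen_ids.add(event["id"])
        name, description = EVENT_TYPES.get(event["event_type_id"], ("Unknown event type", ""))
        normalized.append({"event_id": event["id"], "event_name": name, "event_description": description,
                           "user_name": event.get("user_name"), "source_ip": event.get("ipaddr")})
    return normalized


# Constructed sample poll results; the second poll repeats event 1002 at the boundary.
POLL_1 = [{"id": 1001, "event_type_id": 5, "user_name": "alice", "ipaddr": "203.0.113.10"},
          {"id": 1002, "event_type_id": 6, "user_name": "bob", "ipaddr": "203.0.113.11"}]
POLL_2 = [{"id": 1002, "event_type_id": 6, "user_name": "bob", "ipaddr": "203.0.113.11"},
          {"id": 1003, "event_type_id": 99, "user_name": "carol", "ipaddr": "203.0.113.12"}]
```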