Ingest Logs and Data from OneLogin - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Learn how to ingest different types of logs and data from OneLogin.

Cortex XSIAM can ingest different types of data from OneLogin accounts using the OneLogin data collector.

To receive logs and data from OneLogin via the OneLogin REST APIs, you must configure the Data Sources settings in Cortex XSIAM based on your OneLogin credentials. After you set up data collection, Cortex XSIAM begins receiving new logs and data from the source.

When Cortex XSIAM begins receiving logs, the app creates a new dataset for the different types of data collected and normalizes the ingested data into authentication stories, where specific relevant events are collected in the authentication_story preset for the xdr_data dataset. You can search these datasets using XQL Search queries. For all logs, Cortex XSIAM can raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC), when relevant from OneLogin logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

The following table provides a description of the different types of data you can collect, the collection method and fetch interval for the data collected, and the name of the dataset to use in Cortex Query Language (XQL) queries.

Data Type

Description

Collection Method

Fetch Interval

Dataset name

Log Collection

Events

User logins, administrative operations, provisioning, and a list of all OneLogin event types

Appends data

30 seconds

onelogin_events_raw

Directory

Users

Lists of users

Overwrites data

10 minutes

onelogin_users_raw

Groups

Lists of groups

Overwrites data

10 minutes

onelogin_groups_raw

Apps

Lists of apps

Overwrites data

10 minutes

onelogin_apps_raw

Before you configure Cortex XSIAM data collection from OneLogin, make sure you have the following.

  • An Advanced OneLogin account.

  • Owner or administrator permissions in your OneLogin account which enable Cortex XSIAM to access the OneLogin account and generate the OAuth 2.0 access token.

  • A Cortex XSIAM user account with permissions to Read Log Collections, for example an Instance Administrator.

Configure Cortex XSIAM to receive logs and data from OneLogin.

  1. Log in to OneLogin as an account owner or administrator.

  2. Under AdministrationDevelopersAPI Credentials, Create a New Credential with scope Read All.

  3. In the credential details page, copy the Client ID and the Client Secret, and save them somewhere safe. You will need to provide these keys when you configure the OneLogin data collector in Cortex XSIAM .

  4. Select SettingsData Sources.

  5. In the OneLogin configuration, click Add Instance to generate a new configuration.

  6. Configure the following parameters.

    • Domain—Specify the domain of the OneLogin instance. The domain name must be in the format https://<subdomain-name>.onelogin.com.

    • Name—Specify a descriptive and unique name for the configuration.

    • Client ID—Specify the Client ID for the OneLogin API credential pair.

    • Secret—Specify the Client Secret for the OneLogin API credential pair.

    • Collect—Select the types of data to collect. By default, all the options are selected.

      • Log Collection

        • Events—Retrieves user logins, administrative operations, provisioning, and OneLogin event types. After normalization, the event types are enriched with the event name and description.

        Note

        Event data is collected every 30 seconds.

      • Directory

        • Users—Retrieves lists of users.

        • Groups—Retrieves lists of groups.

        • Apps—Retrieves lists of apps.

        Note

        Inventory data snapshots are collected every 10 minutes.

  7. Test the connection settings. If successful, Enable the OneLogin log collection.

    When events start to come in, a green check mark appears underneath the OneLogin configuration.