Learn how to ingest different types of logs and data from OneLogin.
Cortex XSIAM can ingest different types of data from OneLogin accounts using the OneLogin data collector.
To receive logs and data from OneLogin via the OneLogin REST APIs, you must configure the Data Sources settings in Cortex XSIAM based on your OneLogin credentials. After you set up data collection, Cortex XSIAM begins receiving new logs and data from the source.
When Cortex XSIAM begins receiving logs, the app creates a new dataset for the different types of data collected and normalizes the ingested data into authentication stories, where specific relevant events are collected in the authentication_story
preset for the xdr_data
dataset. You can search these datasets using XQL Search queries. For all logs, Cortex XSIAM can raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC), when relevant from OneLogin logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.
The following table provides a description of the different types of data you can collect, the collection method and fetch interval for the data collected, and the name of the dataset to use in Cortex Query Language (XQL) queries.
Data type | Description | Collection method | Fetch interval | Dataset name |
---|---|---|---|---|
Log collection | ||||
Events | User logins, administrative operations, provisioning, and a list of all OneLogin event types | Appends data | 30 seconds | onelogin_events_raw |
Directory | ||||
Users | Lists of users | Overwrites data | 10 minutes | onelogin_users_raw |
Groups | Lists of groups | Overwrites data | 10 minutes | onelogin_groups_raw |
Apps | Lists of apps | Overwrites data | 10 minutes | onelogin_apps_raw |
Before you configure Cortex XSIAM data collection from OneLogin, make sure you have the following.
An Advanced OneLogin account.
Owner or administrator permissions in your OneLogin account which enable Cortex XSIAM to access the OneLogin account and generate the OAuth 2.0 access token.
A Cortex XSIAM user account with permissions to Read Log Collections, for example an Instance Administrator.
Configure Cortex XSIAM to receive logs and data from OneLogin.
Log in to OneLogin as an account owner or administrator.
Under Create a New Credential with scope Read All.
→ → ,In the credential details page, copy the Client ID and the Client Secret, and save them somewhere safe. You will need to provide these keys when you configure the OneLogin data collector in Cortex XSIAM .
Select
→ .On the Data Sources page, click Add Data Source, search for and select OneLogin, and click Connect.
Configure the following parameters.
Domain: Specify the domain of the OneLogin instance. The domain name must be in the format
https://<subdomain-name>.onelogin.com
.Name: Specify a descriptive and unique name for the configuration.
Client ID: Specify the Client ID for the OneLogin API credential pair.
Secret: Specify the Client Secret for the OneLogin API credential pair.
Collect: Select the types of data to collect. By default, all the options are selected.
Log Collection
Events: Retrieves user logins, administrative operations, provisioning, and OneLogin event types. After normalization, the event types are enriched with the event name and description.
Note
Event data is collected every 30 seconds.
Directory
Users: Retrieves lists of users.
Groups: Retrieves lists of groups.
Apps: Retrieves lists of apps.
Note
Inventory data snapshots are collected every 10 minutes.
Test the connection settings. If successful, Enable the OneLogin log collection.
When events start to come in, a green check mark appears underneath the OneLogin configuration.