If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
OneLogin is an identity provider as a service (aka IDaaS), to manage the organization’s identities and manage the authentication in a central and secure way across multiple applications (SSO). OneLogin service is delivered as a cloud service. OneLogin helps organizations move faster with infinite scalability and lower cost for their identity management and provider needs. But at the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain full audit of activities in OneLogin account
- Retrieve the OneLogin account activities as users’ access, permissions changes, 2FA events, OneLogin applications changes and more.
- The granular activities should be available at the organization’s central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in OneLogin account
What is it
SkyFormation Cloud Connector for OneLogin , is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the OneLogin account, unify the events into a common application events format, enrich the events with needed detection context and send the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for OneLogin retrieves the events from the OneLogin service through the service APIs. Before sending the events to the existing SIEM/SOC system the connector will
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context as AD identity information
- Encode the resulted event into a standard format as CEF
- Send the event to the existing SIEM/SOC system over syslog
OneLogin Audit Sources & Events Supported
| Audit Source (API) | Service/Module Covered | Event Types | Events included |
|---|---|---|---|
| Events | Authentication | login to onelogin failed/succeeded, user authentication via API failed/succeeded, user failed remote authentication, Mac login success/failed, user logged-out from onelogin, user logged-out from app, user authenticated by RADIUS, social sign-in, user failed login via assertion proxy etc | Represents authentication related events to onelogin app or its protected apps |
| Active Directory | ad connector started, stopped, configuration reloaded etc | Represents events relate to the ActiveDirectory connector | |
| Directory Connector & VLDAP | directory connector enabled/disabled, directory export started/finished, VLDAP bind failed, VLDAP enabled/disabled/updated etc | Represents events relate to the directory connector | |
| Directory Management | directory added/deleted/modified, directory group updated etc | Represents events relate to directory management | |
| Integrated Application | integrated app added/removed/updated etc | Represents events relate to the integrated applications | |
| Directory Users Management | user deleted/created in directory, user invited, user locked, user suspended/reactivated in directory, user field added/removed, self-registration requested for user, user unlocked in directory etc | Represents events relate to users management in onelogin directories | |
| App Users Management | user deleted/created in app, user suspended/reactivated in app, user linked in app, user updated in app etc | Represents events relate to users management in onelogin apps | |
| Roles Management | added role to user, role management granted/revoked, role removed from a user etc | Represents events relate to security settings changes | |
| Security Settings | trusted idp removed, certification expiration notice, certification created, RADIUS config updated, desktop SSO enabled/disabled, VPN enabled/disabled, | ||
| SAML | SAML assertion consumer service failed | ||
| Passwords | set password with salt, set password with clear text, failed to set password with salt etc | Reprisents event related to password changes and management |
Comments
0 comments
Please sign in to leave a comment.