
Quick Start Security for OneLogin


Coralogix Extension For OneLogin Includes:

Dashboards - 1

Gain instantaneous visualization of all your OneLogin data.

OneLogin - Overview

Alerts - 16

Stay on top of OneLogin key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

App user limit reach

OneLogin extension pack

Unauthorized API event

This alert triggers when a user makes an unauthorized API call.
Impact: Can be an indication of a data leakage attempt.
Mitigation: Analyze the user's activity and actions.

Successful Login From an Unfamiliar Country

This rule monitors logins from a new country, based on the geolocation of the user's previous logins. This might indicate an external actor attempting to gain access.
Impact: A login attempt from an unfamiliar country might be an indicator of compromise.
Mitigation: A login attempt from an unfamiliar country might be an indicator of compromise.
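The baseline-and-compare logic this rule describes, written out as an added example (not Coralogix's or OneLogin's own rule): each user's earlier successful logins build a set of known countries, and a successful login from a country outside that set is flagged. The event field names, the sample events and the IP-to-country table are constructed for illustration and stand in for OneLogin events plus a geo-enrichment step.

```python
"""Detection logic for 'Successful Login From an Unfamiliar Country'.

Added example, not Coralogix's or OneLogin's own rule implementation. The
event dicts, field names and the IP-to-country table below are constructed
for illustration; a real pipeline would read OneLogin events and apply geo
enrichment to the source IP.
"""
from collections import defaultdict

# Constructed geo lookup standing in for a GeoIP enrichment step (assumption).
IP_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "US", "192.0.2.44": "BR"}

# Constructed sample events, oldest first. Field names are assumed, not
# OneLogin's real schema.
EVENTS = [
    {"user": "alice", "event_type": "login_success", "ip": "203.0.113.7"},
    {"user": "alice", "event_type": "login_success", "ip": "198.51.100.9"},
    {"user": "bob",   "event_type": "login_success", "ip": "192.0.2.44"},
    {"user": "alice", "event_type": "login_failure", "ip": "192.0.2.44"},
    {"user": "alice", "event_type": "login_success", "ip": "192.0.2.44"},
    {"user": "alice", "event_type": "login_success", "ip": "192.0.2.44"},
]

def find_unfamiliar_country_logins(events, min_history=1):
    """Return (user, country) findings for successful logins from a country
    not seen in that user's earlier successful logins.

    Only successful logins build or test the baseline. A user with fewer than
    min_history known countries cannot be compared, so the first login
    establishes the baseline rather than raising an alert. Events whose IP
    cannot be resolved to a country are skipped.
    """
    seen = defaultdict(set)  # user -> countries from prior successful logins
    findings = []
    for ev in events:
        if ev.get("event_type") != "login_success":
            continue
        country = IP_COUNTRY.get(ev.get("ip"))
        if country is None:
            continue
        user = ev["user"]
        if len(seen[user]) >= min_history and country not in seen[user]:
            findings.append((user, country))
        seen[user].add(country)  # later logins from this country are familiar
    return findings

if __name__ == "__main__":
    for user, country in find_unfamiliar_country_logins(EVENTS):
        print(f"ALERT: {user} logged in from unfamiliar country {country}")
```

Note that the failed login from BR does not add BR to alice's baseline, so the first successful BR login is still flagged; a later BR login is not, matching the "previous logins" wording of the rule.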

More than usual login failure per event type

This alert triggers when the number of failed login attempts exceeds the configured threshold for a given event type.
Impact: Might be an indication of a brute force attempt.
Mitigation: Investigate the malicious request.
MITRE Tactic: TA0006 MITRE Technique: T1110

More than usual API lock user event

This alert triggers when a user is locked following an API call.
Impact: Can be an indication of a data leakage attempt.
Mitigation: Analyze the user's activity and actions.

Multiple Accounts Deleted

This alert triggers when the number of user deletions suddenly increases beyond the configured threshold.
Impact: Can be an indication of a possible Denial of Service attack.
Mitigation: Determine whether this is normal user-cleanup activity.
MITRE Tactic: TA0040 MITRE Technique: T1531

New Application

Brute Force Attempt - Single User

This alert triggers when a OneLogin user is denied access more times than the configured threshold.
Impact: Can be an indication of an attacker performing a brute force attack.
Mitigation: Analyze the user's activity and actions.
MITRE Tactic: TA0006 MITRE Technique: T1110

Brute Force Attempt - Single IP

This alert triggers when a single IP address is denied access to OneLogin more times than the configured threshold.
Impact: Can be an indication of an attacker performing a brute force attack.
Mitigation: Analyze the activity and actions associated with the IP address.
MITRE Tactic: TA0006 MITRE Technique: T1110

Password Access

This alert triggers when a user accesses another user's application password.
Impact: Can be an indication of an attempt at privilege escalation or credential retrieval.
Mitigation: Investigate whether this was authorized access.
MITRE Tactic: TA0006 MITRE Technique: T1552

Authentication Factor Removed

This alert triggers when a user removes an authentication factor or OTP device.
Impact: Can be an indication of an attacker attempting defense evasion by modifying an existing authentication process.
Mitigation: Investigate whether this was an intentional action and whether other multi-factor devices remain on the account.
MITRE Tactic: TA0005 MITRE Technique: T1556

User Password Changed

This alert triggers when a OneLogin user or admin user updates their password.
Impact: Can be an indication of an attempt at privilege escalation.
Mitigation: Investigate whether this was an authorized action.

User Locked

This alert triggers when a user is locked out of or suspended from their account.
Impact: Can be an indication of an attacker trying credentials as part of a brute force attempt.
Mitigation: Investigate whether this was caused by an expected action.
MITRE Tactic: TA0006 MITRE Technique: T1110

User Assumed Another User

This alert triggers when a user assumes another user's account.
Impact: Can be an indication of a lateral movement attempt.
Mitigation: Analyze the user's activity and actions.
MITRE Tactic: TA0008 MITRE Technique: T1550

Unauthorized Access

This alert triggers when a OneLogin user is denied access to an app more times than the configured threshold.
Impact: Can be an indication of a lateral movement attempt.
Mitigation: Analyze the user's activity and actions.
MITRE Tactic: TA0008 MITRE Technique: T1550

OneLogin - No logs from OneLogin

This rule detects when no OneLogin logs have arrived in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries might employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005 MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with OneLogin in our documentation.
