
CLOUD CONNECTOR
OneLogin
OneLogin is a cloud-based identity and access management provider that develops a unified access management platform for enterprise-level businesses and organizations.
Securonix integrates with the OneLogin API to identify identity and access threat events and insider threat events, detect unusual account behavior and signs of account compromise, and enrich threat chains with context.
Events API Services/Modules | Major/Sample Event Types | Related Threats | Details |
---|---|---|---|
Authentication | Login to OneLogin Failed/Succeeded, User Authentication via API Failed/Succeeded, User Failed Remote Authentication, Mac Login Success/Failed, User Logged Out From OneLogin, User Logged Out From App, User Authenticated by RADIUS, Social Sign-In, User Failed Login | Account Compromise, Unusual Account Behavior/Geolocation, Privilege Escalation, Brute Force | Authentication to OneLogin or associated apps |
Active Directory | Active Directory Connector Started/Stopped, Configuration Reloaded, Connector Broken, Connector Provisioning Error | Account Compromise, Insider Threat | Active Directory Connector events |
App User Management | App User Deleted/Created, App User Suspended/Reactivated, App User Linked | Privilege Escalation, Account Compromise, Insider Threat | OneLogin App user management events |
Directory Connector & VLDAP | Directory Connector Enabled/Disabled, Directory Export Started/Finished, VLDAP Bind Failed, VLDAP Enabled/Disabled/Updated, etc. | Account Compromise, Insider Threat | Directory Connector and VLDAP events |
Directory Management | Directory Added/Deleted/Modified, Directory Group Updated | Account Compromise, Insider Threat | Directory Management events |
Applications | App Added/Removed/Updated to OneLogin/User | Account Compromise, Insider Threat | Application events |
Directory Users Management | User Associated/Disassociated, User Deleted/Created, User Invited, User Locked/Unlocked, User Suspended/Reactivated, User Field Added/Removed, Self-Registration Requested for User | Account Compromise, Unusual Account Behavior/Geolocation, Privilege Escalation, Brute Force | Directory user management events |
Roles Management | Added User Role, Role Management Granted/Revoked, User Role Removed | Account Compromise, Unusual Account Behavior/Geolocation, Privilege Escalation, Brute Force, Insider Threat | Role management events |
Security Settings | Trusted IdP Removed, Certification Expiration Notice, Certification Created, RADIUS Configuration Updated, Desktop SSO Enabled/Disabled, VPN Enabled/Disabled | Account Compromise, Insider Threat | Security setting modification events |
SAML | SAML ACS (Assertion Consumer Service) Failure | Account Compromise, Insider Threat | SAML events |
Passwords | Set Password, Request Password, Failed to Set Password, Smart Password Update Success/Failure | Account Compromise, Insider Threat | Password management events |
Sandbox | Sandbox Sync, Sandbox Update/Create/Delete Success/Failure | Account Compromise, Insider Threat | Sandbox events |