OneLogin

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
OneLogin Users | ✅ | onelogin_users | NDJSON | API / Webhook / S3
OneLogin Events | ✅ | ✅ | onelogin_events | NDJSON | API / Webhook / S3


Overview

OneLogin is an identity and access management (IAM) platform that provides secure single sign-on (SSO), multi-factor authentication (MFA), and user provisioning for businesses. It helps organizations manage access to applications and data across cloud and on-premises environments while enhancing security and compliance. With features like adaptive authentication, role-based access control, and automated user lifecycle management, OneLogin simplifies identity management and protects against unauthorized access.

Supported data types

OneLogin Users

Table name: onelogin_users

Provides snapshot-in-time information about all users that exist in the system. More info can be found here. This data type can be ingested via the Hunters portal.

OneLogin Events

Table name: onelogin_events

Returns logs of all events generated by the users of the account. More info can be found here. This data type can be ingested via the Hunters portal, and via Webhook.

Send data to Hunters

You can collect logs using 3 methods:

  • API - connect your OneLogin instance to Hunters using the OneLogin API by performing a few simple steps.

  • Webhook - use OneLogin Webhook offerings to direct logs to Hunters.

  • S3 storage - route logs to an S3 bucket and provide Hunters with the details.

Using API

To connect OneLogin logs:

  1. Retrieve the following information from OneLogin:

    • Client ID

    • Client Secret

    • API hostname (Example - xxxx.onelogin.com)

      📘Learn more

      Information on how to generate and access the Client ID and Client Secret can be found here.

  2. Complete the process on the Hunters platform, following this guide.

Using Webhook

Hunters supports ingestion of OneLogin events based on Webhooks. To enable this integration, contact Hunters support. The OneLogin Event Webhook sends real-time event data in NDJSON format to a listener via an HTTP POST to the endpoint provided to you by Hunters.

For detailed information about the NDJSON payload that OneLogin sends, see https://developers.onelogin.com/api-docs/1/events/event-resource and https://developers.onelogin.com/api-docs/1/events/get-events.

Prerequisites

  • Subscription to the OneLogin Enterprise or Unlimited plan.

  • Webhook URL provided to you by Hunters

  • Authorization header provided by Hunters

Adding An Event Webhook

  1. Log into OneLogin as an admin.

  2. Go to Developers > Webhooks.

  3. Click New Webhook.

  4. On the New Webhook dialog, enter a unique name for the broadcaster, a listener URL, and any required custom headers.

    • Listener URL: This is the Hunters endpoint that will receive the events data.

    • Custom Headers: Hunters requires an Authorization header. Add the header and the value you received from Hunters (see example below).

    Authorization:Bearer BbbYZvtqXGm4cxKihJ6JRm1CoR1sD1PdvUbgVU44
    
    • Format: Choose "SIEM (NDJSON)".

  5. Click Save.

A new event broadcaster row appears on the Event Webhook page.

Updating An Event Webhook

If you need to edit event broadcaster values or disable/enable a broadcaster, click the broadcaster’s row on the Event Webhook page to display the Edit Event Webhook page.

If the broadcaster is disabled, the Enable button appears. If it is enabled, the Disable button appears. Click the button and click Save to change the state. Disabled broadcasters appear in the Disabled section of the Event Webhook page.

Testing Your Event Webhook

OneLogin has provided a nifty open source event receiver that you can use to test your event broadcasters. You can get it at https://github.com/onelogin/broadcast_receiver.
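A minimal listener of the kind the Webhook section describes, added here as an example (it is neither the receiver OneLogin publishes nor Hunters code): it checks the Authorization Bearer header in constant time and parses the NDJSON body into event records, rejecting bad tokens with 401 and malformed lines with 400. The token value and the sample events used in the usage are constructed placeholders.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder: use the Authorization value Hunters issued for your webhook.
EXPECTED_TOKEN = "REPLACE-WITH-TOKEN-FROM-HUNTERS"

def authorized(auth_header, expected_token=EXPECTED_TOKEN):
    """Accept only 'Authorization: Bearer <token>'; compare in constant time."""
    scheme, _, token = (auth_header or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    return hmac.compare_digest(token.strip().encode(), expected_token.encode())

def parse_ndjson(body):
    """Parse NDJSON (one JSON object per line); skip blank lines, reject malformed ones."""
    events = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        events.append(obj)
    return events

def handle_webhook(auth_header, body, expected_token=EXPECTED_TOKEN):
    """Return (HTTP status, events): 401 on a bad token, 400 on bad NDJSON, else 200."""
    if not authorized(auth_header, expected_token):
        return 401, []
    try:
        return 200, parse_ndjson(body)
    except ValueError:
        return 400, []

class Listener(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode("utf-8")
        status, events = handle_webhook(self.headers.get("Authorization"), body)
        for ev in events:  # hand off to your pipeline; here only key fields are printed
            print(ev.get("event_type_id"), ev.get("user_name"), ev.get("resolution"))
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Listener).serve_forever()
```

Point a test broadcaster at http://127.0.0.1:8080 with the same Bearer value to see each event's event_type_id, user_name and resolution printed as it arrives.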

Using S3 storage

Alternatively, you can route the OneLogin logs from your network to a storage service (e.g. an S3 bucket) that is shared with Hunters. Click here for further instructions.

Expected format

OneLogin Users

{
  "activated_at": "2024-10-28T13:02:36.236Z",
  "created_at": "2022-03-17T09:52:41.467Z",
  "email": "daniel.roberts-external@example.com",
  "username": "daniel.roberts-external@example.com",
  "firstname": "Daniel",
  "lastname": "Roberts",
  "group_id": 123456,
  "id": 98765432,
  "invalid_login_attempts": 1,
  "invitation_sent_at": "2022-03-17T09:53:31.295Z",
  "last_login": "2025-02-06T08:28:06.155Z",
  "locked_until": null,
  "comment": "External IT consultant",
  "openid_name": "adm-robertsd",
  "locale_code": "en-US",
  "preferred_locale_code": "en-GB",
  "password_changed_at": "2024-01-08T09:42:57.310Z",
  "phone": "+1-000-987-6543",
  "status": 1,
  "updated_at": "2025-02-06T08:28:06.421Z",
  "distinguished_name": "CN=Daniel Roberts,OU=IT Consultants,OU=External,OU=Users,OU=London,OU=UK,OU=REGION,DC=example,DC=corp",
  "external_id": "ext-12345",
  "directory_id": 54321,
  "member_of": [
    "CN=External-IT-Consultants,OU=Groups,OU=Consultants,OU=SERVICES,DC=example,DC=corp",
    "CN=AzureActiveDirectory-IT-Access,OU=Groups,OU=AzureAD,OU=SERVICES,DC=example,DC=corp",
    "CN=Global-IT-Admins,OU=Groups,OU=Administration,OU=SERVICES,DC=example,DC=corp",
    "CN=Secure-Access,OU=Groups,OU=Security,OU=SERVICES,DC=example,DC=corp"
  ],
  "samaccountname": "robertsd",
  "userprincipalname": "daniel.roberts-external@example.com",
  "manager_ad_id": "mgr-98765",
  "manager_user_id": 56789,
  "role_id": [11111, 22222, 33333, 44444],
  "company": "Example Consulting Ltd.",
  "department": "INFORMATION SYSTEMS",
  "title": "External IT Project Manager",
  "state": 1,
  "trusted_idp_id": "idp-78910",
  "custom_attributes": {
    "extensionAttribute1": "London",
    "mSDSConsistencyGuid": "ABC123XYZ456==",
    "CompanyID": "EX123",
    "ApplicationID": "APP789",
    "UserType": "Contractor",
    "Identities": "AzureAD, OneLogin",
    "UPN": "daniel.roberts-external@example.com"
  }
}

OneLogin Events

{
  "id": 99999999999,
  "created_at": "2025-02-08T01:00:13.263Z",
  "account_id": 12345,
  "user_id": 67890,
  "event_type_id": 8,
  "notes": "Initiated by Office 365 via WS-Federation",
  "ipaddr": "192.168.1.1",
  "actor_user_id": 67890,
  "assuming_acting_user_id": 54321,
  "role_id": 2,
  "app_id": 111111,
  "group_id": 98765,
  "otp_device_id": "otp-12345",
  "policy_id": "policy-67890",
  "actor_system": "Windows 10",
  "custom_message": "User login event triggered by SSO",
  "role_name": "Administrator",
  "app_name": "Office 365",
  "group_name": "IT Admins",
  "actor_user_name": "Jordan Peterson",
  "user_name": "Alex Morgan",
  "policy_name": "MFA Requirement Policy",
  "otp_device_name": "Google Authenticator",
  "operation_name": "User Authentication",
  "directory_sync_run_id": "sync-78945",
  "directory_id": "dir-34567",
  "resolution": "Success",
  "client_id": "client-abc123",
  "resource_type_id": 45678,
  "error_description": null,
  "proxy_ip": "10.10.10.10",
  "risk_score": 42,
  "risk_reasons": ["New login location", "Unrecognized device"],
  "risk_cookie_id": "cookie-98765",
  "browser_fingerprint": "fingerprint-12345",
  "event_type_ids": [8, 12],
  "until": "2025-02-09T01:00:00.000Z",
  "since": "2025-02-08T00:00:00.000Z"
}