Hunters ingests OneLogin events through webhooks. Setup is straightforward: you configure an Event Webhook in OneLogin that delivers your events to the Hunters platform.
Once you set up an Event Webhook to send your OneLogin event data to Hunters, it will be gathered, analyzed, and displayed in the platform where applicable.
The Event Webhook will send real-time event data in JSON format to a listener via an HTTP POST to the endpoint provided to you by Hunters. It will make a POST whenever there are 10 events or every 10 seconds, whichever comes first.
For detailed information about the JSON payload that OneLogin sends, see https://developers.onelogin.com/api-docs/1/events/event-resource and https://developers.onelogin.com/api-docs/1/events/get-events.
Prerequisites
Webhook URL provided to you by Hunters.
Authorization header provided by Hunters.
Subscription to the OneLogin Enterprise or Unlimited plan.
Adding an Event Webhook
Log in to OneLogin as an admin.
Go to Developers > Webhooks.
Click New Webhook.
On the New Webhook dialog, enter a unique name for the broadcaster, a listener URL, and any required custom headers.
Listener URL: This is the Hunters endpoint that will receive the events data.
Custom Headers: Hunters requires an Authorization header. Add the header and the value you received from Hunters.
Format: Choose SIEM (NDJSON).
A new event broadcaster row appears on the Event Webhook page.
Updating an Event Webhook
If you need to edit event broadcaster values or disable/enable a broadcaster, click the broadcaster’s row on the Event Webhook page to display the Edit Event Webhook page.
If the broadcaster is disabled, the Enable button appears. If it is enabled, the Disabled button appears. Click the button and click Save to change the state. Disabled broadcasters appear in the Disabled section of the Event Webhook page.
Testing your Event Webhook
OneLogin has provided a nifty open source event receiver that you can use to test your event broadcasters. You can get it at https://github.com/onelogin/broadcast_receiver.
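For a quick local check of what a webhook configured as above delivers, the following listener is an added example (not Hunters' or OneLogin's code): it verifies the Authorization header and parses the NDJSON body of each POST. The token value, port 8080, the function names and the sample field names are assumptions made for illustration.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder value; substitute the Authorization value you configured.
EXPECTED_AUTH = "Bearer EXAMPLE-TOKEN"
# Constructed sample delivery; field names are illustrative only.
SAMPLE = b'{"event_type_id": 5, "user_name": "alice"}\n{"event_type_id": 8, "user_name": "bob"}\n'


def parse_ndjson(body: bytes) -> list:
    """Parse an NDJSON body: one JSON object per non-empty line."""
    events = []
    for n, line in enumerate(body.decode("utf-8").splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)  # raises ValueError on malformed JSON
        if not isinstance(obj, dict):
            raise ValueError(f"line {n}: expected a JSON object")
        events.append(obj)
    return events


def handle_post(auth_header, body: bytes, expected: str = EXPECTED_AUTH):
    """Return (HTTP status, parsed events) for one webhook delivery."""
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest((auth_header or "").encode(), expected.encode()):
        return 401, []
    try:
        return 200, parse_ndjson(body)
    except ValueError:  # also covers JSONDecodeError and UnicodeDecodeError
        return 400, []


class Listener(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, events = handle_post(self.headers.get("Authorization"),
                                     self.rfile.read(length))
        print(f"{status}: {len(events)} event(s)")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Listener).serve_forever()
```

A delivery with a missing or wrong Authorization value gets a 401 and its body is never parsed; a body containing a line that is not a JSON object gets a 400.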