From 41653e55e175c5bcc7391b0528765773bb968f36 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 5 Sep 2025 12:59:55 +0530 Subject: [PATCH 1/5] Update onelogin.md --- docs/integrations/saml/onelogin.md | 190 ++++++++++++++++------------- 1 file changed, 106 insertions(+), 84 deletions(-) diff --git a/docs/integrations/saml/onelogin.md b/docs/integrations/saml/onelogin.md index 2a4765f27a..9c5e8adbe9 100644 --- a/docs/integrations/saml/onelogin.md +++ b/docs/integrations/saml/onelogin.md @@ -11,8 +11,16 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; OneLogin is an Identity Management provider that supplies a comprehensive set of enterprise-grade identity and access management solutions, including single sign-on (SSO), user provisioning, and multi-factor authentication (MFA). The Sumo Logic app for OneLogin provides real-time visibility and analysis of OneLogin user activity through event data, such as user logins, administrative operations, and provisioning. +The app provides insights into account activity and user behavior, including total and invited users, inactive or never-logged-in accounts, user status, failed login attempts, lockouts, and password reset needs, helping administrators monitor user lifecycles and maintain security. + +:::info +This app includes [built-in monitors](#onelogin-alerts). For details on creating custom monitors, refer to [Create monitors for OneLogin app](#create-monitors-for-onelogin-app). +::: + ## Prerequisites +### Configure an event broadcaster for event logs + :::note To use this feature, you'll need to enable access to your OneLogin logs and ingest them into Sumo Logic. ::: 
@@ -24,106 +32,88 @@ Once you begin uploading data, your daily data usage will increase. It's a good * Add a Sumo Logic [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector) to your Sumo Logic Org. * Configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics) for your OneLogin data. Make sure to set the **Source Category** when configuring the OneLogin source. For example, onelogin. * From OneLogin, configure a broadcaster that points to this endpoint using the instructions in the [OneLogin documentation](https://onelogin.service-now.com/support?id=kb_article&sys_id=43f95543db109700d5505eea4b961959). You must use SIEM (NDJSON) format. Use the Sumo Logic HTTP Source URL as the Listener URL, and custom header is not needed. +* **Configure the C2C source for users' logs** + * Follow the instructions for setting up [Cloud-to-Cloud Integration for OneLogin App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source/) to create the source and use the same source category while installing the app. ## Log types -The Sumo Logic app for OneLogin uses event logs in NDJSON format. +The Sumo Logic app for OneLogin uses the following logs: +- Event logs in NDJSON format. +- Sumo Logic’s [OneLogin Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source/) to collect [Users' Logs](https://developers.onelogin.com/api-docs/2/users/user-resource) from OneLogin platform. 
## Sample log messages -Each event is a single-line JSON, containing information such as: - -```json +```json title="Users Log" { - "event":{ - "create":{ - "_id":"443ce874-7704-54d2-b12f-b6e4a72ec6ef" - }, - "entity":null, - "role_id":null, - "client_id":null, - "trusted_idp_name":null, - "notes":null, - "app_name":null, - "service_directory_id":null, - "actor_system":"", - "login_name":null, - "assuming_acting_user_id":null, - "mapping_name":null, - "directory_sync_run_id":null, - "api_credential_name":null, - "directory_id":null, - "certificate_id":null, - "group_id":null, - "role_name":null, - "imported_user_name":null, - "resolved_at":null, - "mapping_id":null, - "authentication_factor_type":null, - "user_field_name":null, - "proxy_ip":null, - "certificate_name":null, - "task_name":null, - "adc_id":null, - "uuid":"443ce874-7704-54d2-b12f-b6e4a72ec6ef", - "note_title":null, - "event_timestamp":"2017-03-21 00:09:27+0000", - "actor_user_name":"Peyton Newton", - "proxy_agent_id":null, - "otp_device_name":null, - "actor_user_id":11826257, - "trusted_idp_id":null, - "imported_user_id":null, - "policy_type":null, - "user_id":11826257, - "resource_type_id":null, - "login_id":null, - "solved":null, - "policy_id":null, - "policy_name":null, - "otp_device_id":null, - "radius_config_name":null, - "app_id":null, - "user_name":"Peyton Newton", - "account_id":22348, - "resolved_by_user_id":null, - "radius_config_id":null, - "error_description":null, - "note_id":null, - "param":null, - "event_type_id":11, - "proxy_agent_name":null, - "privilege_id":null, - "user_field_id":null, - "authentication_factor_description":null, - "ipaddr":"137.219.197.240", - "custom_message":null, - "directory_name":null, - "object_id":null, - "group_name":null, - "resolution":null, - "privilege_name":null, - "authentication_factor_id":null, - "adc_name":null - } + "status": 4, + "username": null, + "distinguished_name": null, + "external_id": null, + "group_id": null, + "samaccountname": null, + 
"updated_at": "2025-08-28T14:14:35.237Z", + "invalid_login_attempts": 0, + "activated_at": "2025-08-28T14:14:35.237Z", + "created_at": "2025-08-28T14:14:35.237Z", + "directory_id": null, + "member_of": null, + "lastname": "patel", + "invitation_sent_at": "2025-08-28T14:14:35.237Z", + "phone": null, + "email": "RaminBenjamin@xyz.com", + "firstname": "shivani", + "id": 252998076, + "locked_until": null, + "state": 1, + "last_login": "2025-08-28T14:14:35.237Z", + "password_changed_at": "2025-08-28T14:14:35.237Z" } ``` ## Sample queries -```sql title="Name - Events by User" -_sourceCategory=onelogin -| json "event.event_type_id", "event.app_name","event.ipaddr", "event.user_name", "event.actor_user_name" as event_id, app_name, src_ip, user_name, actor_user_name -| where event_id in ("10","11") -| count by user_name -| sort by _count +```sql title="Users by State" +_sourceCategory="Labs/OneLogin" +| json "id", "state", "invitation_sent_at", "activated_at", "status", "last_login", "invalid_login_attempts", "password_changed_at", "email", "username", "locked_until", "firstname", "lastname", "group_id", "updated_at", "created_at", "member_of" as id, state, invitation_sent_at, activated_at, status, last_login, invalid_login_attempts, password_changed_at, email, user_name, locked_until, first_name, last_name, group_id, updated_at, created_at, member_of nodrop + +| if (state = 0, "Unapproved", if (state = 1, "Approved", if (state = 2, "Rejected", if (state = 3, "Unlicensed", "Other")))) as state +| if (status = 0, "Unactivated", if (status = 1, "Active", if (status = 2, "Suspended", if (status = 3, "Locked", if (status = 4, "Password expired", if (status = 5, "Awaiting password reset", if (status = 7, "Password pending", if (status = 8, "Security questions required", "Other")))))))) as status + +| first(state) as state, first(status) as status by id, user_name +| where state matches "{{state}}" +| where status matches "{{status}}" +| where user_name matches "{{user_name}}" + 
+| count by state, id +| count by state +| sort by _count, state ``` ## Installing the OneLogin app -import AppInstall from '../../reuse/apps/app-install-v2.md'; - - +To install the app, do the following: +:::note + Next-Gen App: To install or update the app, you must be an account administrator or a user with Manage Apps, Manage Monitors, Manage Fields, Manage Metric Rules, and Manage Collectors capabilities depending upon the different content types part of the app. +::: +1. Select **App Catalog**. +1. In the 🔎 **Search Apps** field, run a search for your desired app, then select it. +1. Click **Install App**. + :::note + Sometimes this button says **Add Integration**. + ::: +1. Click **Next** in the **Setup Data** section. +1. In the **Configure App** section of your respective app, complete the following field. + 1. Enter values for two data sources: + - **Event logs data source** + - **User logs data source** + 1. **Field Name**. If you already have collectors and sources set up, select the configured metadata field name (eg _sourcecategory) or specify other custom metadata (eg: _collector) along with its metadata **Field Value**. +1. Click **Next**. You will be redirected to the **Preview & Done** section. + +**Post-installation** + +Once your app is installed, it will appear in your **Installed Apps** folder, and dashboard panels will start to fill automatically. + +Each panel slowly fills with data matching the time range query received since the panel was created. Results will not immediately be available but will be updated with full graphs and charts over time. ## Viewing OneLogin dashboards 
@@ -183,6 +173,38 @@ import FilterDashboards from '../../reuse/filter-dashboards.md'; OneLogin +### User Inventory + +The **OneLogin - User Inventory** dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment. + +**Centralized User Overview**. Provides a single view of user account lifecycle and activity within the OneLogin environment. + +**Account Provisioning Metrics**. Tracks total users, invited users, never-logged-in accounts, pending approvals, and rejections. + +**Risk Detection**. Highlights issues like repeated failed logins, locked or inactive accounts, and password problems. + +**Usage Trends**. Visualizes user status and login activity to reveal patterns in user behavior. + +**Security Monitoring**. Includes detailed tables on lockouts, recent invites, and accounts with unchanged passwords. + +**Governance & Compliance Support**. Helps ensure strong user management practices, risk awareness, and regulatory compliance. + +OneLogin - User Inventory dashboard + +## Create monitors for OneLogin app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### OneLogin alerts + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `OneLogin - Account Lockout` | This alert is triggered when a user account has been locked due to multiple failed login attempts. | Critical | Count > 0 | +| `OneLogin - Password Expired & Reset Pending` | This alert is triggered when user accounts are found with expired passwords or are pending a password reset. | Critical | Count > 0 | +| `OneLogin - User Rejected` | This alert is triggered when a user account has been rejected, indicating denied access during onboarding or approval. | Critical | Count > 0 | + ## Upgrade/Downgrade the OneLogin app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; From 23f912b2b723757d7ceb350101c86b910d496b90 Mon Sep 17 00:00:00 2001 
From: Amee Lepcha Date: Fri, 5 Sep 2025 13:10:43 +0530 Subject: [PATCH 2/5] Create 2025-09-05-apps.md --- blog-service/2025-09-05-apps.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 blog-service/2025-09-05-apps.md diff --git a/blog-service/2025-09-05-apps.md b/blog-service/2025-09-05-apps.md new file mode 100644 index 0000000000..9f774eef49 --- /dev/null +++ b/blog-service/2025-09-05-apps.md @@ -0,0 +1,12 @@ +--- +title: OneLogin (Apps) +image: https://help.sumologic.com/img/reuse/rss-image.jpg +keywords: + - apps + - onelogin +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new **OneLogin - User Inventory** dashboard to the existing OneLogin app for Sumo Logic. This dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment. [Learn more](/docs/integrations/saml/onelogin/#user-inventory). From 0ee50e2d2d830356721a9c5ba32089a2bcf02cd5 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 8 Sep 2025 10:43:15 +0530 Subject: [PATCH 3/5] Update docs/integrations/saml/onelogin.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saml/onelogin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saml/onelogin.md b/docs/integrations/saml/onelogin.md index 9c5e8adbe9..f23203da6f 100644 --- a/docs/integrations/saml/onelogin.md +++ b/docs/integrations/saml/onelogin.md 
@@ -106,7 +106,7 @@ To install the app, do the following: 1. Enter values for two data sources: - **Event logs data source** - **User logs data source** - 1. **Field Name**. If you already have collectors and sources set up, select the configured metadata field name (eg _sourcecategory) or specify other custom metadata (eg: _collector) along with its metadata **Field Value**. + 1. **Field Name**. If you already have collectors and sources set up, select the configured metadata field name (for example, `_sourcecategory`) or specify other custom metadata (for example, `_collector`) along with its metadata **Field Value**. 1. Click **Next**. You will be redirected to the **Preview & Done** section. **Post-installation** From 40d33acca7f4b33ea93881e53b22348ce9e3a771 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 8 Sep 2025 10:43:26 +0530 Subject: [PATCH 4/5] Update docs/integrations/saml/onelogin.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saml/onelogin.md | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/docs/integrations/saml/onelogin.md b/docs/integrations/saml/onelogin.md index f23203da6f..99bc621ce3 100644 --- a/docs/integrations/saml/onelogin.md +++ b/docs/integrations/saml/onelogin.md 
@@ -175,19 +175,13 @@ import FilterDashboards from '../../reuse/filter-dashboards.md'; ### User Inventory -The **OneLogin - User Inventory** dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment. - -**Centralized User Overview**. Provides a single view of user account lifecycle and activity within the OneLogin environment. - -**Account Provisioning Metrics**. Tracks total users, invited users, never-logged-in accounts, pending approvals, and rejections. - -**Risk Detection**. Highlights issues like repeated failed logins, locked or inactive accounts, and password problems. - -**Usage Trends**. Visualizes user status and login activity to reveal patterns in user behavior. - -**Security Monitoring**. Includes detailed tables on lockouts, recent invites, and accounts with unchanged passwords. - -**Governance & Compliance Support**. Helps ensure strong user management practices, risk awareness, and regulatory compliance. +The **OneLogin - User Inventory** dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment: +* **Centralized user overview**. Provides a single view of user account lifecycle and activity within the OneLogin environment. +* **Account provisioning metrics**. Tracks total users, invited users, never-logged-in accounts, pending approvals, and rejections. +* **Risk detection**. Highlights issues like repeated failed logins, locked or inactive accounts, and password problems. +* **Usage trends**. Visualizes user status and login activity to reveal patterns in user behavior. +* **Security monitoring**. Includes detailed tables on lockouts, recent invites, and accounts with unchanged passwords. +* **Governance and compliance support**. Helps ensure strong user management practices, risk awareness, and regulatory compliance. OneLogin - User Inventory dashboard From 889268ccf37e00643c1957adf3021556b27c17ff Mon Sep 17 00:00:00 2001 
From: Amee Lepcha Date: Mon, 8 Sep 2025 22:24:55 +0530 Subject: [PATCH 5/5] changed the release date --- blog-service/{2025-09-05-apps.md => 2025-09-08-apps.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-service/{2025-09-05-apps.md => 2025-09-08-apps.md} (100%) diff --git a/blog-service/2025-09-05-apps.md b/blog-service/2025-09-08-apps.md similarity index 100% rename from blog-service/2025-09-05-apps.md rename to blog-service/2025-09-08-apps.md
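Review bot: in the `@@ -11,8 +11,16 @@` hunk of `docs/integrations/saml/onelogin.md`, the new `### Configure an event broadcaster for event logs` heading is placed directly under `## Prerequisites`, so the existing `:::note` about enabling access to your OneLogin logs now reads as part of the event-broadcaster step only, although it applies equally to the users' logs source added later in the same patch. Move the heading below the note (or reword the note to say it covers both log sources) so the general prerequisite is not scoped to one source.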
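Review bot: the `@@ -24,106 +32,88 @@` hunk of `docs/integrations/saml/onelogin.md` deletes the only event-log sample and the `Name - Events by User` query, yet the rewritten "Log types" section still lists "Event logs in NDJSON format" as the first source the app uses; keep both a `json title="Event Log"` sample and an event-log query next to the new `Users Log` sample and `Users by State` query so each documented log type has a sample and a query. Three smaller points in the same hunk: the new users'-logs step is nested as a bold bullet inside the event-broadcaster list while the event-broadcaster step was just given its own `###` heading, so a parallel `### Configure the C2C source for users' logs` heading reads better; the sample query filters with `{{state}}`, `{{status}}` and `{{user_name}}`, which are dashboard template variables that will not run as pasted, so either substitute concrete values or note that they are placeholders; and "complete the following field" should be "fields" since two data sources plus a field name are entered. The "Log types" list also switches from `*` to `-` markers and "from OneLogin platform" should read "from the OneLogin platform".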
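Review bot: in the `@@ -183,6 +173,38 @@` hunk of `docs/integrations/saml/onelogin.md`, the `### OneLogin alerts` table does not say which user-log field drives each monitor, and "Count > 0" alone gives an operator nothing to verify against; since the same patch's `Users by State` query already maps `status` 3 to "Locked", 4 to "Password expired", 5 to "Awaiting password reset" and `state` 2 to "Rejected", state those conditions in the Alert Condition column (for example, "Count of users with `status = 3` > 0" for `OneLogin - Account Lockout`). The column header advertises "Critical / Warning / MissingData" but every row is Critical only, so either drop the parenthetical or fill in the other trigger types. The `OneLogin - Account Lockout` description also asserts the lock was "due to multiple failed login attempts", which the users log (`invalid_login_attempts`, `locked_until`) does not establish on its own; "when a user account is in the Locked status" is the claim the data supports.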
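Review bot: in the `@@ -0,0 +1,12 @@` hunk creating `blog-service/2025-09-05-apps.md`, the `import useBaseUrl from '@docusaurus/useBaseUrl';` line is unused because the post body contains no `useBaseUrl(...)` call; drop the import. The post also links to `/docs/integrations/saml/onelogin/#user-inventory`, which depends on the `### User Inventory` heading in patch 1 keeping that exact text, so the two patches should land together.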
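Review bot: in the `@@ -175,19 +175,13 @@` hunk of `docs/integrations/saml/onelogin.md`, the first bullet, `**Centralized user overview**. Provides a single view of user account lifecycle and activity within the OneLogin environment.`, repeats the sentence that introduces the list one line above it; remove the bullet (or replace it with a distinct capability) so the list does not open by restating its own lead-in.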