Configure OneLogin Cloud Collector
Set up the OneLogin Cloud Collector to continuously ingest OneLogin events such as authentication events, and events related to directory management and user management.
The following table displays security events supported by the cloud collector.
| Service or Module Covered | Event Types | Event Included |
|---|---|---|
| Authentication | Login to OneLogin failed or succeeded, user authentication via API failed or succeeded, user failed remote authentication, Mac login success or failed, user logged-out from OneLogin, user logged-out from app, user authenticated by RADIUS, social sign-in, user login failed via assertion proxy | Represents authentication related events to OneLogin app or its protected apps |
| Active Directory | AD connector started, stopped, configuration reloaded | Represents events related to the Active Directory connector |
| Directory Connector and VLDAP | Directory connector enabled or disabled, directory export started or finished, VLDAP bind failed, VLDAP enabled or disabled or updated | Represents events related to the directory connector |
| Directory Management | Directory added or deleted or modified, directory group updated | Represents events related to directory management |
| Integrated Application | Integrated app added or removed or updated | Represents events related to integrated applications |
| Directory Users Management | User deleted or created in directory, user invited, user locked, user suspended or reactivated in directory, user field added or removed, self-registration requested for user, user unlocked in the directory | Represents events related to user management in OneLogin directories |
| App Users Management | User deleted or created in app, user suspended or reactivated in app, user linked in app, user updated in app | Represents events related to user management in OneLogin apps |
| Roles Management | Added role to a user, role management granted or revoked, role removed from a user | Represents events related to security setting updates |
| Security Settings | Trusted idp removed, certification expiration notice, certification created, RADIUS configuration updated, desktop SSO enabled or disabled, VPN enabled or disabled | |
| SAML | SAML assertion consumer service failed | |
| Passwords | Set password with salt, set password with clear text, failed to set password with salt | Represents events related to password changes and management |
Use the following steps to set up the OneLogin Cloud Collector.
Before you configure the OneLogin Cloud Collector, ensure that you complete the prerequisites.
Log in to the New-Scale Security Operations Platform with your registered credentials as an administrator.
Navigate to Collectors > Cloud Collectors.
Click New Collector.
Click OneLogin.
Enter the following information for the cloud collector.
NAME – Specify a name for the Cloud Collector instance.
SUBDOMAIN – Enter the first part of your organization’s web address. For example, if your organization's web address is mycompany.onelogin.com, enter mycompany.
CLIENT ID – Enter the value for client ID that you obtained while completing the prerequisites.
CLIENT SECRET – Enter the value for client secret that you obtained while completing the prerequisites.
REGION – Select the region for the collector: US or EU. Ensure that the region of the OneLogin account and the region you select for the collector are the same.
EVENT TYPE ID – Enter the event type ID if you want to filter the logs collected by the collector and fetch logs based on a specific event ID. For more information about event IDs, see Event Resource and Types in the OneLogin documentation.
REQUEST URL – Displays the request URL.
(Optional) SITE – Select an existing site, or click manage your sites to create a new site with a unique ID. Adding a site name helps you manage environments with overlapping IP addresses efficiently.
By entering a site name, you associate the logs with a specific independent site. A sitename metadata field is automatically added to all events ingested through this collector. For more information about Site Management, see Define a Unique Site Name.
(Optional) TIMEZONE – Select a time zone applicable to you for accurate detections and event monitoring.
By entering a time zone, you override the default log time zone. A timezone metadata field is automatically added to all events ingested through this collector.

A cloud collector determines whether Daylight Saving Time (DST) is active based on the current date and automatically adjusts the time by adding or subtracting one hour, ensuring more accurate time reporting.
To confirm that the New-Scale Security Operations Platform communicates with the service, click Test Connection.
Click Install.

A confirmation message informs you that the new Cloud Collector is created.
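
A pre-flight check for the values entered in the form above, as an added example that is not Exabeam or OneLogin code. The helper names are hypothetical, and the request URL assumes OneLogin's regional public API hosts (`api.us.onelogin.com`, `api.eu.onelogin.com`); the REQUEST URL the collector displays may differ.

```python
import re
from urllib.parse import urlencode, urlsplit

# Assumption: OneLogin's regional public API hosts. The REQUEST URL the
# collector displays may use a different form.
API_HOSTS = {"US": "api.us.onelogin.com", "EU": "api.eu.onelogin.com"}
DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def normalize_subdomain(value):
    """Reduce input such as 'https://mycompany.onelogin.com/' to 'mycompany'."""
    v = value.strip().lower()
    host = urlsplit(v if "//" in v else "//" + v).hostname or ""
    if host.endswith(".onelogin.com"):
        host = host[: -len(".onelogin.com")]
    # Anything left with a dot (wrong or mistyped domain) is rejected.
    if not DNS_LABEL.fullmatch(host):
        raise ValueError(f"SUBDOMAIN must be the first label only, got {value!r}")
    return host


def preflight(subdomain, region, client_id, client_secret, event_type_id=""):
    """Validate collector form values; return non-secret settings (hypothetical helper)."""
    region = region.strip().upper()
    if region not in API_HOSTS:
        raise ValueError("REGION must be US or EU")
    if not client_id.strip() or not client_secret.strip():
        raise ValueError("CLIENT ID and CLIENT SECRET are required")
    query = {}
    event_type_id = event_type_id.strip()
    if event_type_id:
        if not re.fullmatch(r"[0-9]+", event_type_id):
            raise ValueError("EVENT TYPE ID must be a numeric ID")
        query["event_type_id"] = event_type_id
    url = f"https://{API_HOSTS[region]}/api/1/events"
    if query:
        url += "?" + urlencode(query)
    # The client secret is checked for presence only and never returned or logged.
    return {"subdomain": normalize_subdomain(subdomain), "region": region,
            "request_url": url}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(preflight("https://MyCompany.onelogin.com/", "eu",
                    "example-client-id", "example-client-secret", "123"))
```
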