
OneLogin Unauthorized Access

Panther Rules

Summary
This detection rule monitors unauthorized access attempts to applications managed through OneLogin. It fires when a single user has been denied access to an application more times than the configured threshold within a set period. Repeated denials can indicate attempted lateral movement, in particular a user, or an attacker holding that user's session or credentials, probing for applications the account is not entitled to use. The rule consumes OneLogin event logs and matches on the event type identifier that signifies a denied application access attempt. When an alert fires, analyze the affected user's activity to determine whether there is malicious intent or a gap in authentication and entitlement practices. The alert threshold is 10 denied attempts within a 10-minute deduplication window; that combination keeps isolated mis-clicks from generating noise while still surfacing sustained probing promptly.
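The following is an added example, not the rule's own source: a Panther-style rule function for this detection together with a small driver that emulates the threshold and deduplication behaviour described above over constructed sample events. The event type ID 90 for a denied application access, the field names `event_type_id`, `user_name`, `app_name` and `created_at`, and the sample events themselves are assumptions made for illustration.

```python
"""Illustrative Panther-style rule for OneLogin denied-app-access events plus a
driver that emulates Panther's threshold/dedup behaviour. Not Panther's own code.
Assumptions: OneLogin event type ID 90 means "user denied access to app", and
events carry `event_type_id`, `user_name`, `app_name` and `created_at`."""
from collections import defaultdict
from datetime import datetime, timedelta

DENIED_APP_ACCESS_EVENT_TYPE = "90"  # assumption: OneLogin "denied access to app"
THRESHOLD = 10                        # denied attempts needed to alert (from the page)
DEDUP_WINDOW = timedelta(minutes=10)  # deduplication period (from the page)


def rule(event: dict) -> bool:
    """Panther rule body: match only denied application access events."""
    return str(event.get("event_type_id")) == DENIED_APP_ACCESS_EVENT_TYPE


def dedup(event: dict) -> str:
    """Group matching events per user so the threshold counts one user's denials."""
    return event.get("user_name", "<UNKNOWN_USER>")


def title(event: dict) -> str:
    """Alert title; names the user whose denials crossed the threshold."""
    return (f"OneLogin user [{dedup(event)}] exceeded the unauthorized "
            f"application access threshold")


def evaluate(events: list[dict]) -> list[str]:
    """Emulate threshold + dedup: an alert fires once a dedup key accumulates
    THRESHOLD matching events inside DEDUP_WINDOW, then the key's window resets.
    Returns the titles of the alerts that fired, in order."""
    windows: dict[str, list[datetime]] = defaultdict(list)
    alerts: list[str] = []
    for event in sorted(events, key=lambda e: e["created_at"]):
        if not rule(event):
            continue  # ignore everything that is not a denied-access event
        key = dedup(event)
        ts = datetime.fromisoformat(event["created_at"])
        # keep only denials that still fall inside the window ending at this event
        hits = [t for t in windows[key] if ts - t <= DEDUP_WINDOW] + [ts]
        if len(hits) >= THRESHOLD:
            alerts.append(title(event))
            hits = []  # start a fresh window after alerting
        windows[key] = hits
    return alerts


def sample_events() -> list[dict]:
    """Constructed sample OneLogin events for the demo (not real log data)."""
    base = datetime(2022, 9, 2, 12, 0, 0)
    events = []
    # alice: 10 denials in five minutes -> should alert
    for i in range(10):
        events.append({"event_type_id": 90, "user_name": "alice",
                       "app_name": "AWS Console",
                       "created_at": (base + timedelta(seconds=30 * i)).isoformat()})
    # bob: 10 denials two minutes apart -> never 10 inside one 10-minute window
    for i in range(10):
        events.append({"event_type_id": 90, "user_name": "bob",
                       "app_name": "GitHub",
                       "created_at": (base + timedelta(minutes=2 * i)).isoformat()})
    # carol: an unrelated event type (constructed ID) that must not match the rule
    events.append({"event_type_id": 5, "user_name": "carol", "app_name": "Slack",
                   "created_at": base.isoformat()})
    return events


if __name__ == "__main__":
    for alert in evaluate(sample_events()):
        print(alert)
```

In a real Panther deployment the threshold and deduplication period live in the rule's YAML metadata and the platform does the counting; `evaluate` only reproduces that behaviour locally so the effect of the 10-in-10-minutes setting can be checked against sample data. Note that the sliding-window count is per dedup key, so two users each making a handful of denied requests never add up to one alert.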
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1550
Created: 2022-09-02