
Summary
The OneLogin Login detection rule identifies successful login events for users in OneLogin. It filters OneLogin event logs for records whose `event_type_id` equals '5', which indicates a successful login by the actor user. The rule's test cases reflect this: a successful login event (`event_type_id` '5') is expected to return a truthy value (true), while a failed login event (`event_type_id` '6') is expected to return a falsy value (false), confirming that the detection triggers only on successful logins.

The rule is categorized as informational severity, so it monitors user access without creating alerts. It draws on OneLogin event logs, which offer historical context and support further investigation when needed. Administrators can consult the provided reference link for details on OneLogin's risk-based authentication approaches and the mechanisms applied during login events.
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
- Cloud Service
Created: 2024-09-16