Panther can process OneLogin events through OneLogin's integration with Amazon EventBridge. This allows Panther to process OneLogin logs in a scalable, reliable, low-latency manner.
For Panther to process your OneLogin logs, you need to configure your OneLogin account to send data to Amazon EventBridge in the Panther AWS account.
Configure OneLogin to send data to Panther
First, note the AWS account and AWS region where Panther is deployed. You can find this information in the Panther UI under Settings > General > About Panther.
Log in to OneLogin Administration console
Go to Developers > Webhooks
Go to New Webhook > Event Webhook for Amazon EventBridge
Add a friendly name, e.g. Panther Integration
Fill in the AWS Account Id and Region that you noted earlier, then click Save
Click on the integration that was just created. Note the Event Source field, as it is used in the next step (it should be in the form aws.partner/onelogin.com/US-123456/ffffffffff)
Create a new OneLogin source in Panther
Log in to your Panther account.
Go to Integrations > LogSources from the sidebar menu.
Click Add Source.
Select Amazon EventBridge from the list of available Data Transports if you would like to pull logs directly from OneLogin. You can also select S3 or SNS if you would like to retrieve logs from those sources.
In the form that follows, fill in these fields:
Name: A friendly name for the source, e.g. My OneLogin events
Log Type: Select OneLogin
Bus Name: The Event Source value you noted in the previous section (in the form aws.partner/onelogin.com/US-123456/ffffffffff)
Click on Next and then Save Source
You are done! You can now start writing detections and exploring your OneLogin data.