OneLogin user viewed secure note

Set up the OneLogin integration.

Goal

Detect when a OneLogin user views a secure note.

Strategy

This rule lets you monitor the following OneLogin events to detect when a user views a secure note:

  • @evt.name:PRIVILEGE_GRANTED_TO_USER

This rule is most useful when its findings are correlated with other anomalous events from the same OneLogin user ({{@actor_user_name}}).

Triage and response

  1. Determine whether the OneLogin user ({{@actor_user_name}}) has a legitimate reason to access secure notes.
  2. If the activity was not legitimate, review all activity from {{@actor_user_name}} and the IP ({{@network.client.ip}}) associated with this signal.
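
The pivot described in triage step 2, as an added example that is not part of the rule or of the integration: it selects events matching the rule's event name, then gathers the same user's other activity and any other accounts seen on the signal's IP. The flat event layout, the PLACEHOLDER_* event names, the users and the IPs are constructed assumptions.

```python
from collections import defaultdict

RULE_EVENT = "PRIVILEGE_GRANTED_TO_USER"  # event name from the rule's query

def ev(ts, name, user, ip):
    # Keys mirror the facets the page uses; a flat dict layout is an assumption.
    return {"ts": ts, "evt.name": name, "actor_user_name": user,
            "network.client.ip": ip}

# Constructed sample events. PLACEHOLDER_* names are not real OneLogin
# event names, and the IPs are documentation addresses.
SAMPLE_EVENTS = [
    ev(1, "PLACEHOLDER_LOGIN", "alice", "198.51.100.7"),
    ev(2, RULE_EVENT, "alice", "198.51.100.7"),
    ev(3, "PLACEHOLDER_LOGIN", "bob", "203.0.113.9"),
    ev(4, "PLACEHOLDER_LOGIN", "carol", "192.0.2.44"),
    ev(5, RULE_EVENT, "bob", "192.0.2.44"),
    ev(6, "PLACEHOLDER_APP_ACCESS", "bob", "192.0.2.44"),
]

def triage(events, rule_event=RULE_EVENT):
    """Per user with a signal: everything to review in triage step 2."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in events:
        by_user[e["actor_user_name"]].append(e)
        by_ip[e["network.client.ip"]].append(e)
    report = {}
    for sig in (e for e in events if e["evt.name"] == rule_event):
        user, ip = sig["actor_user_name"], sig["network.client.ip"]
        entry = report.setdefault(user, {
            "signals": 0, "signal_ips": set(), "user_events": by_user[user],
            "other_users_on_ip": set(), "first_seen_ip": False})
        entry["signals"] += 1
        entry["signal_ips"].add(ip)
        # Other accounts active from the same IP widen the review scope.
        entry["other_users_on_ip"] |= (
            {e["actor_user_name"] for e in by_ip[ip]} - {user})
        # An IP the user never used before the signal is worth a closer look.
        if not any(e["network.client.ip"] == ip and e["ts"] < sig["ts"]
                   for e in by_user[user]):
            entry["first_seen_ip"] = True
    return report

if __name__ == "__main__":
    for user, entry in triage(SAMPLE_EVENTS).items():
        print(user, entry["signals"], sorted(entry["signal_ips"]),
              sorted(entry["other_users_on_ip"]), entry["first_seen_ip"])
```

The first_seen_ip flag only reflects the events passed in, so widen the time window before treating an IP as new for a user.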