OneLogin API activity from malicious IP address
Set up the OneLogin integration.
Goal
Detect and investigate OneLogin API activity originating from suspicious IP addresses, which may indicate potential unauthorized access attempts or malicious API interactions.
Strategy
This rule monitors activities within OneLogin, focusing specifically on actions initiated by users via the API. It flags activities where the source IP address has been identified with suspicious or malicious indicators, such as associations with botnet proxies, known malicious intent, or anonymization services like Tor.
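As an added illustration of the strategy above (not Datadog's rule definition or OneLogin's code), the following Python applies the same logic to constructed, threat-intel-enriched OneLogin-style events; the field names (`actor.via_api`, `threat_intel.categories`, `usr.name`, `evt.name`), the category labels and the sample events are all assumptions.

```python
import json
from typing import Dict, List

# Threat-intel categories the strategy treats as suspicious indicators
# (assumed labels; a real feed will use its own taxonomy).
SUSPICIOUS_CATEGORIES = {"botnet_proxy", "malicious", "tor"}

# Constructed OneLogin-style events, each already enriched with the
# threat-intel categories of its source IP (empty list = no hit).
SAMPLE_EVENTS = [
    json.dumps({"usr": {"name": "alice"}, "actor": {"ip": "203.0.113.10", "via_api": True},
                "evt": {"name": "USER_UPDATED"}, "threat_intel": {"categories": ["tor"]}}),
    json.dumps({"usr": {"name": "bob"}, "actor": {"ip": "198.51.100.7", "via_api": False},
                "evt": {"name": "USER_LOGGED_IN"}, "threat_intel": {"categories": ["malicious"]}}),
    json.dumps({"usr": {"name": "carol"}, "actor": {"ip": "192.0.2.44", "via_api": True},
                "evt": {"name": "API_KEY_CREATED"}, "threat_intel": {"categories": []}}),
    json.dumps({"usr": {"name": "dave"}, "actor": {"ip": "203.0.113.99", "via_api": True},
                "evt": {"name": "ROLE_ASSIGNED"}, "threat_intel": {"categories": ["botnet_proxy", "scanner"]}}),
    "not valid json {",  # constructed malformed line; must not abort the run
]


def is_api_activity_from_suspicious_ip(event: Dict) -> bool:
    """True when the action was taken via the API and the source IP carries
    at least one suspicious category. Interactive logins (bob) and API calls
    from clean IPs (carol) are deliberately not matched."""
    via_api = event.get("actor", {}).get("via_api", False)
    categories = set(event.get("threat_intel", {}).get("categories", []))
    return bool(via_api and categories & SUSPICIOUS_CATEGORIES)


def detect(lines: List[str]) -> List[Dict]:
    """Run the rule over raw JSON log lines, skipping malformed ones, and
    return one finding per match with the fields the triage steps need."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_api_activity_from_suspicious_ip(event):
            findings.append({
                "user": event["usr"]["name"],
                "ip": event["actor"]["ip"],
                "action": event["evt"]["name"],
                "indicators": sorted(set(event["threat_intel"]["categories"]) & SUSPICIOUS_CATEGORIES),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Only alice (Tor exit) and dave (botnet proxy) are reported; the unrelated `scanner` tag on dave's IP is dropped from the indicators so the analyst sees only the categories that fired.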
Triage and Response
Verify user activity: Check if the user associated with the alert ({{@usr.name}}) has a legitimate reason for API interactions from the flagged IP.
Investigate suspicious IP:
- Review logs related to the flagged IP to determine if it has been involved in other potentially malicious actions.
- Use threat intelligence sources or IP investigation tools to gather context on the flagged IP’s reputation and any recent malicious activity.
Containment and remediation:
- If the activity is confirmed unauthorized, consider blocking the IP address at the network level.
- Review and rotate API keys or admin credentials associated with the suspicious activity to prevent further unauthorized access.