OneLogin User Account Locked

calendar Aug 12, 2024 · attack.impact  ·
Share on: linkedin copy

Detects when an user account is locked or suspended.

Sigma rule (View on GitHub)

 1title: OneLogin User Account Locked
 2id: a717c561-d117-437e-b2d9-0118a7035d01
 3status: test
 4description: Detects when an user account is locked or suspended.
 5references:
 6    - https://developers.onelogin.com/api-docs/1/events/event-resource/
 7author: Austin Songer @austinsonger
 8date: 2021-10-12
 9modified: 2022-12-25
10tags:
11    - attack.impact
12logsource:
13    product: onelogin
14    service: onelogin.events
15detection:
16    selection1: # Locked via API
17        event_type_id: 532
18    selection2: # Locked via API
19        event_type_id: 553
20    selection3: # Suspended via API
21        event_type_id: 551
22    condition: 1 of selection*
23falsepositives:
24    - System may lock or suspend user accounts.
25level: low

References

Related rules

to-top