OneLogin User Assumed Another User

 1title: OneLogin User Assumed Another User
 2id: 62fff148-278d-497e-8ecd-ad6083231a35
 3status: test
 4description: Detects when an user assumed another user account.
 5references:
 6    - https://developers.onelogin.com/api-docs/1/events/event-resource
 7author: Austin Songer @austinsonger
 8date: 2021-10-12
 9modified: 2022-12-25
10tags:
11    - attack.impact
12logsource:
13    product: onelogin
14    service: onelogin.events
15detection:
16    selection:
17        event_type_id: 3
18    condition: selection
19falsepositives:
20    - Unknown
21level: low

References

• Event Resource and Types - OneLogin Developers

  

  1 App %app% added to role %role% 2 App %app% removed from role %role% 3 %actor_user% assumed %user% 4 Assigned %role% to user %user% 5 %user% logged into onelogin 6 %user% failed authentication 7 %...

  
  Read More

Related rules

• GitHub Repository Archive Status Changed
• Github Delete Action Invoked
• Github Self Hosted Runner Changes Detected
• Okta API Token Revoked
• Okta Application Modified or Deleted