OneLogin User Account Locked

Detects when a user account is locked or suspended.

Austin Songer | Created Tue Oct 12 | Updated Sun Dec 25 | a717c561-d117-437e-b2d9-0118a7035d01 | identity
Log Source
Product: onelogin
Service: onelogin.events
Detection Logic
3 selectors
detection:
    selection1: # Locked via API
        event_type_id: 532
    selection2: # Locked via API
        event_type_id: 553
    selection3: # Suspended via API
        event_type_id: 551
    condition: 1 of selection*
False Positives

System may lock or suspend user accounts.

MITRE ATT&CK
Rule Metadata
Rule ID: a717c561-d117-437e-b2d9-0118a7035d01
Status: test
Level: low
Type: Detection
Created: Tue Oct 12
Modified: Sun Dec 25
Path: rules/identity/onelogin/onelogin_user_account_locked.yml
Raw Tags: attack.impact