Detection rules › Panther
OneLogin Failed High Risk Login
A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication.
Rule body yaml
AnalysisType: rule
Filename: onelogin_high_risk_failed_login.py
RuleID: "OneLogin.HighRiskFailedLogin"
DisplayName: "OneLogin Failed High Risk Login"
Enabled: true
LogTypes:
- OneLogin.Events
Tags:
- OneLogin
Severity: Low
Description: A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication.
Reference: https://resources.onelogin.com/OneLogin_RiskBasedAuthentication-WP-v5.pdf
Runbook: Investigate why this user login is tagged as high risk as well as whether this was caused by expected user activity.
SummaryAttributes:
- account_id
- user_name
- user_id
Tests:
- Name: Normal Login Event
ExpectedResult: false
Log:
{
"event_type_id": "6",
"actor_user_id": 123456,
"actor_user_name": "Bob Cat",
"user_id": 123456,
"user_name": "Bob Cat",
}
- Name: Failed High Risk Login
ExpectedResult: true
Log:
{
"event_type_id": "6",
"risk_score": 55,
"actor_user_id": 123456,
"actor_user_name": "Bob Cat",
"user_id": 123456,
"user_name": "Bob Cat",
}
Detection logic
Condition
risk_score gt "50"
event_type_id eq "6"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type_id | eq |
|
risk_score | gt |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
user_name |