Update OneLogin app with new dashboard (#5749)

* Update onelogin.md

* Create 2025-09-05-apps.md

* Update docs/integrations/saml/onelogin.md

Co-authored-by: John Pipkin (Sumo Logic) <[email protected]>

* Update docs/integrations/saml/onelogin.md

Co-authored-by: John Pipkin (Sumo Logic) <[email protected]>

* changed the release date

---------

Co-authored-by: Shivani Patel <[email protected]>
Co-authored-by: John Pipkin (Sumo Logic) <[email protected]>

Author: 3 people

blog-service/2025-09-08-apps.md

@@ -0,0 +1,12 @@
+---
+title: OneLogin (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - onelogin
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new **OneLogin - User Inventory** dashboard to the existing OneLogin app for Sumo Logic. This dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment. [Learn more](/docs/integrations/saml/onelogin/#user-inventory).

docs/integrations/saml/onelogin.md

@@ -11,8 +11,16 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 OneLogin is an Identity Management provider that supplies a comprehensive set of enterprise-grade identity and access management solutions, including single sign-on (SSO), user provisioning, and multi-factor authentication (MFA). The Sumo Logic app for OneLogin provides real-time visibility and analysis of OneLogin user activity through event data, such as user logins, administrative operations, and provisioning.
 
+The app provides insights into account activity and user behavior, including total and invited users, inactive or never-logged-in accounts, user status, failed login attempts, lockouts, and password reset needs, helping administrators monitor user lifecycles and maintain security.
+
+:::info
+This app includes [built-in monitors](#onelogin-alerts). For details on creating custom monitors, refer to [Create monitors for OneLogin app](#create-monitors-for-onelogin-app).
+:::
+
 ## Prerequisites
 
+### Configure an event broadcaster for event logs
+
 :::note
 To use this feature, you'll need to enable access to your OneLogin logs and ingest them into Sumo Logic.
 :::
@@ -24,106 +32,88 @@ Once you begin uploading data, your daily data usage will increase. It's a good
    * Add a Sumo Logic [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector) to your Sumo Logic Org.
    * Configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics) for your OneLogin data. Make sure to set the **Source Category** when configuring the OneLogin source. For example, onelogin.
    * From OneLogin, configure a broadcaster that points to this endpoint using the instructions in the [OneLogin documentation](https://onelogin.service-now.com/support?id=kb_article&sys_id=43f95543db109700d5505eea4b961959). You must use SIEM (NDJSON) format. Use the Sumo Logic HTTP Source URL as the Listener URL, and custom header is not needed.
+* **Configure the C2C source for users' logs**
+	* Follow the instructions for setting up [Cloud-to-Cloud Integration for OneLogin App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source/) to create the source and use the same source category while installing the app.
 
 ## Log types
 
-The Sumo Logic app for OneLogin uses event logs in NDJSON format.
+The Sumo Logic app for OneLogin uses the following logs:
+- Event logs in NDJSON format.
+- Sumo Logic’s [OneLogin Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source/) to collect [Users' Logs](https://developers.onelogin.com/api-docs/2/users/user-resource) from OneLogin platform.
 
 ## Sample log messages
 
-Each event is a single-line JSON, containing information such as:
-
-```json
+```json title="Users Log"
 {
-	"event":{
-		"create":{
-			"_id":"443ce874-7704-54d2-b12f-b6e4a72ec6ef"
-		},
-		"entity":null,
-		"role_id":null,
-		"client_id":null,
-		"trusted_idp_name":null,
-		"notes":null,
-		"app_name":null,
-		"service_directory_id":null,
-		"actor_system":"",
-		"login_name":null,
-		"assuming_acting_user_id":null,
-		"mapping_name":null,
-		"directory_sync_run_id":null,
-		"api_credential_name":null,
-		"directory_id":null,
-		"certificate_id":null,
-		"group_id":null,
-		"role_name":null,
-		"imported_user_name":null,
-		"resolved_at":null,
-		"mapping_id":null,
-		"authentication_factor_type":null,
-		"user_field_name":null,
-		"proxy_ip":null,
-		"certificate_name":null,
-		"task_name":null,
-		"adc_id":null,
-		"uuid":"443ce874-7704-54d2-b12f-b6e4a72ec6ef",
-		"note_title":null,
-		"event_timestamp":"2017-03-21 00:09:27+0000",
-		"actor_user_name":"Peyton Newton",
-		"proxy_agent_id":null,
-		"otp_device_name":null,
-		"actor_user_id":11826257,
-		"trusted_idp_id":null,
-		"imported_user_id":null,
-		"policy_type":null,
-		"user_id":11826257,
-		"resource_type_id":null,
-		"login_id":null,
-		"solved":null,
-		"policy_id":null,
-		"policy_name":null,
-		"otp_device_id":null,
-		"radius_config_name":null,
-		"app_id":null,
-		"user_name":"Peyton Newton",
-		"account_id":22348,
-		"resolved_by_user_id":null,
-		"radius_config_id":null,
-		"error_description":null,
-		"note_id":null,
-		"param":null,
-		"event_type_id":11,
-		"proxy_agent_name":null,
-		"privilege_id":null,
-		"user_field_id":null,
-		"authentication_factor_description":null,
-		"ipaddr":"137.219.197.240",
-		"custom_message":null,
-		"directory_name":null,
-		"object_id":null,
-		"group_name":null,
-		"resolution":null,
-		"privilege_name":null,
-		"authentication_factor_id":null,
-		"adc_name":null
-	}
+    "status": 4,
+    "username": null,
+    "distinguished_name": null,
+    "external_id": null,
+    "group_id": null,
+    "samaccountname": null,
+    "updated_at": "2025-08-28T14:14:35.237Z",
+    "invalid_login_attempts": 0,
+    "activated_at": "2025-08-28T14:14:35.237Z",
+    "created_at": "2025-08-28T14:14:35.237Z",
+    "directory_id": null,
+    "member_of": null,
+    "lastname": "patel",
+    "invitation_sent_at": "2025-08-28T14:14:35.237Z",
+    "phone": null,
+    "email": "[email protected]",
+    "firstname": "shivani",
+    "id": 252998076,
+    "locked_until": null,
+    "state": 1,
+    "last_login": "2025-08-28T14:14:35.237Z",
+    "password_changed_at": "2025-08-28T14:14:35.237Z"
 }
 ```
 
 ## Sample queries
 
-```sql title="Name - Events by User"
-_sourceCategory=onelogin
-| json "event.event_type_id", "event.app_name","event.ipaddr", "event.user_name", "event.actor_user_name" as event_id, app_name, src_ip, user_name, actor_user_name  
-| where event_id in ("10","11")
-| count by user_name
-| sort by _count
+```sql title="Users by State"
+_sourceCategory="Labs/OneLogin"
+| json "id", "state", "invitation_sent_at", "activated_at", "status", "last_login", "invalid_login_attempts", "password_changed_at", "email", "username", "locked_until", "firstname", "lastname", "group_id", "updated_at", "created_at", "member_of" as id, state, invitation_sent_at, activated_at, status, last_login, invalid_login_attempts, password_changed_at, email, user_name, locked_until, first_name, last_name, group_id, updated_at, created_at, member_of nodrop
+
+| if (state = 0, "Unapproved", if (state = 1, "Approved", if (state = 2, "Rejected", if (state = 3, "Unlicensed", "Other")))) as state
+| if (status = 0, "Unactivated", if (status = 1, "Active", if (status = 2, "Suspended", if (status = 3, "Locked", if (status = 4, "Password expired", if (status = 5, "Awaiting password reset", if (status = 7, "Password pending", if (status = 8, "Security questions required", "Other")))))))) as status
+
+| first(state) as state, first(status) as status by id, user_name
+| where state matches "{{state}}"
+| where status matches "{{status}}"
+| where user_name matches "{{user_name}}"
+
+| count by state, id 
+| count by state
+| sort by _count, state
 ```
 
 ## Installing the OneLogin app
 
-import AppInstall from '../../reuse/apps/app-install-v2.md';
-
-<AppInstall/>
+To install the app, do the following:
+:::note
+    Next-Gen App: To install or update the app, you must be an account administrator or a user with Manage Apps, Manage Monitors, Manage Fields, Manage Metric Rules, and Manage Collectors capabilities depending upon the different content types part of the app.
+:::
+1. Select **App Catalog**.
+1. In the 🔎 **Search Apps** field, run a search for your desired app, then select it.
+1. Click **Install App**.
+    :::note
+    Sometimes this button says **Add Integration**.
+    :::
+1. Click **Next** in the **Setup Data** section.
+1. In the **Configure App** section of your respective app, complete the following field.
+	1. Enter values for two data sources: 
+		- **Event logs data source**
+		- **User logs data source**
+    1. **Field Name**. If you already have collectors and sources set up, select the configured metadata field name (for example, `_sourcecategory`) or specify other custom metadata (for example, `_collector`) along with its metadata **Field Value**.
+1. Click **Next**. You will be redirected to the **Preview & Done** section.
+
+**Post-installation**
+
+Once your app is installed, it will appear in your **Installed Apps** folder, and dashboard panels will start to fill automatically.
+
+Each panel slowly fills with data matching the time range query received since the panel was created. Results will not immediately be available but will be updated with full graphs and charts over time.
 
 ## Viewing OneLogin dashboards
 
@@ -183,6 +173,32 @@ import FilterDashboards from '../../reuse/filter-dashboards.md';
 
 <img src={useBaseUrl('img/integrations/saml/OneLoginSecurity.png')} alt="OneLogin" />
 
+### User Inventory
+
+The **OneLogin - User Inventory** dashboard offers a centralized view of user account lifecycle and activity within the OneLogin environment:
+* **Centralized user overview**. Provides a single view of user account lifecycle and activity within the OneLogin environment.
+* **Account provisioning metrics**. Tracks total users, invited users, never-logged-in accounts, pending approvals, and rejections.
+* **Risk detection**. Highlights issues like repeated failed logins, locked or inactive accounts, and password problems.
+* **Usage trends**. Visualizes user status and login activity to reveal patterns in user behavior.
+* **Security monitoring**. Includes detailed tables on lockouts, recent invites, and accounts with unchanged passwords.
+* **Governance and compliance support**. Helps ensure strong user management practices, risk awareness, and regulatory compliance.
+
+<img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/OneLogin/OneLogin+-+User+Inventory.png' alt="OneLogin - User Inventory dashboard" />
+
+## Create monitors for OneLogin app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### OneLogin alerts
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `OneLogin - Account Lockout` | This alert is triggered when a user account has been locked due to multiple failed login attempts. | Critical | Count > 0 |
+| `OneLogin - Password Expired & Reset Pending` | This alert is triggered when user accounts are found with expired passwords or are pending a password reset. | Critical | Count > 0 |
+| `OneLogin - User Rejected` | This alert is triggered when a user account has been rejected, indicating denied access during onboarding or approval. | Critical | Count > 0 |
+
 ## Upgrade/Downgrade the OneLogin app (Optional)
 
 import AppUpdate from '../../reuse/apps/app-update.md';