Skip to content

Ping Identity

Ping Identity

About

In today’s business environment, user experience is a priority. However, that shouldn’t be at the expense of reliable security. The PingOne Cloud Platform helps you optimize both, with a comprehensive, standards-based platform designed for hybrid, multi-generational and multi-cloud environments. Now you can allow all users and devices to securely access cloud, mobile, SaaS and on-premises applications and APIs.

Product Details

Vendor URL: Ping Identity

Product Type: Identity/Access Management

Product Tier: Tier I

Integration Method: Syslog

Integration URL: PingOne - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: 90-100%

Data Label: PING

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
_embedded.riskEvent.ip target.asset.ip
_embedded.riskEvent.ip target.ip
_embedded.riskEvent.sessionId network.session_id
_embedded.riskEvent.targetResourceId target.url
_embedded.riskEvent.userAgent network.http.user_agent
Accessing Device Browser principal.application
Accessing Device OS principal.platform_version
Accessing Device UserAgent network.http.user_agent
act security_result.action_details
act.name principal.user.userid
action security_result.action
Action security_result.action_details
action.type security_result.action_details
actors.client.name target.resource.name
actors.user.name target.user.userid
additional_cfp1 additional.fields
additional_cfp2 additional.fields
additional_cfp3 additional.fields
additional_cfp4 additional.fields
additional_cn1 additional.fields
additional_cn2 additional.fields
additional_cn3 additional.fields
additional_cs1 additional.fields
additional_cs2 additional.fields
additional_cs4 additional.fields
additional_cs5 additional.fields
additional_cs6 additional.fields
additional_cs7 additional.fields
additional_device_model additional.fields
additional_devicePayloadId additional.fields
additional_eventId additional.fields
additional_externalId additional.fields
additional_flexString1 additional.fields
additional_fname additional.fields
additional_mobile_os additional.fields
additional_smb_host additional.fields
additional_smb_stage1 additional.fields
additional_smb_uid additional.fields
app target.application
app_protocol_output network.application_protocol
appcategory security_result.summary
cat security_result.category_details
Country principal.location.country_or_region
Created Authentication metadata.description
cs1 target.url
cs2 target.application
destinationServiceName target.application
destinationTranslatedAddress target.nat_ip
destinationTranslatedPort target.nat_port
device_event_class_id event_name metadata.product_event_type
device_product metadata.product_name
device_vendor metadata.vendor_name
device_version metadata.product_version
dhost target.hostname
dmac target.mac
dntdom target.administrative_domain
dpid target.process.pid
dproc target.process.command_line
dpt target.port
dst_ip target.ip
duid target.user.userid
duser target.user.user_display_name
externalId metadata.product_log_id
id metadata.product_log_id
in network.received_bytes
ip_protocol_out network.ip_protocol
ipaddress principal.ip
jsondata metadata.description
msg metadata.description
msg_json_log.additional.0.value principal.hostname
msg_json_log.metadata.description metadata.description
msg_json_log.metadata.product_name metadata.product_name
msg_json_log.metadata.product_version metadata.product_version
msg_json_log.metadata.vendor_name metadata.vendor_name
mwProfile security_result.rule_name
old_permissions src.resource.attribute.permissions
oldFilePath src.file.full_path
oldFileSize src.file.size
out network.sent_bytes
outcome security_result.action_details
PingID App Version metadata.product_version
Policy Met security_result.rule_name
reason security_result.summary
request target.url
requestClientApplication network.http.user_agent
Requested Application ID target.hostname
Requested Application Name security_result.about.application
requestMethod network.http.method
resources.0.environment.id target.asset.product_object_id
resources.0.name target.user.userid
resources.0.websession network.session_id
result.message metadata.description
result.message security_result.summary
result.status security_result.action_details
Risk Evaluation metadata.description
Rule Met security_result.summary
shost principal.hostname
smac principal.mac
sntdom principal.administrative_domain
sourceServiceName principal.application
sourceTranslatedAddress principal.nat_ip
sourceTranslatedPort principal.nat_port
spid principal.process.pid
sproc principal.process.command_line
spt principal.port
src principal.ip
suid principal.user.userid
suser principal.user.user_display_name
sysloghost observer.hostname
tagcountry principal.asset.location.country_or_region
Updated Authentication metadata.description

Product Event Types

Event UDM Event Classification
all others GENERIC_EVENT
POLICY NETWORK_CONNECTION
SUCCESS UNCATEGORIZED

Log Sample

{'Message':'<13>1 2021-11-03T10:44:06-07:00 sysloghost - - - - {"source": "PINGID", "id": "id", "recorded": "2021-03-11T17:43:46.906Z", "action": null, "actors": [{"type": "user", "name": "user1", "id": null}], "resources": [], "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\nIP Address: 10.2.0.115\nPrevious Authentication IP: 10.2.0.115\nPrevious Authentication Time: 2021-11-02 09:22:23 PM UTC\nIP Reputation Whitelist Met: false\nIP Risk Score: Low\nCountry: United States\nPrevious Country: United States\nGround Speed: 0 km/h\nCurrent VPN/Proxy login: false\nPrevious VPN/Proxy login: false\nGeovelocity Whitelist Met: false\nNew Device: false\nRisk Level: N/A\nRequested Application ID: host\nRequested Application Name: NP: Citrix Remote Access\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: In the last 1381 minutes\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\nAccessing Device OS: Windows 10\nAccessing Device Browser: IE 11.0\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nDevice biometrics supported: N/A\nAction: Authenticate\nPolicy Met: Global Test Policy\nRule Met: \"Default Action\"\nGroup Affected: ALL"}}','tagCountry':'US'}

Sample Parsing

metadata.product_log_id = "id"
metadata.event_timestamp = "2021-11-03T17:44:06Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Ping"
metadata.product_name = "PingID"
metadata.product_version = "N/A"
additional.DeviceModel = "N/A"
additional.MobileOSVersion = "N/A"
principal.user.userid = "user1"
principal.ip = "10.2.0.115"
principal.application = "IE 11.0"
principal.platform_version = "Windows 10"
principal.location.country_or_region = "United States"
principal.asset.location.country_or_region = "US"
target.hostname = "host"
target.asset.hostname = "apps"
observer.hostname = "sysloghost"
security_result.about.application = "NP: Citrix Remote Access"
security_result.rule_name = "Global Test Policy"
security_result.summary = ""Default Action""
security_result.action_details = "Authenticate"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Parser Alerting

This product currently does not have any Parser-based Alerting