Ping Identity

About
In today’s business environment, user experience is a priority. However, that shouldn’t be at the expense of reliable security. The PingOne Cloud Platform helps you optimize both, with a comprehensive, standards-based platform designed for hybrid, multi-generational and multi-cloud environments. Now you can allow all users and devices to securely access cloud, mobile, SaaS and on-premises applications and APIs.
Product Details
Vendor URL: Ping Identity
Product Type: Identity/Access Management
Product Tier: Tier I
Integration Method: Syslog
Integration URL: PingOne - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: 90-100%
Data Label: PING
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| _embedded.riskEvent.ip | target.asset.ip |
| _embedded.riskEvent.ip | target.ip |
| _embedded.riskEvent.sessionId | network.session_id |
| _embedded.riskEvent.targetResourceId | target.url |
| _embedded.riskEvent.userAgent | network.http.user_agent |
| Accessing Device Browser | principal.application |
| Accessing Device OS | principal.platform_version |
| Accessing Device UserAgent | network.http.user_agent |
| act | security_result.action_details |
| act.name | principal.user.userid |
| action | security_result.action |
| Action | security_result.action_details |
| action.type | security_result.action_details |
| actors.client.name | target.resource.name |
| actors.user.name | target.user.userid |
| additional_cfp1 | additional.fields |
| additional_cfp2 | additional.fields |
| additional_cfp3 | additional.fields |
| additional_cfp4 | additional.fields |
| additional_cn1 | additional.fields |
| additional_cn2 | additional.fields |
| additional_cn3 | additional.fields |
| additional_cs1 | additional.fields |
| additional_cs2 | additional.fields |
| additional_cs4 | additional.fields |
| additional_cs5 | additional.fields |
| additional_cs6 | additional.fields |
| additional_cs7 | additional.fields |
| additional_device_model | additional.fields |
| additional_devicePayloadId | additional.fields |
| additional_eventId | additional.fields |
| additional_externalId | additional.fields |
| additional_flexString1 | additional.fields |
| additional_fname | additional.fields |
| additional_mobile_os | additional.fields |
| additional_smb_host | additional.fields |
| additional_smb_stage1 | additional.fields |
| additional_smb_uid | additional.fields |
| app | target.application |
| app_protocol_output | network.application_protocol |
| appcategory | security_result.summary |
| cat | security_result.category_details |
| Country | principal.location.country_or_region |
| Created Authentication | metadata.description |
| cs1 | target.url |
| cs2 | target.application |
| destinationServiceName | target.application |
| destinationTranslatedAddress | target.nat_ip |
| destinationTranslatedPort | target.nat_port |
| device_event_class_id event_name | metadata.product_event_type |
| device_product | metadata.product_name |
| device_vendor | metadata.vendor_name |
| device_version | metadata.product_version |
| dhost | target.hostname |
| dmac | target.mac |
| dntdom | target.administrative_domain |
| dpid | target.process.pid |
| dproc | target.process.command_line |
| dpt | target.port |
| dst_ip | target.ip |
| duid | target.user.userid |
| duser | target.user.user_display_name |
| externalId | metadata.product_log_id |
| id | metadata.product_log_id |
| in | network.received_bytes |
| ip_protocol_out | network.ip_protocol |
| ipaddress | principal.ip |
| jsondata | metadata.description |
| msg | metadata.description |
| msg_json_log.additional.0.value | principal.hostname |
| msg_json_log.metadata.description | metadata.description |
| msg_json_log.metadata.product_name | metadata.product_name |
| msg_json_log.metadata.product_version | metadata.product_version |
| msg_json_log.metadata.vendor_name | metadata.vendor_name |
| mwProfile | security_result.rule_name |
| old_permissions | src.resource.attribute.permissions |
| oldFilePath | src.file.full_path |
| oldFileSize | src.file.size |
| out | network.sent_bytes |
| outcome | security_result.action_details |
| PingID App Version | metadata.product_version |
| Policy Met | security_result.rule_name |
| reason | security_result.summary |
| request | target.url |
| requestClientApplication | network.http.user_agent |
| Requested Application ID | target.hostname |
| Requested Application Name | security_result.about.application |
| requestMethod | network.http.method |
| resources.0.environment.id | target.asset.product_object_id |
| resources.0.name | target.user.userid |
| resources.0.websession | network.session_id |
| result.message | metadata.description |
| result.message | security_result.summary |
| result.status | security_result.action_details |
| Risk Evaluation | metadata.description |
| Rule Met | security_result.summary |
| shost | principal.hostname |
| smac | principal.mac |
| sntdom | principal.administrative_domain |
| sourceServiceName | principal.application |
| sourceTranslatedAddress | principal.nat_ip |
| sourceTranslatedPort | principal.nat_port |
| spid | principal.process.pid |
| sproc | principal.process.command_line |
| spt | principal.port |
| src | principal.ip |
| suid | principal.user.userid |
| suser | principal.user.user_display_name |
| sysloghost | observer.hostname |
| tagcountry | principal.asset.location.country_or_region |
| Updated Authentication | metadata.description |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
| POLICY | NETWORK_CONNECTION |
| SUCCESS | UNCATEGORIZED |
Log Sample
{'Message':'<13>1 2021-11-03T10:44:06-07:00 sysloghost - - - - {"source": "PINGID", "id": "id", "recorded": "2021-03-11T17:43:46.906Z", "action": null, "actors": [{"type": "user", "name": "user1", "id": null}], "resources": [], "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\nIP Address: 10.2.0.115\nPrevious Authentication IP: 10.2.0.115\nPrevious Authentication Time: 2021-11-02 09:22:23 PM UTC\nIP Reputation Whitelist Met: false\nIP Risk Score: Low\nCountry: United States\nPrevious Country: United States\nGround Speed: 0 km/h\nCurrent VPN/Proxy login: false\nPrevious VPN/Proxy login: false\nGeovelocity Whitelist Met: false\nNew Device: false\nRisk Level: N/A\nRequested Application ID: host\nRequested Application Name: NP: Citrix Remote Access\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: In the last 1381 minutes\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\nAccessing Device OS: Windows 10\nAccessing Device Browser: IE 11.0\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nDevice biometrics supported: N/A\nAction: Authenticate\nPolicy Met: Global Test Policy\nRule Met: \"Default Action\"\nGroup Affected: ALL"}}','tagCountry':'US'}
Sample Parsing
metadata.product_log_id = "id"
metadata.event_timestamp = "2021-11-03T17:44:06Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Ping"
metadata.product_name = "PingID"
metadata.product_version = "N/A"
additional.DeviceModel = "N/A"
additional.MobileOSVersion = "N/A"
principal.user.userid = "user1"
principal.ip = "10.2.0.115"
principal.application = "IE 11.0"
principal.platform_version = "Windows 10"
principal.location.country_or_region = "United States"
principal.asset.location.country_or_region = "US"
target.hostname = "host"
target.asset.hostname = "apps"
observer.hostname = "sysloghost"
security_result.about.application = "NP: Citrix Remote Access"
security_result.rule_name = "Global Test Policy"
security_result.summary = ""Default Action""
security_result.action_details = "Authenticate"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
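The Log Sample and Sample Parsing sections above show the three layers a PingID syslog event passes through: a Cyderes envelope (Message plus tagCountry), an RFC 5424 syslog header, and a JSON body whose result.message is itself a multi-line "Key: Value" block. The following is an added example, not Cyderes' parser or Ping's code, that walks those layers and produces the UDM fields listed under Sample Parsing. It assumes nil ("-") structured data in the syslog header, takes vendor and product names as constants (the page shows them as "Ping" / "PingID" for this JSON format), maps result.status to the UDM event classification per the Product Event Types table, and follows the Sample Parsing output where it differs from the field table (actors.user.name lands in principal.user.userid). Fields the sample output shows but the log does not carry (target.asset.hostname) are omitted. The sample envelope is constructed from the page's Log Sample with a shortened message block.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, modelled on this page's Log Sample: a Cyderes envelope whose
# Message is an RFC 5424 syslog line carrying the PingID JSON. The "\n" and '\"'
# sequences are kept as JSON escapes (raw strings), exactly as they arrive on the wire.
SAMPLE_ENVELOPE = {
    "Message": (
        r'<13>1 2021-11-03T10:44:06-07:00 sysloghost - - - - '
        r'{"source": "PINGID", "id": "id", "recorded": "2021-03-11T17:43:46.906Z", '
        r'"action": null, "actors": [{"type": "user", "name": "user1", "id": null}], '
        r'"resources": [], "client": null, "result": {"status": "POLICY", '
        r'"message": "Authentication Details:\nIP Address: 10.2.0.115\n'
        r'Country: United States\nRequested Application ID: host\n'
        r'Requested Application Name: NP: Citrix Remote Access\n'
        r'Accessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\n'
        r'Accessing Device OS: Windows 10\nAccessing Device Browser: IE 11.0\n'
        r'Mobile OS Version: N/A\nDevice Model: N/A\nPingID App Version: N/A\n'
        r'Action: Authenticate\nPolicy Met: Global Test Policy\n'
        r'Rule Met: \"Default Action\"\nGroup Affected: ALL"}}'
    ),
    "tagCountry": "US",
}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# Assumption: SD is the nil value "-", as in the sample (bracketed SD is not handled).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# result.status -> UDM event classification, per the Product Event Types table.
STATUS_TO_EVENT_TYPE = {"POLICY": "NETWORK_CONNECTION", "SUCCESS": "UNCATEGORIZED"}

# "Authentication Details" key -> UDM field, per the field table and Sample Parsing.
DETAIL_TO_UDM = {
    "IP Address": "principal.ip",
    "Country": "principal.location.country_or_region",
    "Requested Application ID": "target.hostname",
    "Requested Application Name": "security_result.about.application",
    "Accessing Device UserAgent": "network.http.user_agent",
    "Accessing Device OS": "principal.platform_version",
    "Accessing Device Browser": "principal.application",
    "PingID App Version": "metadata.product_version",
    "Action": "security_result.action_details",
    "Policy Met": "security_result.rule_name",
    "Rule Met": "security_result.summary",
    "Device Model": "additional.DeviceModel",
    "Mobile OS Version": "additional.MobileOSVersion",
}


def split_syslog(line):
    """Return (timestamp, hostname, message) from an RFC 5424 line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    return m.group("ts"), m.group("host"), m.group("msg")


def parse_details(message):
    """Turn the multi-line 'Key: Value' block in result.message into a dict.

    Splits on the first ': ' only, so a value such as 'NP: Citrix Remote Access'
    keeps its own colon. Lines with no separator (the 'Authentication Details:'
    header, or free text) are skipped rather than raising.
    """
    details = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            details[key.strip()] = value.strip()
    return details


def to_utc(ts):
    """Normalise the offset-bearing syslog timestamp to the UTC 'Z' form UDM uses."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ping_event(envelope):
    """Map one Cyderes envelope ({'Message': ..., 'tagCountry': ...}) to UDM fields."""
    ts, host, raw = split_syslog(envelope["Message"])
    event = json.loads(raw)
    result = event.get("result") or {}
    udm = {
        "metadata.product_log_id": event.get("id"),
        "metadata.event_timestamp": to_utc(ts),
        # Unknown statuses fall through to GENERIC_EVENT ("all others" in the table).
        "metadata.event_type": STATUS_TO_EVENT_TYPE.get(result.get("status"), "GENERIC_EVENT"),
        "metadata.vendor_name": "Ping",    # constant for this format (assumption from Sample Parsing)
        "metadata.product_name": "PingID",  # likewise
        "observer.hostname": host,
        "principal.asset.location.country_or_region": envelope.get("tagCountry"),
    }
    for actor in event.get("actors") or []:
        if actor.get("type") == "user" and actor.get("name"):
            udm["principal.user.userid"] = actor["name"]
    details = parse_details(result.get("message") or "")
    for key, field in DETAIL_TO_UDM.items():
        if key in details:
            udm[field] = details[key]
    return udm


if __name__ == "__main__":
    for field, value in sorted(parse_ping_event(SAMPLE_ENVELOPE).items()):
        print(f'{field} = "{value}"')
```

Note that `Rule Met: "Default Action"` carries its own quotation marks in the message, which is why the Sample Parsing section shows security_result.summary as `""Default Action""`; the parser keeps the inner quotes as part of the value rather than stripping them.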
Parser Alerting
This product currently does not have any Parser-based Alerting