Ping Identity¶
About¶
In today’s business environment, user experience is a priority. However, that shouldn’t be at the expense of reliable security. The PingOne Cloud Platform helps you optimize both, with a comprehensive, standards-based platform designed for hybrid, multi-generational and multi-cloud environments. Now you can allow all users and devices to securely access cloud, mobile, SaaS and on-premises applications and APIs.
Product Details¶
Vendor URL: Ping Identity
Product Type: Identity/Access Management
Product Tier: Tier I
Integration Method: Syslog
Integration URL: PingOne - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90-100%
Data Label: PING
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
_embedded.riskEvent.ip | target.asset.ip |
_embedded.riskEvent.ip | target.ip |
_embedded.riskEvent.sessionId | network.session_id |
_embedded.riskEvent.targetResourceId | target.url |
_embedded.riskEvent.userAgent | network.http.user_agent |
Accessing Device Browser | principal.application |
Accessing Device OS | principal.platform_version |
Accessing Device UserAgent | network.http.user_agent |
act | security_result.action_details |
act.name | principal.user.userid |
action | security_result.action |
Action | security_result.action_details |
action.type | security_result.action_details |
actors.client.name | target.resource.name |
actors.user.name | target.user.userid |
additional_cfp1 | additional.fields |
additional_cfp2 | additional.fields |
additional_cfp3 | additional.fields |
additional_cfp4 | additional.fields |
additional_cn1 | additional.fields |
additional_cn2 | additional.fields |
additional_cn3 | additional.fields |
additional_cs1 | additional.fields |
additional_cs2 | additional.fields |
additional_cs4 | additional.fields |
additional_cs5 | additional.fields |
additional_cs6 | additional.fields |
additional_cs7 | additional.fields |
additional_device_model | additional.fields |
additional_devicePayloadId | additional.fields |
additional_eventId | additional.fields |
additional_externalId | additional.fields |
additional_flexString1 | additional.fields |
additional_fname | additional.fields |
additional_mobile_os | additional.fields |
additional_smb_host | additional.fields |
additional_smb_stage1 | additional.fields |
additional_smb_uid | additional.fields |
app | target.application |
app_protocol_output | network.application_protocol |
appcategory | security_result.summary |
cat | security_result.category_details |
Country | principal.location.country_or_region |
Created Authentication | metadata.description |
cs1 | target.url |
cs2 | target.application |
destinationServiceName | target.application |
destinationTranslatedAddress | target.nat_ip |
destinationTranslatedPort | target.nat_port |
device_event_class_id event_name | metadata.product_event_type |
device_product | metadata.product_name |
device_vendor | metadata.vendor_name |
device_version | metadata.product_version |
dhost | target.hostname |
dmac | target.mac |
dntdom | target.administrative_domain |
dpid | target.process.pid |
dproc | target.process.command_line |
dpt | target.port |
dst_ip | target.ip |
duid | target.user.userid |
duser | target.user.user_display_name |
externalId | metadata.product_log_id |
id | metadata.product_log_id |
in | network.received_bytes |
ip_protocol_out | network.ip_protocol |
ipaddress | principal.ip |
jsondata | metadata.description |
msg | metadata.description |
msg_json_log.additional.0.value | principal.hostname |
msg_json_log.metadata.description | metadata.description |
msg_json_log.metadata.product_name | metadata.product_name |
msg_json_log.metadata.product_version | metadata.product_version |
msg_json_log.metadata.vendor_name | metadata.vendor_name |
mwProfile | security_result.rule_name |
old_permissions | src.resource.attribute.permissions |
oldFilePath | src.file.full_path |
oldFileSize | src.file.size |
out | network.sent_bytes |
outcome | security_result.action_details |
PingID App Version | metadata.product_version |
Policy Met | security_result.rule_name |
reason | security_result.summary |
request | target.url |
requestClientApplication | network.http.user_agent |
Requested Application ID | target.hostname |
Requested Application Name | security_result.about.application |
requestMethod | network.http.method |
resources.0.environment.id | target.asset.product_object_id |
resources.0.name | target.user.userid |
resources.0.websession | network.session_id |
result.message | metadata.description |
result.message | security_result.summary |
result.status | security_result.action_details |
Risk Evaluation | metadata.description |
Rule Met | security_result.summary |
shost | principal.hostname |
smac | principal.mac |
sntdom | principal.administrative_domain |
sourceServiceName | principal.application |
sourceTranslatedAddress | principal.nat_ip |
sourceTranslatedPort | principal.nat_port |
spid | principal.process.pid |
sproc | principal.process.command_line |
spt | principal.port |
src | principal.ip |
suid | principal.user.userid |
suser | principal.user.user_display_name |
sysloghost | observer.hostname |
tagcountry | principal.asset.location.country_or_region |
Updated Authentication | metadata.description |
Product Event Types¶
Event | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
POLICY | NETWORK_CONNECTION |
SUCCESS | UNCATEGORIZED |
Log Sample¶
{'Message':'<13>1 2021-11-03T10:44:06-07:00 sysloghost - - - - {"source": "PINGID", "id": "id", "recorded": "2021-03-11T17:43:46.906Z", "action": null, "actors": [{"type": "user", "name": "user1", "id": null}], "resources": [], "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\nIP Address: 10.2.0.115\nPrevious Authentication IP: 10.2.0.115\nPrevious Authentication Time: 2021-11-02 09:22:23 PM UTC\nIP Reputation Whitelist Met: false\nIP Risk Score: Low\nCountry: United States\nPrevious Country: United States\nGround Speed: 0 km/h\nCurrent VPN/Proxy login: false\nPrevious VPN/Proxy login: false\nGeovelocity Whitelist Met: false\nNew Device: false\nRisk Level: N/A\nRequested Application ID: host\nRequested Application Name: NP: Citrix Remote Access\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: In the last 1381 minutes\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\nAccessing Device OS: Windows 10\nAccessing Device Browser: IE 11.0\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nDevice biometrics supported: N/A\nAction: Authenticate\nPolicy Met: Global Test Policy\nRule Met: \"Default Action\"\nGroup Affected: ALL"}}','tagCountry':'US'}
Sample Parsing¶
metadata.product_log_id = "id"
metadata.event_timestamp = "2021-11-03T17:44:06Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Ping"
metadata.product_name = "PingID"
metadata.product_version = "N/A"
additional.DeviceModel = "N/A"
additional.MobileOSVersion = "N/A"
principal.user.userid = "user1"
principal.ip = "10.2.0.115"
principal.application = "IE 11.0"
principal.platform_version = "Windows 10"
principal.location.country_or_region = "United States"
principal.asset.location.country_or_region = "US"
target.hostname = "host"
target.asset.hostname = "apps"
observer.hostname = "sysloghost"
security_result.about.application = "NP: Citrix Remote Access"
security_result.rule_name = "Global Test Policy"
security_result.summary = ""Default Action""
security_result.action_details = "Authenticate"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
Parser Alerting¶
This product currently does not have any Parser-based Alerting