Ingest Authentication Logs and Data from PingOne

Set up PingOne for Enterprise to send logs and data.
To set up integration, you must have an account for the PingOne management dashboard and access to create a subscription for SSO logs.
From the PingOne Dashboard:
Set up a Poll subscription.
Select
Reporting
Subscriptions
Add Subscription
.
Enter a
NAME
for the subscription.
Select
Poll
as the subscription type.
Leave the remaining defaults and select
Done
.
Identify your account ID and subscription ID.
Select the subscription you just set up and note the part of the poll URL between /reports/ and /poll-subscriptions. This is your PingOne account ID.
For example:
https://admin-api.pingone.com/v3/reports/1234567890asdfghjk-123456-zxcvbn/poll-subscriptions/***-0912348765-4567-98012***/events
In this URL, the account ID is
1234567890asdfghjk-123456-zxcvbn
.
Next, note the part of the poll URL between /poll-subscriptions/ and /events. This is your subscription ID.
In the example above, the subscription ID is
***-0912348765-4567-98012***
.
Select
Settings ( )
Configurations
Data Collection
Collection Integrations
.
Connect Cortex XDR to your PingOne for Enterprise authentication service.
Enter your PingOne
ACCOUNT ID
.
Enter your PingOne
SUBSCRIPTION ID
.
Enter your PingOne
USER NAME
.
Enter your PingOne
PASSWORD
.
Test
the connection settings.
If successful,
Enable
PingOne authentication log collection.
After configuration is complete, Cortex XDR begins receiving information from the authentication service. From the Integrations page, you can view the log collection summary.
To search for specific authentication logs or data, you can Create an Authentication Query or Create an XQL Query.