Ingest Authentication Logs from PingFederate

Ingest authentication logs and data from PingFederate for use in Cortex XDR authentication stories.
Ingesting Authentication Logs requires a Cortex XDR Pro per TB license.
To receive authentication logs from PingFederate, you must first write Audit and Provisioner Audit Logs to CEF in PingFederate and then set up a Syslog Collector in Cortex XDR to receive the logs. After you set up log collection, Cortex XDR immediately begins receiving new authentication logs from the source. Cortex XDR creates a dataset named ping_identity_pingfederate_raw. Logs from PingFederate are searchable in XQL queries using the dataset and surfaced, when relevant, in authentication stories.
  1. Set up PingFederate to write logs in CEF.
    To set up the integration, you must have an account for the PingFederate management dashboard and access to create a subscription for SSO logs.
    In your PingFederate deployment, write audit logs in CEF. During this setup, you will need the IP address and port you configured in the Syslog Collector.
  2. To search for specific authentication logs or data, you can Create an Authentication Query or use the XQL Search.
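
To check that forwarded lines are well-formed CEF before relying on them in the Syslog Collector, the following added example (not from the original page, Palo Alto Networks, or Ping Identity) parses a CEF line, including escaped pipes and equals signs. The function names and the sample line are constructed for illustration; the sample is not real PingFederate output.

```python
import re

# CEF layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ["cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]
# An extension key follows start-of-string or whitespace and ends at '='.
_EXT_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")

def _unescape(value):
    # CEF escapes: \\ \| \= plus \n and \r for line breaks in extension values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(body, parts=8):
    # Split on unescaped pipes only; everything after the 7th pipe is the extension.
    out, cur, i = [], [], 0
    while i < len(body) and len(out) < parts - 1:
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if body[i] == "|":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    out.append("".join(cur) + body[i:])
    return out

def parse_cef(line):
    start = line.find("CEF:")  # skip any syslog prefix before the CEF payload
    if start < 0:
        raise ValueError("no CEF header found")
    parts = _split_header(line[start + 4:])
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts)}
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    bounds = [m.start() for m in keys[1:]] + [len(ext)]  # each value ends where the next key starts
    event["extension"] = {m.group(1): _unescape(ext[m.end():end].strip())
                          for m, end in zip(keys, bounds)}
    return event

# Constructed sample line (not real PingFederate output); vendor, product and keys are placeholders.
SAMPLE = (r"<134>Jan 10 12:00:00 pf-host CEF:0|ExampleVendor|Example\|IdP|1.0|AUTHN_ATTEMPT|"
          r"Authentication attempt|3|suser=alice src=192.0.2.10 msg=status\=success for app one outcome=success")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

A line that raises `ValueError` here is not valid CEF, which points to the PingFederate logging configuration rather than the collector.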
